Bernhard:
By default network cards are assigned to sys-net and are not visible
in dom0 (as far as I know). Open the Qubes Manager -> sys-net -> VM
settings -> Devices tab, and make sure your network card is assigned
to it. So you need to run lsusb or lspci from within sys-net, not
dom0. You should also run `iw list`, `iwconfig`, and/or `ifconfig` in
sys-net.
Let me clarify: PCI network cards are assigned to sys-net and not
visible in dom0 by default, regardless of USB Qube. Other PCI devices
remain in dom0.
I can "see" they exist by typing lspci in dom0 (including network cards,
and the usb controller). My understanding is that while dom0 can see
them, they cannot see dom0 nor other qubes than the one they are
attached to (and dom0 will not talk to them unless a game-over event
occurred).
Looks like you're right. They still show up in dom0 lspci even when
assigned to a VM. If you use 'lspci -k', you'll see that the kernel
driver in use for assigned devices is Xen 'pciback' instead of the
actual driver.
I also think you're right that they cannot "see" dom0, in the sense that
they don't have DMA access to any memory owned by dom0 or any other VM.
On machines with working VT-d at least. On machines without VT-d, the VM
could in theory infect the device and gain access to all the machine's
physical memory. But it's still safer to have devices in their own VMs
such as sys-net and sys-usb, even on machines without VT-d.
The last part, I think you're right, as long as you don't reattach the
device to dom0. When you un-assign a device from a VM it is not
automatically reattached to dom0, as a safety feature. You shouldn't
attach it to any other VMs either, or the device could infect that VM.
You have to reboot, and then un-assign the device without starting the
VM it was assigned to. However it should be safe to re-assign devices
that support the reset command, as long as it is implemented correctly
by the hardware/firmware. I don't know if I would trust it, personally.
The recent QSB 52 fixed a vulnerability where un-assigned devices could
still carry out DMA attacks even without being reattached to dom0 by the
user. If I understand correctly.
https://www.qubes-os.org/doc/pci-devices/
https://www.qubes-os.org/doc/device-handling-security/#pci-security
https://www.qubes-os.org/news/2019/10/31/qsb-052/
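The `lspci -k` check described in the reply above, written out as an added shell example (not code from this thread or from the Qubes project). It parses `lspci -k` output the way dom0 prints it and reports which devices are held by Xen's `pciback` (handed to a qube such as sys-net) versus still bound to a dom0 driver, or to no driver at all. The sample output below is constructed for the example, and the function names are my own; the `pciback` driver name and the reading that a network controller not under `pciback` has not actually been given to sys-net come from the thread and the linked PCI-devices page.

```shell
#!/bin/sh
# Classify PCI devices from `lspci -k` output by the dom0 kernel driver bound
# to them. In Qubes, a device handed to a VM shows "Kernel driver in use:
# pciback" in dom0; anything else is still driven by dom0, or by nothing.

# Constructed sample in the format `lspci -k` prints (not captured from a
# real machine). Continuation lines are indented, as lspci does.
SAMPLE_LSPCI='00:14.0 USB controller: Example Corp xHCI Host Controller (rev 21)
	Subsystem: Example Corp Device 0001
	Kernel driver in use: pciback
	Kernel modules: xhci_pci
00:1f.3 Audio device: Example Corp HD Audio Controller (rev 21)
	Subsystem: Example Corp Device 0002
	Kernel driver in use: snd_hda_intel
	Kernel modules: snd_hda_intel
00:1f.6 Ethernet controller: Example Corp Gigabit Ethernet Controller (rev 21)
	Subsystem: Example Corp Device 0003
	Kernel modules: e1000e
02:00.0 Network controller: Example Corp Wireless 802.11ac Adapter (rev 3a)
	Subsystem: Example Corp Device 0004
	Kernel driver in use: pciback
	Kernel modules: iwlwifi'

# Print one line per device: "<bdf> <driver-or-(none)> <class>".
# A header line starts with a BDF (optionally domain-prefixed); the driver
# comes from the indented "Kernel driver in use:" line that follows it.
classify_pci() {
    printf '%s\n' "$1" | awk '
        /^([0-9a-fA-F]+:)?[0-9a-fA-F]+:[0-9a-fA-F]+\.[0-9a-fA-F]/ {
            if (dev != "") print dev, (drv == "" ? "(none)" : drv), cls
            dev = $1; drv = ""
            cls = $0; sub(/^[^ ]+ /, "", cls); sub(/:.*/, "", cls)
            next
        }
        /^[ \t]*Kernel driver in use:/ { drv = $NF }
        END { if (dev != "") print dev, (drv == "" ? "(none)" : drv), cls }
    '
}

# BDFs that dom0 has handed to a VM (held by pciback).
pciback_devices() {
    classify_pci "$1" | awk '$2 == "pciback" { print $1 }'
}

# Network/Ethernet controllers NOT held by pciback: these did not end up in
# sys-net, whether dom0 drives them itself or nothing is bound at all.
network_devices_not_in_vm() {
    classify_pci "$1" | awk '$2 != "pciback" && ($3 == "Network" || $3 == "Ethernet")'
}

echo "== all devices (bdf driver class) =="
classify_pci "$SAMPLE_LSPCI"
echo "== held by pciback (assigned to a VM) =="
pciback_devices "$SAMPLE_LSPCI"
echo "== network controllers not held by pciback =="
network_devices_not_in_vm "$SAMPLE_LSPCI"
# On a real Qubes dom0, feed the live listing instead:
#   classify_pci "$(lspci -k)"
```

Devices with no driver line at all are reported as `(none)` rather than being lumped in with `pciback`, so an unbound device is not mistaken for one that has been safely handed to a qube. In the sample, `00:1f.6` is exactly that case: visible to dom0, driven by nobody, and not in sys-net.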
You also have the option of combining
sys-net and sys-usb into the same Qube so no passthru is necessary. (Or
is that mandatory when using USB network cards and a USB Qube?)
USB is one attack surface, network another. I would suggest to keep them
apart. In fact, a USB qube does not need any networking at all (not even
internet access). Imagine it becomes the victim of a "bad-USB"; then it
still cannot 'break out' and phone home, for example. Actually my
Yeah, it's definitely more secure to have them separate. I think the
option is there in case you run into trouble passing a USB network card
from sys-usb to sys-net. Combining them doesn't require any USB
passthru, just PCI passthru of the USB controllers, so it's simpler and
more likely to work. That would be my guess anyway. I don't really know
how USB passthru works. Also useful for machines that don't have much
ram to spare, maybe.
sys-usb is halted by default unless I really need it (consequence: if
you plug in any USB device, nothing happens. Just nothing.).
Just curious, when you plug in a flash drive while your sys-usb is off,
does the flash drive's LED turn on at all for you? I noticed on one of
my machines, when USB qube is enabled (hide_all_usb), my devices aren't
recognized, and when I plug in a flash drive the LED blinks very briefly
and then turns off. The same flash drive on other OSes, or with USB qube
disabled, the LED normally stays on, and blinks when you access the
drive. (I currently don't have a Qubes machine with a working USB qube I
could try this on.)
--
You received this message because you are subscribed to the Google Groups
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/f1c8a59a-7b35-0ccd-eacb-fe722878cb7a%40vfemail.net.