On 3/22/22 13:21, 'Dan' via qubes-users wrote:
> Hello fellow Qubies,
>
> I have my USB controller (the PCI device) assigned to sys-net because I have
> a USB-Ethernet device. I also have my USB keyboard and mouse in sys-net on
> the same USB controller, and the keyboard and mouse can control dom0. My
> system has only one USB controller.
>
> I want to isolate compromises of sys-net. Would there be any advantage to
> creating sys-usb and then attaching only the USB-Ethernet device to sys-net?
> My USB-Ethernet device shows up as a device in the device widget (currently
> under sys-net as described above).
>
> So then my plan would be to put the USB controller in sys-usb, then attach
> just the USB-Ethernet device to sys-net. Would that reduce the ability of
> sys-net to compromise the USB controller and the keyboard?

Perhaps? It depends on the specific NIC in question. Fixing this properly will require switching to a unikernel for sys-usb. I also suggest blocklisting the USB Ethernet drivers in sys-usb’s template, and loading them manually in sys-net.

--
Sincerely,
Demi Marie Obenour (she/her/hers)
Invisible Things Lab
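
One way to act on the blocklisting suggestion in the reply above, as an added example that is not part of the original thread: find which kernel modules drive USB-attached network interfaces and emit modprobe.d `blacklist` lines for them. The function names and the `sysroot` parameter are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the thread. Function names and the sysroot
# parameter are hypothetical; sysroot defaults to /sys and exists only so
# the logic can be exercised against a constructed tree.

# Print the kernel module behind every network interface that sits on the
# USB bus, one module name per line, de-duplicated.
usb_net_modules() {
    sysroot="${1:-/sys}"
    for dev in "$sysroot"/class/net/*/device; do
        # Virtual interfaces (lo, vif*) have no backing device link.
        [ -e "$dev" ] || continue
        # The device's "subsystem" link names the bus it is attached to.
        bus=$(basename "$(readlink -f "$dev/subsystem")")
        [ "$bus" = "usb" ] || continue
        # Drivers built into the kernel have no module link; blocklisting
        # cannot affect them, so they are skipped.
        [ -e "$dev/driver/module" ] || continue
        basename "$(readlink -f "$dev/driver/module")"
    done | sort -u
}

# Turn the module list into modprobe.d directives.
emit_blocklist() {
    usb_net_modules "$1" | while read -r mod; do
        # "blacklist" only stops alias-triggered automatic loading; an
        # explicit "modprobe <module>" by name still succeeds, which is what
        # allows loading the driver manually in another qube.
        echo "blacklist $mod"
    done
}
```

Run `emit_blocklist` in a qube that currently sees the adapter, then place the output in a file under `/etc/modprobe.d/` in the template used by sys-usb.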