[qubes-users] How to hide all except one USB controller?

2017-12-22 Thread 'Chris' via qubes-users 
Hi,

I bought a second internal USB controller (A) to connect a flash drive for 
booting from SD.

How can I prevent the internal controller(B) (with the keyboard attached) to be 
recognized during startup? I can still type my boot password with it, that 
means the controller is visible, right?

So how can I configure Qubes OS to:

1) At boot time, only controller (A) should be attached to dom0. Controller (B) 
should be unable to affect Qubes OS maliciously
2) After boot, controller (A) should be attached to dom0, controller (B) to 
sys-usb.
3) hide-all-usb does not seems to support this. How can I configure Grub to 
ignore all usb controllers except one specific one?

Cheers
Chris

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/qMRVLcTfS-Ee22yK7-KkyQI3Vcip4jG0BPZoJwfw1aqktnG4oiorKcqptVXAy7apco97G8ziafgZ2HApa4JEfsTQtnR2gH1-PJDMb0bJPPQ%3D%40protonmail.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] DMA attacks are possible not only via USB?!

2017-12-17 Thread 'Chris' via qubes-users 
Hi,

I am wondering a bit what this USB & NetVM shielding are really buying me. I am 
switching from a laptop to a desktop, so it may remain unattended for quite a 
while and thus could be exposed to hardware access... The hardware access will 
be mild, meaning I could imagine someone to compromise a bootloader or install 
a malicious device.

Now say that install an internal USB controller to which I connect an SD-Card 
reader, which in turn uses Anti-Evil-Maid to boot the machine. This controller 
needs to be whitelisted. But since it is internal and will only provide one 
slot for the card reader, the machine will not boot properly without this 
setup. Still, someone could compromise this setup.

So lets say I had a PCI-Express card reader, which seems to not be available 
for desktops... Wouldn't this pose the same problem? PCI-Express also has DMA 
access. How does Qubes know that a particular PCI-Express device can be safely 
attached to Dom0 (like a SD card reader on a laptop, which is usually 
PCI-Express)? If the PCI-Express device is compromised, wouldn't it compromise 
Dom0?

Anyway I am trying to wrap my head around what I can and can not protect 
against.

It seems as if Qubes OS is useless in protecting against hardware access. Even 
with TPM, I am not sure how realistic it is. Will AEM be triggered when 
changing USB controllers or adding hostile USB devices to the one whilelisted 
controller that manages the AEM device? If not, what is the point of AEM? How 
is AEM any better than simply putting the bootloader on a separate disk? Okay, 
it gives a bit better piece of mind that really MY bootloader was used, but 
that is about it, right? It won't help against someone adding compromised 
devices to a PCI-E slot or USB?!

Any links or help here? Btw, its really hard to find any useful information via 
Google about most topics regarding Qubes OS. Is Qubes OS somehow downranked 
intentionally?

Cheers
Chris

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/suUnD0yJpvEF22zlFlIRDF10NkbqtaPsbbmZwiQz0lErvA9-HmGLGX49d_s7GjytL7x3hy84XNR33F_Ip6P3pOzaNtWFHqAkfuw9FM1qX-E%3D%40protonmail.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Qubes OS and latest hardware (8700K)

2017-12-14 Thread 'Chris' via qubes-users 
Hi,

will Qubes OS 3.2 work with the 8700K desktop CPU that was just released? I've 
heard conflicting reports. If not, will 4.0 support it? I read that you need 
Kernel 4.12 (I believe) but even Qubes 4.0 seems to be stuck with 4.8...

Is this just a matter of "perfect" support or are they talking about not even 
running on 8700K with a lower kernel version?

The same question popped up for the new DELL XPS, which runs then 8th gen 
mobile CPUs. I guess the support question is similar here?!

Thanks!

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/Qbt2a6hGMaom2QKS7mKmDbAQeuwwwySXQnFTJa57-SceRR0kffjK0wjaIZuF8DNKZE-9M1nikKJJLAXT850xwJU7e0s9j1GtoDv4Xu39Ckg%3D%40protonmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Re: What are the disadvantages of NOT having vt-d?

2017-12-13 Thread 'Chris' via qubes-users 
I see.. But currently I am using Qubes 3.2 and 4.0 last time I tried was VERY 
unpolished, I am not sure I am going to look at it before support for 3.2 
expires...

It's not like I would not have the money to buy a 7700k, but I want to avoid 
spending money if not necessary that is why I want to get a clear picture...

>  Original Message 
> Subject: [qubes-users] Re: What are the disadvantages of NOT having vt-d?
> Local Time: December 14, 2017 1:40 AM
> UTC Time: December 14, 2017 12:40 AM
> From: vigilian.pira...@gmail.com
> To: qubes-users 
>
> Le jeudi 14 décembre 2017 01:27:23 UTC+1, Chris a écrit :
>
>> Hi,
>> I am an avid user of Qubes OS and I love what you have done. Finally I have 
>> a feeling of security and a peace of mind... I am not a security person but 
>> I kinda do care about it and have some basic understanding and am slightly 
>> paranoid.
>> I am currently running a DELL Precision 5520, which has vt-d. But it is 
>> owned by my company which I am leaving soon, and then I will have to switch 
>> back to my desktop, an old Intel 3700K without vt-d.
>> I am wondering, compared to my precision laptop with vt-d, what attack 
>> vectors will open up? The desktop will be connected to an Ubiquity router 
>> via Ethernet cable (no WLAN) which is in turn connected to a normal Cable 
>> modem. Is this reasonably safe? Is the NetVM mostly useful for WLAN or also 
>> for Ethernet?
>> I am a normal person, soon working as a developer at Amazon (so I would say 
>> while I am not high-profile, people might have interest in attacking me to 
>> gain access to AWS or any other Amazon service)...
>> Cheers
>> Mara
>>
>> Well for what I remember, you may not have any choice since for R4.0 you 
>> won't be able to install without vt-d activated. I have kinda the same 
>> problem. I will have to change the CPU from mthe laptop where qubes is 
>> installed to make it compatible.
>>
>> --
>> You received this message because you are subscribed to the Google Groups 
>> "qubes-users" group.
>> To unsubscribe from this group and stop receiving emails from it, send an 
>> email to qubes-users+unsubscr...@googlegroups.com.
>> To post to this group, send email to qubes-users@googlegroups.com.
>> To view this discussion on the web visit 
>> https://groups.google.com/d/msgid/qubes-users/02c07ac0-1578-4b33-96ff-1412de3ba133%40googlegroups.com.
>> For more options, visit https://groups.google.com/d/optout.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/S_X6ylPGCA7Uo4UtwpudNnYCWivvWd2frBgsaGn4rQgehtQHEzfaxArst4HhSn25_yj-fde1TtkoP1jAVlRq4TIpyIW6zEakoMLHIiep8DM%3D%40protonmail.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] What are the disadvantages of NOT having vt-d?

2017-12-13 Thread 'Chris' via qubes-users 
Hi,

I am an avid user of Qubes OS and I love what you have done. Finally I have a 
feeling of security and a peace of mind... I am not a security person but I 
kinda do care about it and have some basic understanding and am slightly 
paranoid.

I am currently running a DELL Precision 5520, which has vt-d. But it is owned 
by my company which I am leaving soon, and then I will have to switch back to 
my desktop, an old Intel 3700K without vt-d.

I am wondering, compared to my precision laptop with vt-d, what attack vectors 
will open up? The desktop will be connected to an Ubiquity router via Ethernet 
cable (no WLAN) which is in turn connected to a normal Cable modem. Is this 
reasonably safe? Is the NetVM mostly useful for WLAN or also for Ethernet?

I am a normal person, soon working as a developer at Amazon (so I would say 
while I am not high-profile, people might have interest in attacking me to gain 
access to AWS or any other Amazon service)...

Cheers
Mara

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/o3W8BIjswS5l71z7DsPde5dvkSlTh5lrmP2wQ33q-soegwXfj74acGjIqCt8oxDaKXPHUanHVXu1qIztTkaXBkhfzuq4NJ1RIQ03yFrJN1E%3D%40protonmail.com.
For more options, visit https://groups.google.com/d/optout.