Re: [qubes-users] sys-usb and usb read-only

2017-08-12 Thread Jean-Philippe Ouellet 
On Fri, Aug 11, 2017 at 4:41 AM, Nicolas Mojon  wrote:
> Hi,
>
> I would like to know if on the new 4.0 it is possible to lock down data in a 
> VM like that nothing can go out of the VM (like no internet or copypaste 
> through dom0). I would like to make that specially for usb sticks or other 
> stocking device, that people can work on things on the usb in the VM but 
> nothing must be able to go out.
>
> Additionally to that, I would like to know if it is possible to use the 
> sys-usb vm but with an usb keyboard, cause for the moment, when I try to 
> implement it, it finish in a dead lock cause I cannot use the keyboard when 
> restarting. And even with the ask policy, it happens after the login so it is 
> pretty problematic and allow it completely,will probably cause a security 
> issue for my system on of the question above.
>
> Thank you in advance...
>
> Best regards
>
> Nicolas

You can put explicit deny rules for all qrexec services involving that
VM. Copy/paste evaluates qubes-rpc policy too, but with an implicit
undefined or ask meaning yes.

*HOWEVER*: To truly and completely accomplish this is pretty much
impossible with modern computer architectures unless you limit to only
one VM running at a time. There will likely always be ways to
establish covert channels between cooperating VMs due to hardware
side-channels, regardless of whatever Qubes might try to do to stop
it.

See also: https://www.qubes-os.org/doc/data-leaks/

Regards,
Jean-Philippe

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CABQWM_CoQY9NuHGOf6sAQLPqGKVCd3nYsgMumwae2X6CDwb9_g%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] sys-usb and usb read-only

2017-08-11 Thread Robert Fisk 
On 08/11/2017 08:41 PM, Nicolas Mojon wrote:
> Hi, 
>
> I would like to know if on the new 4.0 it is possible to lock down data in a 
> VM like that nothing can go out of the VM (like no internet or copypaste 
> through dom0). I would like to make that specially for usb sticks or other 
> stocking device, that people can work on things on the usb in the VM but 
> nothing must be able to go out.
>
> Additionally to that, I would like to know if it is possible to use the 
> sys-usb vm but with an usb keyboard, cause for the moment, when I try to 
> implement it, it finish in a dead lock cause I cannot use the keyboard when 
> restarting. And even with the ask policy, it happens after the login so it is 
> pretty problematic and allow it completely,will probably cause a security 
> issue for my system on of the question above.
>
> Thank you in advance...
>
> Best regards
>
> Nicolas
>

Hi Nicolas,

I am not aware of any changes between r3.2 and r4.0 that would affect
your use case. You can disable the vm's networking of course. If you
want a read-only USB flash drive you should look at the USG hardware
firewall. I have recently released configurable firmware with a
read-only mass storage option:

https://github.com/robertfisk/usg/wiki

Regarding USB keyboards with sys-usb, as you have discovered this does
not work. Enabling sys-usb sets a kernel option to hide all USB
controllers from dom0, and you then cannot type the disk password. You
have two choices:

 1 - Leave sys-usb enabled. Boot with a PS/2 keyboard attached (laptop
keyboards are PS/2)
 2 - Disable sys-usb. Leave your keyboard's PCI USB controller attached
to dom0. Assign other PCI USB controllers to your own usb VM. If your
system only has one USB controller you could purchase a USB expansion card.

Read the Qubes USB docs for more info:

https://www.qubes-os.org/doc/usb/

Regards,
Robert

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/f539d88f-6575-6786-6139-d2705b0781a5%40fastmail.fm.
For more options, visit https://groups.google.com/d/optout.