[qubes-users] How to manage multiple USB controllers

2016-10-10 Thread 'David Shleifman' via qubes-users
On Oct. 10, 2016 at 9:27 AM, Unman  wrote

> I wouldn't assign back to dom0.
> There's no reason why you shouldn't adopt some variation on A, and have
> different qubes handling different controllers. Of course, you'd have to
> make sure that you follow a consistent pattern with use of sockets.
> You could enforce this with configuration in the policy file, and by
> some udev rules to block anything except storage devices in the relevant
> ports.

> unman


Before trying either the "A" or the "B" direction, I stumbled upon the following
difficulty: after booting, Xfce pops up a dialog box which invites the user to
log in.  At this time, sys-usb hasn't started yet.  That is why the USB
keyboard is not operational.  In essence, it is a chicken and egg problem: in
order to enter a password, the sys-usb VM shall be started; in order to start
the sys-usb VM, a valid password shall be entered.



Unman> There's no reason why you shouldn't adopt some variation on A

I was leaning towards adopting some variation of plan "A".  Unfortunately, the
experience (see previous paragraph) demonstrates that it is not possible :(



I went forward with plan "B":
B-1) Stay with a single sys-usb qube and remove the rear.OHCI0 controller from
sys-usb (using Qubes VM Manager).  I assume that the controller will be
returned to dom0.  Is that correct?
B-2) Remove "sys-usb dom0 ask,user=root" from
/etc/qubes-rpc/policy/qubes.InputKeyboard.
B-3) Remove "sys-usb dom0 ask,user=root" from
/etc/qubes-rpc/policy/qubes.InputMouse.
B-4) Remove rd.qubes.hide_all_usb from /etc/default/grub and run
grub2-mkconfig -o /boot/grub2/grub.cfg in dom0.

 
With this plan in place, I am able to log in using the USB keyboard.  



Further enhancements

* In step B-4, it would be nice to hide all USB controllers from dom0
except rear.OHCI0.  How to achieve this?

Unman> Of course, you'd have to make sure that you follow a consistent pattern 
with use of sockets.  You could enforce this with configuration in the policy 
file, and by some udev rules to block anything except storage devices in the 
relevant ports. 
* How to achieve this?  Is there some manual?  Would you mind sharing an example?


* Correct the policy in 
https://www.qubes-os.org/doc/usb/#how-to-use-a-usb-keyboard manual.  It should 
be:

sys-usb dom0 ask,user=root

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/1946887460.2653244.1476146051505%40mail.yahoo.com.
For more options, visit https://groups.google.com/d/optout.
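Steps B-2/B-3 and the closing remark about "sys-usb dom0 ask,user=root" both come down to which qubes the RPC policy lets push keyboard or mouse events into dom0. The audit below is an added example (not code from the thread or from Qubes); it assumes the Qubes 3.x policy syntax of one "source destination action[,key=value,...]" rule per line with "#" comments and first-match semantics, and uses a constructed policy sample in place of the dom0 files.

```python
def parse_policy(text: str) -> list:
    """Return (source, destination, action, options) tuples in file order."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError("malformed policy line: %r" % raw)
        src, dst, spec = parts
        action, *opts = spec.split(",")          # e.g. "ask,user=root"
        options = dict(o.split("=", 1) for o in opts if "=" in o)
        rules.append((src, dst, action, options))
    return rules

def input_sources(rules: list, dest: str = "dom0") -> dict:
    """Sources whose first matching rule lets them reach `dest` -> (action, user).
    First match wins, so a later 'deny' for the same source changes nothing."""
    decided, result = set(), {}
    for src, dst, action, options in rules:
        if dst not in (dest, "$anyvm") or src in decided:
            continue
        decided.add(src)
        if action in ("allow", "ask"):
            result[src] = (action, options.get("user"))
    return result

def audit(text: str, expected: set) -> list:
    """Findings for one policy file: any qube outside `expected` that can send
    input to dom0, any grant without a prompt, any grant missing user=root."""
    findings = []
    for src, (action, user) in input_sources(parse_policy(text)).items():
        if src not in expected:
            findings.append("%s may send input to dom0 (unexpected source)" % src)
        if action == "allow":
            findings.append("%s is granted without a prompt (allow)" % src)
        if user != "root":
            findings.append("%s rule lacks user=root" % src)
    return findings

# Constructed sample standing in for /etc/qubes-rpc/policy/qubes.InputKeyboard
SAMPLE = """# constructed sample, not a real dom0 file
sys-usb dom0 ask,user=root
untrusted dom0 allow      # constructed misconfiguration
$anyvm $anyvm deny
"""
```

Running audit() over SAMPLE with expected={"sys-usb"} reports only the "untrusted" line, three times over: unexpected source, no prompt, no user=root.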


Re: [qubes-users] How to manage multiple USB controllers

2016-10-10 Thread Franz
On Mon, Oct 10, 2016 at 10:27 AM, Unman  wrote:

> On Mon, Oct 10, 2016 at 05:04:26AM +, 'David Shleifman' via
> qubes-users wrote:
> > The PC system has 2 USB hubs: the first one is used for USB jacks on the
> > front panel, the second one is used for USB jacks on the rear panel. Each
> > hub has 3 controllers:
> > front.OHCI0 handles first 3 USB 1.1 devices that are plugged in (nothing
> > at the moment)
> > front.OHCI1 handles next 3 USB 1.1 devices that are plugged in (nothing
> > at the moment)
> > front.EHCI0 handles up to 6 USB 2.0 devices that are plugged in (DVD-RW
> > drive and flash stick at the moment)
> > rear.OHCI0 handles first 3 USB 1.1 devices that are plugged in (USB
> > keyboard and USB mouse are plugged in persistently)
> > rear.OHCI1 handles next 3 USB 1.1 devices that are plugged in (nothing
> > at the moment)
> > rear.EHCI0 handles up to 6 USB 2.0 devices that are plugged in (Web
> > camera, and CD-RW drive are plugged in persistently)
> > I followed the recommendation at
> > https://www.qubes-os.org/doc/usb/#creating-and-using-a-usb-qube.  After
> > running
> > [dom0]$   qubesctl top.enable qvm.sys-usb
> > [dom0]$   qubesctl state.highstate
> > all 6 controllers have been assigned to sys-usb qube.  It looks like a
> > very bad idea to mix security sensitive devices such as keyboard/mouse with
> > other devices.  Where do I go from this point?
> >
> > A) Split controllers into two groups and assign each group to a
> > different sys-usb qube? Keyboard/mouse shall end up in a first group, while
> > other devices shall end up in the second group.  Is this breakdown in line
> > with the security guidelines (see https://www.qubes-os.org/doc/usb/)?
> >
> > B) Stay with a single sys-usb qube and assign rear.OHCI0 controller back
> > to dom0?  Do I need to remove "sys-usb dom0 ask" from
> > /etc/qubes-rpc/policy/qubes.InputKeyboard? Do I need to remove
> > GRUB_CMDLINE_LINUX rd.qubes.hide_all_usb from /etc/default/grub?  How
> > to instruct GRUB to hide all controllers except rear.OHCI0?
>
> I wouldn't assign back to dom0.
> There's no reason why you shouldn't adopt some variation on A, and have
> different qubes handling different controllers. Of course, you'd have to
> make sure that you follow a consistent pattern with use of sockets.
> You could enforce this with configuration in the policy file, and by
> some udev rules to block anything except storage devices in the relevant
> ports.
>
>
I am planning to do something like that with my Lenovo x230, which has a
docking station with some USB ports. There should be an independent
controller in the docking station.

When I detach the laptop from the docking station, the second sys-usb will
be unable to find its assigned controller and will give some error, but
that should be no problem.

Then I may use the USB controller on the laptop for more dirty stuff and the
controller on the docking station for connecting Trezor for bitcoin
transactions and similar more delicate tasks.

Best
Fran


> unman
>



Re: [qubes-users] How to manage multiple USB controllers

2016-10-10 Thread Unman
On Mon, Oct 10, 2016 at 05:04:26AM +, 'David Shleifman' via qubes-users 
wrote:
> The PC system has 2 USB hubs: the first one is used for USB jacks on the
> front panel, the second one is used for USB jacks on the rear panel. Each hub
> has 3 controllers:
> front.OHCI0 handles first 3 USB 1.1 devices that are plugged in (nothing at
> the moment)
> front.OHCI1 handles next 3 USB 1.1 devices that are plugged in (nothing at
> the moment)
> front.EHCI0 handles up to 6 USB 2.0 devices that are plugged in (DVD-RW drive
> and flash stick at the moment)
> rear.OHCI0 handles first 3 USB 1.1 devices that are plugged in (USB keyboard
> and USB mouse are plugged in persistently)
> rear.OHCI1 handles next 3 USB 1.1 devices that are plugged in (nothing at the
> moment)
> rear.EHCI0 handles up to 6 USB 2.0 devices that are plugged in (Web camera,
> and CD-RW drive are plugged in persistently)
> I followed the recommendation at
> https://www.qubes-os.org/doc/usb/#creating-and-using-a-usb-qube.  After
> running
> [dom0]$   qubesctl top.enable qvm.sys-usb
> [dom0]$   qubesctl state.highstate
> all 6 controllers have been assigned to sys-usb qube.  It looks like a very
> bad idea to mix security sensitive devices such as keyboard/mouse with other
> devices.  Where do I go from this point?
>
> A) Split controllers into two groups and assign each group to a different
> sys-usb qube? Keyboard/mouse shall end up in a first group, while other
> devices shall end up in the second group.  Is this breakdown in line with
> the security guidelines (see https://www.qubes-os.org/doc/usb/)?
>
> B) Stay with a single sys-usb qube and assign rear.OHCI0 controller back to
> dom0?  Do I need to remove "sys-usb dom0 ask" from
> /etc/qubes-rpc/policy/qubes.InputKeyboard? Do I need to remove
> GRUB_CMDLINE_LINUX rd.qubes.hide_all_usb from /etc/default/grub?  How to
> instruct GRUB to hide all controllers except rear.OHCI0?

I wouldn't assign back to dom0.
There's no reason why you shouldn't adopt some variation on A, and have
different qubes handling different controllers. Of course, you'd have to
make sure that you follow a consistent pattern with use of sockets.
You could enforce this with configuration in the policy file, and by
some udev rules to block anything except storage devices in the relevant
ports.

unman
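The "udev rules to block anything except storage devices" idea above needs a decision routine that can tell a plain flash stick from a composite device that also presents a keyboard. The gate below is an added example (not code from the thread or from Qubes): it parses the raw descriptor dump that Linux exposes as /sys/bus/usb/devices/<dev>/descriptors and accepts the device only if every interface has the wanted class. It assumes the USB qube's root hubs run with authorized_default=0 so nothing is configured until the gate writes <dev>/authorized, that the descriptors file is readable before authorization, and a udev rule (constructed, shown in the comment) that invokes it; the STICK and BADSTICK descriptor blobs are constructed test inputs.

```python
import struct
import sys
from pathlib import Path

DT_INTERFACE = 0x04            # bDescriptorType of an interface descriptor
USB_CLASS_HID = 0x03           # keyboards and mice
USB_CLASS_MASS_STORAGE = 0x08  # flash sticks, optical drives

def interface_classes(descriptors: bytes) -> list:
    """Walk the raw descriptor dump and collect bInterfaceClass of each interface.
    Every descriptor starts with bLength, bDescriptorType, so other types
    (device, configuration, endpoint, vendor blobs) are skipped by length."""
    classes, off = [], 0
    while off + 2 <= len(descriptors):
        length, dtype = descriptors[off], descriptors[off + 1]
        if length < 2 or off + length > len(descriptors):
            raise ValueError("corrupt descriptor at offset %d" % off)
        if dtype == DT_INTERFACE and length >= 9:
            classes.append(descriptors[off + 5])   # bInterfaceClass
        off += length
    return classes

def allowed(descriptors: bytes, wanted_class: int) -> bool:
    """True only if the device has interfaces and all are `wanted_class`;
    a stick that also presents a HID interface is rejected as a whole."""
    try:
        classes = interface_classes(descriptors)
    except ValueError:
        return False          # unparsable descriptors: deny
    return bool(classes) and all(c == wanted_class for c in classes)

def gate(sysfs_dev: Path, wanted_class: int) -> bool:
    """Decide for one <dev> directory and record it in <dev>/authorized."""
    ok = allowed((sysfs_dev / "descriptors").read_bytes(), wanted_class)
    (sysfs_dev / "authorized").write_text("1\n" if ok else "0\n")
    return ok

def _config(*classes: int) -> bytes:
    """Constructed configuration descriptor with one interface per class."""
    body = b"".join(struct.pack("<BBBBBBBBB", 9, DT_INTERFACE, i, 0, 2, c, 0, 0, 0)
                    for i, c in enumerate(classes))
    return struct.pack("<BBHBBBBB", 9, 2, 9 + len(body), len(classes), 1, 0, 0x80, 50) + body

STICK = _config(USB_CLASS_MASS_STORAGE)                     # plain flash stick
BADSTICK = _config(USB_CLASS_MASS_STORAGE, USB_CLASS_HID)   # stick + keyboard

if __name__ == "__main__":
    # Constructed udev rule for the qube: ACTION=="add", SUBSYSTEM=="usb",
    #   ENV{DEVTYPE}=="usb_device", RUN+="/usr/local/bin/usb-gate /sys%p 08"
    sys.exit(0 if gate(Path(sys.argv[1]), int(sys.argv[2], 16)) else 1)
```

For the qube that owns the keyboard port the same gate is run with class 03 instead of 08, so that only pure HID devices are authorized there.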



[qubes-users] How to manage multiple USB controllers

2016-10-09 Thread 'David Shleifman' via qubes-users
The PC system has 2 USB hubs: the first one is used for USB jacks on the front
panel, the second one is used for USB jacks on the rear panel. Each hub has 3
controllers:
front.OHCI0 handles first 3 USB 1.1 devices that are plugged in (nothing at the
moment)
front.OHCI1 handles next 3 USB 1.1 devices that are plugged in (nothing at the
moment)
front.EHCI0 handles up to 6 USB 2.0 devices that are plugged in (DVD-RW drive
and flash stick at the moment)
rear.OHCI0 handles first 3 USB 1.1 devices that are plugged in (USB keyboard
and USB mouse are plugged in persistently)
rear.OHCI1 handles next 3 USB 1.1 devices that are plugged in (nothing at the
moment)
rear.EHCI0 handles up to 6 USB 2.0 devices that are plugged in (Web camera, and
CD-RW drive are plugged in persistently)
I followed the recommendation at
https://www.qubes-os.org/doc/usb/#creating-and-using-a-usb-qube.  After running

[dom0]$   qubesctl top.enable qvm.sys-usb
[dom0]$   qubesctl state.highstate

all 6 controllers have been assigned to sys-usb qube.  It looks like a very bad
idea to mix security sensitive devices such as keyboard/mouse with other
devices.  Where do I go from this point?

A) Split controllers into two groups and assign each group to a different
sys-usb qube? Keyboard/mouse shall end up in a first group, while other devices
shall end up in the second group.  Is this breakdown in line with the security
guidelines (see https://www.qubes-os.org/doc/usb/)?

B) Stay with a single sys-usb qube and assign rear.OHCI0 controller back to
dom0?  Do I need to remove "sys-usb dom0 ask" from
/etc/qubes-rpc/policy/qubes.InputKeyboard? Do I need to remove
GRUB_CMDLINE_LINUX rd.qubes.hide_all_usb from /etc/default/grub?  How to
instruct GRUB to hide all controllers except rear.OHCI0?

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/791381640.1825127.1476075866991%40mail.yahoo.com.
For more options, visit https://groups.google.com/d/optout.