Re: [qubes-users] Re: Creating USB qube: PCI device in use by driver xenlight

2016-11-27 Thread Andrew David Wong

On 2016-11-26 14:29, Grzesiek Chodzicki wrote:
> On Saturday, 26 November 2016 19:52:39 UTC+1, Pawel Debski wrote:
>> On Saturday, 26 November 2016 18:56:49 UTC+1, Grzesiek Chodzicki wrote:
>>> put following command in dom0 terminal: qvm-prefs -s vmname pci_strictreset 
>>> false
>>
>> Tx Greg, that works.
>>
>> Can we briefly discuss how much does it lower the security of the 
>> workstation. I mean: does it really allow to plug-in fabricated USB device 
>> to install keylogger to obtain credentials to highly sensitive applications 
>> running in other qube (say VaultVM).
>>
>> What other potential attack scenaria does it open?
>> (assuming that one is interested only to protect VaultVM transient content)
> 
> If the device is assigned to one vm only at all times then it doesn't lower 
> security afaik. PCI strict reset is used to reset the device's state when 
> moving the device between machines. If the device is not moved between 
> machines then it shouldn't matter.
> 

Correct. From `man qvm-prefs`:

pci_strictreset
Accepted values: True, False

Control whether prevent assigning to VM a device which does not support any 
reset method. Generally such devices should not be assigned to any VM, because 
there will be no way to reset device state after VM shutdown, so the device 
could attack next VM to which it will be assigned. But in some cases it could 
make sense - for example when the VM to which it is assigned is trusted one, or 
is running all the time.

-- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/848eb69d-92bf-1af1-b771-cf385b04d0a2%40qubes-os.org.
For more options, visit https://groups.google.com/d/optout.
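
The man page excerpt quoted above ties `pci_strictreset` to whether a device supports any reset method. The following is an added example, not from the thread or from the Qubes project: a shell check that lists USB controllers and whether the Linux kernel exposes a `reset` attribute for them in sysfs. It assumes that attribute is a reasonable proxy for the toolstack's own check; the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example. Reports, per USB controller, whether sysfs exposes a
# "reset" attribute (the kernel creates it only when it found a reset method).
# Assumption: this approximates the condition pci_strictreset enforces.

# $1 = sysfs root (defaults to /sys; overridable so it can run on a sample tree)
usb_controller_reset_report() {
    root="${1:-/sys}"
    for dev in "$root"/bus/pci/devices/*; do
        [ -r "$dev/class" ] || continue
        class=$(cat "$dev/class")
        case "$class" in
            0x0c03*) ;;          # PCI class 0x0c03xx: USB controller
            *) continue ;;       # ignore every other device class
        esac
        if [ -e "$dev/reset" ]; then
            state="reset=yes"
        else
            state="reset=no"
        fi
        printf '%s %s %s\n' "$(basename "$dev")" "$class" "$state"
    done
}

# Controllers with no reset method: the ones strict reset would refuse to
# assign, and the ones that should stay with a single qube.
usb_controllers_without_reset() {
    usb_controller_reset_report "$1" | awk '$3 == "reset=no" { print $1 }'
}

# Constructed sample tree (addresses and classes are made up for the demo).
make_sample_sysfs() {
    d=$(mktemp -d)
    mk() {
        mkdir -p "$d/bus/pci/devices/$1"
        printf '%s\n' "$2" > "$d/bus/pci/devices/$1/class"
    }
    mk 0000:00:14.0 0x0c0330                      # USB controller, no reset
    mk 0000:00:1a.0 0x0c0320                      # USB controller with reset
    : > "$d/bus/pci/devices/0000:00:1a.0/reset"
    mk 0000:00:1f.2 0x010601                      # SATA controller, ignored
    printf '%s\n' "$d"
}

sample=$(make_sample_sysfs)
usb_controller_reset_report "$sample"
rm -rf "$sample"
```

Calling `usb_controller_reset_report` with no argument reads the live `/sys` tree instead of the sample.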


Re: [qubes-users] Re: Creating USB qube: PCI device in use by driver xenlight

2016-11-27 Thread Pawel Debski

Great, tx.

Sent with AquaMail for Android
http://www.aqua-mail.com


On 26 November 2016 23:29:39, Grzesiek Chodzicki wrote:

> On Saturday, 26 November 2016 19:52:39 UTC+1, Pawel Debski wrote:
>> On Saturday, 26 November 2016 18:56:49 UTC+1, Grzesiek Chodzicki wrote:
>>> On Saturday, 26 November 2016 18:53:26 UTC+1, Pawel Debski wrote:
>>>> Folks,
>>>>
>>>> I'm trying to create a VM that will handle all USB devices that are or
>>>> may be connected to the machine.
>>>>
>>>> 1. I have created a new AppVM based on fedora-24-full-sw template.
>>>>
>>>> 2. fedora-24-full-sw template is a copy of Fedora 24 template with all
>>>> sorts of additional software installed, for example for Bluetooth handling,
>>>> 3G modem, finger print reader, camera, flash card reader and so on.
>>>>
>>>> 3. I have assigned an USB controller to the newly created AppVM and
>>>> switched-off memory balancing in the options as recommended by the message
>>>> on "Advanced" tab.
>>>>
>>>> 4. When I'm trying to start the VM I'm getting the following message:
>>>> "PCI device in use by driver xenlight"
>>>>
>>>> Please note that at the moment only one single USB bus is assigned to
>>>> this VM.
>>>> Without any assigned devices this VM starts properly.
>>>>
>>>> What shall I do to make it work with USB bus?
>>>>
>>>> Best regards
>>>> PD
>>>
>>> put following command in dom0 terminal: qvm-prefs -s vmname
>>> pci_strictreset false
>>
>> Tx Greg, that works.
>>
>> Can we briefly discuss how much does it lower the security of the
>> workstation. I mean: does it really allow to plug-in fabricated USB device
>> to install keylogger to obtain credentials to highly sensitive applications
>> running in other qube (say VaultVM).
>>
>> What other potential attack scenaria does it open?
>> (assuming that one is interested only to protect VaultVM transient content)
>
> If the device is assigned to one vm only at all times then it doesn't lower
> security afaik. PCI strict reset is used to reset the device's state when
> moving the device between machines. If the device is not moved between
> machines then it shouldn't matter.




[qubes-users] Re: Creating USB qube: PCI device in use by driver xenlight

2016-11-26 Thread Pawel Debski
On Saturday, 26 November 2016 18:56:49 UTC+1, Grzesiek Chodzicki wrote:
> On Saturday, 26 November 2016 18:53:26 UTC+1, Pawel Debski wrote:
> > Folks,
> > 
> > I'm trying to create a VM that will handle all USB devices that are or may 
> > be connected to the machine.
> > 
> > 1. I have created a new AppVM based on fedora-24-full-sw template.
> > 
> > 2. fedora-24-full-sw template is a copy of Fedora 24 template with all 
> > sorts of additional software installed, for example for Bluetooth handling, 
> > 3G modem, finger print reader, camera, flash card reader and so on.
> > 
> > 3. I have assigned an USB controller to the newly created AppVM and 
> > switched-off memory balancing in the options as recommended by the message 
> > on "Advanced" tab.
> > 
> > 4. When I'm trying to start the VM I'm getting the following message:
> > "PCI device in use by driver xenlight"
> > 
> > Please note that at the moment only one single USB bus is assigned to this 
> > VM.
> > Without any assigned devices this VM starts properly.
> > 
> > What shall I do to make it work with USB bus?
> > 
> > Best regards
> > PD
> 
> put following command in dom0 terminal: qvm-prefs -s vmname pci_strictreset 
> false

Tx Greg, that works.

Can we briefly discuss how much does it lower the security of the workstation. 
I mean: does it really allow to plug-in fabricated USB device to install 
keylogger to obtain credentials to highly sensitive applications running in 
other qube (say VaultVM).

What other potential attack scenaria does it open?
(assuming that one is interested only to protect VaultVM transient content)



[qubes-users] Re: Creating USB qube: PCI device in use by driver xenlight

2016-11-26 Thread Grzesiek Chodzicki
On Saturday, 26 November 2016 18:53:26 UTC+1, Pawel Debski wrote:
> Folks,
> 
> I'm trying to create a VM that will handle all USB devices that are or may be 
> connected to the machine.
> 
> 1. I have created a new AppVM based on fedora-24-full-sw template.
> 
> 2. fedora-24-full-sw template is a copy of Fedora 24 template with all sorts 
> of additional software installed, for example for Bluetooth handling, 3G 
> modem, finger print reader, camera, flash card reader and so on.
> 
> 3. I have assigned an USB controller to the newly created AppVM and 
> switched-off memory balancing in the options as recommended by the message on 
> "Advanced" tab.
> 
> 4. When I'm trying to start the VM I'm getting the following message:
> "PCI device in use by driver xenlight"
> 
> Please note that at the moment only one single USB bus is assigned to this VM.
> Without any assigned devices this VM starts properly.
> 
> What shall I do to make it work with USB bus?
> 
> Best regards
> PD

put following command in dom0 terminal: qvm-prefs -s vmname pci_strictreset 
false
