Re: [qubes-users] Safely use USB keyboard and untrusted USB devices with only 1 USB controller?

2019-06-24 Thread 'awokd' via qubes-users

oak2...@gmail.com:


Hi, having problems creating sys-usb and want to use a usb keyboard, usb mouse, 
and a usb flash drive with the computer, that's it.  What would be the most 
secure setup for that in terms of where to assign my usb devices too?  Qubes 
page says using an Untrusted Qube for them is the most secure, but I don't know 
what that is and how it differs from a Disposable VM.

sys-usb is an Untrusted Qube. I think in that context the only trusted 
Qube is dom0. A disposable VM is one that keeps no state information 
between boots, and always reverts to its original definition. You can 
combine the two and make a disposable sys-usb.


Are you following the steps in https://www.qubes-os.org/doc/usb-qubes/ 
to make a sys-usb?


--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/3bb33cc5-f8f9-b6e5-ddc2-b88a8596cd4c%40danwin1210.me.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Safely use USB keyboard and untrusted USB devices with only 1 USB controller?

2019-06-24 Thread oak2572
On Sunday, March 19, 2017 at 6:13:48 PM UTC-4, Andrew David Wong wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA512
> 
> On 2017-03-19 13:50, andres...@gmail.com wrote:
> > Hi!
> > 
> > I use an external keyboard and mouse, both currently connected to
> > dom0. After reading the USB doc I wanted to add an USB qube so I
> > could "safely" connect other devices (like untrusted pendrives, and
> > my smartphone to an adb qube).
> > 
> > Since untrusted devices will connected to this USB qube, it should
> > be considered untrusted. But I think I only have one USB
> > controller... This mean my keyboard and mouse will need to be
> > connected to this untrusted qube together with untrusted devices,
> > right?
> > 
> 
> If your keyboard and mouse are USB devices, yes.
> 
> > Is it worth it to create this extra USB qube this way?
> > 
> 
> That's up to you. The pros and cons are, I think, pretty clearly laid
> out on the USB page. If you have specific questions that aren't
> addressed there, please feel free to ask.
> 
> - -- 
> Andrew David Wong (Axon)
> Community Manager, Qubes OS
> https://www.qubes-os.org
> -BEGIN PGP SIGNATURE-
> 
> iQIcBAEBCgAGBQJYzwKEAAoJENtN07w5UDAw76kP/jnfjJ26Pgjii/N9MGz1CY4r
> 6naH9kikwkGtGFeNghZXPSuj5FVzzm3UwU0L2auciOkDjclNvukx29lMnrPdDR+i
> V4GfEn0eiBVceyJsUyrvPFGAE9dpLQdzHn4Tzckt/kl+db1x748ErleM4QZJPaKT
> h9/HIksuiQIO/9hVQzS60OQgbLY08uY2DveuKO6KVQJ3/79vwCO98SirThzdxXtA
> Cuq81jXntgceCznrK76xMVgwqYnapgnQmbyueFS0ZrjEgOWddHogAXzvT7ETnVfh
> ZvGtLQcviUqwLTa0R0+IMMByJrBzTlUM8VBGtCRjI00OF4CYHPGp60hJWZWTXq8F
> pP1pduIMeY3scVroT7PchRxT4UifUlwMOypYHjOVsloSRrOFiRy3m4cGyYtulBa0
> d7KzDlq0Av8m7nM66GfGb9E+ZLHSf9uX9EWv3Ej38VSsjmups/vcViEjj136Eg9V
> O2ZZI2mKYKP8ZRSpG+8RX58GjFHAJe/umlgPdNxsP2SJXuiysVzDJslPzsb5DHMd
> ksOOEnPi5qR/of2e3rFBlt/hfk2aeFzpNJcSFSNN5f7OB0RrI7jOg5C5ICcSGk9H
> pfEk+muCG6J4Tn8uoIbO4IWi79erb7W+iPXo6hDYMMckopXCGZOFhRKHDW+BRdS0
> nB0IzFxYQNtRNR9fg2sJ
> =6k39
> -END PGP SIGNATURE-

Hi, having problems creating sys-usb and want to use a usb keyboard, usb mouse, 
and a usb flash drive with the computer, that's it.  What would be the most 
secure setup for that in terms of where to assign my usb devices too?  Qubes 
page says using an Untrusted Qube for them is the most secure, but I don't know 
what that is and how it differs from a Disposable VM.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/39f3a846-7d69-45e9-b01d-a3bf5b4035fc%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Safely use USB keyboard and untrusted USB devices with only 1 USB controller?

2017-07-11 Thread Andres MRM
[2017-05-23 15:18] Vít Šesták:

> So, I've created DVM-like sys-usb and it the first working version was easier 
> than I thought. Just make /var/lib/qubes/servicevms/sys-usb/private.img an 
> empty file. I have renamed the original file and performed "touch 
> private.img".
> 
> VM sys-usb then still boots and works as USB input proxy. It does not run X11 
> apps until I create+chown /home/user and perform systemctl restart 
> qubes-gui-agent.service, but it does not matter so much.

Thanks for the tip! I did it and hope it's working.
But now sometimes I need to "replug" mouse or/and keyboard after boot for them
to work...

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/149977468708.5204.3258625358229903159%40localhost.localdomain.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Safely use USB keyboard and untrusted USB devices with only 1 USB controller?

2017-05-23 Thread Vít Šesták
So, I've created DVM-like sys-usb and it the first working version was easier 
than I thought. Just make /var/lib/qubes/servicevms/sys-usb/private.img an 
empty file. I have renamed the original file and performed "touch private.img".

VM sys-usb then still boots and works as USB input proxy. It does not run X11 
apps until I create+chown /home/user and perform systemctl restart 
qubes-gui-agent.service, but it does not matter so much.

Regards,
Vít Šesták 'v6ak'

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/0038396a-eb56-4bed-b6f3-7be475ec819b%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Safely use USB keyboard and untrusted USB devices with only 1 USB controller?

2017-03-28 Thread Andres MRM
Thanks for the replies!

[2017-03-27 22:13] cooloutac:
> so I guess just take your chances with it on the usb qube. I do it with
> mouse never seen anything weird happen.  a wireless mouse too. although I
> probably should put lock screen on I just realized I don't even have it on.

I setup an USB qube. It's working well, for now. =)

[2017-03-28 04:03] Vít Šesták:
> DVM for sys-usb would be cool, but I don't think it is possible today. The
> main challenge is probably to attach a PCI device to DVM. Well, maybe if you
> clone/tune qfile-daemon-dvm or related files… After you attach the USB
> controller to the DVM, you have essentially won; you will probably need just
> to upload and run some script (for starting the input proxy) to the USBDVM.
> Thos should be trivial, compared to attaching the USB device.

Is there any difference between using a DVM as USB qube, or just recreating
the USB qube when needed (e.g.: after using an untrusted pen drive)?


Best regards

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/149070066109.1245.5774877112809671387%40localhost.localdomain.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Safely use USB keyboard and untrusted USB devices with only 1 USB controller?

2017-03-28 Thread Vít Šesták
Well, are you sure that the vast majority of computers have just one USB 
controller? I find it pretty common even now to have both USB 2 and USB 3 
ports. Well, my laptop (though it is quite older) has separate USB2 and USB3 
with separate controllers. But maybe today's laptops have both USB2 and USB3 
ports handled by the same controller, I don't know.

DVM for sys-usb would be cool, but I don't think it is possible today. The main 
challenge is probably to attach a PCI device to DVM. Well, maybe if you 
clone/tune qfile-daemon-dvm or related files… After you attach the USB 
controller to the DVM, you have essentially won; you will probably need just to 
upload and run some script (for starting the input proxy) to the USBDVM. Thos 
should be trivial, compared to attaching the USB device.

I understand why you want an external ergonomic keyboard. I also have one and I 
wouldn't want to switch back…

Regards,
Vít Šesták 'v6ak'

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/db73d864-f829-4acf-a8ec-030f3fd8f91d%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Safely use USB keyboard and untrusted USB devices with only 1 USB controller?

2017-03-27 Thread cooloutac
On Sunday, March 26, 2017 at 8:22:46 PM UTC-4, Andres MRM wrote:
> [2017-03-26 21:14] cooloutac:
> > what about using the internal kb, no good?
> 
> No... I'm using an ergonomic one. It wasn't cheap, it's very different from a
> common one and it took me months to get used to it. =P

so I guess just take your chances with it on the usb qube. I do it with mouse 
never seen anything weird happen.  a wireless mouse too. although I probably 
should put lock screen on I just realized I don't even have it on.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/a097d330-9914-4fd2-b139-3adf08df3903%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Safely use USB keyboard and untrusted USB devices with only 1 USB controller?

2017-03-26 Thread Andres MRM

[2017-03-26 21:14] cooloutac:
> what about using the internal kb, no good?

No... I'm using an ergonomic one. It wasn't cheap, it's very different from a
common one and it took me months to get used to it. =P

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/149057415942.803.181230451023176868%40localhost.localdomain.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Safely use USB keyboard and untrusted USB devices with only 1 USB controller?

2017-03-26 Thread cooloutac
On Sunday, March 26, 2017 at 8:05:55 AM UTC-4, Andres MRM wrote:
> > ehci is for older usb protocol.  xhci is for 3.0,  maybe there is option in
> > bios to disable usb 3.0.  then maybe it will have separate routed
> > controllers? Thats how it works on my desktop pc.  otherwise all controllers
> > get routed through the xhci one.  but then you will be giving up usb 3.0,
> > but maybe worth it not to have kb in sys-usb. 
> 
> Thanks, cooloutac! I checked my BIOS, but couldn't find an option to disable
> USB 3.0. =/

what about using the internal kb, no good?

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/624b5631-767a-48e1-8b71-cbe7a6a521c2%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Safely use USB keyboard and untrusted USB devices with only 1 USB controller?

2017-03-26 Thread Andres MRM
> ehci is for older usb protocol.  xhci is for 3.0,  maybe there is option in
> bios to disable usb 3.0.  then maybe it will have separate routed
> controllers? Thats how it works on my desktop pc.  otherwise all controllers
> get routed through the xhci one.  but then you will be giving up usb 3.0,
> but maybe worth it not to have kb in sys-usb. 

Thanks, cooloutac! I checked my BIOS, but couldn't find an option to disable
USB 3.0. =/

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/149052994964.798.1907313827177849368%40localhost.localdomain.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Safely use USB keyboard and untrusted USB devices with only 1 USB controller?

2017-03-23 Thread cooloutac
On Thursday, March 23, 2017 at 8:21:40 AM UTC-4, Andres MRM wrote:
> [2017-03-22 18:52] cooloutac:
> > not sure but if its like my pc when using xhci (usb 3.0) everything goes
> > through thaT one controller. it look like you have ehci controller too but
> > not sure.  What I do with one controller is use a usb to pci adapter for the
> > kb.  For mouse you can use the qubes proxy, not as bad as also having kb in
> > usbvm.
> 
> Thanks, cooloutac!
> 
> What do you mean by "it look like you have ehci controller too"? What is it?
> Can it help me?
> 
> Unfortunately my notebook has no PCI port...

ehci is for older usb protocol.  xhci is for 3.0,  maybe there is option in 
bios to disable usb 3.0.  then maybe it will have separate routed controllers? 
Thats how it works on my desktop pc.  otherwise all controllers get routed 
through the xhci one.  but then you will be giving up usb 3.0, but maybe worth 
it not to have kb in sys-usb. 

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/04e617fc-72f6-426b-a96f-ec5022b95bd8%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Safely use USB keyboard and untrusted USB devices with only 1 USB controller?

2017-03-23 Thread Andres MRM
[2017-03-22 18:52] cooloutac:
> not sure but if its like my pc when using xhci (usb 3.0) everything goes
> through thaT one controller. it look like you have ehci controller too but
> not sure.  What I do with one controller is use a usb to pci adapter for the
> kb.  For mouse you can use the qubes proxy, not as bad as also having kb in
> usbvm.

Thanks, cooloutac!

What do you mean by "it look like you have ehci controller too"? What is it?
Can it help me?

Unfortunately my notebook has no PCI port...

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/149027169476.4535.10778284502551220775%40localhost.localdomain.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Safely use USB keyboard and untrusted USB devices with only 1 USB controller?

2017-03-22 Thread cooloutac
On Monday, March 20, 2017 at 6:36:54 AM UTC-4, Andres MRM wrote:
> Thanks for the replies, Unman and Andrew.
> And sorry for not answering you before, Unman, but I only saw your
> message now.
> 
> [2017-03-19 20:48] Unman:
> > Try 'lspci|grep USB'
> > Alternatively, look in QubesManager on the devices tab, and see how many
> > Controllers are there.
> 
> # lspci|grep USB
> 00:14.0 USB controller: Intel Corporation 7 Series/C210 Series Chipset Family 
> USB xHCI Host Controller (rev 04)
> 00:1a.0 USB controller: Intel Corporation 7 Series/C216 Chipset Family USB 
> Enhanced Host Controller #2 (rev 04)
> 00:1d.0 USB controller: Intel Corporation 7 Series/C216 Chipset Family USB 
> Enhanced Host Controller #1 (rev 04)
> 
> In the devices tab of any VM I also can see these 3 controllers. But, by
> the output of the other commands, it seems all my external devices are
> connected to the first controller, no?
> (Bus 4 and 3, that have id 00:14.0)
> 
> 
> Regards

not sure but if its like my pc when using xhci (usb 3.0) everything goes 
through thaT one controller. it look like you have ehci controller too but not 
sure.  What I do with one controller is use a usb to pci adapter for the kb.  
For mouse you can use the qubes proxy, not as bad as also having kb in usbvm.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/6da7e928-5cd6-4f16-909b-976bd7fd9849%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Safely use USB keyboard and untrusted USB devices with only 1 USB controller?

2017-03-20 Thread Andres MRM
Thanks for the replies, Unman and Andrew.
And sorry for not answering you before, Unman, but I only saw your
message now.

[2017-03-19 20:48] Unman:
> Try 'lspci|grep USB'
> Alternatively, look in QubesManager on the devices tab, and see how many
> Controllers are there.

# lspci|grep USB
00:14.0 USB controller: Intel Corporation 7 Series/C210 Series Chipset Family 
USB xHCI Host Controller (rev 04)
00:1a.0 USB controller: Intel Corporation 7 Series/C216 Chipset Family USB 
Enhanced Host Controller #2 (rev 04)
00:1d.0 USB controller: Intel Corporation 7 Series/C216 Chipset Family USB 
Enhanced Host Controller #1 (rev 04)

In the devices tab of any VM I also can see these 3 controllers. But, by
the output of the other commands, it seems all my external devices are
connected to the first controller, no?
(Bus 4 and 3, that have id 00:14.0)


Regards

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/149000620962.1073.4482443968028805728%40email.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Safely use USB keyboard and untrusted USB devices with only 1 USB controller?

2017-03-19 Thread Andrew David Wong
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 2017-03-19 17:52, Andres MRM wrote:
> Thanks for the reply, Andrew!
> 
> [2017-03-19 19:13] Andrew David Wong:
>> That's up to you. The pros and cons are, I think, pretty clearly
>> laid out on the USB page. If you have specific questions that
>> aren't addressed there, please feel free to ask.
> 
> That's what I feared... =/
> 
> I think I have no option, for I can only forward the smartphone to
> an "adb" qube if the USB controller is in a USB qube, right? (can't
> do that from dom0)
> 

Right.

> Do the USB qube get reset every reboot (like a DVM)? That would
> reduce the threat, I think...
> 

By default, no. It's probably possible to script a disposable USB qube
solution, though.

> And about the commands' outputs, any idea if they really mean only
> one USB controller?
> 

I don't know for certain, but I think your machine (like the vast
majority) probably has only one USB controller.

- -- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
-BEGIN PGP SIGNATURE-

iQIcBAEBCgAGBQJYzzq8AAoJENtN07w5UDAwq54QAKbGoC3Q3dkT4bKYZvY3FvSx
k+25+pRAZgftPCjRBVrKMAVsINojuWlshTcCvYJrvs/Su308cD1yL+gzrZcdfpUg
wlCdDNpgr8ysC9fwRsTTjL4IkiwQHXF4DSu/YeMxKBGW2BHL9z/JISQfx3abB4Qd
XAjLFRuIWvnyrEekZyoyoszk7Ago1w+Ma7zjeSPZXf4WMLCg6YfmDWS+LU8tc/lu
+Q0ic58NQVWxozC/ORGdjEddckBcZzL30t6hRCh6HeNhEXSHPRx/qhLgABmZzMjy
v86HKl0MaCeN7DuxUQ84tnoCfuBgfZ3voZnoAkDp9Eraf4+cDp/u1615EfIH+EHX
EqJlJhs6nmcEpFc84WBiqhlG/mqpayRLEbBHOSGQ/waLFLe/CutJ6jxqSfd5IKLg
op+uq7ZK5CnwXwy03wY5NFIizxUysvkfNNZtJiAtq/nYIsPX3zfbIvWxGg2D+KkX
5O5eaawfomIRzd276/NSg1vXnOveTwdkUMGYq4jUTZpReG4pzFytx6RWrpkmGEtN
PVnHE81FNq5qEH9v9k4OHyGWGkIks1sg/8dUEb72ts6YBewBTyVHHjJ89wsvFNoY
OT7dN60jHn+OzShXaIJOWMdQvRYL3cOBQvtiiIMzRAko02bSTSShsMzJjmMTHgfH
2seJPazXbp1v/L/jbS+y
=o7d2
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/4df3e2e8-c549-4b9a-1774-b831ab1f7ee2%40qubes-os.org.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Safely use USB keyboard and untrusted USB devices with only 1 USB controller?

2017-03-19 Thread Andres MRM
Thanks for the reply, Andrew!

[2017-03-19 19:13] Andrew David Wong:
> That's up to you. The pros and cons are, I think, pretty clearly laid
> out on the USB page. If you have specific questions that aren't
> addressed there, please feel free to ask.

That's what I feared... =/

I think I have no option, for I can only forward the smartphone to an
"adb" qube if the USB controller is in a USB qube, right? (can't do that
from dom0)

Do the USB qube get reset every reboot (like a DVM)? That would reduce
the threat, I think...

And about the commands' outputs, any idea if they really mean only one
USB controller?


Thanks!

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/148997117881.900.6223634171823122302%40email.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Safely use USB keyboard and untrusted USB devices with only 1 USB controller?

2017-03-19 Thread Unman
On Sun, Mar 19, 2017 at 01:50:30PM -0700, andres...@gmail.com wrote:
> Hi!
> 
> I use an external keyboard and mouse, both currently connected to dom0.
> After reading the USB doc I wanted to add an USB qube so I could "safely"
> connect other devices (like untrusted pendrives, and my smartphone to an adb
> qube).
> 
> Since untrusted devices will connected to this USB qube, it should be
> considered untrusted. But I think I only have one USB controller...
> This mean my keyboard and mouse will need to be connected to this untrusted
> qube together with untrusted devices, right?
> 
> Is it worth it to create this extra USB qube this way?
> 
> Bellow are the outputs of two commands, if anyone can help me make sure I
> really have only one USB controller. I pointed the devices I identified using 
> a
> ">(device name)". All my 3 USB ports were in use when I ran the commands.
> 
> # lsusb
> Bus 002 Device 002: ID 8087:0024 Intel Corp. Integrated Rate Matching Hub
> Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
> Bus 001 Device 003: ID 04f2:b2e3 >Internal Camera
> Bus 001 Device 002: ID 8087:0024 Intel Corp. Integrated Rate Matching Hub
> Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
> Bus 004 Device 002: ID 04e8:61b6 >External HDD
> Bus 004 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
> Bus 003 Device 003: ID 0e6a:030c >External Keyboard
> Bus 003 Device 006: ID 046d:c077 >External Mouse
> Bus 003 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
> 
> # readlink /sys/bus/usb/devices/usb*
> ../../../devices/pci:00/:00:1a.0/usb1
> ../../../devices/pci:00/:00:1d.0/usb2
> ../../../devices/pci:00/:00:14.0/usb3
> ../../../devices/pci:00/:00:14.0/usb4
> 
> 
> The most similar thread I found about this topic is this one:
> https://groups.google.com/forum/#!searchin/qubes-users/usb|sort:relevance/qubes-users/a86st0lUgEw/2FH24xuBFAAJ
> But in that case mojosam had 2 controllers.
> 
> 
> Thanks for the attention!
> 

Try 'lspci|grep USB'
Alternatively, look in QubesManager on the devices tab, and see how many
Controllers are there.

unman

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20170319234802.GA17309%40thirdeyesecurity.org.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Safely use USB keyboard and untrusted USB devices with only 1 USB controller?

2017-03-19 Thread Andrew David Wong
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 2017-03-19 13:50, andres...@gmail.com wrote:
> Hi!
> 
> I use an external keyboard and mouse, both currently connected to
> dom0. After reading the USB doc I wanted to add an USB qube so I
> could "safely" connect other devices (like untrusted pendrives, and
> my smartphone to an adb qube).
> 
> Since untrusted devices will connected to this USB qube, it should
> be considered untrusted. But I think I only have one USB
> controller... This mean my keyboard and mouse will need to be
> connected to this untrusted qube together with untrusted devices,
> right?
> 

If your keyboard and mouse are USB devices, yes.

> Is it worth it to create this extra USB qube this way?
> 

That's up to you. The pros and cons are, I think, pretty clearly laid
out on the USB page. If you have specific questions that aren't
addressed there, please feel free to ask.

- -- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
-BEGIN PGP SIGNATURE-

iQIcBAEBCgAGBQJYzwKEAAoJENtN07w5UDAw76kP/jnfjJ26Pgjii/N9MGz1CY4r
6naH9kikwkGtGFeNghZXPSuj5FVzzm3UwU0L2auciOkDjclNvukx29lMnrPdDR+i
V4GfEn0eiBVceyJsUyrvPFGAE9dpLQdzHn4Tzckt/kl+db1x748ErleM4QZJPaKT
h9/HIksuiQIO/9hVQzS60OQgbLY08uY2DveuKO6KVQJ3/79vwCO98SirThzdxXtA
Cuq81jXntgceCznrK76xMVgwqYnapgnQmbyueFS0ZrjEgOWddHogAXzvT7ETnVfh
ZvGtLQcviUqwLTa0R0+IMMByJrBzTlUM8VBGtCRjI00OF4CYHPGp60hJWZWTXq8F
pP1pduIMeY3scVroT7PchRxT4UifUlwMOypYHjOVsloSRrOFiRy3m4cGyYtulBa0
d7KzDlq0Av8m7nM66GfGb9E+ZLHSf9uX9EWv3Ej38VSsjmups/vcViEjj136Eg9V
O2ZZI2mKYKP8ZRSpG+8RX58GjFHAJe/umlgPdNxsP2SJXuiysVzDJslPzsb5DHMd
ksOOEnPi5qR/of2e3rFBlt/hfk2aeFzpNJcSFSNN5f7OB0RrI7jOg5C5ICcSGk9H
pfEk+muCG6J4Tn8uoIbO4IWi79erb7W+iPXo6hDYMMckopXCGZOFhRKHDW+BRdS0
nB0IzFxYQNtRNR9fg2sJ
=6k39
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/4c742dfb-0ffe-5f0d-9c63-9aa2a21b20af%40qubes-os.org.
For more options, visit https://groups.google.com/d/optout.


[qubes-users] Safely use USB keyboard and untrusted USB devices with only 1 USB controller?

2017-03-19 Thread andresmrm
Hi!

I use an external keyboard and mouse, both currently connected to dom0.
After reading the USB doc I wanted to add an USB qube so I could "safely"
connect other devices (like untrusted pendrives, and my smartphone to an adb
qube).

Since untrusted devices will connected to this USB qube, it should be
considered untrusted. But I think I only have one USB controller...
This mean my keyboard and mouse will need to be connected to this untrusted
qube together with untrusted devices, right?

Is it worth it to create this extra USB qube this way?

Bellow are the outputs of two commands, if anyone can help me make sure I
really have only one USB controller. I pointed the devices I identified using a
">(device name)". All my 3 USB ports were in use when I ran the commands.

# lsusb
Bus 002 Device 002: ID 8087:0024 Intel Corp. Integrated Rate Matching Hub
Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 003: ID 04f2:b2e3 >Internal Camera
Bus 001 Device 002: ID 8087:0024 Intel Corp. Integrated Rate Matching Hub
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 004 Device 002: ID 04e8:61b6 >External HDD
Bus 004 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 003 Device 003: ID 0e6a:030c >External Keyboard
Bus 003 Device 006: ID 046d:c077 >External Mouse
Bus 003 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub

# readlink /sys/bus/usb/devices/usb*
../../../devices/pci:00/:00:1a.0/usb1
../../../devices/pci:00/:00:1d.0/usb2
../../../devices/pci:00/:00:14.0/usb3
../../../devices/pci:00/:00:14.0/usb4


The most similar thread I found about this topic is this one:
https://groups.google.com/forum/#!searchin/qubes-users/usb|sort:relevance/qubes-users/a86st0lUgEw/2FH24xuBFAAJ
But in that case mojosam had 2 controllers.


Thanks for the attention!

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/3d4b2819-e59c-4251-a0a3-3e7a046a0d72%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.