Re: [qubes-users] sys-usb and usb read-only

2017-08-12 Thread Jean-Philippe Ouellet
On Fri, Aug 11, 2017 at 4:41 AM, Nicolas Mojon  wrote:
> Hi,
>
> I would like to know if on the new 4.0 it is possible to lock down data in a 
> VM like that nothing can go out of the VM (like no internet or copypaste 
> through dom0). I would like to make that specially for usb sticks or other 
> stocking device, that people can work on things on the usb in the VM but 
> nothing must be able to go out.
>
> Additionally to that, I would like to know if it is possible to use the 
> sys-usb vm but with an usb keyboard, cause for the moment, when I try to 
> implement it, it finish in a dead lock cause I cannot use the keyboard when 
> restarting. And even with the ask policy, it happens after the login so it is 
> pretty problematic and allow it completely,will probably cause a security 
> issue for my system on of the question above.
>
> Thank you in advance...
>
> Best regards
>
> Nicolas

You can put explicit deny rules for all qrexec services involving that
VM. Copy/paste evaluates qubes-rpc policy too, but with an implicit
undefined or ask meaning yes.

*HOWEVER*: To truly and completely accomplish this is pretty much
impossible with modern computer architectures unless you limit to only
one VM running at a time. There will likely always be ways to
establish covert channels between cooperating VMs due to hardware
side-channels, regardless of whatever Qubes might try to do to stop
it.

See also: https://www.qubes-os.org/doc/data-leaks/

Regards,
Jean-Philippe

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CABQWM_CoQY9NuHGOf6sAQLPqGKVCd3nYsgMumwae2X6CDwb9_g%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] sys-usb and usb read-only

2017-08-11 Thread Robert Fisk
On 08/11/2017 08:41 PM, Nicolas Mojon wrote:
> Hi, 
>
> I would like to know if on the new 4.0 it is possible to lock down data in a 
> VM like that nothing can go out of the VM (like no internet or copypaste 
> through dom0). I would like to make that specially for usb sticks or other 
> stocking device, that people can work on things on the usb in the VM but 
> nothing must be able to go out.
>
> Additionally to that, I would like to know if it is possible to use the 
> sys-usb vm but with an usb keyboard, cause for the moment, when I try to 
> implement it, it finish in a dead lock cause I cannot use the keyboard when 
> restarting. And even with the ask policy, it happens after the login so it is 
> pretty problematic and allow it completely,will probably cause a security 
> issue for my system on of the question above.
>
> Thank you in advance...
>
> Best regards
>
> Nicolas
>

Hi Nicolas,

I am not aware of any changes between r3.2 and r4.0 that would affect
your use case. You can disable the vm's networking of course. If you
want a read-only USB flash drive you should look at the USG hardware
firewall. I have recently released configurable firmware with a
read-only mass storage option:

https://github.com/robertfisk/usg/wiki

Regarding USB keyboards with sys-usb, as you have discovered this does
not work. Enabling sys-usb sets a kernel option to hide all USB
controllers from dom0, and you then cannot type the disk password. You
have two choices:

 1 - Leave sys-usb enabled. Boot with a PS/2 keyboard attached (laptop
keyboards are PS/2)
 2 - Disable sys-usb. Leave your keyboard's PCI USB controller attached
to dom0. Assign other PCI USB controllers to your own usb VM. If your
system only has one USB controller you could purchase a USB expansion card.

Read the Qubes USB docs for more info:

https://www.qubes-os.org/doc/usb/

Regards,
Robert

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/f539d88f-6575-6786-6139-d2705b0781a5%40fastmail.fm.
For more options, visit https://groups.google.com/d/optout.


[qubes-users] sys-usb and usb read-only

2017-08-11 Thread Nicolas Mojon
Hi, 

I would like to know if on the new 4.0 it is possible to lock down data in a VM 
like that nothing can go out of the VM (like no internet or copypaste through 
dom0). I would like to make that specially for usb sticks or other stocking 
device, that people can work on things on the usb in the VM but nothing must be 
able to go out.

Additionally to that, I would like to know if it is possible to use the sys-usb 
vm but with an usb keyboard, cause for the moment, when I try to implement it, 
it finish in a dead lock cause I cannot use the keyboard when restarting. And 
even with the ask policy, it happens after the login so it is pretty 
problematic and allow it completely,will probably cause a security issue for my 
system on of the question above.

Thank you in advance...

Best regards

Nicolas

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/8849fc0a-70ac-42ac-8e25-176db7653d11%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.