Re: [qubes-users] sys-usb and usb read-only

On Fri, Aug 11, 2017 at 4:41 AM, Nicolas Mojon wrote:
> Hi,
>
> I would like to know if on the new 4.0 it is possible to lock down data in a
> VM such that nothing can go out of the VM (like no internet or copy/paste
> through dom0). I would like to do that especially for USB sticks or other
> storage devices, so that people can work on things on the USB in the VM but
> nothing must be able to go out.
>
> Additionally, I would like to know if it is possible to use the sys-usb VM
> with a USB keyboard, because for the moment, when I try to implement it,
> it ends in a deadlock because I cannot use the keyboard when restarting.
> And even with the ask policy, it happens after the login, so it is pretty
> problematic, and allowing it completely will probably cause a security
> issue for my system, on top of the question above.
>
> Thank you in advance...
>
> Best regards
>
> Nicolas

You can put explicit deny rules for all qrexec services involving that VM. Copy/paste evaluates qubes-rpc policy too, but with an implicit undefined or ask meaning yes.

*HOWEVER*: To truly and completely accomplish this is pretty much impossible with modern computer architectures unless you limit to only one VM running at a time. There will likely always be ways to establish covert channels between cooperating VMs due to hardware side-channels, regardless of whatever Qubes might try to do to stop it.

See also: https://www.qubes-os.org/doc/data-leaks/

Regards,
Jean-Philippe

--
You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/CABQWM_CoQY9NuHGOf6sAQLPqGKVCd3nYsgMumwae2X6CDwb9_g%40mail.gmail.com. For more options, visit https://groups.google.com/d/optout.
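The explicit deny rules Jean-Philippe describes, as an added example that is not part of the thread: a small dom0 shell helper that prepends a `VMNAME @anyvm deny` line to the Qubes 4.0 per-service policy files for services that can move data out of a qube. The service list and the helper names are assumptions; the policy directory and the rule syntax are the standard 4.0 ones.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the Qubes 4.0 policy layout:
# one file per service under /etc/qubes-rpc/policy in dom0, rules matched
# top-down (first match wins), '@anyvm' as the wildcard keyword.
# Run as root in dom0; pass a different directory as $2 for a dry run.
set -eu

# Services consulted when data leaves the *source* qube. This list is an
# assumption for the example, not a complete inventory of qrexec services.
LEAK_SERVICES="qubes.Filecopy qubes.ClipboardPaste qubes.OpenInVM qubes.OpenURL"

# lock_vm VMNAME [POLICY_DIR]
# Put "VMNAME @anyvm deny" as the first line of each service policy file so
# it matches before any later "@anyvm @anyvm ask" default line.
lock_vm() {
    vm="$1"
    dir="${2:-/etc/qubes-rpc/policy}"
    for svc in $LEAK_SERVICES; do
        f="$dir/$svc"
        # Create an empty policy file if the service has none yet.
        [ -f "$f" ] || : > "$f"
        # Idempotent: skip files that already carry the deny rule.
        if grep -Eq "^$vm[[:space:]]+@anyvm[[:space:]]+deny" "$f"; then
            continue
        fi
        tmp="$f.tmp.$$"
        { printf '%s @anyvm deny\n' "$vm"; cat "$f"; } > "$tmp"
        mv "$tmp" "$f"
    done
}

# first_rule FILE: print the first effective (non-comment, non-blank) rule,
# which is the one qrexec will hit first for this qube.
first_rule() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' | head -n 1
}
```

Because rules are matched top-down, a deny line appended at the bottom would never be reached once the default `@anyvm @anyvm ask` line matches. To drop networking as Robert suggests, `qvm-prefs VMNAME netvm ''` clears the qube's NetVM.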
Re: [qubes-users] sys-usb and usb read-only

On 08/11/2017 08:41 PM, Nicolas Mojon wrote:
> Hi,
>
> I would like to know if on the new 4.0 it is possible to lock down data in a
> VM such that nothing can go out of the VM (like no internet or copy/paste
> through dom0). I would like to do that especially for USB sticks or other
> storage devices, so that people can work on things on the USB in the VM but
> nothing must be able to go out.
>
> Additionally, I would like to know if it is possible to use the sys-usb VM
> with a USB keyboard, because for the moment, when I try to implement it,
> it ends in a deadlock because I cannot use the keyboard when restarting.
> And even with the ask policy, it happens after the login, so it is pretty
> problematic, and allowing it completely will probably cause a security
> issue for my system, on top of the question above.
>
> Thank you in advance...
>
> Best regards
>
> Nicolas
>

Hi Nicolas,

I am not aware of any changes between r3.2 and r4.0 that would affect your use case. You can disable the VM's networking of course. If you want a read-only USB flash drive you should look at the USG hardware firewall. I have recently released configurable firmware with a read-only mass storage option:
https://github.com/robertfisk/usg/wiki

Regarding USB keyboards with sys-usb, as you have discovered this does not work. Enabling sys-usb sets a kernel option to hide all USB controllers from dom0, and you then cannot type the disk password. You have two choices:

1 - Leave sys-usb enabled. Boot with a PS/2 keyboard attached (laptop keyboards are PS/2).
2 - Disable sys-usb. Leave your keyboard's PCI USB controller attached to dom0. Assign other PCI USB controllers to your own USB VM. If your system only has one USB controller you could purchase a USB expansion card.

Read the Qubes USB docs for more info:
https://www.qubes-os.org/doc/usb/

Regards,
Robert
[qubes-users] sys-usb and usb read-only

Hi,

I would like to know if on the new 4.0 it is possible to lock down data in a VM such that nothing can go out of the VM (like no internet or copy/paste through dom0). I would like to do that especially for USB sticks or other storage devices, so that people can work on things on the USB in the VM but nothing must be able to go out.

Additionally, I would like to know if it is possible to use the sys-usb VM with a USB keyboard, because for the moment, when I try to implement it, it ends in a deadlock because I cannot use the keyboard when restarting. And even with the ask policy, it happens after the login, so it is pretty problematic, and allowing it completely will probably cause a security issue for my system, on top of the question above.

Thank you in advance...

Best regards

Nicolas