Re: [qubes-users] sys-usb and usb read-only
On Fri, Aug 11, 2017 at 4:41 AM, Nicolas Mojon wrote:
> Hi,
>
> I would like to know if on the new 4.0 it is possible to lock down data in a
> VM such that nothing can go out of the VM (like no internet or copy/paste
> through dom0). I would like to make that specially for USB sticks or other
> stocking devices, so that people can work on things on the USB in the VM but
> nothing must be able to go out.
>
> Additionally to that, I would like to know if it is possible to use the
> sys-usb VM but with a USB keyboard, because for the moment, when I try to
> implement it, it finishes in a deadlock because I cannot use the keyboard when
> restarting. And even with the ask policy, it happens after the login, so it is
> pretty problematic, and allowing it completely will probably cause a security
> issue for my system on one of the questions above.
>
> Thank you in advance...
>
> Best regards
>
> Nicolas

You can put explicit deny rules for all qrexec services involving that VM. Copy/paste evaluates qubes-rpc policy too, but with an implicit undefined or ask meaning yes.

*HOWEVER*: To truly and completely accomplish this is pretty much impossible with modern computer architectures unless you limit to only one VM running at a time. There will likely always be ways to establish covert channels between cooperating VMs due to hardware side-channels, regardless of whatever Qubes might try to do to stop it.

See also: https://www.qubes-os.org/doc/data-leaks/

Regards,
Jean-Philippe

--
You received this message because you are subscribed to the Google Groups "qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/CABQWM_CoQY9NuHGOf6sAQLPqGKVCd3nYsgMumwae2X6CDwb9_g%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.
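The "explicit deny rules" Jean-Philippe mentions live in dom0, one file per qrexec service under /etc/qubes-rpc/policy (for example qubes.ClipboardPaste and qubes.Filecopy), with lines of the form `source destination action`; qrexec stops at the first line that matches, so a deny rule only works if it sits above the usual `@anyvm @anyvm ask` line. The script below is an added example, not code from the thread or from the Qubes project: it prepends deny rules for one qube to a set of policy files and includes a small evaluator that replays the first-match lookup so you can check the outcome before relying on it. The function names, the qube name `locked-vm`, and the POLICY_DIR override are assumptions for the example; the evaluator only understands literal qube names and the `@anyvm` wildcard (spelled `$anyvm` in the 4.0 pre-releases), not the other tokens the real policy language accepts.

```shell
#!/bin/sh
# Added example (not from the thread): maintain explicit deny rules for one
# qube in Qubes R4.0-style qrexec policy files and replay the first-match
# evaluation. POLICY_DIR defaults to the real dom0 location but can be
# pointed at a scratch directory for testing (assumption for this example).
POLICY_DIR="${POLICY_DIR:-/etc/qubes-rpc/policy}"

# R4.0 policy files use "@anyvm" as the wildcard; 4.0 pre-releases spelled
# it "$anyvm". Accept both.
is_anyvm() {
    case "$1" in
        '@anyvm'|'$anyvm') return 0 ;;
        *) return 1 ;;
    esac
}

# lock_qube VMNAME SERVICE... : prepend "VMNAME @anyvm deny" and
# "@anyvm VMNAME deny" to each service's policy file, so the qube can neither
# initiate nor receive that service. Prepending matters: qrexec stops at the
# first matching line, so a deny placed below "@anyvm @anyvm ask" is dead.
lock_qube() {
    vm="$1"; shift
    for svc in "$@"; do
        f="$POLICY_DIR/$svc"
        [ -f "$f" ] || : > "$f"
        tmp="$f.tmp.$$"
        {
            printf '%s @anyvm deny\n' "$vm"
            printf '@anyvm %s deny\n' "$vm"
            cat "$f"
        } > "$tmp" && mv "$tmp" "$f"
    done
}

# policy_action SERVICE SRC DST : print the action (allow/deny/ask) of the
# first line in SERVICE's policy file whose source and destination match SRC
# and DST. Prints "undefined" when no line matches or the file is missing.
# Comments and blank lines are skipped; options after a comma
# (e.g. "allow,target=work") are dropped from the printed action.
policy_action() {
    svc="$1"; src="$2"; dst="$3"
    f="$POLICY_DIR/$svc"
    [ -f "$f" ] || { echo undefined; return 0; }
    while read -r p_src p_dst p_act p_rest; do
        case "$p_src" in ''|'#'*) continue ;; esac
        if { [ "$p_src" = "$src" ] || is_anyvm "$p_src"; } &&
           { [ "$p_dst" = "$dst" ] || is_anyvm "$p_dst"; }; then
            echo "${p_act%%,*}"
            return 0
        fi
    done < "$f"
    echo undefined
}

# Typical use in dom0 (commented out so the file can be sourced safely):
# lock_qube locked-vm qubes.ClipboardPaste qubes.Filecopy qubes.OpenInVM qubes.OpenURL
# policy_action qubes.ClipboardPaste locked-vm work   # prints "deny"
```

Run `policy_action` for every service and direction you care about after editing; the evaluator will show whether an earlier `ask` line still shadows your deny rules. Disabling the qube's NetVM (`qvm-prefs locked-vm netvm ''`) is a separate setting and is not touched by this script.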
Re: [qubes-users] sys-usb and usb read-only
On 08/11/2017 08:41 PM, Nicolas Mojon wrote:
> Hi,
>
> I would like to know if on the new 4.0 it is possible to lock down data in a
> VM such that nothing can go out of the VM (like no internet or copy/paste
> through dom0). I would like to make that specially for USB sticks or other
> stocking devices, so that people can work on things on the USB in the VM but
> nothing must be able to go out.
>
> Additionally to that, I would like to know if it is possible to use the
> sys-usb VM but with a USB keyboard, because for the moment, when I try to
> implement it, it finishes in a deadlock because I cannot use the keyboard when
> restarting. And even with the ask policy, it happens after the login, so it is
> pretty problematic, and allowing it completely will probably cause a security
> issue for my system on one of the questions above.
>
> Thank you in advance...
>
> Best regards
>
> Nicolas

Hi Nicolas,

I am not aware of any changes between r3.2 and r4.0 that would affect your use case. You can disable the VM's networking, of course.

If you want a read-only USB flash drive you should look at the USG hardware firewall. I have recently released configurable firmware with a read-only mass storage option: https://github.com/robertfisk/usg/wiki

Regarding USB keyboards with sys-usb, as you have discovered this does not work. Enabling sys-usb sets a kernel option to hide all USB controllers from dom0, and you then cannot type the disk password. You have two choices:

1 - Leave sys-usb enabled. Boot with a PS/2 keyboard attached (laptop keyboards are PS/2).

2 - Disable sys-usb. Leave your keyboard's PCI USB controller attached to dom0. Assign other PCI USB controllers to your own USB VM. If your system only has one USB controller you could purchase a USB expansion card.

Read the Qubes USB docs for more info: https://www.qubes-os.org/doc/usb/

Regards,
Robert

--
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/f539d88f-6575-6786-6139-d2705b0781a5%40fastmail.fm.
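Robert's second option means splitting the machine's USB controllers by PCI device: the controller the keyboard hangs off stays with dom0 and every other one is assigned to a USB qube. The script below is an added example, not Robert's or the Qubes project's code: it reads `lspci -nn` output, picks out the USB controllers by their PCI class code (0c03), and prints the `qvm-pci` commands that would attach all of them except the one you keep. The sample `lspci` lines are constructed, and the R4.0 command form `qvm-pci attach --persistent QUBE dom0:BB_DD.F` (with the `BB_DD.F` spelling of the device id) is an assumption to confirm against `qvm-pci --help` on your system before running anything it prints.

```shell
#!/bin/sh
# Added example (not from the thread): derive the qvm-pci commands that move
# every USB controller except the keyboard's one to a USB qube.
# Assumptions: R4.0's "qvm-pci attach --persistent QUBE dom0:BB_DD.F" form
# and the BB_DD.F device-id spelling; verify with "qvm-pci --help".

# usb_controllers : read "lspci -nn" lines on stdin, print the BDF of each
# USB controller. lspci -nn prints the class code in brackets, e.g.
# "USB controller [0c03]", which is what we match on.
usb_controllers() {
    awk '/\[0c03\]/ { print $1 }'
}

# pci_assign_commands USBVM KEEP_BDF : read "lspci -nn" on stdin and print one
# attach command per USB controller, skipping KEEP_BDF (the controller the
# keyboard is plugged into, which must stay with dom0 so the disk password
# can still be typed at boot).
pci_assign_commands() {
    usbvm="$1"; keep="$2"
    usb_controllers | while read -r bdf; do
        [ "$bdf" = "$keep" ] && continue
        # qvm-pci spells the id 00:1d.0 as 00_1d.0
        devid=$(printf '%s' "$bdf" | tr ':' '_')
        printf 'qvm-pci attach --persistent %s dom0:%s\n' "$usbvm" "$devid"
    done
}

# Constructed sample "lspci -nn" output for a box with two USB controllers.
# Vendor/device ids are made up for the example.
SAMPLE_LSPCI='00:00.0 Host bridge [0600]: Example Corp Host Bridge [1234:0001]
00:14.0 USB controller [0c03]: Example Corp xHCI Host Controller [1234:0002]
00:1d.0 USB controller [0c03]: Example Corp EHCI Host Controller [1234:0003]
00:1f.2 SATA controller [0106]: Example Corp SATA Controller [1234:0004]'

# Stand-alone run: keep 00:14.0 for the keyboard, hand the rest to "usbvm".
# In dom0 you would pipe real output instead:  lspci -nn | pci_assign_commands usbvm 00:14.0
printf '%s\n' "$SAMPLE_LSPCI" | pci_assign_commands usbvm 00:14.0
```

Find the keyboard's controller first (plug the keyboard in and check `lsusb -t` or the `usb*` entries under /sys/bus/pci/devices/*/ in dom0), then review the printed commands before running them; assigning the wrong controller to the qube reproduces exactly the lock-out Nicolas describes, since that controller disappears from dom0 at the next boot.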