Accidentally plugged in untrusted USB stick while sys-usb-externals was turned off. Am I toast?

I have 2 usb controllers. One for keyboard and mouse and another for all other devices such as usb sticks. I accidentally plugged in a likely malicious usb stick while the second sys-usb-externals was turned off. Does that mean it connects to dom0 whenever the sys-usb-externals is turned off? Did I just ruin all my security or does QubesOS have prevention measures in place?

Hello, @RamLovingPenguin

For useful replies, I think it would be useful to give some details of your setup. It sounds like it is not a standard install…

For example: How are your usb controller(s) hidden from Dom0 at boot, or not hidden (grub command line)? How do you use USB keyboard for encryption key input (or not)? Do you have multiple sys-usb qubes? How are they set up?


When the sys-usb is shut down, the devices in the corresponding ports should not work at all, not even should they be charging. You can verify this yourself by trying to charge something.

AFAIK no, when I shut down my (only) sys-usb, no USB devices are connected anywhere. Relevant docs: USB qubes | Qubes OS


Not sure how to tell and what those entirely mean, but during install I clicked yes to wanting a sys-usb and for it to start up on boot, as I only have a USB keyboard and mouse instead of PS/2. To get my second sys-usb I just clicked Clone Qube in the Qubes Manager on the sys-usb and then changed the device controller to the one in sys-usb originally and switched the controller in sys-usb to the extra one I have connected via PCIe.

I turned off sys-usb-externals and plugged in something to charge and it did indeed turn on and was charging despite the sys-usb-externals vm being turned off.

You are right, I just tried it too and my device indeed can charge even with sys-usb shutdown. However, dom0 doesn’t show anything with lsusb or with qvm-usb in this case.

From my link:

USB controllers are automatically hidden from dom0 if you opt to create a USB qube during installation. This also occurs automatically if you choose to create a USB qube using the qubesctl method. However, if you create a USB qube manually and do not hide USB controllers from dom0, there will be a brief period of time during the boot process when dom0 will be exposed to your USB controllers (and any attached devices). This is a potential security risk.

I think it is possible for controllers to provide power even without instruction from the driver. (I’ve been reading the manual for a Renesas device, and it looks like the vendor can choose)

Another test is to shutdown sys-usb-externals and plug a keyboard into one of its ports. If you can type to Dom0, then you have allowed the untrusted device to impersonate a keyboard - this would require malicious firmware on the key.
If the device was only a storage (with or without viruses), and your grub vmlinuz line contains usbcore.authorized_default=0, then Dom0 did not interact with it, because USBGuard only allows keyboard and mouse by direct USB connection. Normally Dom0 is not interested in USB anyway, except for KB/mouse.

A last thing (I think it is not your case, but maybe it is interesting):
if your grub vmlinuz line contains 'rd.qubes.hide_all_usb' and also 'rd.qubes.dom0_usb=<BDF>', where <BDF> is the BDF of your trusted USB controller, then you are all good and 100% safe, because all USB controllers are hidden except for the chosen one. This is my preferred setup with one controller where I only plug trusted KB/mouse - I think it is also compatible with a trusted sys-usb. It is only vulnerable in two cases (I believe):
V1: if your trusted USB changes position on the PCI bus AND another untrusted one takes its place. This seems unlikely except if you have another USB controller next to "trusted one" on the bus.
V2: you plug something really bad in your trusted ports.
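Added example (written for this thread, not posted by anyone above): a small POSIX sh check that applies the rules from the last two posts to a kernel command line and a list of USB controller BDFs, reporting which controllers dom0 will still see at boot and whether usbcore.authorized_default=0 is set. rd.qubes.hide_all_usb, rd.qubes.dom0_usb and usbcore.authorized_default are from the thread; rd.qubes.hide_pci is the documented per-device hide option, and the BDFs and command lines below are constructed samples.

```shell
#!/bin/sh
# On a real dom0 feed it the live values instead of the constructed samples:
#   cmdline=$(cat /proc/cmdline)
#   controllers=$(lspci -n | awk '$2 == "0c03:" {print $1}')   # USB class

# Is $1 one of the comma-separated items in $2?
in_list() {
    case ",$2," in *",$1,"*) return 0 ;; esac
    return 1
}

# Value of the key=value parameter $2 in command line $1 (empty if absent)
cmdline_value() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | tail -n 1
}

# Print, one per line, the USB controller BDFs dom0 is exposed to at boot.
usb_exposed_to_dom0() {
    cmdline=$1; controllers=$2
    if in_list rd.qubes.hide_all_usb "$(printf '%s' "$cmdline" | tr ' ' ',')"; then
        # everything hidden except the controllers listed in rd.qubes.dom0_usb
        allowed=$(cmdline_value "$cmdline" rd.qubes.dom0_usb)
        for c in $controllers; do
            in_list "$c" "$allowed" && echo "$c"
        done
    else
        # only the controllers named in rd.qubes.hide_pci are hidden
        hidden=$(cmdline_value "$cmdline" rd.qubes.hide_pci)
        for c in $controllers; do
            in_list "$c" "$hidden" || echo "$c"
        done
    fi
    return 0
}

# Succeeds if dom0 will not authorize newly plugged USB devices by default.
usb_authorized_default_off() {
    [ "$(cmdline_value "$1" usbcore.authorized_default)" = 0 ]
}

# Constructed samples: an on-board controller and an add-in PCIe controller
SAMPLE_CONTROLLERS="00:14.0 03:00.0"
# The setup from the last post: all hidden except the trusted controller
SAFE_CMDLINE="root=/dev/mapper/qubes_dom0-root rd.qubes.hide_all_usb rd.qubes.dom0_usb=00:14.0 usbcore.authorized_default=0"
# A cloned second sys-usb whose add-in controller was never hidden at boot
RISKY_CMDLINE="root=/dev/mapper/qubes_dom0-root rd.qubes.hide_pci=00:14.0"

usb_exposed_to_dom0 "$RISKY_CMDLINE" "$SAMPLE_CONTROLLERS"
```

Any BDF printed is a controller dom0 sees during boot regardless of whether its sys-usb is running; `lspci` in dom0 lists hidden controllers too, so the command line, not `lspci`, is what to read.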