Creating Multiple sys-usb Qubes


I’m unsure of the exact details of how the internal sys-usb qube works. I’ll break this into two parts.

If I have one usb device with backup files on it, and I plug in another usb stick with a compromised firmware, does this expose my backup files to the compromised device?

I’ve read about creating multiple sys-usb qubes for each usb device. How would this work? My devices (PCI devices) only show a single USB 3.0 device and a single thunderbolt device, even though I have multiple ports of each.

If anyone could explain these concepts and / or point me to an existing thread, it would be much appreciated.

Thank you.

For your first question, I assume yes, but I’ll let more knowledgeable users explain/link the how and why.
See USB Security / Security Warning On USB Input Devices.

Small note: don’t confuse a USB “controller” (a PCI device), a USB “port/plug” (the physical plug), and a USB “device” (mouse, keyboard, etc.).
So, a single USB controller is responsible for several USB plugs and devices (even handling various protocols like USB2, USB3, thunderbolt, …).
Compare the different outputs of “lspci | grep -i USB” and “lsusb” (or “lsusb -vt”).
Or using the Qubes tools, “qvm-pci” and “qvm-usb”.

When you have 2 controllers like you do, you can have several sys-usb qubes, each handling a separate controller.
This way you could use a sys-usb for “trusted devices” (your mouse, keyboard, maybe backup drive) using one controller, and another sys-usb using the other for “untrusted devices” (or more!).
On Qubes, you just have to be careful as AFAIK, the system-provided sys-usb handles your keyboard and mouse. It depends on your install choices.

Recommended docs:

But in vendor hardware documentation, I’ve never found which plug goes to which controller.
There are some explanations in the above docs, but it may be daunting for some users.
So, there is this thread : Figure out which port goes to which controller, but it’s kinda messy now (I posted there) ^^
Also, it may or may not depend on the internal wirings of your computer (but I may have misread the Intel docs about the laptop of the OP and be wrong on that).
It’s not that difficult, but depends on your computer knowledge -and- your security requirements.


Thank you! Those are all great documents.

I set up a sys-usb, and I can see all of the devices.

My main concern is how to properly deploy this secure and insecure configuration.

My first step would be to copy the sys-usb qubes and rename each accordingly.

How would I do a permanent assignment of each usb device / port to the respective sys-usb?

Thank you.

You do not assign any device/port to a sys-usb. You assign controller to a sys-usb. So before (trying to) deploy, I think rereading is needed.

Yes, I have read the docs. That’s my point. In question #1 I mention my concern for isolating different usb ports / devices and in question two I mention how I only have (2) usb controllers (one for usb 3.0 and one for thunderbolt).

It was mentioned above that there was some way to isolate individual secure and insecure usb devices, but from my reading of the docs, I don’t see how this is possible.

If anyone knows how I can achieve individual usb port isolation, please post.

Thank you.

To clarify, I understand I can manually reassign usb devices to another qube and potentially ‘clear’ sys-usb of devices before testing a compromised device, but again going back to my first question - I’m not sure of the technical details of how secure this would be. (Also, the goal of my question is for an auto reassignment to prevent human error)

It’s impossible to isolate the different USB ports with software since this is a hardware problem:
Malicious Devices Can Capture Keystrokes, Other Sensitive Data from Leaky USB Hubs | Tripwire


No, you read too quickly.
I said that to achieve this, you need to use one USB -controller- for safe devices, and -another controller- for unsafe devices. You achieve this by PCI PT-ing each controller to a different usb qube.
That way, you can have two qubes:

  • “sys-usb-safe”, with one controller
  • “sys-usb-unsafe”, with another controller

Ofc, you can create as many sys-usb qubes as you have -PCI- USB controllers, depending on your threats (sys-usb-private, sys-usb-friends, sys-usb-unknown, etc).
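The two points made in this thread (a sys-usb is assigned a PCI controller, not a port; and one controller per qube is what gives "safe" and "unsafe" USB qubes) can be turned into a repeatable dom0 procedure. The script below is an added example, not code from this thread or from the Qubes project. It reads lspci-style output, derives the identifiers in the form `qvm-pci` uses (`dom0:BB_DD.F`), and prints the dom0 commands that would create the two qubes named in the post above and attach one controller to each. It only prints the commands, so it can be run anywhere for review before anything is pasted into dom0; the lspci lines are constructed sample data, and the template name is a placeholder you must replace with one of your own templates. The `qvm-create`, `qvm-prefs` and `qvm-pci attach --persistent` invocations are standard dom0 commands; `virt_mode hvm` is set because PCI passthrough requires HVM rather than PVH.

```shell
#!/bin/sh
# Plan a safe/unsafe sys-usb split from lspci output (dry run: prints dom0
# commands, executes nothing). Added example; not part of the Qubes project.

# Constructed sample of `lspci` output for a machine with two USB controllers
# (one xHCI controller and one Thunderbolt controller that also exposes USB).
SAMPLE_LSPCI='00:14.0 USB controller: Example Corp xHCI USB 3.0 Controller (rev 21)
00:1c.0 PCI bridge: Example Corp PCI Express Root Port #1 (rev f1)
05:00.0 USB controller: Example Corp Thunderbolt 3 USB 3.1 Controller (rev 02)'

# Placeholder: replace with a template that exists on your system.
TEMPLATE='YOUR-TEMPLATE-NAME'

# usb_controller_ids: stdin = lspci output, stdout = one qvm-pci identifier
# per USB controller. lspci prints "00:14.0"; qvm-pci wants "dom0:00_14.0".
usb_controller_ids() {
    grep -i 'USB controller' | awk '{ sub(/:/, "_", $1); print "dom0:" $1 }'
}

# plan_usb_qubes TEMPLATE SAFE_QUBE UNSAFE_QUBE: stdin = lspci output.
# Emits the dom0 commands for two USB qubes, each owning one PCI controller.
# Fails (returns 1) when fewer than two controllers are present, because a
# single controller cannot be split between qubes at the port level.
plan_usb_qubes() {
    tmpl=$1; safe=$2; unsafe=$3
    ids=$(usb_controller_ids)
    n=$(printf '%s\n' "$ids" | grep -c . || true)
    if [ "$n" -lt 2 ]; then
        echo "need at least two USB controllers, found $n" >&2
        return 1
    fi
    first=$(printf '%s\n' "$ids" | sed -n 1p)
    second=$(printf '%s\n' "$ids" | sed -n 2p)
    for q in "$safe" "$unsafe"; do
        printf 'qvm-create --template %s --label red %s\n' "$tmpl" "$q"
        # PCI passthrough needs HVM; PVH qubes cannot take PCI devices.
        printf 'qvm-prefs %s virt_mode hvm\n' "$q"
    done
    # --persistent keeps the assignment across reboots of the qube.
    printf 'qvm-pci attach --persistent %s %s\n' "$safe" "$first"
    printf 'qvm-pci attach --persistent %s %s\n' "$unsafe" "$second"
}

# Stand-alone run over the constructed sample. In dom0 you would instead pipe
# real `lspci` output:  lspci | plan_usb_qubes "$TEMPLATE" sys-usb-safe sys-usb-unsafe
printf '%s\n' "$SAMPLE_LSPCI" | plan_usb_qubes "$TEMPLATE" sys-usb-safe sys-usb-unsafe
```

Which physical plugs belong to which controller is not visible in this output; that is the separate, hardware-specific question raised earlier in the thread, and it has to be checked by plugging a device into each port and watching which qube `qvm-usb` reports it under.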