I’m unsure of the exact details on how the internal sys-usb qubes works. I’ll break this into two parts.
If I have one usb device with backup files on it, and I plug in another usb stick with a compromised firmware, does this expose my backup files to the compromised device?
I’ve read about creating multiple sys-usb qubes for each usb device. How would this work? My devices (PCI devices) only show a single USB 3.0 device and a single thunderbolt device, even though I have multiple ports of each.
If anyone could explain these concepts and / or point me to an existing thread, it would be much appreciated.
Small note : don’t confuse an USB “controller” (a PCI device), an USB “port/plug” (the physical plug), and an USB “device” (mouse, keyboard, etc).
So, a single USB controller is responsible for several USB plugs and devices (even handling various protocols like USB2, USB3, thunderbolt, …).
Compare the different outputs of “lspci | grep -i USB” and “lsusb” (or “lsusb -vt”).
Or using the Qubes tools, “qvm-pci” and “qvm-usb”.
When you have 2 controllers like you, you can have several sys-usb qubes, each handling a separate controller.
This way you could use a sys-usb for “trusted devices” (your mouse, keyboard, maybe backup drive) using one controller, and another sys-usb using the other for “untrusted devices” (or more !).
On Qubes, you just have to be careful as AFAIK, the system-provided sys-usb handles your keyboard and mouse. It depends on your install choices.
But in vendor hardware documentation, I’ve never found which plug goes to which controller.
There are some explanations in the above docs, but it may be daunting for some users.
So, there is this thread : Figure out which port goes to which controller, but it’s kinda messy now (I posted there) ^^
Also, it may or may not depend on the internal wirings of your computer (but I may have misread the Intel docs about the laptop of the OP and be wrong on that).
It’s not that difficult, but depends on your computer knowledge -and- your security requirements.
Yes, I have read the docs. That’s my point. In question #1 I mention my concern for isolating different usb ports / devices and in question two I mention how I only have (2) usb controllers (one for usb 3.0 and one for thunderbolt).
It was mentioned above that there was some way to isolate individual secure and insecure usb devices, but from my reading of the docs, i don’t see how this is possible.
If anyone knows how I can achieve individual usb port isolation, please post.
To clarify, I understand I can manually reassign usb devices to another qubes and potentially ‘clear’ sys-usb of devices before testing a compromised device, but again going back to my first question - I’m not sure the technical details of how secure this would be. (Also, the goal of my question is for an auto reassignment to prevent human error)
No, you read too quickly.
I said that to achieve this, you need to use one USB -controller- for safe devices, and -another controller- for unsafe devices. You achieve this by PCI PT-ing each controller to a different usb qube.
That way, you can have two qubes :
“sys-usb-safe”, with one controller
“sys-usb-unsafe”, with another controller
Ofc, you can create as much sys-usb qubes as you have -PCI- USB controllers, depending on your threats (sys-usb-private, sys-usb-friends, sys-usb-unknown, etc).