Hi, I’ve just installed Qubes on my laptop(it has only usb-c) and attached my external monitor to it, but obviously it’s not very practical to use a monitor with laptop’s keyboard and mouse, but every search I did I get some scary threats that may come out of the bluetooth keyboard and mouse(less). So what are the practical ways of working with external monitors? I assume there is some workaround this issue?
Thanks
In this case there are no workarounds (or at least I don’t know of any). Either you’ll have more convenience by using USB/bluetooth keyboard/mouse but less security or you’ll have more security by using PS/2 keyboard/mouse but with less convenience.
you’ll have more security by using PS/2 keyboard/mouse but with less convenience
I want this, but is this even possible with a laptop that have only type-c? And besides, does it make any sense to use ps/2 with type-c and not regular usb-keyboard?
Well, if you have Thunderbolt USB-C port then you can use PS/2 keyboard/mouse.
I don’t know if there are any Thunderbolt dock stations with PS/2 ports or Thunderbolt to PS/2 adapters.
But there are Thunderbolt to PCI adapters and you can connect PCI to PS/2 adapter to this Thunderbolt to PCI adapter.
But I’m not sure about security implications of connecting Thunderbolt devices to Qubes OS.
I’m not sure if that’s going to be treated as a standard PS/2… same as with sys-usb and sys-net, but I’m not sure and would be glad if someone could clear this out.
I’ve searched a bit for PCI to PS/2 adapters and all I could find are just USB controllers with built in PS/2 to USB adapters.
So it won’t really add up to security, at most it’ll just make it harder for attacker to connect malicious USB device to USB controller since there won’t be a physical USB port.
This is frustrating… I can’t see any practical solutions to this.
Is there no one here who use external monitor with a computer that has only type-c connections?
Can you like please suggest something practical for me, because working with a laptop screen / external monitor and laptop’s keyboard is not practical whatsoever.
and @disp6252 , thanks for trying to help me out.
I think most people just relax their threat model and use USB keyboard/mouse with sys-usb since the security concerns with such setup require attacker to have physical access to your laptop or to replace one of your USB devices or dock station with a malicious one. Not many people have a threat model that require them to protect themselves from such attacks.
It might be I just didn’t understand how this works. So, I can buy a usb(not type-c) wired keyboard and just use it based on the documentation?
Also, I don’t have a sys-usb, instead I have sys-net and I think it’s due to the checkbox I selected in installation process, don’t remember why. So even so, it should work, correct? I don’t want to buy a keyboard just for testing proposes.
USB keyboard/mouse will work even without sys-usb, but in this case the USB controllers and USB devices will be connected to dom0 which will have more security risks compared to using sys-usb as stated in documentation:
A USB qube acts as a secure handler for potentially malicious USB devices, preventing them from coming into contact with dom0 (which could otherwise be fatal to the security of the whole system). It thereby mitigates some of the security risks of using USB devices. Nonetheless, we strongly recommend carefully reading the security warning on USB input devices before proceeding.
But you still can create a USB qube for use with a USB keyboard according to documentation and use it. But there could be some peculiarities for your system which will require you specifically configure your sys-usb or to be unable to use sys-usb at all. For example, if you’re using Qubes OS installed on external USB drive and you have only one USB controller in your laptop then you won’t be able to use sys-usb because this USB controller with connected Qubes OS USB drive must be connected to dom0 to use the drive.
I really glad to hear that.
So I grabbed an old usb-keyboard from a friend, modified qubes.InputKeyboard and when I plugged the keyboard it pop-up four "Operation execution"s, with confirmation to connect the keyboard to sys-net, they were identical and the keyboard worked only after confirming all three of them - is this a bug?
However, when I tried to create a sys-usb as it says in the docs with sudo qubesctl state.sls qvm.sys-usb it failed with an error:
The following requisites were not found:
require:
sls: qvm.sys-net
and then on the bottom:
DOM0 configuration failed, not continuing
What I did is just followed the docs with USB qubes | Qubes OS
Bump
What are you bumping for.
If it is because you want to create a sys-usb using salt, then you need
to investigate why you no longer have a sys-net state file - that file
should be at /srv/formulas/base/virtual-machines-formula/qvm/sys-net.sls
If you just want to create a sys-usb, then create it manually: you can
look at sys-usb.sls to see what salt does.
If you want a disposable sys-usb:
qvm-create DispVM sys-usb -l red
qvm-prefs sys-usb memory 400
qvm-prefs sys-usb virt_mode hvm
qvm-prefs sys-usb netvm ''
qvm-prefs sys-usb autostart True
qvm-features sys-usb service.network-manager ''
qvm-features sys-usb service.memimfo-writer ''
This will create sys-usb using the default disposable template.
You should have qubes-input-proxy installed in the underlying template.
You can change this to a custom disposable template if you want.
You will need to identify the usb controller you want to use and attach
it to sys-usb (devices tab on Settings). you may need to configure
strict reset for the controller, depending on your hardware.
Since it looks as if you have some USB controllers attached to sys-net
already, you will have to remove them from there to attach them to the
new sys-usb.
If this doesn’t address you problem, apologies.
Be explicit about what you are bumping.