Qubes OS has many good ideas for security. But sometimes a user may not be running Qubes OS. So it would be useful if he could realize some of Qubes’ ideas in his current OS.
For example, I’m running Debian and I have multiple KVM virtual machines. They isolate my different activities. Now I want a “USB qube” with KVM. The steps I can think of are:
- In virt-manager, create a new virtual machine as normal.
- For the new VM, “Add Hardware”, select “PCI Host Device”, and add the USB controller.
- Boot the new USB VM. When plugging in a USB device, simply “Add Hardware” again, select “USB Host Device”, and add the plugged-in USB device.
My question is, is this procedure correct, or not sensible at all? KVM and Xen are different, after all. Will it work, or break the system (even with a PS/2 keyboard), or leave security holes?
Additionally, how can this work for keyboard and mouse? For USB storage devices, it’s probably straightforward because I can just read and exfiltrate the content in the USB VM. But how does Qubes forward the keyboard and mouse input from the USB qube back to the host, and how can this be implemented under KVM? Will it be necessary to write programs for this, or will the features of KVM be enough?
Note: I was following the “Manual Creation” section of the USB qube doc, though it is specific to Qubes, not KVM. It also doesn’t talk about how to check if a USB controller is “appropriate” to assign to a VM, or whether doing so will break the system.
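
An added example, not part of the original post: one way to check on a Linux/KVM host whether a USB controller is a reasonable candidate for the "PCI Host Device" step above. It reads sysfs to list each USB controller, the other PCI devices in its IOMMU group, and whether a HID device is plugged into it. The function names and the optional sysfs-root argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit USB controllers before assigning one to a KVM guest.
# Function names and the optional sysfs-root argument are assumptions.

# Print PCI addresses whose class is 0x0c03xx (USB host controller).
usb_controllers() {
    root=${1:-/sys}
    for dev in "$root"/bus/pci/devices/*; do
        [ -r "$dev/class" ] || continue
        case $(cat "$dev/class") in
            0x0c03*) basename "$dev" ;;
        esac
    done
}

# Print the other devices in the controller's IOMMU group. VFIO assigns by
# group, so every peer listed here has to be detached from the host as well.
iommu_peers() {
    root=${1:-/sys}; addr=$2
    grp="$root/bus/pci/devices/$addr/iommu_group/devices"
    [ -d "$grp" ] || { echo "no-iommu"; return 0; }
    for peer in "$grp"/*; do
        [ -e "$peer" ] || continue
        p=$(basename "$peer")
        [ "$p" = "$addr" ] || echo "$p"
    done
}

# Succeed if any USB interface below the controller is HID (class 03),
# typically a keyboard or mouse the host would lose after passthrough.
has_hid() {
    d="${1:-/sys}/bus/pci/devices/$2"
    find -H "$d" -name bInterfaceClass -exec cat {} + 2>/dev/null | grep -qx 03
}

# One summary line per USB controller.
audit() {
    r=${1:-/sys}
    for c in $(usb_controllers "$r"); do
        peers=$(iommu_peers "$r" "$c" | tr '\n' ' ')
        if has_hid "$r" "$c"; then hid=yes; else hid=no; fi
        echo "$c peers=[${peers% }] hid_attached=$hid"
    done
}

audit "${1:-/sys}"
```

A controller reported with `peers=[]` and `hid_attached=no` can be handed to the guest without taking other devices or the host's input devices with it; `no-iommu` means the kernel exposes no IOMMU group for it, so VFIO passthrough is not available as configured.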