How to implement the idea of USB qube in other OS?

Qubes OS has many good ideas for security. But sometimes a user may not be running Qubes OS. So it will be useful if he can realize some of Qube’s ideas in his current OS.

For example I’m running Debian and I have multiple KVM virtual machines. They isolate my different activities. Now I want a “USB qube” with KVM. The steps I can think of is to:

  1. In virt-manager, create a new virtual machine as normal.
  2. For the new VM, “Add Hardware”, select “PCI Host Device”, and add the USB controller.
  3. Boot the new USB VM. When plugging in a USB device, simply “Add Hardware” again, select “USB Host Device”, and add the plugged-in USB device.

My question is, is this procedure correct, or not sensible at all? KVM and Xen are different, after all. Will it work, or break the system (even with a PS/2 keyboard), or leave security holes?

Additionally, how can this work for keyboard and mouse? For USB storage devices, it’s probably straightforward because I can just read and exfiltrate the content in the USB VM. But how does Qubes forward the keyboard and mouse input from USB qube, back to the host, and how can this be implemented under KVM? Will it be necessary to write programs for this, or will the features of KVM be enough?

Note: I was following the “Manual Creation” section of the USB qube doc, though it is specific to Qubes, not KVM. It also doesn’t talk about how to check if a USB controller is “appropriate” to assign to a VM, or will doing so break the system.
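A check the post above asks for (whether a USB controller can be assigned to a VM on its own), as an added example that is not part of this thread: VFIO hands whole IOMMU groups to a guest, so a controller sharing its group with other devices is not "appropriate" for step 2. SYSFS_ROOT is an assumed parameter so the script can be run against a constructed sysfs tree instead of the live /sys.

```shell
#!/bin/sh
# Added example, not from the original thread. Before assigning a USB host
# controller to a KVM guest (the "PCI Host Device" step), list the IOMMU groups
# that contain one and report whether the controller is alone in its group.
# VFIO assigns whole groups: a controller that shares a group with a NIC,
# SATA controller or bridge cannot be handed to the guest by itself.
# SYSFS_ROOT is an assumed parameter so the functions can be run against a
# constructed sysfs tree instead of the live /sys.

# True if the PCI device directory $1 is a USB host controller
# (PCI class 0x0c = serial bus, subclass 0x03 = USB; sysfs "class" is 0xCCSSPP).
is_usb_controller() {
  cls=$(cat "$1/class" 2>/dev/null) || return 1
  case "$cls" in 0x0c03*) return 0 ;; *) return 1 ;; esac
}

# Print "<group> isolated|shared <members>" for IOMMU group $2 under root $1.
# Returns 0 only if the group holds exactly one device.
check_group() {
  root=$1; grp=$2; members=""; n=0
  for d in "$root/kernel/iommu_groups/$grp/devices"/*; do
    [ -e "$d" ] || continue
    members="$members ${d##*/}"; n=$((n + 1))
  done
  if [ "$n" -eq 1 ]; then echo "$grp isolated$members"; return 0; fi
  echo "$grp shared$members"; return 1
}

# Walk every IOMMU group; report each one that contains a USB controller.
# Exit status: number of USB controller groups that are not isolated,
# or 255 if the kernel exposes no IOMMU groups at all (IOMMU disabled).
usb_groups_report() {
  root=${1:-/sys}; groups="$root/kernel/iommu_groups"; bad=0
  if [ ! -d "$groups" ]; then
    echo "no IOMMU groups: enable VT-d/AMD-Vi in firmware and intel_iommu=on or amd_iommu=on" >&2
    return 255
  fi
  for g in "$groups"/*/; do
    g=${g%/}; grp=${g##*/}
    for d in "$g/devices"/*; do
      [ -e "$d" ] || continue
      # one report per group, even if it holds several USB controllers
      if is_usb_controller "$d"; then check_group "$root" "$grp" || bad=$((bad + 1)); break; fi
    done
  done
  return $bad
}

usb_groups_report "${SYSFS_ROOT:-/sys}" ||
  echo "warning: $? USB controller group(s) not isolated (255 = no IOMMU)" >&2
```

A group reported as "shared" means the controller would drag the other members into the guest (or vfio-pci will refuse the bind); pick a controller in an isolated group, and check which controller your keyboard hangs off before moving it.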

I can’t answer to your question, but perhaps this might be relevant:


After I carefully backed up the system and took other preventive measures, I tried those steps, and it seemed to work. After I attached a USB Controller to the VM, I tested by inserting USB devices into the machine. The host OS doesn’t see the USB device in commands like lsblk anymore. In fact, the host OS can’t seem to detect any USB devices. But the VM can automatically see the USB device in lsblk, without the part in step 3 of adding “USB Host Device” to the VM.

However, it remains a question whether this means a malicious USB device will be fully contained in the VM, or whether it does not stop it from attacking the host OS. Of course, the question assumes the malicious USB device is plugged in after the VM is started.

The question probably requires moderate knowledge of the inner working of Qubes. Maybe the developers can help.