I’m currently following this approach to attach a USB storage device to an AppVM:
# in dom0
qvm-block list
I note down the first column (BACKEND:DEVID) in $identifier. Then:
# in dom0
qvm-block attach "$appVM" "$identifier"
This works. I can see the attached device in “$appVM” under /dev/xvdi and I can mount it.
However, I don’t have the package qubes-usb-proxy installed in either sys-usb, or the $appVM. I’ve checked using sudo apt list --installed qubes-usb-proxy.
Is this normal? The docs say that this package is necessary.
My reply is pretty by the book but usually I go to the Settings for the AppVM, change to HVM, hit Apply, then go to the Devices tab and add the USB port to that Qube.
A USB qube acts as a secure handler for potentially malicious USB devices, preventing them from coming into contact with dom0 (which could otherwise be fatal to the security of the whole system). It thereby mitigates some of the security risks of using USB devices.
…
If you opted to allow the Qubes installer to create a USB qube for you during the installation process, then you should already have a working USB qube, and no further action should be required.
However, there are several cases where this USB qube is not created, for instance:
if you have a usb keyboard
if you are running QubesOs from a usb device (my use case)
In all those cases, you can still attach USB devices per-VM - you just don’t benefit from the same security guarantees as through qubes-usb-proxy
Exactly, and it’s even preferable that way. Attaching as a block device is more robust, can be faster, and there’s less attack surface, compared to attaching as a USB device.
Is there any reference that confirms block devices are treated differently from other USB devices?
There is no difference between the qvm-device, qvm-block and qvm-usb commands; the man qvm-device page says they’re aliases of qvm-device with different flags.
Minimal templates — Qubes OS Documentation says: “The following list provides an overview of which packages are needed for which purpose. […] USB qube, such as the template for sys-usb: qubes-usb-proxy to provide USB devices to other Qubes”
And (if appropriate), a reminder from the minimal templates page:
The minimal templates are intended only for advanced users. Most things will not work out-of-the-box, and you will have to fix them yourself. If you are not prepared to do a lot of reading, searching, learning, and troubleshooting, then you should instead stick to the standard templates, which are perfectly suitable for the vast majority of users. In particular, if you are new to Qubes, you should not attempt to use minimal templates until you have gained more experience.
qvm-block ... is an alias for qvm-device block ... (and corresponds to the “Block Storage” section of the Qubes Devices widget). Similarly qvm-usb ... for qvm-device usb .... They use a completely different forwarding mechanism - Xen’s blkback+blkfront vs. the Linux kernel’s USB/IP (over qrexec), respectively.
