Making sys-usb disposable

When installing Qubes, I elected to use a sys-usb VM. As an extra layer of security, I would like to make this VM disposable such that if a malicious USB is inserted, the damage would be limited to that disposable VM’s session.

  1. Does it make sense that using a disposable VM for sys-usb would improve security?
  2. Is it possible to make sys-usb disposable? Ideally it would automatically start upon OS startup, and my usb keyboard and mouse would be recognized automatically. Other sys-usb features would ideally operate the same in this disposable version.
  3. Could the same logic apply to other sys- VMs, such as sys-net (the perimeter networking VM), sys-firewall (the internal networking VM), and sys-whonix (the Tor proxy networking VM)?

Have a read of DisposableVM Customization | Qubes OS.
sys-usb works just fine in this way, the others should too.

2 Likes

I have followed the steps (1-5) in the disposable sys-usb,
and successfully created a disposable sys-usb,

but usually, starting a disposable VM will create another new VM,
with a unique name, i.e. disp8734,
which I don’t see happen when starting disposable sys-usb,

so instead of creating another new VM with a unique name, i.e. disp8734,
it starts the disposable sys-usb itself,
just like any other normal app VM,
although it’s using a disposable VM as its template VM,

so, which part is wrong?
or is it creating a disposable VM in the background?
how do we know that it is disposable?

That is normal behavior for disposable sys-usb.
You can test that sys-usb is being properly disposable by creating a dummy file in the home directory and restarting sys-usb; if the file is still there, something went wrong with the installation.

Btw Qubes OS 4.1 provides an option during install to create disposable sys-usb and sys-firewall that is enabled by default (in rc1). There is also an option to create disposable sys-net but that isn’t enabled by default.

1 Like

okay, thanks

do you know why the disposable sys-usb
is categorized as a domain, instead of a service?

also, all of the app menus are being assigned to the disposable sys-usb I created,
but when I check in the Qubes Settings Application, none of those are selected,

I have tried:
qvm-features disp-sys-usb appmenus-dispvm 1
qvm-features disp-sys-usb appmenus-dispvm ''
but nothing changes,

do you know how to remove those menus?

Probably not the official way but: Open up terminal in dom0.

cd ~/.local/share/applications/
ls | grep disp-sys-usb

That should show you a list of .desktop files only for disp-sys-usb.
Leave the Qube Settings .desktop file, but delete the rest (be sure that you only delete .desktop files that contain disp-sys-usb).
You can remove files like this:
rm name-of-the-file.desktop

And then run
qvm-features disp-sys-usb appmenus-dispvm ' '
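The same cleanup as a dry-run-first script, added here as an example and not something posted in the thread. It lists the dom0 .desktop entries for a named disposable before anything is deleted, and keeps every file matching a "keep" pattern so the Qube Settings entry survives. The directory ~/.local/share/applications/ is the one the post names; the assumption that the settings launcher's filename contains "qubes-vm-settings" is mine and can be overridden with KEEP_PATTERN.

```shell
#!/bin/sh
# Added example, not the thread's own commands or official Qubes tooling.
# Usage in dom0:   sh appmenu-cleanup.sh disp-sys-usb            (dry run)
#                  sh appmenu-cleanup.sh disp-sys-usb --delete   (remove)
# APPMENU_DIR and KEEP_PATTERN may be set in the environment.

# Assumption: the per-qube settings launcher's filename contains this string.
KEEP_PATTERN="${KEEP_PATTERN:-qubes-vm-settings}"

# list_removable_entries DIR QUBE
# Prints the .desktop files in DIR whose name contains QUBE (what the
# thread's "ls | grep disp-sys-usb" matched), minus the kept settings entry.
list_removable_entries() {
    dir=$1; qube=$2
    for f in "$dir"/*"$qube"*.desktop; do
        [ -e "$f" ] || continue            # glob matched nothing
        case "$(basename "$f")" in
            *"$KEEP_PATTERN"*) continue ;;  # keep Qube Settings launcher
        esac
        printf '%s\n' "$f"
    done
}

# count_removable_entries DIR QUBE : number of files a --delete would remove
count_removable_entries() {
    list_removable_entries "$1" "$2" | wc -l | tr -d ' '
}

# remove_entries DIR QUBE : delete exactly the files the dry run listed
remove_entries() {
    list_removable_entries "$1" "$2" | while IFS= read -r f; do
        rm -- "$f" && printf 'removed %s\n' "$f"
    done
}

main() {
    qube=${1:?usage: $0 QUBE [--delete]}
    dir="${APPMENU_DIR:-$HOME/.local/share/applications}"
    if [ "${2-}" = "--delete" ]; then
        remove_entries "$dir" "$qube"
        # After the files are gone, clear the feature as the post suggests.
        printf "now run: qvm-features %s appmenus-dispvm ''\n" "$qube"
    else
        printf 'Dry run; these files would be removed (%s):\n' \
            "$(count_removable_entries "$dir" "$qube")"
        list_removable_entries "$dir" "$qube"
    fi
}

# Only act when given arguments, so the functions can be sourced for testing.
if [ $# -gt 0 ]; then main "$@"; fi
```

Run the dry run first and read the list; only when it contains nothing but the disp-sys-usb entries you expect, run it again with --delete. Because the match is a substring match, a qube whose name contains another qube's name (for example a second qube named with a suffix) would also be listed, which is exactly why the dry run comes first.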

hmm, it does work,

but after deleting all the related .desktop files, it also deletes disp-sys-usb from the Qubes list,
but it still exists in the Qubes manager,
so it makes me feel like
it only deletes the name list, but doesn’t really remove the app menu from the VM,
hmm, is this understanding correct?

If there are no entries for a qube, dom0 won't display it in the app menu. Those .desktop files were exactly the same app menu entries that run when you click on them. If you want your disp-sys-usb to be listed in the app menu, you can manually change the apps that you want to show (or the Start qube option) by opening the disp-sys-usb settings in the Qube manager; under “Applications” you can select which apps to list (sometimes, especially with dispVMs, this doesn’t work properly and a manual cleanup of .desktop files is needed). The applications are still installed in your TemplateVM (which your disp-sys-usb is based on).

1 Like

okay, thanks

the qubes menu is in /User/.local/share/qubes-appmenus

Activate “Provides network” in the qubes settings to make it a service.

maybe this is not named disposables

I don’t think so

I never heard that before

I think all of the instructions (on Qubes OS site) for disposable sys-* qubes result in named disposables.
Check this out for app-menu behavior.