Mounting internal non-Qubes OS hard drive -- Dom0 security issue?

-I am using qubes on external hard.

-My Dom0 Desktop can read my internal hard and I can access the files on it .

my question is “if my internal hard compromised can it compromises my qubes -running on external hard -”

My first thought is, “it shouldn’t.” That said, are there any circumstances where dom0 might read the drive, and are those attack vectors?

1 Like

First, it’s generally not recommended to dual boot a qubes system unless you are simply testing it out.

While Qubes by default does not expose USB mass-storage devices to dom0, any internal drives are attached to dom0 by default. Note that the non-boot device file systems aren’t parsed and mounted by default…but the partitions are parsed and shown in /dev.

EDIT: I take back the part about the internal drive filesystem not being parsed. I tested by attaching a second internal drive and powering up. I found that a local NTFS volume name shows up associated with the block device in the Qubes device widget. At a minimum, some parts of the filesystem are scanned by components of dom0.

There’s a kernel parameter for libata (originally via a patch, now in mainline kernels) to disable ATA or SATA drives at boot time discussed here: boot - How can I tell linux kernel to completely ignore a disk as if it was not even connected? - Ask Ubuntu

If the other drive is NVME, I’m less certain if there is a solution.



I think we need more info here.

If the question only this, the the answer is a simple yes.

But as others are explained, in case of a dual boot, there are many more - and much more dangerous - attack vectors you are facing into.

1 Like

Any different thoughts here ?

Clarified post title and moved to “General Discussion” … this is clearly Qubes OS specific and as such off-topic in “All around Qubes”

1 Like