This is a proposal for a procedure for using untrusted USB drives. I’m putting it in “user support” cause I’m looking for feedback on it. I am expecting many revisions. If we can get it into a solid working procedure, I’ll move it to “user support - guides”.
You need to look at the contents of a USB flash drive that you found in the parking lot, or on your desk or whatever. The point is that we don’t trust the USB flash drive.
the rest of this post is a draft of a proposal
First, the AppVM one time setup procedure:
(do either the “easier version” or the “hardcore version”, not both)
qvm-create --class AppVM --label gray --template debian-10 sys-usb-flashdrive-template qvm-prefs sys-usb-flashdrive-template template_for_dispvms true
sudo qubes-dom0-update qubes-template-debian-minimal qvm-create --class AppVM --label gray --template debian-minimal sys-usb-flashdrive-template qvm-prefs sys-usb-flashdrive-template template_for_dispvms true (then apt-get install qubes-usb-proxy inside the debian-minimal template)
Next, the disposable VM one time setup procedure:
qvm-create -C DispVM -l red --template sys-usb-flashdrive-template disp-sys-usb-flashdrive qvm-prefs disp-sys-usb-flashdrive virt_mode hvm qvm-service disp-sys-usb-flashdrive meminfo-writer off qvm-prefs disp-sys-usb-flashdrive autostart true qvm-prefs disp-sys-usb-flashdrive netvm '' qvm-prefs disp-sys-usb-flashdrive provides_network false qvm-pci attach --persistent disp-sys-usb-flashdrive dom0:00_11.0 qvm-pci attach --persistent disp-sys-usb-flashdrive dom0:00_11.2 #qvm-features <sys-VMName> appmenus-dispvm ''
then add “
disp-sys-usb-flashdrive $anyvm deny” as the first line of both these files:
Finally the procedure to use it:
- boot Qubes (without the flash drive in the USB socket)
- create a separate sys-usb2 for just that USB controller, leaving your other usb devices in a different sys-usb .
- set the policy for no keyboard and no mouse in sys-usb2 (probably somewhere in /etc/qubes-rpc/)
- start a disposable VM with no networking
- insert the USB flash drive into the correct usb socket to connect to sys-usb2 (note that the importance of doing this at this moment and not having the flash drive in at boot)
- Once the drive registers with qubes, then using the devices icon at the top, connect the flashdrive to the disposable VM
- use the disposable VM to view and interact with the files on the flash drive.
- when you are done, remove the flash drive from the USB socket
- destroy the disposable VM (by just closing it)
- then destroy disp-sys-usb-flashdrive (by shutting it down)
THE PROBLEM THAT IS STILL LEFT:
However since many USB controllers forget to turn off the ability to reprogram the firmware, and if the flash drive can attack the firmware in the usb controller, then can’t the compromised USB controller itself act as a USB device during the next reboot in order to comprise dom0?
In the past I’ve attempted to find a USB controller card that gives some kind of guarantee that it has the ability to reprogram the controller disabled, but did not have luck.