[qubes-users] Isolating USB devices

Hello fellow Qubies,

I have my USB controller (the PCI device) assigned to sys-net because I have a USB-Ethernet device. I also have my USB keyboard and mouse in sys-net on the same USB controller, and the keyboard and mouse can control dom0. My system has only one USB controller.

I want to isolate compromises of sys-net. Would there be any advantage to creating sys-usb and then attaching only the USB-Ethernet device to sys-net? My USB-Ethernet device shows up as a device in the device widget (currently under sys-net as described above).

So then my plan would be to put the USB controller in sys-usb, then attach just the USB-Ethernet device to sys-net. Would that reduce the ability of sys-net to compromise the USB controller and the keyboard?

Thanks,
Dan

I implemented my idea, but I also stopped using the USB keyboard and mouse.

Now I have sys-usb with the USB controller PCI device attached and sys-net with the USB-Ethernet device attached from sys-usb. The only glitch is that on boot up, sys-net will not start at all if the USB-Ethernet device is not available, but sys-usb starts after sys-net when they are both set to autostart. I think the autostart ordering for VMs is essentially arbitrary (possibly alphabetical).

How can I specify an ordering for VM startup or a dependency on a USB device?

Perhaps? It depends on the specific NIC in question. Fixing this
properly will require switching to a unikernel for sys-usb. I also
suggest blocklisting the USB Ethernet drivers in sys-usb’s template,
and loading them manually in sys-net.
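One way to carry out the driver suggestion above, as an added example that is not part of the original reply or of any Qubes tooling: a small POSIX shell script that writes a modprobe blacklist into the template sys-usb uses and an explicit modprobe into sys-net's /rw/config/rc.local. The driver names are assumptions about common USB NICs; look up the one your adapter actually uses (for example with lsmod or dmesg in a VM where it currently works) before relying on the list. Only "blacklist" lines are written, not "install <module> /bin/false", because sys-net frequently shares the same template and must still be able to load the driver by hand.

```shell
#!/bin/sh
# Added example, not from the original thread. Implements the reply's
# suggestion: keep USB Ethernet drivers from autoloading in sys-usb's
# template, and load the one sys-net needs by hand from sys-net's rc.local.
# The driver names are assumptions about common USB NICs; find yours with
# `lsmod` or `dmesg | grep -i eth` in a VM where the adapter currently works.
set -eu

# Assumed list of USB NIC drivers to keep out of sys-usb. Only 'blacklist'
# is used (blocks modalias autoload), not 'install <mod> /bin/false',
# because sys-net often shares the template and must still be able to
# modprobe the driver explicitly.
USB_NET_DRIVERS="cdc_ether cdc_ncm cdc_eem rndis_host asix ax88179_178a r8152 smsc95xx"

# $1 = filesystem root ("" for the real one, a scratch dir for a dry run).
# Run inside the template that sys-usb uses.
write_blacklist() {
    mkdir -p "$1/etc/modprobe.d"
    {
        echo "# USB Ethernet drivers stay unloaded here; sys-net loads them itself."
        for m in $USB_NET_DRIVERS; do
            echo "blacklist $m"
        done
    } > "$1/etc/modprobe.d/blacklist-usb-ethernet.conf"
}

# $1 = filesystem root, $2 = driver sys-net needs (e.g. cdc_ether).
# Run inside sys-net. /rw/config/rc.local is VM-private and runs at every
# boot; the order relative to the USB attach does not matter, since a
# freshly loaded driver is matched against devices that are already present.
write_sysnet_rc_local() {
    mkdir -p "$1/rw/config"
    [ -f "$1/rw/config/rc.local" ] || printf '#!/bin/sh\n' > "$1/rw/config/rc.local"
    {
        echo "# Explicit load: the template blacklists autoload of USB NIC drivers."
        echo "modprobe $2"
    } >> "$1/rw/config/rc.local"
    chmod +x "$1/rw/config/rc.local"
}

# Usage: `sh usbnet-split.sh template` inside sys-usb's template,
#        `sh usbnet-split.sh sysnet cdc_ether` inside sys-net.
case "${1:-}" in
    template) write_blacklist "" ;;
    sysnet)   write_sysnet_rc_local "" "${2:-cdc_ether}" ;;
esac
```

After editing the template, shut it down and restart sys-usb so the new modprobe.d file takes effect; in sys-net, confirm with lsmod that the driver is loaded and that the passed-through adapter shows up as a network interface.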

I'll document how I solved this. First, I tried creating:
    /etc/systemd/system/qubes-vm@sys-net.service.d/60_afterusb.conf
with content:
    [Unit]
    Requires=qubes-vm@sys-usb.service
    After=qubes-vm@sys-usb.service

For reasons I didn't investigate, this wasn't sufficient. sys-net still failed to autostart. Then I added:
    /etc/systemd/system/qubes-vm@sys-usb.service.d/60_beforenet.conf
with content:
    [Unit]
    Before=qubes-vm@sys-net.service

This caused sys-net to autostart, but sys-firewall still failed to autostart. Then I added:
    /etc/systemd/system/qubes-vm@sys-firewall.service.d/50_autostart.conf
with content:
    [Unit]
    Before=systemd-user-sessions.service
    After=qubes-vm@sys-net.service

and then I finally had a system that would boot up to a running sys-usb, sys-net, and sys-firewall.

As a reminder, all the systemd configuration came after doing:
    qvm-usb attach --persistent sys-net sys-usb:<ethernet-device>

Bare minimum requirements to get a
1. working system
2. with a USB Ethernet device
3. with separate sys-net and sys-usb

If there is any value in having separate sys-net and sys-usb with USB Ethernet devices, I recommend fixing this in future releases/installers, as USB Ethernet is probably the second most common way to connect to the internet from laptops, after WiFi. Laptops don't come with PCI-based Ethernet devices anymore.
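The three drop-ins from the post, gathered into one dom0 helper as an added example (this is not the poster's script nor part of Qubes): it writes the same units and directives, reloads systemd, and can print the resulting startup chain by following the After= lines in the drop-ins, so the ordering can be checked without rebooting. The drop-in file names are the post's; the script name and the scratch-directory argument are assumptions made here.

```shell
#!/bin/sh
# Added example, not from the original thread: install the systemd
# drop-ins that make sys-usb start before sys-net and sys-net before
# sys-firewall in dom0, then show the chain they produce. Run as root in
# dom0 after `qvm-usb attach --persistent sys-net sys-usb:<ethernet-device>`.
set -eu

# $1 = filesystem root ("" for the real /etc/systemd/system, a scratch dir
# for a dry run), $2 = unit name, $3 = drop-in file name; contents on stdin.
write_dropin() {
    mkdir -p "$1/etc/systemd/system/$2.d"
    cat > "$1/etc/systemd/system/$2.d/$3"
}

# Writes the three drop-ins exactly as described in the post.
install_ordering() {
    # sys-net needs sys-usb (which holds the USB controller and NIC) first.
    write_dropin "$1" qubes-vm@sys-net.service 60_afterusb.conf <<'EOF'
[Unit]
Requires=qubes-vm@sys-usb.service
After=qubes-vm@sys-usb.service
EOF
    # The post found the ordering also had to be stated on the sys-usb side.
    write_dropin "$1" qubes-vm@sys-usb.service 60_beforenet.conf <<'EOF'
[Unit]
Before=qubes-vm@sys-net.service
EOF
    # sys-firewall waits for sys-net but still finishes before user sessions.
    write_dropin "$1" qubes-vm@sys-firewall.service 50_autostart.conf <<'EOF'
[Unit]
Before=systemd-user-sessions.service
After=qubes-vm@sys-net.service
EOF
}

# $1 = filesystem root, $2 = VM name. Prints every VM that must start before
# $2 (recursively, via After=qubes-vm@<vm>.service lines in the drop-ins)
# followed by $2 itself, one per line. Positional parameters are used
# instead of variables so the recursion does not clobber them.
startup_chain() {
    if [ -d "$1/etc/systemd/system/qubes-vm@$2.service.d" ]; then
        for dep in $(sed -n 's/^After=qubes-vm@\(.*\)\.service$/\1/p' \
                     "$1/etc/systemd/system/qubes-vm@$2.service.d"/*.conf); do
            startup_chain "$1" "$dep"
        done
    fi
    printf '%s\n' "$2"
}

# Usage: `sh vm-order.sh install` then `sh vm-order.sh show sys-firewall`.
case "${1:-}" in
    install) install_ordering ""; systemctl daemon-reload ;;
    show)    startup_chain "" "${2:-sys-firewall}" ;;
esac
```

For the real units, systemctl list-dependencies qubes-vm@sys-firewall.service shows the same chain as systemd sees it; the drop-ins only take effect after daemon-reload and only if all three VMs have autostart set.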