Reset / reinstall USB qube after compromise

I isolated all USB devices including keyboard and mouse in the USB qube:

sudo qubesctl state.sls qvm.usb-keyboard

Now, if I suspect any plugged-in USB device of being compromised: how can I preemptively reset the USB qube back to its original state?

Removing a USB Qube suggests removing the qube and the kernel options for EFI, but this wouldn’t allow me to use the USB keyboard for the reinstall process. I would probably also lock myself out (?).

There doesn’t seem to be any salt command to reset the USB qube.

For simple resetting, you can use a disposable sys-usb.

1 Like

There isn’t a salt command to reset the qube.
Just delete the qube and recreate it with salt.
If you are concerned about losing access to the keyboard, this has been covered before.
Just create a simple script:

#!/bin/bash
# Stop sys-usb first (qvm-remove refuses to delete a running qube); -f skips the confirmation prompt
qvm-shutdown --wait sys-usb
qvm-remove -f sys-usb && sleep 5 && sudo qubesctl state.sls qvm.usb-keyboard

or run the command at the command line.

Depending on the nature of the device compromise, this may not do anything of value. If the device has attacked the USB controller, then it’s done, and nothing in Qubes will help. The best you can do is create different sys-usb qubes for each controller, and use one only for untrusted devices.

2 Likes
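Building on the per-controller advice in the reply above, here is an added dom0 script (example code written for this page, not unman's script and not from the Qubes project) that creates a second USB qube for untrusted devices and assigns one USB controller to it, so the qube that proxies the keyboard and mouse never sees those devices. The qube name sys-usb-untrusted, the template default, the script name split-usb.sh and the slot formats handled by the helper functions (lspci's "00:14.0" versus qvm-pci's "dom0:00_14.0") are assumptions; it only makes sense on a machine with more than one USB controller, which is exactly the case the reply describes.

```shell
#!/bin/bash
# Added example (not from this thread or the Qubes project): give one USB controller
# to a separate USB qube that is used only for untrusted devices, so sys-usb, which
# proxies the keyboard and mouse, never sees them. Run in dom0 on Qubes 4.x.
# Assumptions: the qube name and template below are hypothetical defaults; the
# controller slot is passed as printed by plain `lspci` (e.g. 00:14.0).
set -eu

QUBE="${QUBE:-sys-usb-untrusted}"      # hypothetical qube name
TEMPLATE="${TEMPLATE:-fedora-xfce}"    # hypothetical template, set to one you have

# lspci prints slots as "00:14.0"; qvm-pci addresses the same device as "dom0:00_14.0".
# Pure text transformation, so it can be exercised without a Qubes host.
slot_to_qvm_id() {
    local slot="$1"
    case "$slot" in
        [0-9a-f][0-9a-f]:[0-9a-f][0-9a-f].[0-7]) ;;
        *) echo "not a PCI slot: $slot" >&2; return 1 ;;
    esac
    printf 'dom0:%s\n' "$(printf '%s' "$slot" | tr ':' '_')"
}

# Read lspci output on stdin and print the slot of every USB controller, one per line.
usb_slots_from_lspci() {
    awk '/USB controller/ { print $1 }'
}

# Create the qube and hand it the controller. It gets no NetVM, because a device-proxy
# qube has no reason to talk to the network, and it does not run the keyboard proxy
# (qubes.InputKeyboard), so a compromised device attached there cannot type into dom0.
create_untrusted_usb_qube() {
    local id
    id="$(slot_to_qvm_id "$1")"
    qvm-create --class AppVM --template "$TEMPLATE" --label red "$QUBE"
    qvm-prefs "$QUBE" virt_mode hvm          # PCI passthrough requires HVM
    qvm-prefs "$QUBE" netvm ''
    qvm-prefs "$QUBE" autostart true
    # USB controllers commonly lack proper FLR support, in which case attaching
    # them needs the no-strict-reset option
    qvm-pci attach --persistent -o no-strict-reset=True "$QUBE" "$id"
}

case "${1:-}" in
    list)   lspci | usb_slots_from_lspci ;;                    # candidate controllers
    create) create_untrusted_usb_qube "${2:?slot required}" ;;
    *)      echo "usage: $0 list | create <slot>" >&2 ;;
esac
```

Run `./split-usb.sh list` first to see the candidate slots, then `./split-usb.sh create 00:1d.0` (your slot will differ) for the controller you intend to dedicate to untrusted devices; the controller your keyboard hangs off must stay with the original sys-usb, and the reset script above still applies to either qube.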

@fsflover Thank you, sounds reasonable to make the USB and other stateless qubes disposables. I’ll try that approach with a bit more experience.

@unman This is a great idea, probably the simplest solution to just clean its state!

Might you elaborate on this? Do you mean a compromise of the hardware side (USB controller) of the PC?

My understanding is that a malicious device plugged into a USB controller jailed inside the qube might lead to a software-side compromise of this VM. As the VM also manages keyboard + mouse (I only have one USB controller), it would be able to write arbitrary input and also sniff all my inputs. But I could still anticipate malicious, generated keystrokes while using that PC at the same time, as a script using the USB proxy cannot run in the background, as opposed to a dom0 script. (I read that last part in an issue created by marmarek; I can search for it if needed.)

So I would believe a USB qube reset solves the software-side infection and doesn’t do any harm, as long as you don’t type your password at the time of the compromise, assuming that the malicious device could report these keystrokes over the internet or similar.

1 Like

Btw, I found the aforementioned issue by @marmarek about USB qubes:

Even if the system has only one USB controller, and only a USB keyboard, creating a USB VM with the qubes.InputKeyboard service (part of input-proxy) enabled still makes some sense. While the USB VM will be able to spy on and/or subvert the keyboard, the user will see the resulting actions. A malicious USB device will not be able to exploit some dom0 kernel driver silently in the background. And when bundled with some 2FA, a malicious USB VM will not be able to unlock the screen on its own.