USB keyboard and mouse question

Hey, I have a question about USB keyboards and mice.

I have Qubes OS in dual boot (separate SSD). And yes, I know that hardcore people don’t want to hear that, but I want to understand.

Theoretically, my mouse and keyboard could get infected from Windows or in a qube and thus infect my Windows. How could this be avoided?

Would it help if each operating system had its own mouse and keyboard + each its own USB port? And every time you start or stop the system and want to switch to the other system, that you also switch the keyboard and mouse? I think it’s pretty rare for something like this to happen.

I also read about the USB qube. But dom0 would still be in danger even if I started it via the USB qube? Since I couldn’t do anything else if it wasn’t connected to the main system.

So let’s say a Qube gets infected. Can the attacker access my keyboard and mouse? What about my second hard drive that is connected? It is displayed but I don’t use it.

Yes and I know there are such things as bootkits and I don’t think anyone out there bothers to write something like that. I’m only concerned with whether this would be possible because it would be the only “relevant” point of attack between the two systems.

Exactly what USB devices are these?

Is there any memory (flash or other) in them that might store any infection?

If a drive is not connected it should be safe, but then again who knows what 0 day exploits might be unpublished for Xen…

I think so, since these are modern devices with RGB lights and firmwares. They work plug and play moderately but I think that you could do something there.

Is it possible to assign one keyboard and mouse for dom0 and another keyboard and mouse for the other qubes? Without one interacting with the other?

Check the specs; if there are no chips that store data, then no problem!

Should be doable to assign a lot of keyboards that way yes, but direct connection should be turned off when installing or upgrading to 4.1

Well both have internal memory to store profiles and macros.

No, with default settings the attacker can’t access your devices, the attacker can only see the virtual hardware exposed to the qube.

You would need to configure your system in a way where the devices are passed directly to the hacked qube for the attacker to get access to the physical hardware.

Is this the case when you pass USB devices to any qube through sys-usb?
sys-usb gets direct physical access and a qube that a USB device is passed to gets access only to virtual devices?

No, the USB controller is passed to sys-usb, and if you pass a device to an appVM, that VM by proxy gets access to the physical hardware.

Mouse and keyboard don’t work like that, they are not passed with sys-usb.


Also, speaking about USB devices, I’m really confused about the USB no-strict-reset option for an attached USB controller. I just happen to have such a controller that doesn’t support resetting. This doc says that:

Some devices do not implement a reset option. In these cases, Qubes by default does not allow attaching the device to any VM. If you decide to override this precaution, beware that the device may only be trusted when attached to the first VM. Afterwards, it should be considered tainted until the whole system is shut down. Even without malicious intent, usage data may be leaked.

In case device reset is disabled for any reason, detaching the device should be considered a risk. Ideally, devices for which the no-strict-reset option is set are attached once to a VM which isn’t shut down until the system is shut down.

First question: Is it “considered tainted” only for VMs that you would attach USB devices to through sys-usb with the no-strict-reset option enabled? Or is it “considered tainted” for dom0 as well? That “no shut down” advice seems to imply the latter, but I don’t see how it would affect dom0 if it doesn’t see any USB devices and has rd.qubes.hide_all_usb added to /etc/default/grub? Or does dom0 somehow still have access to the controller, because I can still see it in lspci output?

Second question: It says that you need to “shut down” the machine to reset the controller. Does rebooting count as “shutting down”? Or do I need to completely power off the machine for the reset to take place?

Understood. Thanks.

In my case I use both a PS/2 mouse and keyboard and sometimes additionally pass a USB mouse and other input devices to a VM.

So it doesn’t matter if you use a USB keyboard and mouse? Because they have direct access to dom0. This keyboard and mouse can save profiles and macros. Wouldn’t that be a gap to attack? But you mean that you only “see” the hardware but cannot access it?

It does matter if you use USB, and if anyone has access to sys-usb it could be an attack vector, but someone who only has access to an appVM isn’t going to be able to replay a macro in dom0.
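
For the no-strict-reset and rd.qubes.hide_all_usb question earlier in the thread, here is an added example (not from any poster or from the Qubes project) that lists each PCI USB controller with the driver bound to it and whether the kernel exposes a reset attribute. The sysfs layout is standard Linux. Treating a missing `reset` attribute as "this controller would need no-strict-reset" is an assumption, and the sample tree, addresses and command line are constructed.

```sh
#!/bin/sh
# Added example: which driver holds each USB controller, and can it be reset?

# True if the kernel command line contains the rd.qubes.hide_all_usb flag.
has_hide_all_usb() {
    tr ' ' '\n' < "$1" | grep -qx 'rd.qubes.hide_all_usb'
}

# Print "<PCI address> <bound driver> <resettable|no-reset>" per USB controller.
audit_usb_controllers() {
    for dev in "$1"/*; do
        [ -r "$dev/class" ] || continue
        # PCI class 0x0c03xx = serial bus controller, USB.
        case "$(cat "$dev/class")" in 0x0c03*) ;; *) continue ;; esac
        # "driver" is a symlink to the bound driver; pciback means the device
        # is held for passthrough instead of being driven by a USB host driver.
        if [ -L "$dev/driver" ]; then
            driver=$(basename "$(readlink "$dev/driver")")
        else
            driver=none
        fi
        # Linux creates "reset" only when it has a reset method for the device.
        # Assumption: a controller without it is one that needs no-strict-reset.
        if [ -e "$dev/reset" ]; then state=resettable; else state=no-reset; fi
        echo "${dev##*/} $driver $state"
    done
}

# Constructed sample tree (addresses and drivers are made up for illustration).
make_sample() {
    root=$(mktemp -d)
    for d in 0000:00:14.0 0000:00:1f.6 0000:03:00.0; do mkdir -p "$root/devices/$d"; done
    echo 0x0c0330 > "$root/devices/0000:00:14.0/class"   # USB, no reset file
    ln -s ../../drivers/pciback "$root/devices/0000:00:14.0/driver"
    echo 0x020000 > "$root/devices/0000:00:1f.6/class"   # Ethernet, ignored
    echo 0x0c0330 > "$root/devices/0000:03:00.0/class"   # USB, resettable
    ln -s ../../drivers/xhci_hcd "$root/devices/0000:03:00.0/driver"
    : > "$root/devices/0000:03:00.0/reset"
    echo 'root=/dev/mapper/example ro rd.qubes.hide_all_usb quiet' > "$root/cmdline"
    echo "$root"
}

sample=$(make_sample)
if has_hide_all_usb "$sample/cmdline"; then echo "rd.qubes.hide_all_usb is set"; fi
audit_usb_controllers "$sample/devices"
rm -rf "$sample"
```

On a real system the same functions take `/sys/bus/pci/devices` and `/proc/cmdline` as their arguments.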