"Use sys-net qube for both networking and USB devices": it saves some memory, as only sys-net will be running instead of sys-net and sys-usb, and it also allows easy use of USB networking devices (like 3G/LTE modems) directly in sys-net.
But it adds a security risk: if your conjoined sys-net/sys-usb qube gets compromised over the network, your USB devices will be compromised as well. This is especially dangerous if you use USB input devices:
If you have separate sys-net and sys-usb qubes, then a sys-net compromise over the network won't affect your USB devices in sys-usb.
The Qubes OS installer offers you two configuration choices:
separate sys-net and sys-usb qubes:
  "Use a qube to hold all USB controllers" option is checked
  "Use sys-net qube for both networking and USB devices" option is unchecked
In this case all PCI network controllers will be attached to sys-net and all PCI USB network controllers will be attached to sys-usb.
conjoined sys-net/sys-usb qube:
  "Use a qube to hold all USB controllers" option is checked
  "Use sys-net qube for both networking and USB devices" option is checked
In this case all PCI network controllers and all PCI USB network controllers will be attached to the sys-net qube.
Note that you can't assign the same PCI controller to two distinct qubes that are running at the same time. (Try it: the second, whichever it is, will be unable to start until the first is shut down.)
So if you have distinct sys-net and sys-usb running at the same time, then you have distinct network and USB controllers.
Not exclusively true. They actually CAN be on the same controller, as I already wrote. And that is exactly why I see this offer by the devs during install. Yet no one has explained the idea of having sys-net and sys-usb combined to me.
So, they can be on the same USB controller, and that is why we're offered the option to combine sys-net and sys-usb during install. Even computers without Ethernet (and there are more and more of them) that have only internal WiFi modules: those modules can be on a USB controller.
Even on multiple USB controllers, in which case again it would be good to reconsider creating a separate sys-usb(-net) for each USB controller.
So, I'd advise anyone in doubt while installing Qubes to get to know their computer before choosing the corresponding option; otherwise, I'd consider myself cuckoo for Cocoa Puffs for risking poisoning multiple controllers via a single sys-net-usb.
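Getting to know the computer before choosing the installer option means finding out which PCI function each USB device and each network interface actually sits behind. The script below is an added example (not from any post in this thread and not Qubes' own tooling): it walks the standard Linux sysfs layout, which is assumed to be present, from inside a qube or on a live Linux system, and prints the host controller BDF for every USB device and the bus type plus PCI function for every network interface. It also runs the same classification over a few constructed sample paths so the output format can be seen without hardware.

```shell
#!/bin/sh
# Added example, not from the thread: map USB devices and network interfaces
# to the PCI function they hang off, using the usual Linux sysfs layout
# (an assumption; Qubes templates follow it). Run inside sys-usb / sys-net
# or on a plain Linux live system before installing Qubes.

# Print the PCI function a resolved sysfs device path belongs to. For a USB
# device that is its host controller: the last BDF before the first "usbN"
# root-hub node. For a native PCI device it is the device's own BDF.
pci_function_of() {
    printf '%s\n' "$1" | awk -F/ '
    {
        h = "[0-9a-f]"
        bdf = "^" h h h h ":" h h ":" h h "\\." h "$"
        ctrl = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^usb[0-9]+$/) break      # reached the USB root hub
            if ($i ~ bdf) ctrl = $i            # remember the latest PCI node
        }
        print ctrl
    }'
}

# Print "usb" when the path goes through a USB root hub, otherwise "pci".
bus_type_of() {
    case "/$1/" in
        */usb[0-9]*/*) echo usb ;;
        *)             echo pci ;;
    esac
}

# Walk the live system. Root hubs (usbN) and interfaces (X-Y:1.0) are skipped,
# so each physical device is listed once with its controller.
report_devices() {
    echo "USB devices -> host controller (PCI BDF):"
    for d in /sys/bus/usb/devices/*; do
        [ -e "$d" ] || continue
        name=${d##*/}
        case $name in usb*|*:*) continue ;; esac
        path=$(readlink -f "$d")
        printf '  %-8s %-40s %s\n' "$name" \
            "$(cat "$d/product" 2>/dev/null)" "$(pci_function_of "$path")"
    done
    echo "Network interfaces -> bus type / PCI function:"
    for n in /sys/class/net/*; do
        [ -e "$n/device" ] || continue
        path=$(readlink -f "$n/device")
        printf '  %-12s %-4s %s\n' "${n##*/}" \
            "$(bus_type_of "$path")" "$(pci_function_of "$path")"
    done
}

# Constructed sample paths (not captured from a real machine) showing the
# three cases that matter: a USB stick on the chipset xHCI, a USB device
# behind a Thunderbolt-attached xHCI, and a PCIe Wi-Fi card.
demo_constructed() {
    for p in \
        /sys/devices/pci0000:00/0000:00:14.0/usb1/1-3 \
        /sys/devices/pci0000:00/0000:00:1d.0/0000:05:00.0/0000:06:02.0/0000:39:00.0/usb3/3-2/3-2.4 \
        /sys/devices/pci0000:00/0000:00:1c.0/0000:02:00.0
    do
        printf '  %-4s %-14s %s\n' "$(bus_type_of "$p")" "$(pci_function_of "$p")" "$p"
    done
}

echo "Constructed samples:"
demo_constructed
if [ -d /sys/bus/usb/devices ]; then
    report_devices
fi
```

If a Wi-Fi or WWAN interface reports `usb` with the same BDF as your keyboard or mouse, the network path and the input devices share one controller, and choosing separate sys-net and sys-usb qubes cannot separate them: that controller can only be assigned to one running qube. In dom0 the printed BDFs correspond to the `dom0:BB_DD.F` identifiers that `qvm-pci` lists.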
So you mean attaching USB device from sys-usb to sys-net?
Then if sys-net is compromised over the network, the attacker will have access to the USB device passed to sys-net, and maybe this could lead to further compromise of the USB controller in sys-usb and compromise of other USB devices.
But it's still better than a conjoined sys-net/sys-usb, where a compromise over the network will directly lead to compromise of the USB devices.
Then I don't understand what you mean.
Can you describe in more details?
The setup is the default with separate sys-net/sys-usb qubes:
sys-net has two PCI Network controllers (Ethernet and Wireless) attached to it
sys-usb has all PCI USB controllers attached to it
I really don't know which part exactly isn't clear.
The OP wanted to know the benefits of choosing the default option. You replied
I just said that it's not about having separate sys-net and sys-usb, but about where the devices are physically attached. If they're attached to the same controller, compromise of the network and of the other USB devices cannot be avoided.
As a PoC you were presented with a quoted topic which, if you read it and search the quoted topic from there, gives you an example where you could have both sys-net and sys-usb and still have the network and USB devices attached to the same controller.
So, your claim (again, sorry)
could be incomplete, or misleading, or at worst wrong, or all of them at the same time.
There are multiple scenarios in which you could have both qubes but, depending on your computer hardware and the way you choose to go online (some of which were stated on this topic too, but there are others), all your USB devices could be compromised too, and worse, your USB controller could be poisoned for good.
So, it’s not about sys* qubes or devices, but about controllers in combination with devices and the way you choose to go online.
What is the advantage of choosing the non-default option?
The developers surely had a good reason to offer a second option. So under what circumstances would I choose the --advanced option? Meaning not just the definition, but the implications for my security? usability? stability?
Neither you nor the OP stated this, so I've specified this as a common configuration so you can give a specific example.
I still don’t get it.
Can you give a specific example of a sys-net/sys-usb configuration and of PCI controllers/USB devices attached to them that would lead to compromise of the sys-usb qube by compromising sys-net, if you don't attach USB devices from sys-usb to sys-net, as you stated here: