Which one is more secure: "sys-usb" or "sys-net as sys-usb"?

Continuing the discussion from "Now You're Thinking with Qubes":

Which one is more secure:

sys-usb
sys-net as sys-usb

Or check all of them!!
What actually happens when I choose both of them…

This one. Having sys-usb and sys-net as separate qubes is always better security-wise.

When thinking with Qubes, always think of: what is more compartmentalized? In this case, having USB stuff in one and network hardware stuff in the other is probably better, security-wise.


I may not have understood the question, but I would add one, “sys-net-usb” (or sys-usb-net).

sys-usb: for all USB devices - except networking ones
sys-net: for all networking devices - except USB ones
sys-net-usb: only for USB networking devices

Or is it too much, aka not providing much more security?
I’m thinking about preventing “badUSB” from interfering with NIC firmware as well as USB storage devices.

It will only be secure if you have more than one USB controller. Otherwise, the isolation will not work.

Ah, even when you “USB passthrough” a single USB port?

AFAIK yes. (Would be good if someone gave some links). USB passthrough has some benefits, but all USB ports on the same USB hub are based on the same firmware and can interact AFAIK.

Ah, thanks for the clarification.
But let’s say I have a multifunction USB device (Ethernet + USB hub/ports), what would be the correct or recommended way to use it in Qubes?
The goal is to use the Ethernet part as the outgoing connection (as in sys-net), and the USB ports to plug in various things (as in sys-usb), although never a keyboard or mouse.
I’ve read the docs and the security implications, but I admit it’s still a bit blurry. It seems the case of USB Ethernet is not mentioned.
Would it change something to not use a multifunction device and rather use two (one for Ethernet only, the other for all other use cases)? From your answer I imagine that’s a “No”, as they’re on the same USB controller.

I think that question is closely related to the fact that almost all modern devices use USB-C for docking stations. This can be much more than a simple USB controller (Ethernet, external monitor connections, audio, multiple USB ports, …).

I noticed that my T470 with Qubes 4.0 keeps crashing if I boot it up while being connected to such a device, or if I remove the connection while it is in standby. I think these cases can get quite complex, because such a device could be detected as individual PCI devices, which in theory could be passed individually to different VMs. However, what happens if these PCI devices suddenly disappear due to disconnection of the docking station?

For the time being, I work around this issue by just connecting the monitors via USB-C and using a second USB-A cable for other USB peripherals. However, this will get even more important in the future if such devices get more common. Maybe someone with more detailed knowledge can say if there is a general-purpose approach. My guess would be that “it depends”, based on your actual hardware.

Yes, that’s the kind of device I use, except it’s only USB 2. I can’t speak for USB-C types, but mine is not detected as a PCI device, nothing shown in lspci, only lsusb, even for the NIC (it worked on a raspi0, so PCI is out, but curious to see how that behaves on your system!).
My device has 3 physical USB ports, and is detected as a 4-port USB hub, from which one port is used internally by the NIC.
Seeing how the hardware in laptops evolves, you’re right that more and more devices like that will be used! Sadly though, especially for Qubes, which would need MORE ports/controllers, not less …
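The two hardware facts the thread keeps coming back to, whether the machine has more than one USB host controller (the precondition given above for isolating USB networking from other USB devices) and whether a multifunction hub+Ethernet adapter puts its NIC and its USB ports under the same root hub, can both be checked from plain lspci and lsusb -t output. The script below is an added example, not code from this thread or from Qubes OS; lspci and lsusb are real commands, but every line of sample output in the script is constructed, and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not code from the thread or from Qubes OS: checks (1) how many
# USB host controllers lspci reports, since per-controller PCI passthrough is
# what separates a sys-usb from a sys-net-usb, and (2) whether a USB NIC and a
# USB storage device sit under the same root hub in lsusb -t, as with a
# multifunction hub+Ethernet adapter. All sample output below is CONSTRUCTED.

# Constructed lspci output: a single xHCI controller (typical laptop).
LSPCI_ONE='00:14.0 USB controller [0c03]: Intel Corporation xHCI Controller (constructed) [8086:0000] (rev 21)
00:1f.6 Ethernet controller [0200]: Intel Corporation Ethernet Connection (constructed) [8086:0000] (rev 21)'

# Constructed lspci output: two USB controllers (the case the thread calls isolable).
LSPCI_TWO='00:14.0 USB controller [0c03]: Intel Corporation xHCI Controller (constructed) [8086:0000] (rev 21)
03:00.0 USB controller [0c03]: ASMedia Technology Inc. xHCI Controller (constructed) [1b21:0000]'

# Constructed lsusb -t output: a hub on bus 01 carrying a USB NIC (r8152) and a
# USB stick (usb-storage); a keyboard on the same bus but a different port.
LSUSB_SAMPLE='/:  Bus 02.Port 1: Dev 1, Class=root_hub, Driver=xhci_hcd/6p, 5000M
/:  Bus 01.Port 1: Dev 1, Class=root_hub, Driver=xhci_hcd/12p, 480M
    |__ Port 3: Dev 2, If 0, Class=Hub, Driver=hub/4p, 480M
        |__ Port 1: Dev 3, If 0, Class=Vendor Specific Class, Driver=r8152, 480M
        |__ Port 2: Dev 4, If 0, Class=Mass Storage, Driver=usb-storage, 480M
    |__ Port 7: Dev 5, If 0, Class=Human Interface Device, Driver=usbhid, 12M'

# count_usb_controllers LSPCI_TEXT: number of PCI functions of class "USB controller".
count_usb_controllers() {
    printf '%s\n' "$1" | awk '/USB controller/ { n++ } END { print n + 0 }'
}

# usb_isolation_verdict LSPCI_TEXT: "separate-controllers" when at least two USB
# controllers exist (each can be assigned to its own qube), else "single-controller"
# (everything on USB, a USB NIC included, lands in whichever qube owns that controller).
usb_isolation_verdict() {
    if [ "$(count_usb_controllers "$1")" -ge 2 ]; then
        echo separate-controllers
    else
        echo single-controller
    fi
}

# bus_of_driver LSUSB_TEXT DRIVER: the lsusb -t bus number under which the first
# non-root-hub device bound to DRIVER hangs (empty if none).
bus_of_driver() {
    printf '%s\n' "$1" | awk -v drv="$2" '
        /^\/:/ { match($0, /Bus [0-9]+/); bus = substr($0, RSTART + 4, RLENGTH - 4) }
        $0 ~ ("Driver=" drv "[,/]") && !/root_hub/ { print bus; exit }'
}

# same_bus LSUSB_TEXT DRIVER_A DRIVER_B: "yes" when both devices share a root hub.
# Caveat: one xHCI controller exposes two buses (its USB 2 and USB 3 root hubs),
# so different buses do NOT prove different controllers; the same bus does prove
# the same controller, which is the case that matters for passthrough.
same_bus() {
    a=$(bus_of_driver "$1" "$2")
    b=$(bus_of_driver "$1" "$3")
    if [ -n "$a" ] && [ "$a" = "$b" ]; then echo yes; else echo no; fi
}

# Stand-alone run on the constructed samples. On a real Qubes machine, feed in
# "$(lspci)" from dom0 and "$(lsusb -t)" from the qube that owns the controller.
echo "one controller:  $(usb_isolation_verdict "$LSPCI_ONE")"
echo "two controllers: $(usb_isolation_verdict "$LSPCI_TWO")"
echo "NIC and storage on same root hub: $(same_bus "$LSUSB_SAMPLE" r8152 usb-storage)"
```

The lspci count is the decisive number: with one controller, the verdict is "single-controller" and a USB NIC cannot be placed in a different qube from the USB ports next to it, whatever lsusb shows. The lsusb check only adds the finer detail that a hub-integrated NIC and the hub's external ports hang off the same root hub, so they are not separable by port either.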

Maybe it’s a driver issue? Xen supports PCI hotplugging, but in this case, no clue how it’s handled from dom0. What do dom0+domU logs say?

Waiting for that too ^^

Did you think of something like this?

Thanks for the link, but it’s not the same thing really, as the problem is that my device has not only an Ethernet adapter, but also a USB hub. So it’s one more problem than yours!
Also, before thinking about security, I need to make it work ^^

Also, Joanna writes …

… but does not continue on this path. Her post is from 2011, and may not apply to the current situation.

You can read this post, in which you also participated. It’s about a Logitech Unifying dongle, which handles keyboard+mouse, but maybe the underlying problem is still the same: how to reliably and securely “passthrough” USB devices on the same USB hub and/or controller.
Maybe the answer is simply “NO”, as Joanna wrote in the last paragraph.


Despite the warning, nothing has changed 11 years later …

Well, those who have older laptops had a pretty painless solution

Since obviously, as I wrote there, we will soon face one laptop per controller, I think there will be no dilemma about the question from the subject of this topic. We will be left alone with the latter option. Or, more likely, Joanna’s story from 2011 will have to be revived.

Yeah, PCMCIA, but as always, money dictated everything … It’s even true on desktops: when I see my old MoBos with plenty of PCI (not PCI-E) slots, I cry when I see new ones.
Our only hope for laptops are the new alternate brands, which could create MoBos with several USB controllers! Qubes could even push in that direction, but it must attract enough users.

Sorry to bump, but no news about “individual” USB passthrough security?