Thanks!

> -------- Original Message --------
> Subject: Re: [qubes-devel] qvm-block and qvm-usb implementation
> Local Time: 3 January 2018 8:38 AM
> UTC Time: 3 January 2018 07:38
> From: [email protected]
> To: Drolo <[email protected]>
> [email protected] <[email protected]>
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> On Tue, Jan 02, 2018 at 02:40:16PM -0500, 'Drolo' via qubes-devel wrote:
>
>> Hi,
>> I'm interested in how qvm-block and qvm-usb are implemented and in which way 
>> they interact in the USB drive case. Here is what I discovered about PCI
>> Passthrough and USB Passthrough:
>> From [0] I read that Qubes OS uses VT-d (through [3] and [5]) to isolate 
>> networking and USB controllers in domains. In fact lspci (in dom0) states 
>> that the pciback driver is associated with those PCI devices. So dom0 
>> handles only the passthru, nothing more.
>> [6] states that it's not possible to assign a single USB device to a
>> domain, because of VT-d design. However I think that it's not updated because of
>> qubes-usb-proxy ([2]). From [7] and [8] I deduced that qvm-usb uses PVUSB 
>> ([4]) to passthru single USB device.
>> From [1] I read that qvm-block uses Xen block backend hosted in the UsbVM.
>> Initially I didn't find what it refers to. Then I found xl block-attach 
>> command (from [2]). So I found [10] and [11].
>> So I concluded:
>>
>> - qvm-usb uses PVUSB. However Qubes OS's xl doesn't seem to implement
>> usb-list and related.
>> - qvm-pci uses Xen PCI passthru. So xl pci-attach and related.
>> - Specifically for network: xl network-attach. From [2] I read that because of
>> [12] the attack surface is smaller in guest domain. So the security benefit.
>> - qvm-block uses xl block-attach and related.
>> - qvm-block is independent from qvm-usb, after that the guest domain detects
>> the drive.
>>
>> Are these conclusions correct?
>
> Almost: qvm-usb uses USBIP over qrexec instead of IP. Some details are
> here:
> https://github.com/QubesOS/qubes-app-linux-usb-proxy
>
> Other points are correct.
>
>> [0] = 
>> https://www.qubes-os.org/attachment/wiki/QubesArchitecture/arch-spec-0.3.pdf
>> [1] = 
>> https://invisiblethingslab.com/resources/2014/Software_compartmentalization_vs_physical_separation.pdf
>> [2] = https://www.qubes-os.org/doc/usb/
>> [3] = https://wiki.xenproject.org/wiki/Xen_PCI_Passthrough
>> [4] = https://wiki.xenproject.org/wiki/Xen_USB_Passthrough
>> [5] = https://wiki.xenproject.org/wiki/Driver_Domain
>> [6] = https://www.qubes-os.org/doc/assigning-devices/
>> [7] = https://github.com/QubesOS/qubes-issues/issues/2144
>> [8] = https://github.com/QubesOS/qubes-issues/issues/531
>> [9] = https://www.qubes-os.org/doc/dom0-tools/qvm-block/
>> [10] = https://xenbits.xen.org/docs/4.6-testing/man/xl.1.html
>> [11] = 
>> https://xenbits.xen.org/docs/4.6-testing/misc/xl-disk-configuration.txt
>> [12] = https://wiki.xenproject.org/wiki/Xen_Networking
>
> ---------------------------------------------------------------
>
> Best Regards,
> Marek Marczykowski-Górecki
> Invisible Things Lab
> A: Because it messes up the order in which people normally read text.
> Q: Why is top-posting such a bad thing?
> You received this message because you are subscribed to the Google Groups 
> "qubes-devel" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to [email protected].
> To post to this group, send email to [email protected].
> To view this discussion on the web visit 
> https://groups.google.com/d/msgid/qubes-devel/20180103073850.GN2653%40mail-itl.
> For more options, visit https://groups.google.com/d/optout.