Marek Marczykowski-Górecki:
> On Mon, Aug 01, 2016 at 07:35:26PM +0000, 468ezc+5r0fnwy87qeag via
> qubes-users wrote:
>> Hi,
>
>> My MicroSD while attached is assigned to dom0 and not sys-usb as is
>> supposed. Notwithstanding, USB devices are still assigned to sys-usb.
>
>> Is this the intended behavior? Doesn't this increase, in the same manner as
>> USB devices do, the surface attack in dom0?
>
> Your (micro)SD card reader is probably not a USB device, but a PCI device.
> Yes, it's better to assign it to some VM - sys-usb is ok. You can do
> this in VM settings - "Devices" tab.

Seems to me that assigning the SD controller to a different VM than sys-usb would eliminate some attack vectors, since if they're assigned to the same VM, IOMMU won't prevent software accessing the SD card from attacking software accessing the USB devices (and vice versa). A doomsday scenario that comes to mind is when the USB controller is being used to connect to the Internet via a phone tether, and the SD card is storing some high-value data. (My doomsday imagination is limited; perhaps there are better doomsday scenarios.)

Is my intuition on this correct?

Of course, using a separate VM means increased RAM usage, which may or may not be worth it.

Cheers,
-Jeremy Rand