On Wed, Jul 12, 2017 at 6:17 PM, Thomas Jefferson <myd...@mailbox.org> wrote:
> I also forgot to mention, if ultimately the sys-usb will have internet, then what's the difference between the sys-net or sys-usb? Why use two separate SysVMs if both can be used as a NetVM?

What I noted is that when you install Qubes you are given an option to install sys-usb or not. I suspect that if you select "not" then what happens is that USB controllers are assigned to sys-net. So making it a single sys-vm. Also I wonder what place a firewall may have in that. I assigned my expresscard USB controller to a TrezorVM which uses the standard firewall, but sys-net has no firewall.

> On 12 July 2017 at 22:52 Franz <169...@gmail.com> wrote:
>
> > On Wed, Jul 12, 2017 at 4:09 PM, Thomas Jefferson <myd...@mailbox.org> wrote:
> >
> > > Hi,
> > >
> > > I'm trying to use my ledger nano s and trezor with Qubes. I think the best approach, since I need to attach the entire USB controller for this to work, would be to use the existing sys-usb. However by default the sys-usb is not connected with any NetVM, hence I don't know if this would increase my attack vector.
> > > What's the safest way to use trezor or ledger nano s with Qubes?
> > >
> > > Should I use the sys-usb or should I attach the USB controller to a different AppVM and use my HW wallet there? (The latter option will invalidate the use of my mouse, so if any other option is available, I'd be glad to hear it)
> >
> > I had to buy a working expresscard usb controller and then reboot. But if you do not have the slot or do not want the extra hassle/battery consumption probably the best way is to connect sys-usb to sys-net. In the end they are both considered compromised, so what is the risk of connecting them? That sys-usb can spread its malware using sys-net? Unless you use usb block devices for strategic/important things, which is not advised, then it seems an acceptable risk.
> >
> > Regarding specifically Trezor and I suppose also Ledger, they are supposed to be safe even if the hardware on which they are mounted is compromised. So even a compromised sys-usb may be acceptable.
> >
> > Best
> > Fran
> >
> > > Thanks