On Thursday, August 15, 2019 at 8:24:58 AM UTC-4, unman wrote:
>
> On Wed, Aug 14, 2019 at 04:26:18PM -0700, brend...@gmail.com wrote:
> > 1. That first USB device, which does not state where it can be used is either:
> > a) The USB 2.0 interface "available" via the expresscard interface (some "expresscard" devices are really just USB 2.0 devices).
> > b) The USB 2.0 interface available via the docking connector.
>
> It's the dock.
> I use 3 disposable USBVMs, each allocated 1 controller.
>

Thanks unman. Thinking about it... that does make the most sense, as some of the compatible docks can have quite a few USB 2.0 ports (presumably implemented as a hub) on them, so it makes the most sense to have that controller separate.

I won't guarantee this, but I suspect that the "alternate" interface (USB 2.0) in the expresscard slot is probably attached to the *primary* USB 2.0 controller on the Thinkpads then.

Therefore the best approach in *most* cases where the user wants either best combined throughput or USB controller assignment flexibility is to utilize a 1-lane PCIe 1.0-based expresscard (e.g. with a one-or-two port USB 3.0 controller) instead of a USB 2.0-based expresscard.

Brendan

PS - The one caveat I will note with the expresscard interface is that it is an external PCIe interface, and may provide direct DMA into memory, similar to Firewire. You can see there are commercial products that utilize the expresscard interface here for memory forensics on running but locked machines: https://www.forensicswiki.org/wiki/Tools:Memory_Imaging

I would be curious to see recent experiments showing how well Xen HVM IOMMU enforcement works to limit the scope of attacks using Expresscard, which Qubes + IOMMU *should* protect against. I just don't have the skills to create one or the $7800 it costs to purchase one of these devices (nor really the time) to do some testing...

For those overly concerned, they may want to investigate other preventative methods (e.g. Does BIOS disabling of the expresscard interface have a security impact? Are there physical modifications that would prevent usage of acquisition devices? Are there other software mitigations (power-off on attach, etc.)?)