[qubes-users] How to hide all except one USB controller?
Hi, I bought a second internal USB controller (A) to connect a flash drive for booting from SD. How can I prevent the internal controller(B) (with the keyboard attached) to be recognized during startup? I can still type my boot password with it, that means the controller is visible, right? So how can I configure Qubes OS to: 1) At boot time, only controller (A) should be attached to dom0. Controller (B) should be unable to affect Qubes OS maliciously 2) After boot, controller (A) should be attached to dom0, controller (B) to sys-usb. 3) hide-all-usb does not seems to support this. How can I configure Grub to ignore all usb controllers except one specific one? Cheers Chris -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/qMRVLcTfS-Ee22yK7-KkyQI3Vcip4jG0BPZoJwfw1aqktnG4oiorKcqptVXAy7apco97G8ziafgZ2HApa4JEfsTQtnR2gH1-PJDMb0bJPPQ%3D%40protonmail.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] DMA attacks are possible not only via USB?!
Hi, I am wondering a bit what this USB & NetVM shielding are really buying me. I am switching from a laptop to a desktop, so it may remain unattended for quite a while and thus could be exposed to hardware access... The hardware access will be mild, meaning I could imagine someone to compromise a bootloader or install a malicious device. Now say that install an internal USB controller to which I connect an SD-Card reader, which in turn uses Anti-Evil-Maid to boot the machine. This controller needs to be whitelisted. But since it is internal and will only provide one slot for the card reader, the machine will not boot properly without this setup. Still, someone could compromise this setup. So lets say I had a PCI-Express card reader, which seems to not be available for desktops... Wouldn't this pose the same problem? PCI-Express also has DMA access. How does Qubes know that a particular PCI-Express device can be safely attached to Dom0 (like a SD card reader on a laptop, which is usually PCI-Express)? If the PCI-Express device is compromised, wouldn't it compromise Dom0? Anyway I am trying to wrap my head around what I can and can not protect against. It seems as if Qubes OS is useless in protecting against hardware access. Even with TPM, I am not sure how realistic it is. Will AEM be triggered when changing USB controllers or adding hostile USB devices to the one whilelisted controller that manages the AEM device? If not, what is the point of AEM? How is AEM any better than simply putting the bootloader on a separate disk? Okay, it gives a bit better piece of mind that really MY bootloader was used, but that is about it, right? It won't help against someone adding compromised devices to a PCI-E slot or USB?! Any links or help here? Btw, its really hard to find any useful information via Google about most topics regarding Qubes OS. Is Qubes OS somehow downranked intentionally? Cheers Chris -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/suUnD0yJpvEF22zlFlIRDF10NkbqtaPsbbmZwiQz0lErvA9-HmGLGX49d_s7GjytL7x3hy84XNR33F_Ip6P3pOzaNtWFHqAkfuw9FM1qX-E%3D%40protonmail.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Qubes OS and latest hardware (8700K)
Hi, will Qubes OS 3.2 work with the 8700K desktop CPU that was just released? I've heard conflicting reports. If not, will 4.0 support it? I read that you need Kernel 4.12 (I believe) but even Qubes 4.0 seems to be stuck with 4.8... Is this just a matter of "perfect" support or are they talking about not even running on 8700K with a lower kernel version? The same question popped up for the new DELL XPS, which runs then 8th gen mobile CPUs. I guess the support question is similar here?! Thanks! -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/Qbt2a6hGMaom2QKS7mKmDbAQeuwwwySXQnFTJa57-SceRR0kffjK0wjaIZuF8DNKZE-9M1nikKJJLAXT850xwJU7e0s9j1GtoDv4Xu39Ckg%3D%40protonmail.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Re: What are the disadvantages of NOT having vt-d?
I see.. But currently I am using Qubes 3.2 and 4.0 last time I tried was VERY unpolished, I am not sure I am going to look at it before support for 3.2 expires... It's not like I would not have the money to buy a 7700k, but I want to avoid spending money if not necessary that is why I want to get a clear picture... > Original Message > Subject: [qubes-users] Re: What are the disadvantages of NOT having vt-d? > Local Time: December 14, 2017 1:40 AM > UTC Time: December 14, 2017 12:40 AM > From: vigilian.pira...@gmail.com > To: qubes-users > > Le jeudi 14 décembre 2017 01:27:23 UTC+1, Chris a écrit : > >> Hi, >> I am an avid user of Qubes OS and I love what you have done. Finally I have >> a feeling of security and a peace of mind... I am not a security person but >> I kinda do care about it and have some basic understanding and am slightly >> paranoid. >> I am currently running a DELL Precision 5520, which has vt-d. But it is >> owned by my company which I am leaving soon, and then I will have to switch >> back to my desktop, an old Intel 3700K without vt-d. >> I am wondering, compared to my precision laptop with vt-d, what attack >> vectors will open up? The desktop will be connected to an Ubiquity router >> via Ethernet cable (no WLAN) which is in turn connected to a normal Cable >> modem. Is this reasonably safe? Is the NetVM mostly useful for WLAN or also >> for Ethernet? >> I am a normal person, soon working as a developer at Amazon (so I would say >> while I am not high-profile, people might have interest in attacking me to >> gain access to AWS or any other Amazon service)... >> Cheers >> Mara >> >> Well for what I remember, you may not have any choice since for R4.0 you >> won't be able to install without vt-d activated. I have kinda the same >> problem. I will have to change the CPU from mthe laptop where qubes is >> installed to make it compatible. >> >> -- >> You received this message because you are subscribed to the Google Groups >> "qubes-users" group. >> To unsubscribe from this group and stop receiving emails from it, send an >> email to qubes-users+unsubscr...@googlegroups.com. >> To post to this group, send email to qubes-users@googlegroups.com. >> To view this discussion on the web visit >> https://groups.google.com/d/msgid/qubes-users/02c07ac0-1578-4b33-96ff-1412de3ba133%40googlegroups.com. >> For more options, visit https://groups.google.com/d/optout. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/S_X6ylPGCA7Uo4UtwpudNnYCWivvWd2frBgsaGn4rQgehtQHEzfaxArst4HhSn25_yj-fde1TtkoP1jAVlRq4TIpyIW6zEakoMLHIiep8DM%3D%40protonmail.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] What are the disadvantages of NOT having vt-d?
Hi, I am an avid user of Qubes OS and I love what you have done. Finally I have a feeling of security and a peace of mind... I am not a security person but I kinda do care about it and have some basic understanding and am slightly paranoid. I am currently running a DELL Precision 5520, which has vt-d. But it is owned by my company which I am leaving soon, and then I will have to switch back to my desktop, an old Intel 3700K without vt-d. I am wondering, compared to my precision laptop with vt-d, what attack vectors will open up? The desktop will be connected to an Ubiquity router via Ethernet cable (no WLAN) which is in turn connected to a normal Cable modem. Is this reasonably safe? Is the NetVM mostly useful for WLAN or also for Ethernet? I am a normal person, soon working as a developer at Amazon (so I would say while I am not high-profile, people might have interest in attacking me to gain access to AWS or any other Amazon service)... Cheers Mara -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/o3W8BIjswS5l71z7DsPde5dvkSlTh5lrmP2wQ33q-soegwXfj74acGjIqCt8oxDaKXPHUanHVXu1qIztTkaXBkhfzuq4NJ1RIQ03yFrJN1E%3D%40protonmail.com. For more options, visit https://groups.google.com/d/optout.