Git-Mirrors/qubes-doc
1
0
Fork 0
mirror of https://github.com/QubesOS/qubes-doc.git synced 2024-10-01 01:25:40 -04:00
Code Issues Packages Projects Releases Wiki Activity

Adapt security warning from qubes-app-linux-input-proxy

Browse Source 
https://github.com/QubesOS/qubes-doc/pull/310
This commit is contained in:
Andrew David Wong 2017-03-16 20:00:31 -07:00
parent 2992dc8067
commit 54938518f1
No known key found for this signature in database
GPG Key ID: 8CE137352A019A17
1 changed files with 30 additions and 25 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

55
common-tasks/usb.md
View File

@ -128,21 +128,34 @@ directly to dom0.
7. Run the command `grub2-mkconfig -o /boot/grub2/grub.cfg` in dom0.
8. Reboot.
Security Warning about USB Input Devices
----------------------------------------
**Important security warning. Please read this section carefully!**
If you connect USB input devices (keyboard and mouse) to a VM, that VM will effectively have control over your system.
Because of this, the benefits of using a USB qube are much smaller than using a fully untrusted USB qube.
In addition to having control over your system, such VM can also sniff all the input your enter there (for example, passwords in the case of a USB keyboard).
There is no simple way to protect against sniffing, but you can make it harder to exploit control over input devices.
If you have only a USB mouse connected to a USB qube, but the keyboard is connected directly to dom0 (using a PS/2 connector, for example), you simply need to lock the screen when you are away from your computer.
You must do this every time you leave your computer unattended, even if there no risk of anyone else having direct physical access to your computer.
This is because you are guarding the system not only against anyone with local access, but also against possible actions from a potentially compromised USB qube.
If your keyboard is also connected to a USB qube, things are much harder.
Locking the screen (with a traditional password) does not solve the problem, because the USB qube can simply sniff this password and later easily unlock the screen.
One possibility is to set up the screen locker to require an additional step to unlock (i.e., two-factor authentication).
One way to achieve this is to use a [YubiKey], or some other hardware token, or even to manually enter a one-time password.
How to use a USB keyboard
-------------------------
In order to use a USB keyboard, you must first attach it to a USB qube, then
give that qube permission to pass keyboard input to dom0. Note that allowing
keyboard access from a USB qube gives it great power. In short:
**Caution:** Please carefully read the [Security Warning about USB Input Devices] before proceeding.
* It will see whatever you type on that keyboard (including passwords).
* It will be able to inject keystrokes, which basically means that it will be
able to enter any command. For example, if some malware catches your
screenlocker password, it will be able to unlock the screen when you are not
present. (For more details, see [here][input-proxy].)
If you are sure you wish to proceed, then you must edit the
`qubes.InputKeyboard` policy file in dom0, which is located here:
In order to use a USB keyboard, you must first attach it to a USB qube, then give that qube permission to pass keyboard input to dom0.
Edit the `qubes.InputKeyboard` policy file in dom0, which is located here:
/etc/qubes-rpc/policy/qubes.InputKeyboard
@ -157,19 +170,10 @@ You can now use your USB keyboard.
How to use a USB mouse
----------------------
In order to use a USB mouse, you must first attach it to a USB qube, then
give that qube permission to pass mouse input to dom0. Note that allowing
mouse access from a USB qube gives it great power. In short:
**Caution:** Please carefully read the [Security Warning about USB Input Devices] before proceeding.
* It will be able to change any global and per-domain setting available within GUI
* It will be able to attach untrusted devices to domains that should not
have device access
* It will be able to enable networking in network-disconnected domains
* It will be able to initiate file transfer between domains.
(For more details, see [here][input-proxy].)
If you are sure you wish to proceed, then you must edit the
`qubes.InputMouse` policy file in dom0, which is located here:
In order to use a USB mouse, you must first attach it to a USB qube, then give that qube permission to pass mouse input to dom0.
Edit the `qubes.InputMouse` policy file in dom0, which is located here:
/etc/qubes-rpc/policy/qubes.InputMouse
@ -362,7 +366,8 @@ This feature is not yet available in Qubes Manager however, if you would like to
[AEM]: /doc/anti-evil-maid/
[1618]: https://github.com/QubesOS/qubes-issues/issues/1618
[create a USB qube]: #creating-and-using-a-usb-qube
[input-proxy]: https://github.com/qubesos/qubes-app-linux-input-proxy
[usb-challenges]: http://blog.invisiblethings.org/2011/05/31/usb-security-challenges.html
[project-page]: https://www.qubes-os.org/gsoc/
[project-page]: /gsoc/
[gsoc-page]: https://summerofcode.withgoogle.com/organizations/6239659689508864/
[YubiKey]: /doc/YubiKey/
[Security Warning about USB Input Devices]: #security-warning-about-usb-input-devices