Reorganize USB-related information

This commit creates a single, central page (/doc/usb/) for all
USB-related information by combining stick-mounting.md with the
manual USB qube (formerly known as "USBVM") creation procedure
from security-guidelines.md. It rewrites the content from both of
those and adds the content requested in QubesOS/qubes-issues#1690.
It also redirects /doc/usbvm/ away from the ancient page on PVUSB.
Axon 2016-01-28 12:02:39 +00:00
parent a22db63b3b
commit 9d59c48aa7
No known key found for this signature in database
GPG key ID: 8CE137352A019A17
6 changed files with 232 additions and 132 deletions


@ -119,30 +119,7 @@ If the VM will not start after you have assigned a USB controller, look at [this
Creating and Using a USBVM
--------------------------
The connection of an **untrusted USB external drive to Dom0** may involve some risk because Dom0 reads **partition tables** automatically, and also because the whole USB stack is put to work **to parse** all the USB device info first, to determine if it is a USB Mass Storage, and to read its config, etc. This happens even if the drive is then assigned and mounted in another VM.
To avoid this risk it is possible to prepare and utilize a **USBVM**. However this is not presently recommended for beginners, as Xen does not yet provide a working PVUSB, and so only USB Mass Storage devices can be passed to individual VMs later (via qvm-block). This means that a USBVM cannot be preinstalled and the whole thing cannot be automated. So avoid it if you have doubts.
Also avoid it if you do not have a **USB controller free of input devices** or programmable devices, for the reasons above. However, as already noted most laptops use PS-2 for keyboards and touchpad devices which do not cause problems.
An **USBVM** operates like a dedicated temporary parking area, used just to prevent any contact between dom0 and the USB drive. Then, every time you connect an **untrusted USB external drive** to a USB port managed by that USB controller, you need to attach it to the VM that needs it, using qubes manager or [terminal](/doc/stick-mounting/). Again, this **works only for disk-like USB devices**. Other devices cannot be currently virtualized. So once you assign their controller to your **USBVM** they'll be no more available.
**The process for creating a USBVM** is:
1. In Dom0 terminal type `lsusb` to check if you have a USB controller free of input devices or programmable devices. If you find such free controller, then
2. Create a new AppVM. Call it "usbvm" (or whatever you want).
3. Give it "red" or "orange" or "yellow" label.
4. In the AppVM's settings, go to the "devices" tab. Find your USB controller in the "Available" list. Move it to the "Selected" list.
5. Click OK. Restart the AppVM. (Restarting may not even be required.)
6. Set the VM to start automatically at Boot using the VM Manager, (under VM Settings), or **In dom0 terminal**, run
~~~
qvm-prefs -s usbvm autostart true
~~~
This will cause your new **USBVM** to automatically start when the system starts up. So that in case you forgot to start it and then accidentally plugged a USB stick (or your colleague at work did it while you were at lunch), **it won't compromise the Dom0**.
If the USBVM will not start, look at [this faq](../UserFaq/#i-created-a-usbvm-and-assigned-usb-controllers-to-it-now-the-usbvm-wont-boot)
See [here](/doc/usb/).
Dom0 Precautions
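
Review bot: The line "See [here](/doc/usb/)." under "Creating and Using a USBVM" leaves the security guidelines with no statement of why a USB qube matters, and the link text "here" tells the reader nothing about the target. Keep one sentence of the rationale in place, namely that dom0 parses partition tables and USB device info from an untrusted drive even when the drive is later assigned to another VM, and give the link a descriptive label that names the USB page. The heading still says "USBVM" although the commit message calls that the former name; either rename it to "USB qube" or leave it deliberately so existing anchors keep working, and say which in the commit message. The target file is not visible in this hunk, so please confirm that the controller check with `lsusb`, the `qvm-prefs -s usbvm autostart true` step and the pointer to the FAQ entry for a USBVM that will not boot all appear on /doc/usb/ before this text is dropped.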