Clarify impact of BIOS recommendations on USB-C operation #32
As noted in #31 (review) our current BIOS recommendations may interfere with USB-C operation, which seems potentially disruptive of normal use cases. Let's discuss the security benefits of this recommendation in the context of our threat model.

Comments

I'm guessing that the specific recommendation that's causing trouble is:
If so, why is this recommendation important? Is it critical that we preserve it? What is its impact on USB-C operation?

I would strongly recommend we preserve that recommendation. Thunderbolt devices connected to the VM can introspect and modify RAM on the host. You can see https://github.com/carmaa/inception for examples of what can be done with these types of attacks. Some operating systems have mitigations in place, but disabling this feature at a firmware level provides strong assurances the likelihood of attacks is either significantly reduced or completely eliminated. A search in the Qubes issues repo suggests that even with Thunderbolt enabled in the BIOS, Thunderbolt/USB-C ports will not work in Qubes: QubesOS/qubes-issues#5522. It seems like we should update the documentation to not only recommend, but require the use of USB type A drives.

Thanks @emkll; it seems problematic to me if an emerging new standard is unavailable to our users in the long run, but given the security risks and lack of Qubes support it looks like there's no way around the USB type A requirement. Based on a cursory investigation of what's available on Amazon and CDW, it looks like most USB-C flash drives currently on the market are "2 in 1" -- you can use either connector. I'm going to order one of those for testing.

Hm, on a closer read this may be more of an issue with PCI hotplug; I'm able to browse files on my Android device via USB-C cable plugged into the USB-C/Thunderbolt port on a T480 just fine in Qubes (I've not changed BIOS defaults), and @rmol confirms successful use of a YubiKey with USB-C in Qubes.

I tested disabling Thunderbolt in the BIOS of my T480 (the docs don't specify what to do; here's what I did: "Security -> IO Port access -> Thunderbolt(TM) 3 -> Disabled"). Qubes now no longer starts. Is that because I changed the BIOS settings after the install? I'm curious what exact behavior others observe when changing the BIOS settings before the install. Do USB-C devices not get recognized anymore? Fail to attach?

Yes! During installation, Qubes enumerated USB & some PCI-E devices and persistently attached those to
More testing required, although several folks are reporting USB-C will continue to work.

Hmm, good point. There are actually two places in the BIOS where Thunderbolt can be marked as "Disabled" iirc.

Open questions from my perspective:
If our BIOS recommendation has narrow impact just on use of the dual Thunderbolt/USB-C port, then I think we can live with it for some time, but should IMO re-evaluate regularly.

Good news, everyone! With our BIOS settings, at least on the current T480, it turns out that you can use USB-C devices in the port that you'd ordinarily plug your power adapter into. Just plug the power adapter into the Thunderbolt port instead -- it'll still supply power just fine, even if Thunderbolt is disabled (it even has a little power LED). Did some additional testing:
Long term, I do think we should aim to continue to have a laptop recommendation that enables users to use USB-C without adapters, because these devices are becoming increasingly common, especially for hubs (see the selection of USB hubs on Amazon, for example).

See also the more recent https://thunderspy.io/
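An added check (example script, not from this thread or from the project's docs) for confirming on a Linux host whether the firmware "Disabled" setting actually removed the Thunderbolt domain, and whether the IOMMU that limits DMA from attached PCIe devices is active; the sysfs paths are the kernel's documented ones, while SYSFS_ROOT, tb_status, iommu_active and report are hypothetical names chosen here.

```shell
#!/bin/sh
# Added example: report Thunderbolt exposure and IOMMU state on a Linux host.
# Assumes the kernel's documented sysfs layout:
#   <sysfs>/bus/thunderbolt/devices/domainN/security  (firmware security level)
#   <sysfs>/kernel/iommu_groups/<n>                   (present when DMA remapping is on)
# SYSFS_ROOT is a hypothetical override so the functions can also be run
# against a constructed tree; on a real host leave it unset.
SYSFS_ROOT="${SYSFS_ROOT:-/sys}"

# Prints "no-thunderbolt" when no domain is exposed (the BIOS setting took
# effect), otherwise one "thunderbolt:<level>" line per domain. Levels the
# kernel reports include "none" (devices connect without authorization),
# "user" (authorization required) and "nopcie" (PCIe tunnelling disabled).
tb_status() {
    found=0
    for dom in "$1"/bus/thunderbolt/devices/domain*; do
        [ -d "$dom" ] || continue
        found=1
        if [ -r "$dom/security" ]; then
            printf 'thunderbolt:%s\n' "$(cat "$dom/security")"
        else
            printf 'thunderbolt:unknown\n'
        fi
    done
    [ "$found" -eq 1 ] || printf 'no-thunderbolt\n'
}

# Exit status 0 when at least one IOMMU group exists (DMA remapping active).
iommu_active() {
    for grp in "$1"/kernel/iommu_groups/*; do
        [ -d "$grp" ] && return 0
    done
    return 1
}

# Human-readable summary for the given sysfs root.
report() {
    tb_status "$1"
    if iommu_active "$1"; then
        echo "iommu: active"
    else
        echo "iommu: not active (attached PCIe/Thunderbolt devices have unrestricted DMA)"
    fi
}

report "$SYSFS_ROOT"
```

A "no-thunderbolt" line with "iommu: active" is the state the BIOS recommendation in this thread is aiming for; a "thunderbolt:" line means the firmware still exposes the controller regardless of the setting's label.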