q-dev: avoid zombie USB device #55
After detaching from the frontend vm, the device remained under the control of the usbip driver. This caused the device to remain visible in the backend vm but unusable there (zombie). The issue is that, for example, a USB stick would not expose its partitions to the backend, preventing us from using them (e.g. attaching partition to frontend vm).
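A defender-side check for the situation the description reports, added here as an illustration and not code from this PR: it walks sysfs and lists USB devices that are still bound to the `usbip-host` driver while no client is attached, which is exactly the state in which a stick stays visible in the backend but never gets its normal driver (and so shows no partitions). It assumes the standard Linux sysfs layout (a `driver` symlink per device under `/sys/bus/usb/devices/<busid>/`) and usbip-host's per-device `usbip_status` attribute (1 = exported but not in use); the sysfs tree it runs against is constructed inline so the example works offline.

```shell
#!/bin/sh
# Added illustration, not code from the PR under discussion. Assumes the
# standard Linux sysfs layout (<root>/bus/usb/devices/<busid>/driver is a
# symlink into <root>/bus/usb/drivers/<name>) and the usbip backend driver
# name "usbip-host", whose per-device "usbip_status" attribute reads 1 when
# the device is exported but no client is attached.

# Print "<busid> <driver>" for every USB device that has a bound driver.
# $1: sysfs root (/sys on a real system, a constructed tree in the demo).
usb_driver_table() {
    root="$1"
    for dev in "$root"/bus/usb/devices/*/; do
        [ -L "${dev}driver" ] || continue
        printf '%s %s\n' "$(basename "$dev")" "$(basename "$(readlink "${dev}driver")")"
    done
    return 0
}

# Print the busid of each "zombie": bound to usbip-host while no client is
# attached (usbip_status == 1, or the attribute is unreadable). Such a device
# is visible in the backend, but usb-storage (or whatever its normal driver
# is) never probes it, so a stick exposes no partitions there.
find_zombie_usb() {
    root="$1"
    usb_driver_table "$root" | while read -r busid drv; do
        [ "$drv" = "usbip-host" ] || continue
        status_file="$root/bus/usb/devices/$busid/usbip_status"
        status=1
        [ -r "$status_file" ] && status=$(cat "$status_file")
        [ "$status" = "1" ] && echo "$busid"
    done
    return 0
}

# Build a constructed sysfs tree for offline demonstration (sample data,
# not captured from a real system).
build_demo_sysfs() {
    root="$1"
    mkdir -p "$root/bus/usb/drivers/usb-storage" "$root/bus/usb/drivers/usbip-host"
    for busid in 1-1 2-1 2-2 3-1; do
        mkdir -p "$root/bus/usb/devices/$busid"
    done
    # 1-1: a stick bound to its normal driver
    ln -s "$root/bus/usb/drivers/usb-storage" "$root/bus/usb/devices/1-1/driver"
    # 2-1: the zombie, still on usbip-host after the frontend detached
    ln -s "$root/bus/usb/drivers/usbip-host" "$root/bus/usb/devices/2-1/driver"
    echo 1 > "$root/bus/usb/devices/2-1/usbip_status"
    # 2-2: legitimately exported and attached to a frontend
    ln -s "$root/bus/usb/drivers/usbip-host" "$root/bus/usb/devices/2-2/driver"
    echo 2 > "$root/bus/usb/devices/2-2/usbip_status"
    # 3-1: no driver bound at all, so it is not reported
    return 0
}

DEMO_ROOT=$(mktemp -d)
build_demo_sysfs "$DEMO_ROOT"
echo "Driver table:"
usb_driver_table "$DEMO_ROOT"
echo "Zombie devices:"
find_zombie_usb "$DEMO_ROOT"
rm -rf "$DEMO_ROOT"
```

On a real backend qube you would call `find_zombie_usb /sys`; a non-empty result after a frontend detach is the symptom this PR addresses. Only the detection is shown here; how the device is handed back to its default driver is the PR's own business and is not reproduced.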
OpenQA test summary

Complete test suite and dependencies: https://openqa.qubes-os.org/tests/overview?distri=qubesos&version=4.3&build=2026070101-devel&flavor=pull-requests

Test run included the following:

New failures, excluding unstable
Compared to: https://openqa.qubes-os.org/tests/overview?distri=qubesos&version=4.3&build=2026050504-devel&flavor=update
Failed tests: 32 failures

Fixed failures
Compared to: https://openqa.qubes-os.org/tests/176874#dependencies
16 fixed

Unstable tests

Performance Tests
Performance degradation: 31 performance degradations
Remaining performance tests: 80 tests
I have some doubts about the safety of this - if a qube leaves the device in a weird state that would try to attack sys-usb. Here, the hope is that a device reset (like a re-plug) would restore it to a good state, but before that it would remain attached to the usbip driver (that does nothing if the device is not attached to any qube). But that's really wishful thinking, no proof of that really helping. And a device with persistent memory (like updateable firmware) could still perform an attack like this. And maybe even a compromised device could simulate a re-plug event itself (to get attached to the default driver).
I see a problem. Yes, it's some attack surface on sys-usb. In such a case, however, we need to specify what exactly the user should expect. Currently, we have: VM2 is less protected than sys-usb. I think we should choose one of the following:
I have two ideas of a middle ground solution:
The second one is mostly heuristic, based on the assumption that popular drivers are better reviewed/tested and more resilient against malicious hardware. But maybe the first one is good enough already? (still depends on how much the device cooperates, but all of this has this caveat...)