QubesOS / qubes-issues

The Qubes OS Project issue tracker
https://www.qubes-os.org/doc/issue-tracking/

Add options to qvm-usb to attach a device based on a pattern in the description #8300

Open face opened 1 year ago

face commented 1 year ago

The problem you're addressing (if any)

My Dell dock gives different device IDs for my USB devices on every boot. I have a systemd boot script that uses qvm-usb to attach the NIC with a hard wire to sys-usb after the sys-usb qube starts. I had to modify qvm-usb to attach based on the description to get it to work. --persistent will not work due to the different device ID on every boot.

The solution you'd like

So, I added a -m pattern -i index to the qvm-usb command. The index is needed if multiple matches occur. I'm not a python coder so I had some help by prompting chatgpt4 a few times:

github commit: https://github.com/face/qubes-core-admin-client/commit/5a6dbadae9a5dbd4e09341f38262126ec6ececc7

If that code is close, I would be happy to learn how the automated tests are run, add some, and submit a pull request. However, as I said, I'm not a python coder and got help from chatgpt... so no hard feelings if our code is not used by others, I'm getting mileage :).

For example:

BACKEND:DEVID      DESCRIPTION                                          USED BY
sys-usb:7-1.4      Realtek_USB_10_100_1000_LAN_001000001
sys-usb:8-2.3.3.1  Yubico_YubiKey_OTP+FIDO+CCID
sys-usb:8-2.3.3.4  Yubico_YubiKey_OTP+FIDO+CCID
sys-usb:9-2.4      Realtek_USB_10_100_1000_LAN_111000001

As the DEVID changes on every boot, my new options allow the following in a systemd boot script that runs after sys-usb qube boots:

qvm-usb attach sys-net -m 'Realtek.*111000001'

Also I can use it for things in dom0 like:

qvm-usb attach work -m Yubi -i 0
qvm-usb attach personal -m Yubi -i 1

For completeness, and for anyone else who wants to use my modified qvm-usb: change the pattern and drop the following in dom0 as /usr/lib/systemd/system/attach-nic.service, then run systemctl enable attach-nic.service. This works great for USB wifi NICs too.

[Unit]
Description=Attach USB NIC
After=qubes-vm@sys-usb.service
ConditionKernelCommandLine=!qubes.skip_autostart

[Service]
Type=oneshot
Environment=DISPLAY=:0
ExecStart=/usr/bin/qvm-usb attach sys-net -m 'Realtek.*111000001'
Group=qubes
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target

I'm testing my changes on my system and they are working. So far the script seems backwards compatible too.

The value to a user, and who that user might be

Any Qubes user who would like to have persistent networking on boot when their hardware gives them different device IDs for every boot. Also any user who would like to attach devices based on a name in a single command, without listing and then adding a device in two steps.
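The selection logic the -m/-i options describe, written out as an added example (this is not the code from the linked commit and not part of qubes-core-admin-client). It parses the three-column listing shown above, applies the pattern to the DESCRIPTION column, and resolves the index. The listing format is assumed from the example in this issue; the constructed sample is a copy of it. Two checks are added that the post does not mention: a pattern that matches more than one device with no index given is rejected instead of silently picking the first, and a device whose USED BY column is non-empty is rejected. Both guard against the case the thread goes on to discuss, where a description is supplied by the device itself and can collide with or imitate another device's.

```python
import re
from typing import List, NamedTuple, Optional


class UsbDevice(NamedTuple):
    backend_devid: str   # e.g. "sys-usb:9-2.4"
    description: str     # device-supplied string, NOT a trustworthy identity
    used_by: str         # empty when the device is free


# Constructed sample, copied from the listing in this issue.
SAMPLE_LISTING = """\
BACKEND:DEVID      DESCRIPTION                                          USED BY
sys-usb:7-1.4      Realtek_USB_10_100_1000_LAN_001000001
sys-usb:8-2.3.3.1  Yubico_YubiKey_OTP+FIDO+CCID
sys-usb:8-2.3.3.4  Yubico_YubiKey_OTP+FIDO+CCID
sys-usb:9-2.4      Realtek_USB_10_100_1000_LAN_111000001
"""


def parse_listing(text: str) -> List[UsbDevice]:
    """Parse `qvm-usb` list output (header line first) into UsbDevice rows.

    Assumes the layout shown in the issue: BACKEND:DEVID, DESCRIPTION and an
    optional USED BY column, separated by runs of whitespace.
    """
    devices = []
    for line in text.splitlines()[1:]:          # skip the header row
        parts = line.split(None, 2)
        if len(parts) < 2:
            continue                            # blank or malformed line
        used_by = parts[2].strip() if len(parts) > 2 else ""
        devices.append(UsbDevice(parts[0], parts[1], used_by))
    return devices


def select_device(devices: List[UsbDevice], pattern: str,
                  index: Optional[int] = None) -> str:
    """Return the BACKEND:DEVID to attach for `-m pattern [-i index]`.

    The pattern is a regular expression searched in the DESCRIPTION column,
    matches are kept in listing order, and `index` picks among them.  Unlike
    a plain "first match wins" rule, an ambiguous match without an index is
    an error, and a device already in use is never returned.
    """
    regex = re.compile(pattern)
    matches = [d for d in devices if regex.search(d.description)]
    if not matches:
        raise LookupError(f"no device description matches {pattern!r}")
    if index is None:
        if len(matches) > 1:
            ids = ", ".join(d.backend_devid for d in matches)
            raise ValueError(f"{pattern!r} is ambiguous ({ids}); pass an index")
        chosen = matches[0]
    else:
        if not 0 <= index < len(matches):
            raise IndexError(f"index {index} out of range for {len(matches)} match(es)")
        chosen = matches[index]
    if chosen.used_by:
        raise RuntimeError(f"{chosen.backend_devid} is already attached to {chosen.used_by}")
    return chosen.backend_devid


def attach_command(target_vm: str, backend_devid: str) -> List[str]:
    """Build the argv the existing `qvm-usb attach` form expects."""
    return ["qvm-usb", "attach", target_vm, backend_devid]


if __name__ == "__main__":
    devs = parse_listing(SAMPLE_LISTING)
    # Mirrors the three invocations from the issue.
    for vm, pat, idx in [("sys-net", "Realtek.*111000001", None),
                         ("work", "Yubi", 0), ("personal", "Yubi", 1)]:
        print(" ".join(attach_command(vm, select_device(devs, pat, idx))))
```

Run offline it resolves the sample to sys-usb:9-2.4, sys-usb:8-2.3.3.1 and sys-usb:8-2.3.3.4 respectively; in dom0 the listing would come from the real `qvm-usb` output instead of the constructed sample. Note that the index is positional over the current listing, so it is only stable while enumeration order is.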

andrewdavidwong commented 1 year ago

If I understand correctly, the main security concern with this approach is that a malicious device could advertise itself by a false description in an attempt to get itself automatically attached or to deceive the user into attaching it.

face commented 1 year ago

> If I understand correctly, the main security concern with this approach is that a malicious device could advertise itself by a false description in an attempt to get itself automatically attached or to deceive the user into attaching it.

Good point. This might be a similar security concern as --persistent, which is also supported. I'm not sure if a device can fake advertise itself the way --persistent detects a device?

Which I was actually thinking about last night... it would be nice if --match and --index worked with --persistent too. Then I wouldn't need the attached systemd script. When I have time I'll look at how --persistent works internally, both for the feature and security concerns.