Open marmarta opened 9 months ago
Current early prototype: https://design.penpot.app/#/view/94d0bf99-a273-8157-8003-202ca9b178da?page-id=8a7ef8a5-cf6f-807c-8003-2165f016cdc1§ion=interactions&index=0&share-id=52961d58-0a92-80c2-8003-285ff4e779c2
I’d like to see some more separation between the qube names, to reduce the chances of accidentally clicking on the wrong qube.
Thanks for the preview. Is that a future default font for R4.2 or images are just stretched vertically? Spaces are a bit off, especially on the 3-rd image.
An idea: per-device favorite qube list, even automatic (see at the end).
If user has devices webcamera
, usb printer
, flask disk
, usb-ethernet
they probably want to connect each of them the same qube or qubes, e.g.:
skype
and whatsapp
qubes, or some videoconf
qubeprinter
qube with printer proprietary driversusb-storage
qube that manages flash drives safely without connecting block device to more valuable offline qubes.So, adding all these qubes to favorites will be not great, it will make chances to connect wrong device to wrong qube quite high, including adding network adapter to always-offline qubes and vaults.
Seems better to provide submenu for each device a bit differently, on PER-DEVICE basis.
In can be done automatically without user actions - user connects some device to some qube(s) several times and this/these qube(s) are in the top part of the qubes list for this device, maybe also with different distinctive font color or background.
The problem with per-device favorites is simple: what is a device? There is no good way of actually ID-ing a device; the best we have is what the device introduces itself as, which can be nothing (for many usb sticks it's like that), and device type; I'm think right now a "per device-type" favorites could work.
Thanks for the preview. Is that a future default font for R4.2 or images are just stretched vertically? Spaces are a bit off, especially on the 3-rd image.
That's just a mockup, using Source Sans Pro because it's convenient.
There is no good way of actually ID-ing a device; the best we have is what the device introduces itself as, which can be nothing (for many usb sticks it's like that), and device type; I'm think right now a "per device-type" favorites could work.
lsusb
shows ID for the device model, plus BUS and Device numbers. Those combinations stay unique till hardware configuration change.
udevadm info --name=/dev/bus/usb/001/002 --query=property
shows a lot of properties, too. Here 001
- BUS number, 002 - Device number. That call does not even require root
rights, so OK for user's apps.
Advanced users can modify udev
rules to name devices based on their serial IDs.
Thanks for opening this discussion @marmarta, the mockups look so great. I'm going to try to separate feedback into 'stuff around the UI itself' and 'possible feature changes.'
Possible feature changes
qubes-prefs
would be cool. (For example, if your system default dispvm is fedora-38-dvm, but you want your default USB qube to be a non-networked/otherwise hardened dispvm)Feedback on current UI (sounds like much of this is what's on your mind already to address with these mockups):
sys-usb:X-Y
in the top menu?To @jamke's point, this is something SecureDrop Workstation has discussed a lot (is there any way to "remember" devices that are always attached to certain VMs to make a user's life more convenient), but basically, devices can lie or represent themselves badly, so it seems like a risky idea. It might be OK if you were treating all your devices as default-untrusted and just deciding which untrusted environment to dump them into, but as soon as you are trying to do that to identify trusted devices (and presumably autoattach them to more trusted VMs) it seems risky.
but basically, devices can lie or represent themselves badly, so it seems like a risky idea.
How is it possible for USB device to lie about Bus and Device numbers inside dom0
or sys-usb
? And PCI IDs?
And about name that device provides itself: it simply should be used as an additional factor. If unspoof-able IDs like Bus+Device and PCI id are the same as saved in config and the name is different then consider that device as not favorite to this qube, it simply will be among other devices as it is now.
Here
001
- BUS number, 002 - Device number.
Those do not identify device itself, but rather where and when it was plugged in. If you want to see yourself, unplug a device and plug it back in. It will get a different device number even though it's the same device. Similarly, the current ID used by qvm-block/qvm-usb is only about where device is plugged in (more or less controller/hub number) - if you plug a different device into the same port, it will get the same ID as the earlier one.
udevadm info --name=/dev/bus/usb/001/002 --query=property
Those properties on the other hand is what device says about itself. And most of those can be trivially spoofed by the device itself. This is for example what USB Rubber Ducky and similar products do. Benign device will present some sensible values, but nothing prevents a malicious device (you found on a parking lot for example) presenting the same thing and hoping it will get automatically attached to some sensitive qube.
Those do not identify device itself, but rather where and when it was plugged in.
I see, I thought those stay the same (like in qvm-pci
) until PCI hardware configuration is not changed. Than yes, Bus and device numbers are changed too often to rely on. Unspoofable by device, but not persistent enough.
Those properties on the other hand is what device says about itself. And most of those can be trivially spoofed by the device itself.
Yes, that I understand, that is why I proposed to consider it as an additional factor that can only be considered only as an addition to some unique IDs.
What is the solution in case of usual GNU/Linux? Can it somehow distinguish devices or it is not possible by design (by USB protocol or something)?
Another thought: is it that important to rely on some ID in case we consider adding favorite USB devices in the first place? I mean, if there are favorite USB devices, they still can be spoofed in the same manner, then why use combined favorite device instead of much more convenient per-qube approach I described before?
In other words: What is the advantage of united favorites over per-qube favorites? The latter is more convenient and more error-resistant, and both not secure in the same way. Maybe I do not see something.
What is the solution in case of usual GNU/Linux? Can it somehow distinguish devices or it is not possible by design (by USB protocol or something)?
Generally no, USB specification does not provide any means for unspoofable device identification. And most OSes do not deal with this issue at all - for example if you connect something that presents itself as a keyboard, it can freely type in commands - that's why devices like USB Rubber Ducky are very effective.
I Like the granularity of "device presents itself as this type" (perhaps depending on Linux kernel in sys-usb to categorize):
And creating opt-in or opt-out associations with each Qube.
Yes a device can spoof but maybe you want to always block storage devices from your Vault, say.
Possibly also consider a guard in sys-usb that by default auto-disconnects a device that changes flavors (if not already there), unless that behavior is disabled by the user.
Composite devices exist, as do devices that modify their endpoints (as a non-hacking feature) like some of the older YubiKeys.
Just food for thought. May or may not be a user need for this kind of filtering.
B
I have a brilliant UX idea for this topic! At least I would find it very convenient.
How about showing some label or icon "NEW" near device name in the list that
The device should stay NEW after being shown for the first time for some small time like a minute to prevent it from loosing NEW icon after opening the widget menu fast twice.
Also connecting device to any qube should instantly make the device not NEW.
It should cover the most common case: user inserts device (block device or not) and tries to connect it somewhere. He will instantly find the connected device. And no spoofing is possible if the system can process events of connections and disconnections. When I think about it, I do not know why isn't it a case in all OSes yet. :)
Current early prototype: https://design.penpot.app/#/view/94d0bf99-a273-8157-8003-202ca9b178da?page-id=8a7ef8a5-cf6f-807c-8003-2165f016cdc1§ion=interactions&index=0&share-id=52961d58-0a92-80c2-8003-285ff4e779c2
Small typos: USB Input Devices
-> USB input devices
, diable
-> disable
, Note: in
-> Note: In
To @jamke's point, this is something SecureDrop Workstation has discussed a lot (is there any way to "remember" devices that are always attached to certain VMs to make a user's life more convenient), but basically, devices can lie or represent themselves badly, so it seems like a risky idea. It might be OK if you were treating all your devices as default-untrusted and just deciding which untrusted environment to dump them into, but as soon as you are trying to do that to identify trusted devices (and presumably autoattach them to more trusted VMs) it seems risky.
The only unspoofable information about a device is where the device is plugged in. FIDO2 security keys are an exception because of attestation.
The only unspoofable information about a device is where the device is plugged in.
For the above reason (and also because some people's workflows involve different kinds of block storage devices, some trusted and some decidedly untrusted), it would be nice to avoid a redesign that makes any assumptions or nudges the user towards opening all devices of one type in the same qube. (This is a slight counterpoint to what @brendanhoar is suggesting and/or to the "favorite qube" in the mockups, I think).
For certified hardware, I think Qubes should display a graphic explaining where the device is plugged in, which the user can cross-reference against the physical devices currently plugged in.
Just saw the talk @marmarta gave at the QubesOS Summit today and I love the new device manager idea. My favorite would be concept "Bob" but with all the information concept "Alice" supplies available on mouse hover.
It's brilliant work in the mock-up :). I also like the idea I saw @jamke suggested above about including a marker for "new" devices since the menu was last opened or in the past few minutes.
After a lot of exploration of feasibility, portability to other desktop environments or Wayland weirdness, I figured out that a big part of this approach was not great - menus, as an object type, are not made to be so fancy. We can extend functionality in widget menus, but this remains badly discoverable and awkward to use (also awkward to use without a mouse). Thus, an upgrade of the plan:
After a lot of exploration of feasibility, portability to other desktop environments or Wayland weirdness, I figured out that a big part of this approach was not great - menus, as an object type, are not made to be so fancy.
Can you please explain? Menus that are rendered out-of-process are indeed limited, but I assume that the devices code would render the menus itself via GTK.
Brief summary
Current device UX: not great. Desired state: better.
Main pain points: