search

QubesOS / qubes-issues

The Qubes OS Project issue tracker
https://www.qubes-os.org/doc/issue-tracking/
541 stars 48 forks source link

`usbcore.authorized_default=0` preventing use of multifunction keyboards to unlock LUKS at boot #8901

Open no-usernames-left opened 9 months ago

no-usernames-left commented 9 months ago

Qubes OS release

R4.2.0

Brief summary

The presence of usbcore.authorized_default=0 in GRUB_CMDLINE_LINUX seems to prevent multifunction keyboards, such as ones with a smart card slot, from being able to enter the LUKS passphrase at boot.

Steps to reproduce

  1. Clean install R4.2.0 on a system with a multifunction keyboard
  2. sudo qubesctl state.sls qvm.usb-keyboard
  3. Verify usbcore.authorized_default=0 is present in GRUB_CMDLINE_LINUX, which it should be
  4. Reboot

Expected behavior

Be able to type your LUKS passphrase

Actual behavior

Sadness

Relevant output of lsusb -v

Bus 002 Device 004: ID 046a:01a2 CHERRY CHERRY SECURE BOARD 1.0
Device Descriptor:
  bLength                18
  bDescriptorType         1
  bcdUSB               2.00
  bDeviceClass            0 
  bDeviceSubClass         0 
  bDeviceProtocol         0 
  bMaxPacketSize0        64
  idVendor           0x046a CHERRY
  idProduct          0x01a2 
  bcdDevice            1.00
  iManufacturer           1 Cherry GmbH
  iProduct                2 CHERRY SECURE BOARD 1.0
  iSerial                 5 [redacted]
  bNumConfigurations      1
  Configuration Descriptor:
    bLength                 9
    bDescriptorType         2
    wTotalLength       0x00af
    bNumInterfaces          4
    bConfigurationValue     1
    iConfiguration          0 
    bmAttributes         0xa0
      (Bus Powered)
      Remote Wakeup
    MaxPower              500mA
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        0
      bAlternateSetting       0
      bNumEndpoints           1
      bInterfaceClass         3 Human Interface Device
      bInterfaceSubClass      1 Boot Interface Subclass
      bInterfaceProtocol      1 Keyboard
      iInterface              3 HID
        HID Device Descriptor:
          bLength                 9
          bDescriptorType        33
          bcdHID               1.11
          bCountryCode            0 Not supported
          bNumDescriptors         1
          bDescriptorType        34 Report
          wDescriptorLength      63
         Report Descriptors: 
           ** UNAVAILABLE **
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x81  EP 1 IN
        bmAttributes            3
          Transfer Type            Interrupt
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0040  1x 64 bytes
        bInterval               4
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        1
      bAlternateSetting       0
      bNumEndpoints           1
      bInterfaceClass         3 Human Interface Device
      bInterfaceSubClass      0 
      bInterfaceProtocol      0 
      iInterface              3 HID
        HID Device Descriptor:
          bLength                 9
          bDescriptorType        33
          bcdHID               1.11
          bCountryCode            0 Not supported
          bNumDescriptors         1
          bDescriptorType        34 Report
          wDescriptorLength      52
         Report Descriptors: 
           ** UNAVAILABLE **
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x82  EP 2 IN
        bmAttributes            3
          Transfer Type            Interrupt
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0040  1x 64 bytes
        bInterval               4
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        2
      bAlternateSetting       0
      bNumEndpoints           3
      bInterfaceClass        11 Chip/SmartCard
      bInterfaceSubClass      0 
      bInterfaceProtocol      0 
      iInterface              2 CHERRY SECURE BOARD 1.0
      ChipCard Interface Descriptor:
        bLength                54
        bDescriptorType        33
        bcdCCID              1.10  (Warning: Only accurate for version 1.0)
        nMaxSlotIndex           0
        bVoltageSupport         7  5.0V 3.0V 1.8V 
        dwProtocols             3  T=0 T=1
        dwDefaultClock       3685
        dwMaxiumumClock     14320
        bNumClockSupported      0
        dwDataRate           9909 bps
        dwMaxDataRate      848000 bps
        bNumDataRatesSupp.      0
        dwMaxIFSD             254
        dwSyncProtocols  00000000 
        dwMechanical     00000000 
        dwFeatures       000404BA
          Auto configuration based on ATR
          Auto voltage selection
          Auto clock change
          Auto baud rate change
          Auto PPS made by CCID
          Auto IFSD exchange
          Short and extended APDU level exchange
        dwMaxCCIDMsgLen       271
        bClassGetResponse      00
        bClassEnvelope         00
        wlcdLayout           none
        bPINSupport             3  verification modification
        bMaxCCIDBusySlots       1
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x83  EP 3 IN
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0040  1x 64 bytes
        bInterval               0
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x03  EP 3 OUT
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0040  1x 64 bytes
        bInterval               0
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x84  EP 4 IN
        bmAttributes            3
          Transfer Type            Interrupt
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0040  1x 64 bytes
        bInterval               4
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        3
      bAlternateSetting       0
      bNumEndpoints           2
      bInterfaceClass         3 Human Interface Device
      bInterfaceSubClass      0 
      bInterfaceProtocol      0 
      iInterface              4 SKM
        HID Device Descriptor:
          bLength                 9
          bDescriptorType        33
          bcdHID               1.11
          bCountryCode            0 Not supported
          bNumDescriptors         1
          bDescriptorType        34 Report
          wDescriptorLength      33
         Report Descriptors: 
           ** UNAVAILABLE **
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x05  EP 5 OUT
        bmAttributes            3
          Transfer Type            Interrupt
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0040  1x 64 bytes
        bInterval               4
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x85  EP 5 IN
        bmAttributes            3
          Transfer Type            Interrupt
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0040  1x 64 bytes
        bInterval               4
Device Status:     0x0000
  (Bus Powered)
marmarek commented 9 months ago

Actual behavior

Sadness

Indeed :(

But for this, we need https://github.com/USBGuard/usbguard/issues/67 implemented first.

IOZZYS commented 9 months ago

I wouldn't want an infected keyboard to be able to give dom0 usb access to other devices included within the keyboard as if it were a usb-hub with dom0 access. I might be too much of a noob to understand why this^ isn't an issue but I still wanted to mention why it made my raise my eyebrow.

marmarek commented 9 months ago

I wouldn't want an infected keyboard to be able

If your USB keyboard is malicious (and you allowed USB keyboard), you are in pretty bad situation already. See https://www.qubes-os.org/doc/device-handling-security/#security-warning-on-usb-input-devices

But still, we'd like to not make attacker life easier. If you choose to allow keyboard, lets allow just "keyboard", not "keyboard and everything else provided by the same physical device". But for that, we need interface-level control in usbguard, which is not implemented yet.

3hhh commented 9 months ago

For now users can adjust the dom0 usbguard policy to allow their specific device and re-create initramfs afterwards.

no-usernames-left commented 9 months ago

How's that achieved? It doesn't seem to be anywhere in the documentation.

3hhh commented 9 months ago

On 2/4/24 11:07, no-usernames-left wrote:

How's that achieved? It doesn't seem to be anywhere in the documentation.

Use the standard usbguard rules folder at /etc/usbguard/rules.d/ and check the dracut manpage on how to regenerate your initramfs.

stinethebean3 commented 2 months ago

After I first rebooted my computer after installing Qubes 4.2.2 I ran into this bug. I use a Moonlander keyboard.

I had to remove the usbcore.authorized_default=0 from my Grub config in order to have a bootable system, which I then had to update the grub config via dom0 so that it would be fixed moving forward.