freedomofpress / securedrop-workstation-docs

User documentation for the SecureDrop Workstation
https://workstation.securedrop.org/
GNU Affero General Public License v3.0

Clarify impact of BIOS recommendations on USB-C operation #32

Closed eloquence closed 4 years ago

eloquence commented 4 years ago

As noted in https://github.com/freedomofpress/securedrop-workstation-docs/pull/31#pullrequestreview-394156253 our current BIOS recommendations may interfere with USB-C operation, which seems potentially disruptive of normal use cases. Let's discuss the security benefits of this recommendation in the context of our threat model.

eloquence commented 4 years ago

I'm guessing that the specific recommendation that's causing trouble is:

Disable Thunderbolt ports, or any other ports that allow Direct Memory Access (DMA).

If so, why is this recommendation important? Is it critical that we preserve it? What is its impact on USB-C operation?

emkll commented 4 years ago

I would strongly recommend we preserve that recommendation. Thunderbolt devices connected to the VM can introspect and modify RAM on the host. You can see https://github.com/carmaa/inception for examples of what can be done with these types of attacks. Some operating systems have mitigations in place, but disabling this feature at a firmware level provides strong assurances that the likelihood of attacks is either significantly reduced or completely eliminated.

A search in the Qubes issues repo suggests that even with Thunderbolt enabled in the BIOS, Thunderbolt/USB-C ports will not work in Qubes: https://github.com/QubesOS/qubes-issues/issues/5522. It seems like we should update the documentation to not only recommend, but require the use of USB type A drives.
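A way to check from a running Linux system what the firmware setting discussed above leaves exposed, added here as an example that is not part of the thread or of the SecureDrop documentation. It reads the kernel's Thunderbolt sysfs attributes (`security` and `iommu_dma_protection`); the function name `tb_status` and its root-directory argument are assumptions of this example.

```shell
#!/bin/sh
# Added example: report Thunderbolt exposure as seen by the running kernel.
# The optional argument (an assumption of this example) replaces /sys so the
# check can be pointed at a constructed test tree.

tb_status() {
    root="${1:-/sys}"
    bus="$root/bus/thunderbolt/devices"
    found=0
    for dom in "$bus"/domain*; do
        # An unmatched glob stays literal; skip anything that is not a directory.
        [ -d "$dom" ] || continue
        found=1
        name=$(basename "$dom")
        level=unknown
        iommu=unknown
        [ -r "$dom/security" ] && level=$(cat "$dom/security")
        [ -r "$dom/iommu_dma_protection" ] && iommu=$(cat "$dom/iommu_dma_protection")
        case "$level" in
            none)
                verdict="EXPOSED: PCIe tunnels are set up without approval" ;;
            user|secure)
                verdict="GATED: devices need authorization before PCIe access" ;;
            dponly|usbonly|nopcie)
                verdict="NO-PCIE: PCIe tunneling is off at this level" ;;
            *)
                verdict="UNKNOWN: unrecognized security level" ;;
        esac
        echo "$name security=$level iommu_dma_protection=$iommu $verdict"
    done
    if [ "$found" -eq 0 ]; then
        echo "no Thunderbolt domain visible (controller disabled, absent or powered down)"
    fi
    return 0
}

# Stand-alone use: inspect the live system, or the tree named in SYSFS_ROOT.
tb_status "${SYSFS_ROOT:-/sys}"
```

Run it in the domain that owns the controller. An empty result is not proof on its own, since some controllers only appear while a device is plugged in, so compare against the firmware setup screen.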

eloquence commented 4 years ago

Thanks @emkll; it seems problematic to me if an emerging new standard is unavailable to our users in the long run, but given the security risks and lack of Qubes support it looks like there's no way around the USB type A requirement.

Based on a cursory investigation of what's available on Amazon and CDW, it looks like most USB-C flash drives currently on the market are "2 in 1" -- you can use either connector. I'm going to order one of those for testing.

eloquence commented 4 years ago

A search in the Qubes issues repo suggests that even with Thunderbolt enabled in the BIOS, Thunderbolt/USB-C ports will not work in Qubes

Hm, on a closer read this may be more of an issue with PCI hotplug; I'm able to browse files on my Android device via USB-C cable plugged into USB-C/Thunderbolt port on T480 just fine in Qubes (I've not changed BIOS defaults), and @rmol confirms successful use of a YubiKey with USB-C in Qubes.

eloquence commented 4 years ago

I tested disabling Thunderbolt in the BIOS of my T480 (the docs don't specify what to do; here's what I did: "Security -> IO Port access -> Thunderbolt(TM) 3 -> Disabled"). Qubes now no longer starts sys-usb at all, manual attempts to start it fail with Domain sys-usb has failed to start: PCI device dom0:3c_00.00 does not exist.

Is that because I changed the BIOS settings after the install? I'm curious what exact behavior others observe when changing the BIOS settings before the install. Do USB-C devices not get recognized anymore? Fail to attach?

conorsch commented 4 years ago

Is that because I changed the BIOS settings after the install?

Yes! During installation, Qubes enumerated USB & some PCI-E devices and persistently attached those to sys-usb. You can still recover: run qvm-pci in dom0, find the problematic device (the Thunderbolt one), and run qvm-pci detach sys-usb <device>. Then you're good going forward.

Do USB-C devices not get recognized anymore? Fail to attach?

More testing required, although several folks are reporting USB-C will continue to work.

(the docs don't specify what to do; here's what I did: "Security -> IO Port access -> Thunderbolt(TM) 3 -> Disabled").

Hmm, good point. There are actually two places in the BIOS where Thunderbolt can be marked as "Disabled" iirc.

eloquence commented 4 years ago

You can still recover: run qvm-pci in dom0, find the problematic device (the Thunderbolt one), and run qvm-pci detach sys-usb <device>. Then you're good going forward.

qvm-pci did not list it for me, but I could detach it by specifying the ID from the error message. sys-usb now runs again, but the USB-C/Thunderbolt port no longer appears to work (USB-A ports do; my T480 doesn't have any other USB-C ones to test with).

More testing required, although several folks are reporting USB-C will continue to work.

Open questions from my perspective:

If our BIOS recommendation has narrow impact just on use of the dual Thunderbolt/USB-C port, then I think we can live with it for some time, but should IMO re-evaluate regularly.

eloquence commented 4 years ago

Good news, everyone! With our BIOS settings, at least on the current T480, it turns out that you can use USB-C devices in the port that you'd ordinarily plug your power adapter into. Just plug the power adapter into the Thunderbolt port instead -- it'll still supply power just fine, even if Thunderbolt is disabled (it even has a little power LED).

Did some additional testing:

Long term, I do think we should aim to continue to have a laptop recommendation that enables users to use USB-C without adapters, because these devices are becoming increasingly common, especially for hubs (see the selection of USB hubs on Amazon, for example).

conorsch commented 4 years ago

You can see https://github.com/carmaa/inception for examples of what can be done with these types of attacks.

See also the more recent https://thunderspy.io/