Automatically link USB device to AppVM

I cannot find it, but I remember someone posted a way to automatically link a USB device to a dedicated AppVM, i.e. a Yubikey / Nitrokey should always be mounted to the vault AppVM after Qubes starts.

Could someone point me to the doc, chat or explain here the steps for this setup?
Thank you

I can see how that may be convenient for some. I have seen some folks (one example is on Reddit) use combinations of udev rules which exec Qubes RPC scripting to attach the device to a specific qube when inserted.

However, here be dragons

I can see a problem with this idea. A Yubikey also functions as a USB HID (like a keyboard does). If you implement auto mounting of the device to vault, and badguy™ were to modify the USB device ID of a standard keyboard (to have it present as a Yubikey device ID) - then simply plugging that modified keyboard into any USB port on your machine would suddenly auto mount it into vault. I believe this would then give that keyboard typing rights inside of the vault. I'm pretty sure (but have not tested to confirm, ymmv) that would be the case even if the screen is locked. A very dangerous situation, IMHO.

Auto mounting of USB devices isn't something I'm aware of existing in Qubes OS, for good reason. Even with hacky workarounds, there is great risk.


Well, I thought I’m safe since I’m using a notebook keyboard.
Anyways, thanks for your reply and concerns.

A Yubi will show up as a 2nd keyboard, because there has to be a way to convey the OTP into the system when you hit the button (that's why when you hit the OTP button, you see *************** (etc) in the terminal/browser/wherever). It's showing up as a 2nd keyboard.
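The concern raised in the replies above, as an added example that is not part of the original thread: a check a udev-triggered helper could run before attaching anything, showing that a vendor/product ID match cannot tell a token from a keyboard claiming the same IDs, and that the interface list reveals whether the device can type. The property names `ID_VENDOR_ID`, `ID_MODEL_ID` and `ID_USB_INTERFACES` are the ones udev exports for USB devices; the function names, the `aaaa:bbbb` ID pair and all device records are constructed for illustration.

```python
# Added example; device records below are constructed, not captured from real hardware.
HID_CLASS = 0x03  # USB interface class used by keyboards, mice and other input devices

# Placeholder vendor:product pair standing in for the token a rule would match on.
ALLOWED_IDS = {("aaaa", "bbbb")}


def parse_interfaces(prop):
    """Split udev's ID_USB_INTERFACES (':030101:0b0000:') into (class, subclass, protocol)."""
    triples = []
    for chunk in filter(None, prop.split(":")):
        if len(chunk) != 6:
            raise ValueError(f"unexpected interface triple: {chunk!r}")
        triples.append(tuple(int(chunk[i:i + 2], 16) for i in (0, 2, 4)))
    return triples


def id_only_match(props, allowed=ALLOWED_IDS):
    """The naive rule: trust whatever vendor/product ID the device reports."""
    return (props.get("ID_VENDOR_ID"), props.get("ID_MODEL_ID")) in allowed


def attach_decision(props, allowed=ALLOWED_IDS):
    """Return 'ignore', 'manual' (device can send input) or 'candidate'."""
    if not id_only_match(props, allowed):
        return "ignore"
    interfaces = parse_interfaces(props.get("ID_USB_INTERFACES", ""))
    if any(cls == HID_CLASS for cls, _sub, _proto in interfaces):
        # Same IDs as the token, but it can type: never attach this unattended.
        return "manual"
    return "candidate"


# Constructed udev property sets.
TOKEN_WITH_OTP = {"ID_VENDOR_ID": "aaaa", "ID_MODEL_ID": "bbbb",
                  "ID_USB_INTERFACES": ":030101:030000:0b0000:"}
SPOOFED_KEYBOARD = {"ID_VENDOR_ID": "aaaa", "ID_MODEL_ID": "bbbb",
                    "ID_USB_INTERFACES": ":030101:"}
TOKEN_CCID_ONLY = {"ID_VENDOR_ID": "aaaa", "ID_MODEL_ID": "bbbb",
                   "ID_USB_INTERFACES": ":0b0000:"}
OTHER_MOUSE = {"ID_VENDOR_ID": "cccc", "ID_MODEL_ID": "dddd",
               "ID_USB_INTERFACES": ":030102:"}

if __name__ == "__main__":
    for name, dev in [("token+otp", TOKEN_WITH_OTP), ("spoofed kbd", SPOOFED_KEYBOARD),
                      ("token ccid", TOKEN_CCID_ONLY), ("mouse", OTHER_MOUSE)]:
        print(f"{name:12} id_match={id_only_match(dev)!s:5} decision={attach_decision(dev)}")
```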