After giving a desperate try to sys-gui, and spending several hours recovering things that broke, I want to rise this question again:
can we introduce (optional on the installation phase) a set of fallback scripts that would make sure there is always at least one keyboard and one mouse accessible to the system and not locked out by policy misconfiguration? Like, run a check every 5 minutes and doing “emergency attach” to dom0?
Also if you ask me, having a dedicated dom0 usb controller adds nearly nothing to security unless you have all ports and wires on said controller epoxy sealed.
1 Like
It won’t change anything if the attacker has physical access to your PC but it can protect you from malicious devices.
Here is an example:
You have printer that is connected to your network with Ethernet/WiFi and to your Qubes PC with USB.
If you don’t have dedicated USB controller for USB keyboard/mouse in dom0 and if it’s a really smart printer with some linux inside and has the ability to reconfigure it’s USB function then if your printer will be hacked over network and reconfigured as USB keyboard then printer will be connected to dom0 and attacker can have remote access to your Qubes.
1 Like