Disk password box not showing (usb in dom0 is not restricted)

Qrexec policy is different. It’s a policy that can allow or disallow the qrexec connections between qubes. E.g. allow or disallow USB attachment from sys-usb to some other qube.

So what do you suggest? Is using the Qubes USB policy a viable option for those who have installed Qubes on USB sticks?

No.

Just blindly trusting and hoping that the USB you attach is not malicious is just not a safe approach.

You only need to trust your USB disk where you installed Qubes OS and USB keyboard/mouse.
All other USB devices can be malicious but you need to connect them to USB controllers attached to sys-usb.

Yes, that’s only what I wish to do. It’s OK that USB mouse and keystrokes can be read if sys-usb gets compromised, but at least the mouse and keyboard input should pass through sys-usb and not directly to dom0, and the same for any other USB devices attached to the system.

Now my problem is the PCI passthrough, giving the error I mentioned. I might have to start a new thread or post for that. But thanks for the support, appreciate it.

It can read and send input to dom0. So a malicious device connected to sys-usb that has a USB keyboard connected to it as well can basically control dom0.

I’ve linked to the doc that describes how to fix it above:

Is this the same for any scenario, even when Qubes is installed on an internal drive? Irrespective of anything, you should not connect a USB mouse or USB keyboard to sys-usb?

@apparatus

Yes:

I was able to get the password box, but now when I plug the USB stick into any port the password box shows. Why is that, when I hid the other ports?

Multiple physical USB ports can be connected to the same USB controller.
That’s why I’ve suggested that you check which USB ports are connected to which USB controller:

OK, I just did that and a bunch of details showed. How do I find the data I want?

You mean in the lsusb output?
Just compare the lsusb output when the USB device is not attached to a specific USB port to the lsusb output when the USB device is attached to that specific USB port.
If you see an additional line there with the attached device, then it means that this USB port is connected to the USB controller attached to dom0.
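
The comparison described above, as an added example that is not part of the original thread: it diffs two saved lsusb captures and, going one step beyond the post, resolves the new device's bus to its PCI controller address through sysfs. The capture contents and function names are constructed for illustration, and the optional sysfs-root argument is an assumption added so the lookup can be tested.

```sh
#!/bin/sh
# Added example (not from the thread). Intended to be run in dom0.

# Lines present in the second lsusb capture but not in the first,
# i.e. devices that appeared after plugging something in.
new_usb_lines() {   # $1 = capture file before plugging in, $2 = capture file after
    grep -Fxv -f "$1" "$2" || true
}

# Bus number of an lsusb line: "Bus 001 Device 004: ..." -> 1
bus_of_line() {
    printf '%s\n' "$1" | awk '$1 == "Bus" { print $2 + 0 }'
}

# PCI address of the controller behind a USB bus, resolved through sysfs.
# $2 overrides the sysfs root (assumption, for testing); the default is /sys.
controller_of_bus() {
    root_hub="${2:-/sys}/bus/usb/devices/usb$1"
    [ -e "$root_hub" ] || { echo unknown; return 0; }
    # The root hub's parent directory is the controller's PCI device.
    basename "$(dirname "$(readlink -f "$root_hub")")"
}

# Demo on constructed captures (sample data, not output from a real machine).
tmp=$(mktemp -d)
cat > "$tmp/before" <<'EOF'
Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 001 Device 002: ID 046d:c31c Logitech, Inc. Keyboard K120
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
EOF
{ cat "$tmp/before"
  echo 'Bus 001 Device 005: ID 0781:5567 SanDisk Corp. Cruzer Blade'
} > "$tmp/after"

new_usb_lines "$tmp/before" "$tmp/after" | while IFS= read -r line; do
    bus=$(bus_of_line "$line")
    echo "new device on bus $bus (controller $(controller_of_bus "$bus")): $line"
done
rm -rf "$tmp"
```

On a real system, save `lsusb > before` with the port empty and `lsusb > after` with the device attached, and pass those two files instead. Ports that report the same controller address cannot be split between dom0 and sys-usb.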

For each USB used there is a new line added to the lsusb output. What should be done next? But if that shows, there’s a separate terminal for each USB port. Then why the issue?

That means that all your USB ports are connected to the same USB controller.
Do you have a laptop or a desktop?

Laptop. So what needs to be done now, and what does it mean in the context of hiding USB ports?

Then you can’t use sys-usb to safely connect the untrusted USB devices since all your USB ports are connected to the same USB controller.
It seems that other USB controllers are used internally in your laptop.
Maybe you can add an additional PCI USB controller to your laptop with PCI Express or Thunderbolt if your laptop supports it.

But in the sys-usb devices tab it shows more than one USB controller. Are those actually USB ports and not controllers?

The devices tab in sys-usb lists PCI USB controllers.
But it could be that the USB controllers are not wired to the external USB ports and are only used inside the laptop.

Is there a way to find out for sure? Like the lspci | grep -i usb command

or some other command?