Doesn't understand sys-usb controllers

Im new to this : So if i have a usb qube , my mouse and keyboard are connected to the usb qube. If i insert a usb stick its also connected to the sys-usb.
How can i make sure the mouse and keyboard only have access to dom0 and the usb devices only to the sys-usb?

Here are the resources:

If you have several USB controllers, you can create several sys-usb qubes and isolate the devices.

1 Like

Do you have a PC or a laptop? If you have PC you can use multiple USB controllers adding new ones if needed to PCIe slots. In case of laptop - you are mostly limited with what you have.

If you have the sys-usb vm, which sounds like you do, you are already good to go. Mouse and keyboard can only connect to dom0 through some pre-defined policies, all other usb devices cannot connect to dom0 by default.

For extra peace of mind, you could separate the use of the usb controllers, as mentioned in previous replies, but if your only goal is to prevent a usb stick from connecting to dom0, that’s already achieved.

You can check what’s attached to dom0 through a usb port with lsusb. Otherwise, run qvm-usb to see where the various usb devices are attached.

1 Like

How can i make more sys-usb’s? i dont see it in the documentation

sudo qubesctl state.sls qvm.usb-keyboard
( makes a sys-usb) if i use it multiply times it still creates 1.
If i clone the sys-usb on GUI than i cant run multiply sys-usb’s at the same time.

If my sys-usb is compromised then the attacker can have access to my dom0 keyboard and mouse right?
Thats why i want the keyboard and mouse to only have access to dom0 never to an sys-usb but it does that automatically.

sys-usb is disposable, which means that when you restart it, it goes back to its original state, so as long as the template (and the controller) are not compromised, that shouldn’t be an issue. To further mitigate this, you can create a sys-usb-2 and assign it a different usb controller (if you have it).

It’s not recommended because then you’d have direct access to dom0 through a usb port.

# Get the template used for the current sys-usb
[user@dom0 ~]$ usb_tmpl=$(qvm-prefs sys-usb template)
# Create the new sys-usb
[user@dom0 ~]$ qvm-create --disp -t $usb_tmpl --prop netvm='' --prop provides_network=True --prop virt_mode=hvm sys-usb-2

Finally attach the usb controller of your choice as I explained in the last bit here: WiFi network missing from Connections - #2 by BEBF738VD

Tip: to get a list of available USB controllers: qvm-pci | grep USB

Note: if you want both sys-usb and sys-usb-2 running at the same time, you need to detach from the former, the usb controller that you attach to the latter, otherwise one of them won’t start.


So if i plug a compromised usb into a sys-usb where my mouse and keyboard is connected tho.
Then the attacker can compromise my dom0 because he can use my keyboard right?
If he can , will i see it on my screen? or can he do it undetected?