How to add an exception to the USB keyboard?

So when I plug my USB keyboard into my laptop I have to manually give permission whenever I want to use it with a specific VM. Normally this wouldn’t be too much of a problem (I can choose not to do work on the dom0 terminal while having a plugged-in keyboard). But the problem is that I can’t allow this keyboard to more than one VM at a time. Hence I constantly have to manually enable and disable it whenever I have to switch to a different VM, and I won’t have any possibility of copy/pasting text between VMs while I’m working on it.

So I wonder if it’s possible to add an exception in sys-usb for this particular USB keyboard that I trust.

I’m not sure exactly what it is you want.
Is it the case that you only want this keyboard to work in specific
qubes, and not across the whole system? Or something else?
The USB keyboard is controlled at:
/etc/qubes-rpc/policy/qubes.InputKeyboard
and has entries like:
sys-usb dom0 allow

If you don’t want the keyboard in dom0, but do want it attached to
some subset of qubes, you could try installing the receiver package in
those qubes, and then adding individual entries with accept. I haven’t
tried this and have no idea if it will work.
But this would block the keyboard from being used in dom0 - you may be
fine with this, but there’s risk of locking yourself out of the system.
Be very careful unless you have a recovery plan in place.

In the docs:

1 Like

Hi @unman, thanks for all of your Qubes help & contributions,

The opposite. Right now it only works for a single qube at a time, I can’t make it work for more than two qubes at the same time. But I’m fine with connecting it directly to dom0.

My /etc/qubes-rpc/policy/qubes.InputKeyboard has $anyvm $anyvm deny, so is it sufficient to just change it to sys-usb dom0 allow?

Mine has an entry:
sys-usb dom0 allow,user=root
Put that at the top of the file and you should have a USB keyboard
attached to sys-usb, but used in dom0.

2 Likes

The Qubes Documentation covers the USB Keyboard usage options in the section on USB Qubes:

About halfway down the page are the sub-sections:

Enable a USB keyboard for login
Automatic Setup
Manual Setup

2 Likes

Sorry to reopen this old topic, but I would like to enable only the USB keyboard I use at home. Is it possible to enable just that, or, as I understand from the USB Qubes document, does it enable all USB keyboards?
Thanks

As far as I think I understand, the problem is as follows:
you enable a USB keyboard, then any malicious USB device can say: “hey, I am a keyboard” and then gain access to dom0… and, GAME OVER. The malicious device can do anything dom0 can do.

I have to disagree: each USB device has an ID to identify the product, so the malicious USB device has to know that you have that particular type of keyboard at home. For example, this is my keyboard from the lsusb command:
Bus 001 Device 004: ID 1532:0228 Razer USA, Ltd BlackWidow Elite

Well, that makes sense, BUT remember info travels on the bus (Universal Serial Bus) without any protection. So, imagine your laptop webcam, which is a USB device, is compromised. Sure, the webcam firmware can potentially be made to sniff the bus and then identify itself not as a webcam, but as a keyboard. Game over.
Sure… that is kind of elaborate, but certainly possible.

Use udev to restrict the possibilities, so that only valid
devices can be used as keyboard input. This effectively deals with any
malicious USB device. You want to whitelist the exact USB keyboard.

If possible, only use 1 port allocated to the usb qube which handles the
keyboard. Have another disposable USB qube to handle other ports and
connect block devices/webcams etc to that qube.

If you lose control of your machine, then having a rogue usb device is
the least of your problems.
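
An added example, not part of the thread and not Qubes code: the allowlist decision suggested above, written as a shell function that reads a device's udev properties and accepts a USB keyboard only when its reported vendor:product ID is listed (1532:0228 is the ID from the lsusb line earlier in the thread). The function names and the sample property dumps are constructed for illustration; the IDs are values the device reports about itself, so the check narrows what is accepted rather than authenticating the device.

```shell
#!/bin/sh
# Added example (not Qubes code). Allowlist of vendor:product IDs, space separated;
# 1532:0228 is the keyboard from the lsusb line quoted in the thread.
ALLOWED_KEYBOARDS="1532:0228"

# Print the value of property $1 from KEY=VALUE lines on stdin.
prop() {
    sed -n "s/^$1=//p" | head -n 1
}

# Read a udev property dump on stdin and print one verdict:
#   ignore - not a USB keyboard, the allowlist does not apply
#   allow  - USB keyboard whose reported vendor:product is on the allowlist
#   deny   - USB keyboard that is not listed, or whose IDs are missing/malformed
classify_device() {
    props=$(cat)
    bus=$(printf '%s\n' "$props" | prop ID_BUS)
    is_kbd=$(printf '%s\n' "$props" | prop ID_INPUT_KEYBOARD)
    if [ "$bus" != "usb" ] || [ "$is_kbd" != "1" ]; then
        echo ignore
        return 0
    fi
    # Normalise case so the comparison does not depend on how the ID was printed.
    vid=$(printf '%s\n' "$props" | prop ID_VENDOR_ID | tr 'A-F' 'a-f')
    pid=$(printf '%s\n' "$props" | prop ID_MODEL_ID | tr 'A-F' 'a-f')
    case "$vid:$pid" in
        [0-9a-f][0-9a-f][0-9a-f][0-9a-f]:[0-9a-f][0-9a-f][0-9a-f][0-9a-f]) ;;
        *) echo deny; return 0 ;;      # fail closed on missing or malformed IDs
    esac
    for entry in $ALLOWED_KEYBOARDS; do
        if [ "$entry" = "$vid:$pid" ]; then
            echo allow
            return 0
        fi
    done
    echo deny
}

# Constructed sample dumps in the format of `udevadm info --query=property`.
sample_trusted() { printf 'ID_BUS=usb\nID_INPUT_KEYBOARD=1\nID_VENDOR_ID=1532\nID_MODEL_ID=0228\n'; }
sample_unlisted() { printf 'ID_BUS=usb\nID_INPUT_KEYBOARD=1\nID_VENDOR_ID=AAAA\nID_MODEL_ID=0001\n'; }
sample_no_ids() { printf 'ID_BUS=usb\nID_INPUT_KEYBOARD=1\n'; }
sample_not_kbd() { printf 'ID_BUS=usb\nID_VENDOR_ID=aaaa\nID_MODEL_ID=0002\n'; }
```

In the USB qube, the same function can be fed the output of `udevadm info --query=property --name=/dev/input/eventN` for a real device; how the verdict is then enforced is not specified in the thread and is left out here.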

I like the idea @unman, so it may be possible to script the opposite, I mean create a USB whitelisted device when Wifi/Lan ID is “Xyz” and have the keyboard connected to that USB?
This will be cool :)

To be clear:

IF network ID is “Xyz”,
(AND keyboard is connected to qubeA),
AND qubeA is permitted to pass through keyboard,
THEN restrict devices attached to qubeA to known keyboard devices

OTHERWISE allow any devices to be attached to qubeA

Is that what you mean?

Yes thanks