I have Keyboard and Mouse set to “always ask” in Qubes Global Config → USB Devices. Why is that considered safer than setting them to “enable”? Isn’t the end result the same assuming you click “OK” once you’re logged in?
Because one day you might plug in (what you believe to be) a benign USB storage drive, but it turns out to be a USB Rubber Ducky in disguise.
So if I’m using Qubes and I connect a second USB “keyboard” it will prompt me again?
The docs say that if you don’t hide USB controllers from dom0 “there will be a brief period of time during the boot process when dom0 will be exposed to your USB controllers (and any attached devices).” Is that a different type of exposure than “always ask” and clicking OK?
Yes.
That’s a different situation.
When using sys-usb and connecting input devices from sys-usb to dom0, it passes the input events from the USB device in sys-usb to the virtual input device in dom0. It’s not actually attaching the whole USB device to dom0.
At Qubes OS boot it first boots the dom0 initramfs, and there is no sys-usb at this point yet, so if the USB controllers are not hidden from it (or at least USBGuard is used to disable initialization of non-input devices with usbcore.authorized_default=0), then USB devices will be directly attached to the initramfs/dom0 and initialized by it. For example, a malicious USB device can use a vulnerability in one of the USB device drivers and pretend to be that device to exploit it and compromise the initramfs/dom0.
I see. So the idea is to wait to initialize USB devices until there is a sys-usb.
For the average person, it is perfectly safe to attach a USB device to Dom0. My mouse and keyboard are always enabled. I don’t allow physical access to my site by anyone with the ability to try something hacky.
I noticed that I get the prompt to accept a keyboard connection even if a keyboard is not connected. Are you sure I’ll be prompted a second time for a second “keyboard”?
I don’t have two keyboards to test, but with two USB mice I’m getting two separate prompts, and if the first mouse is accepted and I connect the second mouse, then the second mouse does not work until I accept the prompt.
When I connect a USB keyboard+trackpad I’m prompted once for the mouse and 3 separate times for the keyboard. I tried it again with a different brand and the same thing happened. I also verified that plugging in one after the other initiates all 8 prompts.
Are you prompted for a keyboard after logging in even if you don’t have a keyboard attached? I’m not sure why that happens.
I have a simple USB keyboard and I only have a single prompt for it.
Maybe your USB keyboards contain multiple keyboard devices e.g. main keyboard, separate multimedia keys, something else.
Do you get a keyboard prompt after logging in even without a keyboard attached?
No.
Maybe some other USB device that is connected to your PC has the keyboard function?
For example, when I’m connecting the USB headset I’m getting a prompt to allow keyboard as well, maybe there is a keyboard function for multimedia keys.
You’re right. My mouse has some extra buttons and that must be what’s triggering the keyboard prompt.
Here is a visual example of what @adw means:
That’s exactly what’s happening.
- Some OSes will restrict what a USB device can do, based on what it declares itself as. For example, if a device wants to send keyboard signals, it has to declare itself as a keyboard. This is what your mouse is doing.
- Because USB devices can be “daisy-chained”, the computer doesn’t actually know how many “devices” are physically plugged in. It only knows how many declarations have been made.
- A USB device can:
  - Declare itself as whatever it likes
  - Withdraw its declaration and submit a new one at any time
  - Declare itself as being multiple devices
Another example of a single physical device that declares itself as multiple devices:
- USB audio devices
  - Audio device
  - Keyboard (for volume, play/pause, etc.)
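As an added illustration of the “declares itself as multiple devices” point (example code, not from this thread or from Qubes OS): a small Python walker over a USB configuration descriptor that lists every interface a single physical device declares. The descriptor bytes are constructed for the example, not captured from real hardware, and note that the number of Qubes prompts is driven by the Linux input devices sys-usb sees, not read directly from these descriptors.

```python
import struct

DESC_INTERFACE, DESC_ENDPOINT, DESC_HID = 0x04, 0x05, 0x21
CLASS_AUDIO, CLASS_HID, HID_SUBCLASS_BOOT = 0x01, 0x03, 0x01
BOOT_PROTOCOLS = {0x01: "keyboard", 0x02: "mouse"}


def parse_interfaces(config_desc: bytes):
    """Return one (bInterfaceNumber, bInterfaceClass, label) per interface descriptor."""
    if struct.unpack_from("<H", config_desc, 2)[0] != len(config_desc):
        raise ValueError("wTotalLength does not match blob size")
    found, offset = [], 0
    while offset < len(config_desc):
        b_length = config_desc[offset]
        if b_length < 2 or offset + b_length > len(config_desc):
            raise ValueError(f"malformed descriptor at offset {offset}")
        if config_desc[offset + 1] == DESC_INTERFACE and b_length >= 9:
            num, _alt, _neps, cls, sub, proto = config_desc[offset + 2:offset + 8]
            if cls == CLASS_HID:
                # Only boot-protocol HID interfaces name their type here; other
                # HID interfaces need the report descriptor to be classified.
                label = BOOT_PROTOCOLS.get(proto, "hid") if sub == HID_SUBCLASS_BOOT else "hid"
            elif cls == CLASS_AUDIO:
                label = "audio"
            else:
                label = f"class 0x{cls:02x}"
            found.append((num, cls, label))
        offset += b_length  # skip HID, endpoint and any other descriptors
    return found


def count_keyboards(config_desc: bytes) -> int:
    """Number of interfaces that declare themselves a boot-protocol keyboard."""
    return sum(1 for _, _, label in parse_interfaces(config_desc) if label == "keyboard")


def build_config(interfaces):
    """Constructed configuration descriptor from (class, subclass, protocol) triples."""
    body = b""
    for i, (cls, sub, proto) in enumerate(interfaces):
        body += bytes([9, DESC_INTERFACE, i, 0, 1, cls, sub, proto, 0])
        if cls == CLASS_HID:
            body += bytes([9, DESC_HID, 0x11, 0x01, 0, 1, 0x22, 0x40, 0])
        body += bytes([7, DESC_ENDPOINT, 0x81 + i, 0x03, 8, 0, 10])
    header = bytes([9, 0x02]) + struct.pack("<H", 9 + len(body))
    return header + bytes([len(interfaces), 1, 0, 0xA0, 50]) + body


# Constructed samples: a mouse whose extra buttons sit on a keyboard interface,
# and a headset whose media keys do the same.
MOUSE_WITH_EXTRA_BUTTONS = build_config([(CLASS_HID, 1, 2), (CLASS_HID, 1, 1)])
USB_HEADSET = build_config([(CLASS_AUDIO, 1, 0), (CLASS_AUDIO, 2, 0), (CLASS_HID, 1, 1)])
```

Running `parse_interfaces(MOUSE_WITH_EXTRA_BUTTONS)` yields a mouse interface followed by a keyboard interface, which is the kind of declaration that makes a “mouse” trigger a keyboard prompt.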