Modern USB Peripherals on Secure PS/2 QubesOS Systems | KVM Switch Madness

Anyone want to comment on my insane cable pipeline?

I can’t confirm if it will work, but the Tripp-Lite requires the mouse and keyboard to be in specific ports. IIRC, so does the Y-cable. This may prove to complicate the situation. If the Y-cable doesn’t care, then neither should the Tripp-Lite (since it’s all being merged back), but even then it could.

Okay, thanks for your reply. I am almost at the point of just going with a second set of mouse/keyboard. Why is this so complicated and why does no one from the community have a real/easy answer to this problem? Are all QubesOS users on laptops?

I can’t speak for anyone but myself on this, but I don’t think many people need a second desktop when they have literally any number of desktops they want on one install.

Even for me, the only reason I use multiple is for very sensitive work that requires physically separate hardware. (i.e.: I have a separate desktop that is air gapped (no wireless, camera, mic, speakers, external LEDs, etc.) for sensitive operations like key generation and master key storage (I never export anything but subkeys barring backups) and information that absolutely cannot be kept as a hard copy or on a non-air gapped machine.)

Another point for me is that I really like gaming mice/keyboards. I like the customizable keyboards because you can replace parts and customize layout as well as macros, etc, and mice because who doesn’t like a really fast mouse? It’s mainly a comfort/convenience, but I have really grown to miss them after I got Qubes and sold them. Sadly, I can find no such things in PS/2. If anyone knows some, please kindly inform me.

One tiny comment from the peanut gallery: no, not all Qubes OS users. But in order to get PS/2, you tend to have to build from scratch with the few motherboards that allow for it.

PSA: there are PS/2 PCIe cards.

**PCI and PCIe are two completely different technologies.**

This is an excellent point! However, have you tried GPU passthrough? I need some VMs for graphics-intensive work like video editing. I honestly don’t care about buying 3 GPUs and cramming them into a server rack. The problem here is that the support is not as good as it needs to be for really anything super productive. I wish the GPU-enabled version of QubesOS was a reality and not just an abstract plan. I know it’s FOSS and I should do it myself, yadayadayada…

I agree again! I checked and there are still relatively decent PS/2 keyboards out there, but on the mouse side of things it’s just pure 5 USD Amazon crap. For keyboards, you might want to check out the Cherry G84-4100 and Cherry G84-4400, but I have not tested them! The latter has a trackball. Could this be the solution to avoid a mouse altogether?

The motherboard is not an issue for me (and in general because of the PCI cards). I have a PS/2 combo port available and with a PS/2 combo to PS/2 mouse/keyboard Y splitter cable for 10 USD on Amazon I could easily connect PS/2 hardware. Otherwise you could use one of the PCI cards linked. So this is not a big problem even with modern hardware. My problem is to get modern USB peripherals to work with the PS/2 port so that QubesOS is happy.

Funny how expensive the PCIe card is for something so simple that nobody wants it anymore. Except us retarded QubesOS users. :joy:

So to summarize a bit here and get the thread back on track towards working solutions:

  1. PS/2 ports are not a problem with modern hardware. PS/2 combo jacks are available or PCIe expansion is possible.
  2. There are active USB to PS/2 adapters available for connecting a single mouse/keyboard. I would appreciate it if someone could point me to other good options, the best I have seen so far is the Tripp Lite Minicom 0DT60002 PS/2 to USB converter. The problem here is that they are very old, availability is not great, and the last ones available are very expensive.
  3. There are decent PS/2 keyboards such as the Cherry G84-4100 and Cherry G84-4400. These need to be evaluated, I have not tested them! However, the goal of this thread is to avoid really old-fashioned PS/2 hardware and just use the PS/2 port for modern USB peripherals. For this reason, the question of relatively decent PS/2 hardware is of no interest to me. However, if anyone can confirm compatibility, that would be great. PS/2 mice are crap.
  4. Good commercial USB-to-PS/2 switches are not available if additional USB and HDMI/DisplayPort support is also considered/required. Also, unless the firmware is open source and auditable, sending all your sensitive display output and commands to the KVM switch is a security risk.
  5. There are open source PS/2 to USB converters, but they seem to be more hobbyist projects that don’t have much coverage, testing, and I would call them experimental. Here are the best projects mentioned in this thread:

So what is the solution here? Maybe drop the security concerns and use one of the commercial KVM HDMI/USB switches and bridge the USB KVM switch side to the mainboard PS/2 ports via one of the active adapters/open source projects?

Please follow up on this thread to find a great solution together!

I’ve spent in all a few hours searching and come up with only the Tripp-Lite. While I’m certainly not saying someone else couldn’t find one, it is unlikely.

The major advantage with PS/2 over USB is not having to deal with USB controllers at all. What you are proposing poses no advantage over directly using a dedicated USB controller assigned to dom0. (Except maybe not having the controllers in dom0? Using active adapters or whatever other hack-fu is still using these USB controllers, even if not handled by dom0. Also, the more hardware that enters the equation equals more points of failure/attack surface. Adapters are specifically a security risk if the area isn’t secure (ex.: almost the entire Hak5 lineup).)

Maybe the likes of Purism, Nitrokey, System76, Dasharo, etc. could design a board*? It’s very unlikely since there’s not any real demand, but that’s the only optimal solution I see.

* A board would likely have to be one of these three:

  • A good PS/2 keyboard (System76 maybe could be persuaded to offer the Launch in PS/2)
  • A secure USB-to-PS/2 (maybe one of the mentioned companies would make something if there’s enough demand; open-sourcing and auditing the hardware and software of a HID-only USB controller could relieve many of the concerns here)
  • A USB/PS/2 KVM with the above adapter, DisplayPort, and possibly a USB hub. Of everything, a Qubes KVM is probably the least in demand. Many seem to prefer HDMI so that’s also something to consider.

In general, peripheral security should probably be more closely examined since pretty much all are privileged, and I haven’t really seen any security features to them (except encrypted links between the peripheral and computer, which is cool, but far from mainstream and definitely not transparent).


I might have missed it, but why not use a PS/2 keyboard with a USB mouse? What is your threat model such that this would be unacceptable?

I am aware of this fact. The problem I am trying to solve is not to avoid USB, but to have a solution to conveniently manage all my PCs with a single keyboard/mouse combination, while not relying on sys-usb on my QubesOS system.

This would allow me to unlock my system and then start sys-usb, right? The problem I have here is that it is still a bit of a hassle if I accidentally shut down sys-usb, and at the same time I would just like the flexibility of being able to freely choose any USB keyboard.

Is a mouse less privileged than a keyboard? Probably because no sensitive data is passed through, but maybe you can explain it to me a little better. I know I read something about it in the QubesOS docs, but that was a long time ago. What are the security differences between a keyboard and a mouse?

Correct (or you could set sys-usb to autostart).

Fair enough.

https://www.qubes-os.org/doc/device-handling-security/#security-warning-on-usb-input-devices

This topic is indeed madness.

In a way that is stupid or just hard to solve?

I just concur with the topic’s subject. I’m truly baffled, as some others look like they are too.

If you have only a USB mouse connected to a USB qube, but the keyboard is connected directly to dom0 (using a PS/2 connector, for example), you simply need to lock the screen when you are away from your computer (assuming you don’t use the virtual keyboard of your screen locker). You must do this every time you leave your computer unattended, even if there is no risk of anyone else having direct physical access to your computer. This is because you are guarding the system not only against anyone with local access, but also against possible malicious input from a potentially compromised USB qube.

This was the part I was looking for! Thank you so much!

So, if I only have a PS/2 keyboard, how do I start sys-usb? qvm-start sys-usb should work fine, but how do I open the dom0 terminal if the window is not autofocused?

I disable automatic window focus because I consider it a privacy/security issue. Sometimes I look at my keyboard or somewhere else and am in the middle of typing. Then a new window pops up (due to the VM startup delay) and suddenly I am exposing my information in the new window, which may have a completely different privacy/security context. That’s why I disabled it.

So how can I focus/select the dom0 window to start sys-usb without autofocus? Also, is there a better way to start sys-usb than dom0? Maybe QubesOS should include a shortcut for all those users who accidentally locked themselves out?

Yes, it breaks my head. And all I want is secure, multi-device, convenient, USB peripheral usage. Seems like a lot to ask for in the QubesOS world.