I still feel Qubes USB handling is somewhat discriminatory against non-laptop users. sys-usb is off by default if you don’t have non-USB input devices and is quite fragile when it is on :-/
I still feel Qubes USB handling is somewhat discriminatory against non-laptop users.
That is a strange way to formulate it. There is a technical issue that has no (better) solution.
sys-usb is off by default if you don’t have non-USB input devices and is quite fragile when it is on :-/
You understand why this is – right? How would you improve the current state?
1. collect more information about how sys-usb may fail and try to diagnose those states early
2. make a sanity checker that verifies that HID devices are accessible from dom0 and re-attaches them directly to dom0 if they are not
3. with 1. and 2. in place, make sys-usb the default for all installations
Reattaching USB devices from any untrusted qube to dom0 can make your dom0 compromised. And then it’s game over™.
(I moved this discussion to a new thread)
HID devices are bridged anyway by default. And if you do not, you end up with an unusable system. However, it might be a good idea to whitelist certain HID devices during the installation phase and not pass anything else until explicitly approved.
Since those who use Qubes on computers without an internal or PS/2 keyboard (which is almost all newer consumer desktops) still rely on sys-usb with the caveat mentioned here, couldn’t the installer just proceed with installing sys-usb and applying “Enable a USB keyboard for login” automatically? (configurable through a checkbox). At least it would limit dom0 exposure to just the LUKS prompt (which will keep happening anyway in normal usage) and save users some manual effort.
Yes, that would be a “good enough” solution. However, whitelisting known HIDs for dom0 access might be a nice security feature.
So how to identify trusted HIDs, and what about spoofing (i.e., they take your keyboard and copy all identifiable info to a malicious keyboard that can be used to copy some malware to dom0)?
You cannot really defeat elaborate spoofing. But they need to take your keyboard first. And disconnect the real one. It is already something.
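The allowlisting idea discussed in this thread, sketched as an added example; it is not code from any participant or from the Qubes project. The `UsbDevice` record, the `decide` function, the port-pinning field and all device values are assumptions constructed for illustration.

```python
# Added example: allowlist decision for USB input devices (not Qubes code).
from dataclasses import dataclass

HID_CLASS = 0x03  # USB interface class code for HID


@dataclass(frozen=True)
class UsbDevice:
    vendor_id: int
    product_id: int
    serial: str
    port: str                 # physical port path (assumed format, e.g. "1-2")
    interface_classes: tuple  # bInterfaceClass of every interface it exposes


# Constructed allowlist entry, as it might be recorded at install time.
ALLOWLIST = {(0x1234, 0xABCD, "KB0001", "1-2")}


def decide(dev, allowlist=ALLOWLIST):
    """Return (allowed, reason) for passing this device's input to dom0."""
    if not dev.interface_classes:
        return False, "no interfaces reported"
    # A keyboard that also exposes storage, network, etc. is never passed.
    extra = [c for c in dev.interface_classes if c != HID_CLASS]
    if extra:
        return False, "non-HID interface: " + ", ".join(f"0x{c:02x}" for c in extra)
    key = (dev.vendor_id, dev.product_id, dev.serial, dev.port)
    if key not in allowlist:
        return False, "not on allowlist; needs explicit approval"
    return True, "matches allowlisted descriptors and port"


# Constructed sample devices.
REAL_KEYBOARD = UsbDevice(0x1234, 0xABCD, "KB0001", "1-2", (HID_CLASS,))
UNKNOWN_KEYBOARD = UsbDevice(0x5678, 0x0001, "", "1-3", (HID_CLASS,))
COMPOSITE = UsbDevice(0x1234, 0xABCD, "KB0001", "1-2", (HID_CLASS, 0x08))
# Descriptors are self-reported: an identical device in the same port is
# indistinguishable, which is the spoofing limit raised in the thread.
CLONE_SAME_PORT = UsbDevice(0x1234, 0xABCD, "KB0001", "1-2", (HID_CLASS,))
CLONE_OTHER_PORT = UsbDevice(0x1234, 0xABCD, "KB0001", "1-4", (HID_CLASS,))

if __name__ == "__main__":
    for name in ("REAL_KEYBOARD", "UNKNOWN_KEYBOARD", "COMPOSITE",
                 "CLONE_SAME_PORT", "CLONE_OTHER_PORT"):
        print(name, decide(globals()[name]))
```

Pinning the port only forces the real keyboard to be unplugged first; it does not authenticate the device.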