Qubes USB handling is somewhat discriminatory against non-laptop users

arkenoi · November 12, 2021, 9:19am

I still feel Qubes USB handling is somewhat discriminatory against non-laptop users. sys-usb is off by default if you don’t have non-usb input devices and is quite fragile when it is on :-/

Sven · November 12, 2021, 1:52pm

@arkenoi:

I still feel Qubes USB handling is somewhat discriminatory against non-laptop users.

That is a strange way to formulate it. There is a technical issue that has no (better) solution.

sys-usb is off by default if you don’t have non-usb input devices and is quite fragile when it is on :-/

You understand why this is – right? How would you improve the current state?

arkenoi · November 12, 2021, 2:56pm

collect more information about how sys-usb may fail and try to diagnose those states early
make a sanity checker that verifies that hid devices are accessible from dom0 and re-attach them directly to dom0 if they are not
with 1. and 2. in place make sys-usb default for all installations

fsflover · November 12, 2021, 3:02pm

Reattaching USB devices from any untrusted qube to dom0 can make your dom0 compromised. And then it’s game over™.

(I moved this discussion to a new thread)

arkenoi · November 12, 2021, 3:12pm

HID devices are bridged anyway by default. And if you do not, you end up with unusable system. However, it might be a good idea to whitelist certain HID devices on the installation phase and do not pass anything else until explicitly approved.

equbes · November 12, 2021, 4:20pm

Since those who use Qubes in computers without internal or PS/2 keyboard (which is almost all newer consumer desktops) still rely on sys-usb with the caveat mentioned here, couldn’t the installer just proceed with installing sys-usb and applying “Enable a USB keyboard for login” automatically? (configurable through a checkbox). At least it would limit dom0 exposure to just luks prompt (which will keep happening anyways on normal usage) and save users some manual effort.

arkenoi · November 12, 2021, 8:49pm

Yes, that would be “good enough” solution. However, whitelisting known HIDs for dom0 access might be a nice security feature.

ppc · November 13, 2021, 12:23am

so how to identify a trusted hids and what about spoofing (ie: they take your keyboard, copy all identifiable info to malicious keyboard that can be used to copy some malware to dom0?)

arkenoi · November 13, 2021, 10:22pm

You cannot really defeat elaborated spoofing. But they need to take your keyboard first. And disconnect the real one. It is already something.