The docs aren’t super specific on a few things so I’m hoping for clarification.
I guess the tool qubes-yubikey-dom0 is an official Qubes package and is considered safe to download? Assuming that’s true, I have the following questions.
First, I’m assuming I have to have sys-usb launch at start if I want to use the YubiKey at the login screen right after boot? It seems implied but not specifically stated.
Second, I’m not clear on which exact service files I should use. The doc mentions xscreensaver (I know what that one is). But it mentions “login” and “lightdm.” Which screens are those for? And are there any others I should activate as well for general lockdown in Xfce?
Third, what threat model is this for? What sort of protections can this provide if the hard drive is already decrypted?
Could someone still harvest data/make OS changes if they’re able to boot the system yet are unable to get past the login screen? (I’m not using a USB mouse or keyboard, if that makes a difference for this question.)
And finally, I read in the docs somewhere about the possibility of info leakage with USB devices. Since sys-usb is required at all times if I want to use YubiKey 2FA (if I’m understanding correctly), what sort of data could leak if I were to use a USB device later in that session? Could a compromised block device/microphone/camera theoretically detect the key I forwarded to dom0 earlier that day? Or are those not the sort of data that could be siphoned?
(Obviously, if the compromised device is plugged in when I sign in, that’s a different story.)
Sorry if these are self-explanatory to some of you. I’m pretty new to thinking about security on this level and want to get it right the first time.