Removing USB qube requires exposing dom0 to USB controllers?

qubes-kernel-5.8 · May 5, 2022, 10:39pm

I accidentally ran sudo qubesctl state.sls qvm.usb-keyboard in dom0 and, according to the docs, dom0 will now be exposed to the USB controllers on boot.

I’d like to undo this command, or at least the exposing dom0 part.

The docs say that I can follow the procedure for removing a USB qube to undo these changes.

However, this procedure also appears to expose dom0 to USB controllers:

Warning: This procedure will result in your USB controller(s) being attached directly to dom0.

I’ve been having problems with sys-usb, so in the end I’d just like to rebuild it using qubesctl state.sls qvm.sys-usb.

What can I do to revert the changes that Saltstack made to /boot/..., /etc/default/grub, and /etc/qubes-rpc/policy/...? I’ve stored the output of the command so I can see the exact diffs.

tzwcfq · May 6, 2022, 4:02am

Do you use USB keyboard or PS/2?
If you use USB keyboard then your dom0 will be exposed to USB controller in any case. If you have multiple USB controllers then you can leave one dedicate USB controller to dom0 for keyboard/mouse and leave other USB controllers to sys-usb and insert potentially malicious USB device only in USB controllers attached to sys-usb.

enmus · May 6, 2022, 7:50pm

You can try to add

rd.qubes.hide_all_usb

kernel parameter to the grub on boot.

But, do not do this if you don’t have non-usb keyboard access to your laptop/PC, otherwise you won’t be able to access Qubes