Sys-usb documentation unclear

According to the documentation at USB qubes | Qubes OS :

**Qubes 4.1 only:** You should also add the `usbcore.authorized_default=0` option, which prevents the initialization of non-input devices. (Qubes ships with a USBGuard configuration that allows only input devices when `usbcore.authorized_default=0` is set.)

‘usbcore.authorized_default=0’ is missing from the file /etc/qubes-rpc/policy/qubes.InputKeyboard after creating sys-usb with ‘sudo qubesctl state.sls qvm.usb-keyboard’

Is it still possible to enter the LUKS passphrase with an USB keyboard after manually adding usbcore.authorized_default=0 to the config file? The documentation section warns not to proceed if you need to enter the LUKS passphrase at startup, but this line just prevents the initialization of non-input devices which is a good thing. And why is it not entered by the salt procedure, is this a bug?

Since an error here will lock you out of Qubes, but an unsecure sys-usb config is unwanted, how to proceed?

1 Like

Proceed with care, i.e. be ready to edit the kernel command-line back from e.g. grub.

It was added very late to 4.1, i.e. I guess the feature is considered “beta”.