I am new to Qubes OS and trying to understand USB security advices, especially concerning usage of USB keyboards.
Following statements confuse me:
If you connect USB input devices (keyboard and mouse) to a VM, that VM will effectively have control over your system. […] In addition to having control over your system, such a VM can also sniff all the input you enter there (for example, passwords in the case of a USB keyboard).
By “connect USB input devices to a VM”, is the USB qube meant by “VM”? My assumption is, there are two viable ways of connecting USB devices: 1) either to the USB qube - storage devices 2) directly to dom0 - an USB keyboard, otherwise we lock ourselves out of the system.
If the USB keyboard is connected to dom0 and not malicious, any compromised AppVM or an infected USB qube won’t be able to sniff keyboard inputs. So we should be safe and not “lose control over the system”. Am I right here?
Is it possible to embed the USB keyboard inside the USB qube, without locking us out of our own system (docs reference appreciated)? Would this make any sense at all? My assumption so far is, the keyboard is more safe in dom0.
Given I wanted to use a PS/2 keyboard - don’t the protocol stack and drivers have their own risc, when connecting to dom0? Why is it apparently considered to be more safe than USB?
By default, yes; but you technically can connect them to other qubes as well.
To your questions list:
Yes. But keep in mind that you are connecting not a single device, but the whole USB hub. So any other device on the same hub may see the keypresses and potentially can compromise the system.
I think that it should be possible in principle, but here comes the quote above which you did not understand: the qube with the keyboard will have control over that keyboard and therefore can read everything you type and can introduce its own keypresses. Which, as the quote says, means full control over your system. Same with mouse, but the mouse cannot (usually) type passwords. This is why AFAIK such option is not implemented.
From your link about recommendation, I read that separate USB controllers are an alternative, where one might attach the USB controller containing the keyboard to dom0 and the controller responsible for other (block) devices to USB qube.
I found these docs about moving an USB host controller to a specific VM. From what I have read, one cannot explicitly/permanently assign an USB device to a controller. So it seems a bit “unstable” under the assumption that assignments of devices to controllers potentially can change.
Are both variants (PS/2 vs separate controllers) regardless considered as equally recommended by the Qubes team or experts using the OS?