I am trying to understand some USB-related things.
I am using Qubes OS 4.1.2. Upgrading to 4.2 is on my TODO list. This system has only USB ports, so PS/2 is not an option. I am aware of the general USB-related security implications.
When I started using Qubes OS and installed it months ago, I followed these instructions mechanically with the idea to review them later again. I say mechanically, because the documentation does not explain what each setting means and why it must be used. It just instructs “do this”, so I am still not quite confident in my own actions. (Unfortunately, the mantra that the documentation is a community effort, implying that I am somehow supposed to fix the docs myself without knowing how, doesn’t help). Anyway, the final result is:
In `/etc/default/grub` in dom0 I have:

`GRUB_CMDLINE_LINUX="... usbcore.authorized_default=0 rd.qubes.dom0_usb=00:14.0"`

That BDF matches that of the USB controller shown by `lspci` in dom0.

`qvm-device pci ls -v | grep -i usb` shows `sys-usb (no-strict-reset=True)`. I don’t remember ever setting that explicitly but the docs say it is somewhat insecure.
Now, as I am revisiting the docs, hoping to fill in the gaps in my understanding, I tried `lspci | grep -i usb` in sys-usb and I notice it shows 2 (two) PCI devices: one `Intel Corporation 82801DB/DBM (ICH4/ICH4-M) USB2 EHCI Controller (rev 10)` and one `Intel Corporation Comet Lake PCH-LP USB 3.1 xHCI Host Controller`. The latter matches the one that dom0 shows.

The BDFs of the two controllers in sys-usb are both different from the BDF of the single controller in dom0. I assume this is expected.
When plugging in different USB devices and running `lsusb` in sys-usb, I notice that any USB2 device always shows connected to the first USB controller, regardless of the port it is plugged into (I tried every port). Similarly, USB3 devices always show up connected to the second controller. As expected, `lsusb` in dom0 shows nothing.

Additionally, I notice that `lsusb` in sys-usb always shows 3 buses, one of which is always used by some magical device called `Adomax Technology Co., Ltd QEMU Tablet`. During my tests, no other device ever connects to that bus.
1. Why do dom0 and sys-usb show a different number of USB controllers?
2. What is that 3rd bus in sys-usb?
3. In case there is only one USB controller, as dom0 says, does this whole procedure, called “How to enable a USB keyboard on a separate USB controller”, bring any actual security benefit?
4. What is `rd.qubes.dom0_usb` and what is its purpose?
5. What is `usbcore.authorized_default=0` and what is its purpose?
6. Which BDF should be used for `rd.qubes.dom0_usb`: the one from dom0 or the one from sys-usb?
7. Why do I have `sys-usb (no-strict-reset=True)`? Is that some default for USB, i.e. expected, or have I made a mistake in the past without knowing? What is the right thing to do?
8. Have I done everything correctly? If not, what should I correct, considering the mentioned specifics of this system?
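As an added consistency check (not from the post or the Qubes docs), the function below verifies the two dom0 kernel settings quoted above against `lspci` output: that `usbcore.authorized_default=0` is present and that the BDF given to `rd.qubes.dom0_usb` really is a USB controller in dom0's `lspci`. It assumes `lspci` prints BDFs without the `0000:` domain prefix (the default), and runs here on constructed sample input rather than a live system.

```shell
#!/bin/sh
# check_dom0_usb GRUB_CMDLINE LSPCI_OUTPUT
# Prints one line per finding; returns 0 if all checks pass, 1 otherwise.
# On a real dom0 feed it the GRUB_CMDLINE_LINUX value and `lspci` output.
check_dom0_usb() {
    cmdline=$1
    lspci_out=$2
    rc=0

    # 1. New USB devices must start unauthorized in dom0
    case " $cmdline " in
        *" usbcore.authorized_default=0 "*)
            echo "ok: usbcore.authorized_default=0 present" ;;
        *)
            echo "FAIL: usbcore.authorized_default=0 missing"; rc=1 ;;
    esac

    # 2. rd.qubes.dom0_usb must name a controller that exists and is USB
    bdf=$(printf '%s\n' "$cmdline" | sed -n 's/.*rd\.qubes\.dom0_usb=\([0-9a-fA-F:.]*\).*/\1/p')
    if [ -z "$bdf" ]; then
        echo "FAIL: rd.qubes.dom0_usb not set"; return 1
    fi
    short=${bdf#0000:}   # lspci omits the PCI domain by default (assumption)
    line=$(printf '%s\n' "$lspci_out" | grep "^$short " || true)
    if [ -z "$line" ]; then
        echo "FAIL: $bdf not found in lspci output"; rc=1
    elif printf '%s\n' "$line" | grep -qi 'usb'; then
        echo "ok: $bdf is a USB controller ($line)"
    else
        echo "FAIL: $bdf is not a USB controller ($line)"; rc=1
    fi
    return $rc
}

# Constructed sample input (not captured from a real machine)
SAMPLE_CMDLINE='quiet usbcore.authorized_default=0 rd.qubes.dom0_usb=00:14.0'
SAMPLE_LSPCI='00:00.0 Host bridge: (constructed sample)
00:14.0 USB controller: Intel Corporation Comet Lake PCH-LP USB 3.1 xHCI Host Controller
00:1f.3 Audio device: (constructed sample)'

check_dom0_usb "$SAMPLE_CMDLINE" "$SAMPLE_LSPCI"
```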