USB Keyboard Hardening? For Desktops

I read a post where this was explained, but I can't find it again.

I'm using Qubes on a desktop with no PS/2 inputs, so I need to use a USB keyboard and mice directly attached to dom0. I didn't have the option to set up sys-usb when installing, and when booting, a message appears saying that USB is not restricted in dom0.

As I suppose that I have more than one USB controller, I would like to restrict all except one, on which I intend to have just the mice and keyboard connected.

In a previous installation I did for testing, I tried to do this and broke my system, since I couldn't use the keyboard again. That time reinstalling wasn't a problem, but now I prefer not to have to.

If someone can help me find the guide to do this it would be a great help.

This is from a year ago, but it may help. There’s a section halfway down called USB. (Note, it is on the Purism forum page).
When you create sys-usb, you can, in Settings > Devices, remove the USB controller that you want dom0 to handle.

sys-usb only handles the USB controller it has in the devices list.


Thanks a lot!!

That's what I tried the other time, when I lost access to the system. I will be more careful this time.

If you use a USB keyboard, there is a high risk of locking yourself out of your system when experimenting with USB qubes. For example, if a USB qube takes over your sole USB controller (to which your USB keyboard is connected), then your keyboard will no longer be able to control dom0.

It's well explained here:

If you’re reading this section, it’s likely because the installer did not allow you to create a USB qube automatically because you’re using a USB keyboard. This section will explain how to create a USB qube that you can use with your USB keyboard. This section assumes that you have only a single USB controller. If you have more than one USB controller, see how to enable a USB keyboard on a separate USB controller.

If you lose access to the system, you need to disable autostart.

I also created a post for the same topic (Sys-usb verify correct usb controler attachment).
So regardless of whether sys-usb is installed or not, I am able to insert the disk encryption password via a USB keyboard?

And if I messed something up there is a way to restore it?


From what I have read in your post, and with what I have understood so far, I would tell you that YES, since you seem to have properly "authorized" the right controller to work in dom0. Also, I think you won't be able to use any other USBs attached to any other controllers until you install sys-usb, since what I understand you have done is restrict all USB in dom0 except the one for the keyboard. And as far as I know, after creating sys-usb, the keyboard controller will remain attached to dom0.

I think this

is the solution for those cases, but I haven't tried it yet.

If you have rd.qubes.hide_all_usb in your GRUB command line, you might also have to disable that to get your USB keyboard working again.
You can edit the GRUB command line from the GRUB prompt right during any boot.

So yes, there’s always a way back without having to reinstall.
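
The lockout discussed in this thread happens when the controller carrying the keyboard is handed to sys-usb, so it helps to know which controller that is before changing anything. The following is an added example, not part of any post above and not Qubes project code: a POSIX shell sketch that reads sysfs and labels each USB controller by whether a HID device is attached to it. It assumes the standard Linux sysfs layout; the function names and the `has-input-device` / `no-input-device` labels are this example's own.

```sh
#!/bin/sh
# Added example (not from the thread): which USB controllers carry input devices?
# Assumes the standard Linux sysfs layout. The sysfs root is a parameter so the
# logic can be exercised on a constructed tree; the labels are this example's own.

# Print the PCI address of the controller that owns a USB sysfs entry.
controller_of() {
    path=$(readlink -f "$1")       # .../0000:00:14.0/usb1/1-2/1-2:1.0
    pre=${path%%/usb[0-9]*}        # cut at the root hub directory
    echo "${pre##*/}"              # last component = controller PCI address
}

# Print "controller interface kind" for every HID interface under sysfs root $1.
hid_interfaces() {
    for i in "$1"/bus/usb/devices/*:*; do
        [ -r "$i/bInterfaceClass" ] || continue
        [ "$(cat "$i/bInterfaceClass")" = "03" ] || continue   # 03 = HID
        # Boot-protocol codes; a HID device without boot protocol reports 00.
        case "$(cat "$i/bInterfaceProtocol" 2>/dev/null)" in
            01) kind=keyboard ;;
            02) kind=mouse ;;
            *)  kind=other-hid ;;
        esac
        echo "$(controller_of "$i") ${i##*/} $kind"
    done
}

# Label each controller. Any HID device counts, so a keyboard that does not
# report the boot protocol still marks its controller.
classify_controllers() {
    hid=$(hid_interfaces "$1" | cut -d' ' -f1 | sort -u)
    for hub in "$1"/bus/usb/devices/usb[0-9]*; do
        [ -e "$hub" ] || continue
        c=$(controller_of "$hub")
        if echo "$hid" | grep -qxF "$c"; then
            echo "$c has-input-device"
        else
            echo "$c no-input-device"
        fi
    done | sort -u
}

# Usage: sh usb-controllers.sh /sys
if [ -n "${1:-}" ]; then classify_controllers "$1"; fi
```

Ports map to controllers, so rerun it after moving the keyboard or mouse to a different port.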

