USB Qube on a Desktop Computer

Is anyone using a USB Qube with a USB keyboard and mouse?

The Qube Manager makes it look like I have multiple USB controllers, so could I keep my keyboard and mouse in Dom0 and have all other USB devices in a USB Qube?

Does anyone have experience with a setup like this?

The way to do this is described in docs:

Thanks, but I’d like to hear the experience of someone who has done it.

Perhaps it’s janky, or works well. I don’t know.

I’m using a dedicated USB controller for dom0, works just fine.

Just remove the controller from sys-usb and add the following lines to grub, xx:yy.z being the id of the controller you want to use.


It enables usbguard for dom0, preventing anything but input devices from connecting to dom0. If you want to connect other device types, you need to add their id to /etc/usbguard/rules.d/02-qubes.conf

1 Like

@renehoj is right. It’s not necessarily the concern of someone you don’t know/trust having physical access to your machine (known as an “Evil Maid Attack”, just in case anyone reading this didn’t know that :slight_smile:). but also the fact that the USB devices you own and use regularly might also have some things in the firmware that would slip past most OSes.

For example, quite a lot of USB Bluetooth dongles and USB sound cards also tell your machine that they’re a HID device. This is so that headphones with play/pause/volume buttons can get recognised more easily by your computer. But you can probably easily see how this could be misused :stuck_out_tongue:

Check to see that they’re not the same physical ports, but different versions of USB controllers. Some motherboards will list them as multiple controllers. I have a few machines that list the same 2 ports as 3 different controllers (USB 2.0, USB3.2, and Thunderbolt 4), and it does not like it when they are not all together in the same VM :stuck_out_tongue:

You’re probably going to have to do some experimenting to see which ports are which.

In terms of whether a USB Qube works well with a desktop computer, for sure it works well.

The only issue is that if your computer has a single USB controller, then your machine is pretty much forced to trust at least the first HID device that it encounters. Otherwise you can’t really give it any input. You’ll be stuck at the XFCE login screen :stuck_out_tongue:

On a few laptops that I have with a single USB controller and a USB keyboard and trackpad hardwired to it, I’m forced to automatically trust all USB keyboards (otherwise I can’t log in!), but I have at least told dom0 to ask for all mice and tablet devices. Not the ideal scenario, but at least it’s better than nothing.

You have multiple USB controllers, so while you will avoid this problem, you will also be forced to have USB ports on your machine that trust everything plugged into them.

As long as you remember which ports you’re using exclusively for HID devices (maybe label them?), you should be fine. You’re basically going to be allowing anything that claims to be a HID device direct access to dom0.

You’re also going to have to inherently trust the devices that you plug into those ports, so if you aren’t sure that a keyboard/mouse isn’t doing anything suspicious, I probably wouldn’t plug it into those ports…

What I would recommend is following that guide to allow additional USB HID devices to be passed through to dom0 from your USB Qube with the default of ‘ask’.

This would allow you to establish whether a USB device was doing anything weird, before you then unplugged it and put it straight into those dom0 ports.

Hope this helps :slight_smile: