Warning: USB in DOM0 is not restricted

Every time the system is turned off, there is a warning that USB in DOM0 is not restricted.

Found the following post:

Looking at the following instructions, the defaults were left as is:

So shouldn’t it have created the USB in DOM0?

Is this an error on the installer's part, or is the following now required?

Research results:


It seems there is no way around this. Nowadays, every system has a USB mouse and keyboard plugged to the PCI. How would one install without the wireless mouse and keyboard? What would be the trick to avoid manually creating the ‘sys-usb’ afterwards?

Do you have sys-usb?
Are all USB controllers in your system attached to it or one of them is attached to dom0?
Do you have usbcore.authorized_default=0 in grub config?

You’ll get this warning if you don’t have rd.qubes.hide_all_usb or usbcore.authorized_default=0 option in grub:

if getargbool 0 rd.qubes.hide_all_usb; then
    # Select all networking and USB devices
elif ! getargbool 1 usbcore.authorized_default; then
    # Select only networking devices, but enable USBguard
else
    # Neither option is set, so the warning is emitted
    warn 'USB in dom0 is not restricted. Consider rd.qubes.hide_all_usb or usbcore.authorized_default=0.'
fi

Exactly. Because it means that everyone with USB access to your device has instant code execution to your dom0.

Whether that risk is acceptable or not is up to you.
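
To see which branch of the boot-option check quoted earlier in the thread a given kernel command line would take, here is an added example that is not part of the thread and not Qubes or dracut code. `cmdline_bool` is a simplified, hypothetical stand-in for dracut's `getargbool` (it does not handle quoted arguments containing spaces), `usb_dom0_status` and its labels are made up for this sketch, and the sample command lines are constructed.

```shell
#!/bin/sh
# Added example: simplified stand-in for dracut's getargbool (assumption, not dracut code).
# cmdline_bool DEFAULT NAME CMDLINE -> exit 0 if NAME is enabled, 1 if disabled.
# A bare "NAME" counts as enabled; "0", "no" and "off" count as disabled;
# the last occurrence wins; DEFAULT applies when NAME is absent.
cmdline_bool() {
    _val=$1
    for _word in $3; do
        case $_word in
            "$2")   _val=1 ;;
            "$2"=*) _val=${_word#*=} ;;
        esac
    done
    case $_val in
        0|no|off) return 1 ;;
        *)        return 0 ;;
    esac
}

# usb_dom0_status CMDLINE -> prints which branch of the quoted check applies:
#   hidden        rd.qubes.hide_all_usb is set
#   usbguard      usbcore.authorized_default=0 is set
#   unrestricted  neither is set; this is the case that produces the warning
usb_dom0_status() {
    if cmdline_bool 0 rd.qubes.hide_all_usb "$1"; then
        echo hidden
    elif ! cmdline_bool 1 usbcore.authorized_default "$1"; then
        echo usbguard
    else
        echo unrestricted
    fi
}

# Constructed sample command lines, one per branch.
for _c in \
    "root=/dev/mapper/qubes_dom0-root rd.qubes.hide_all_usb quiet" \
    "root=/dev/mapper/qubes_dom0-root usbcore.authorized_default=0" \
    "root=/dev/mapper/qubes_dom0-root quiet"
do
    printf '%-13s %s\n' "$(usb_dom0_status "$_c")" "$_c"
done
# On a running system: usb_dom0_status "$(cat /proc/cmdline)"
```
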