What is the purpose of sys-usb if using a USB Keyboard?

If my mouse and keyboard are usb and I do not use a camera or mic, is there any reason I would need sys-usb for?

Leaving USB controllers attached to dom0 is a security risk in that any
device can be plugged in (not necessarily by you). The USB stack in dom0
will run through the data from the USB device, which may present a
security risk.
Having a USB qube reduces this risk.
Using a disposable USB qube reduces it further.

If all you are using is a keyboard and mouse then the sys-usb will have
effective control over your system. Using a disposable USB qube reduces
risk.
If you use a sys-usb for keyboard you will need to take some extra
steps to handle login - this isn’t ideal but it is better than leaving
any devices attached directly to dom0.
There’s good help in the docs:

Thanks, what if I buy ps/2 devices ? is sys-usb still needed then?

If you have USB ports, then I’d recommend sys-usb, even if you use PS/2
mouse and keyboard.

(I’ve renamed the post to make it more specific and easier to find, if I got something wrong, feel free to change it back @sarah)

The purpose of sys-usb is to protect your system from malicious USB devices. If you have and use sys-usb, and your keyboard and mouse use USB, then you have no choice but to connect them to sys-usb and let them through to control dom0, since otherwise you will not be able to control your own system. This can be a risk, since letting through your own devices risks also letting through malicious devices. However, if your keyboard and mouse use PS/2, then you do not have to connect them to sys-usb, which is less risky. In that case, sys-usb has nothing to do with you using your keyboard and mouse to interact with the system.

1 Like

Hello!

I haven’t found any topic related to my question except this one. If this is not the topic, please point me to the right one!

Do i understand it well, that if i couldn’t create a sys-usb VM during the installation then i should create one after a succesfully installed qubes os? If yes, what if i got this error after trying to start the sys-usb VM? >>
“[Dom0] Error Starting Qube! Start failed: internal error: Unable to reset PCI device 0000:00:14.0 (listing PCI devices with qvm-pci, dom0:00_14.0 is the only USB controller i’ve found): no FLR, PM reset or bus reset available, see log for details.

I’ve followed the documents about USB Qubes and made these steps:

  1. Searched for USB controller with qvm-pci >> USB controller Dom0:00_14.0 found (the only one),
  2. Created a new qube. Name: sys-usb, colour: red, USB controller moved under the Devices tab from Available to Selected list,
  3. Qube type set to HVM,
  4. OK >> start qube and the error message appeared.

Now i have no mouse or keyboard :joy:. It’s not a problem, i’m just playing and getting to know the OS, before i decide to move to it permanently. I’m going to expecting more similar cases like this, so there will be some reinstall from time to time.

The PC is a Librem Mini v1 miniPC, and to make things more complicated the miniPC is connected to the keyboard and mouse by a KVM switch (what i think could worth another topic using qubes OS with KVM switch).

Should it work using the USB Qubes document? If yes, where should i start to investigate the problem?

Thanks any help!

With the 2 commands form USB Qubes documents everything work fine, even with the KVM switch.