> I have a question about whether it is acceptable (in terms of performance,
> specifically latency) to have some form of signed USB input from a usbvm.
> A lot of laptops (the majority?) have only a USB controller, and without
> reset capabilities. The most susceptible device, IMHO, is the USB keyboard.
> So if it's possible to put a proxy USB signer device (e.g. a rPi Zero)
> between the USB keyboard and the usbvm, Dom0 could verify that input comes
> from the signer device.
> However, thanks to the Qubes 4.0 flexibility, this necessity could be suppressed
> by "Qubes Air". Unfortunately I cannot try Qubes 4.0-rcX. I hope that the 
> 4.0-rc4 hasn't any major problem. So it became the stable release, <3.

See discussion in https://github.com/QubesOS/qubes-issues/issues/2518

