In Kicksecure 18 and higher, we're going to be shipping USBGuard, enabled by default, with a configuration that allows all devices that are present in the system on bootup, and blocks all non-whitelisted devices that are plugged in after bootup. By default, the whitelist in Kicksecure will allow USB mass storage devices, and will allow a single mouse and keyboard at a time (additional keyboards are rejected). All other devices are rejected, including devices that combine a USB mass storage interface with anything else, and devices that combine a keyboard or mouse interface with anything (except for "unified" keyboard/mouse devices like those common with some wireless receivers). The goal is to allow a limited subset of common USB devices to work out of the box, while also thwarting devices like the USB "rubber ducky".
This feature set makes good sense for Kicksecure on the desktop, but we're unsure if it makes sense in Qubes OS, if a user chooses to use Kicksecure on sys-usb. On the one hand, USBGuard in sys-usb could substantially increase the security of users who have to pass through USB keyboards and mice to dom0 (only one keyboard and mouse would be allowed, a keystroke injection device would be rejected so long as it was not present when sys-usb booted and a legitimate USB keyboard was already plugged in). On the other hand, USBGuard could frustrate users who need to work with things such as USB headsets, webcams, touchscreens, and other "advanced" devices. In theory a user could reboot sys-usb to get these devices to work (assuming our configuration actually does trust everything present on bootup), but maybe that's too much hassle?

The USBGuard configuration we intend to ship in Kicksecure 18 can be seen at [1]. Would enabling USBGuard in Kicksecure's Qubes OS templates make sense, or would this cause too many problems for users? If it should be included, does our default configuration make sense, or is it too restrictive? (On the topic of whether or not the existing configuration is too restrictive, I made a post on the Kicksecure forums asking for feedback at [2].)

[1] https://github.com/Kicksecure/security-misc/blob/master/etc/usbguard/rules.d/30_security-misc.conf
[2] https://forums.kicksecure.com/t/usbguard-what-should-we-allow-or-disallow-by-default/1248
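The hotplug policy described in the message above, modelled as a small decision function. This is an added example, not the rules file linked at [1] and not USBGuard's rule language. It assumes keyboards and mice are identified by the HID boot-protocol codes, and that a unified keyboard/mouse device is rejected if either slot is already taken; the class name `Policy` and helper `kinds` are hypothetical.

```python
# Added illustration: a model of the policy as described in the message,
# not the shipped Kicksecure configuration.
MASS_STORAGE = 0x08      # USB base class: mass storage
HID = 0x03               # USB base class: human interface device
KEYBOARD, MOUSE = 1, 2   # HID boot-interface protocol codes (assumed identifier)

def kinds(interfaces):
    """Map (class, subclass, protocol) triples to a set of coarse kinds."""
    out = set()
    for cls, _sub, proto in interfaces:
        if cls == MASS_STORAGE:
            out.add("storage")
        elif cls == HID and proto == KEYBOARD:
            out.add("keyboard")
        elif cls == HID and proto == MOUSE:
            out.add("mouse")
        else:
            out.add("other")
    return out

class Policy:
    def __init__(self, boot_devices):
        # Everything present at boot is allowed; remember which input
        # slots (keyboard, mouse) those devices already occupy.
        self.active = set()
        for ifaces in boot_devices:
            self.active |= kinds(ifaces) & {"keyboard", "mouse"}

    def hotplug(self, interfaces):
        k = kinds(interfaces)
        if k == {"storage"}:
            return "allow"               # pure mass storage
        if k and k <= {"keyboard", "mouse"}:
            if k & self.active:
                return "reject"          # a second keyboard or mouse
            self.active |= k             # includes unified keyboard/mouse
            return "allow"
        return "reject"                  # combos and every other class

    def unplug(self, interfaces):
        # Free the slot so a replacement keyboard or mouse can attach.
        self.active -= kinds(interfaces) & {"keyboard", "mouse"}

if __name__ == "__main__":
    # Constructed sample: one keyboard present at boot, then hotplug events.
    p = Policy([[(0x03, 1, 1)]])
    print(p.hotplug([(0x03, 1, 1)]))                    # second keyboard
    print(p.hotplug([(0x08, 6, 0x50)]))                 # USB stick
    print(p.hotplug([(0x08, 6, 0x50), (0x03, 1, 1)]))   # storage + keyboard
```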