On 8/23/25 22:43, Aaron Rainbolt wrote:
> In Kicksecure 18 and higher, we're going to be shipping USBGuard,
> enabled by default, with a configuration that allows all devices that
> are present in the system on bootup, and blocks all non-whitelisted
> devices that are plugged in after bootup. By default, the whitelist in
> Kicksecure will allow USB mass storage devices, and will allow a single
> mouse and keyboard at a time (additional keyboards are rejected). All
> other devices are rejected, including devices that combine a USB mass
> storage interface with anything else, and devices that combine a
> keyboard or mouse interface with anything (except for "unified"
> keyboard/mouse devices like are common with some wireless receivers).
> The goal is to allow a limited subset of common USB devices to work out
> of the box, while also thwarting devices like the USB "rubber ducky".
>
> This feature set makes good sense for Kicksecure on the desktop, but
> we're unsure if it makes sense in Qubes OS, if a user chooses to use
> Kicksecure on sys-usb. On the one hand, USBGuard in sys-usb could
> substantially increase the security of users who have to pass through
> USB keyboards and mice to dom0 (only one keyboard and mouse would be
> allowed, a keystroke injection device would be rejected so long as it
> was not present when sys-usb booted and a legitimate USB keyboard was
> already plugged in). On the other hand, USBGuard could frustrate users
> who need to work with things such as USB headsets, webcams,
> touchscreens, and other "advanced" devices. In theory a user could
> reboot sys-usb to get these devices to work (assuming our configuration
> actually does trust everything present on bootup), but maybe that's too
> much hassle?
>
> The USBGuard configuration we intend to ship in Kicksecure 18 can be
> seen at [1].
>
> Would enabling USBGuard in Kicksecure's Qubes OS templates make sense,
> or would this cause too many problems for users? If it should be
> included, does our default configuration make sense, or is it too
> restrictive? (On the topic of whether or not the existing configuration
> is too restrictive, I made a post on the Kicksecure forums asking for
> feedback at [2].)
>
> [1]
> https://github.com/Kicksecure/security-misc/blob/master/etc/usbguard/rules.d/30_security-misc.conf
> [2]
> https://forums.kicksecure.com/t/usbguard-what-should-we-allow-or-disallow-by-default/1248

My personal setup is:

- sys-usb has usbcore.authorized_default=0 and USBGuard is set to only
  allow my YubiKey and the internal camera. The USBGuard configuration
  includes the port number, so USB devices plugged into other ports
  can't impersonate devices I have chosen to trust.
- All other VMs allow all USB devices, but have none assigned by
  default.
- The firmware USB stack is disabled via a Dasharo feature.

Generally, I recommend using USB device assignment rather than handling
devices in sys-usb directly. The only exception is devices (like the
aforementioned camera and YubiKey) which are known to be trusted.

--
Sincerely,
Demi Marie Obenour (she/her/hers)
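
The port-pinning point in the reply above, as an added example that is not part of the thread or of the Qubes or Kicksecure projects: a small Python audit that parses USBGuard rules and lists `allow` rules that carry no `via-port` match, so a device presenting that ID would be accepted on any port. The device IDs, names and port strings in the sample rules are constructed placeholders, and the function names are hypothetical.

```python
import shlex

# Constructed sample rules in USBGuard rule syntax. IDs, names and port
# strings are placeholders, not values from the thread.
SAMPLE_RULES = """\
# trusted devices
allow id 1234:0001 name "Example security key" via-port "1-2" with-interface { 03:00:00 0b:00:00 }
allow id 1234:0002 name "Example internal camera" via-port one-of { "1-7" } with-interface 0e:01:00
allow id 1234:0003 with-interface 03:01:01
allow with-interface equals { 08:*:* }
"""

SET_OPERATORS = {"all-of", "one-of", "none-of", "equals", "equals-ordered"}


def parse_rule(line):
    """Return (target, {attribute: [values]}) or None for blank/comment lines."""
    tokens = shlex.split(line, comments=True)
    if not tokens:
        return None
    target, attrs, i = tokens[0], {}, 1
    while i < len(tokens) and tokens[i] != "if":  # rule conditions are ignored
        name, i = tokens[i], i + 1
        if i < len(tokens) and tokens[i] in SET_OPERATORS:
            i += 1  # skip the set operator in front of a { ... } value list
        if i >= len(tokens):
            raise ValueError(f"attribute {name!r} has no value: {line!r}")
        if tokens[i] == "{":
            end = tokens.index("}", i)
            attrs[name], i = tokens[i + 1:end], end + 1
        else:
            attrs[name], i = [tokens[i]], i + 1
    return target, attrs


def unpinned_allow_rules(rules_text):
    """List (line number, device id) for allow rules with no via-port match."""
    findings = []
    for lineno, line in enumerate(rules_text.splitlines(), 1):
        parsed = parse_rule(line)
        if parsed and parsed[0] == "allow" and not parsed[1].get("via-port"):
            findings.append((lineno, parsed[1].get("id", ["*:*"])[0]))
    return findings


if __name__ == "__main__":
    for lineno, dev in unpinned_allow_rules(SAMPLE_RULES):
        print(f"line {lineno}: allow rule for {dev} matches on any port")
```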