The PC system has 2 USB hubs: the first one is used for USB jacks on the front panel, the second one is used for USB jacks on the rear panel. Each hub has 3 controllers: front.OHCI0 handles first 3 USB 1.1 devices that are plugged in (nothing at the moment) front.OHCI1 handles next 3 USB 1.1 devices that are plugged in (nothing at the moment) front.EHCI0 handles up to 6 USB 2.0 devices that are plugged in (DVD-RW drive and flash stick at the moment) rear.OHCI0 handles first 3 USB 1.1 devices that are plugged in (USB keyboard and USB mouse are plugged in persistently)
rear.OHCI1 handles next 3 USB 1.1 devices that are plugged in (nothing at the moment) rear.EHCI0 handles up to 6 USB 2.0 devices that are plugged in (Web camera, and CD-RW drive are plugged in persistently) I followed the recommendation at https://www.qubes-os.org/doc/usb/#creating-and-using-a-usb-qube. After running [dom0]$ qubesctl top.enable qvm.sys-usb [dom0]$ qubesctl state.highstate all 6 controllers have been assigned to sys-usb qube. It looks like a very bad idea to mix security sensitive devices such as keyboard/mouse with other devices. Where do I go from this point? A) Split controllers into two groups and assign each group to a different sys-usb qube? Keyboard/mouse shall end up in a first group, while other devices shall end up in the second group. Is this break down in line with the security guidelines (see https://www.qubes-os.org/doc/usb/)? B) Stay with a single sys-usb qube and assign rear.OHCI0 controller back to dom0? Do I need to remove "sys-usb dom0 ask" from /etc/qubes-rpc/policy/qubes.InputKeyboard? Do I need to remove GRUB_CMDLINE_LINUX rd.qubes.hide_all_usb from /etc/default/grub ? How to instruct GRUB to hide all controllers except rear.OHCI0 ? -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to email@example.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/791381640.1825127.1476075866991%40mail.yahoo.com. For more options, visit https://groups.google.com/d/optout.