The PC system has 2 USB hubs: the first one is used for USB jacks on the front 
panel, the second one is used for USB jacks on the rear panel. Each hub has 3 
controllers:
front.OHCI0 handles first 3 USB 1.1 devices that are plugged in (nothing at the 
moment)
front.OHCI1 handles next 3 USB 1.1 devices that are plugged in (nothing at the 
moment)
front.EHCI0 handles up to 6 USB 2.0 devices that are plugged in (DVD-RW drive 
and flash stick at the moment)
rear.OHCI0 handles first 3 USB 1.1 devices that are plugged in (USB keyboard 
and USB mouse are plugged in persistently)

rear.OHCI1 handles next 3 USB 1.1 devices that are plugged in (nothing at the 
moment)

rear.EHCI0 handles up to 6 USB 2.0 devices that are plugged in (Web camera, and 
CD-RW drive are plugged in persistently)
I followed the recommendation at 
https://www.qubes-os.org/doc/usb/#creating-and-using-a-usb-qube.  After running 
[dom0]$   qubesctl top.enable qvm.sys-usb

[dom0]$   qubesctl state.highstate 

all 6 controllers have been assigned to sys-usb qube.  It looks like a very bad 
idea to mix security sensitive devices such as keyboard/mouse with other 
devices.  Where do I go from this point?

A) Split controllers into two groups and assign each group to a different 
sys-usb qube? Keyboard/mouse shall end up in a first group, while other devices 
shall end up in the second group.  Is this break down in line with the security 
guidelines (see https://www.qubes-os.org/doc/usb/)?


B) Stay with a single sys-usb qube and assign rear.OHCI0 controller back to 
dom0?  Do 
I need to remove "sys-usb dom0 ask" from 
/etc/qubes-rpc/policy/qubes.InputKeyboard? Do I need to remove 
GRUB_CMDLINE_LINUX rd.qubes.hide_all_usb from /etc/default/grub ?  How to 
instruct GRUB to hide all controllers except rear.OHCI0 ?

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/791381640.1825127.1476075866991%40mail.yahoo.com.
For more options, visit https://groups.google.com/d/optout.

Reply via email to