On Oct. 10, 2016 at 9:27 AM, Unman <un...@thirdeyesecurity.org> wrote

> I wouldn't assign back to dom0.
> There's no reason why you shouldn't adopt some variation on A, and have
> different qubes handling different controllers. Of course, you'd have to
> make sure that you follow a consistent pattern with use of sockets.
> You could enforce this with configuration in the policy file, and by
> some udev rules to block anything except storage devices in the relevant
> ports.

> unman

-------------------------------------------------------------------------



Before trying either the "A" or the "B" direction, I've stumbled upon the following 
difficulty: after booting, Xfce pops up a dialog box which invites the user to 
log in.  At this time, sys-usb hasn't started yet.  That is why the USB 
keyboard is not operational.  In essence, it is a chicken-and-egg problem: in 
order to enter a password, the sys-usb VM shall be started; in order to start 
the sys-usb VM, a valid password shall be entered.  



Unman> There's no reason why you shouldn't adopt some variation on A

I was leaning to adopt some variation of the plan "A".  Unfortunately, the experience 
(see previous paragraph) demonstrates that it is not possible :(



I went forward with the plan "B":
B-1) Stay with a single sys-usb qube and remove the rear.OHCI0 controller from 
sys-usb (using Qubes VM Manager).  I assume that the controller will be 
returned back to dom0.  Is it correct?
B-2) Remove "sys-usb dom0 ask,user=root" 
from /etc/qubes-rpc/policy/qubes.InputKeyboard.
B-3) Remove "sys-usb dom0 ask,user=root" from 
/etc/qubes-rpc/policy/qubes.InputMouse.

B-4) Remove rd.qubes.hide_all_usb from /etc/default/grub and run
grub2-mkconfig -o /boot/grub2/grub.cfg in dom0.  

 
With this plan in place, I am able to log in using the USB keyboard.  



Further enhancements
--------------------
* In the step B-4, it would be nice to hide all USB controllers from dom0 
except rear.OHCI0.  How to achieve this?

Unman> Of course, you'd have to make sure that you follow a consistent pattern 
with use of sockets.  You could enforce this with configuration in the policy 
file, and by some udev rules to block anything except storage devices in the 
relevant ports. 
* How to achieve this?  Is there some manual?  Do you mind sharing an example?


* Correct the policy in 
https://www.qubes-os.org/doc/usb/#how-to-use-a-usb-keyboard manual.  It should 
be:

sys-usb dom0 ask,user=root
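Added example, not part of the thread or of Qubes itself: a small Python checker for the single-file qrexec policy format quoted in this post ("source destination action[,user=...]", first matching rule wins), run over a constructed sample of qubes.InputKeyboard. It flags an unprompted "allow" for the keyboard service, since that lets sys-usb inject keystrokes into dom0 without the user noticing, and rewrites the rule to the "ask,user=root" form the post recommends. The sample file contents and the function names are my own.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample of /etc/qubes-rpc/policy/qubes.InputKeyboard (Qubes 3.x format).
SAMPLE_POLICY = """\
# keyboard passthrough from sys-usb to dom0
sys-usb dom0 allow,user=root
$anyvm $anyvm deny
"""

@dataclass
class Rule:
    source: str
    dest: str
    action: str            # allow | deny | ask
    options: Dict[str, str]  # e.g. {"user": "root"}

def parse_policy(text: str) -> List[Rule]:
    """One rule per line; '#' starts a comment; fields are whitespace separated."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        src, dst, spec = line.split()
        action, *opts = spec.split(",")
        rules.append(Rule(src, dst, action, dict(o.split("=", 1) for o in opts)))
    return rules

def _matches(pattern: str, name: str) -> bool:
    return pattern == "$anyvm" or pattern == name

def decide(rules: List[Rule], source: str, dest: str) -> Optional[Rule]:
    """qrexec evaluates top-down: the first rule matching (source, dest) applies."""
    return next((r for r in rules if _matches(r.source, source) and _matches(r.dest, dest)), None)

def keyboard_policy_findings(text: str) -> List[str]:
    """Defender's check: keyboard input into dom0 should never be silently allowed."""
    r = decide(parse_policy(text), "sys-usb", "dom0")
    if r is None or r.action == "deny":
        return ["sys-usb cannot forward the keyboard to dom0: USB keyboard login will fail"]
    if r.action == "allow":
        return ["unprompted allow: sys-usb may inject keystrokes into dom0 at any time"]
    return []

def fix_keyboard_policy(text: str) -> str:
    """Rewrite the sys-usb -> dom0 rule to 'ask,user=root'; other lines are kept verbatim."""
    out = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        out.append("sys-usb dom0 ask,user=root" if fields[:2] == ["sys-usb", "dom0"] else raw)
    return "\n".join(out) + "\n"
```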
