> go with B1 man.  Like I said you can  get a ps2 adapter for your usb keyboard 
> and then can have all controllers in the sys-usb if you
> want. But I don't think there is anything to be worried about having your 
> keyboard in dom0.  Unless you got a real sketchy kb. (anything > is possible)

> As for how to hide all usb controllers except the rear OHCI0, you can't 
> unless its on a separate controller.  Otherwise just add every
> other controller to sys-usb except the OHCI0 one.  Again to make sure you are 
> correctly identifying your controller
> https://www.qubes-os.org/doc/assigning-devices/   You test with a device 
> plugged in the port to identify the controller.

> You can also just go into a vm settings and click on devices to get a list.  
> look for what says usb, to see how many controllers
> you actually have. 




> Like I said you can  get a ps2 adapter for your usb keyboard and then can 
> have all controllers in the sys-usb if you want.

I tried to plug the USB keyboard into a USB-to-PS2 adapter which is plugged 
into PS2 jack.    The keyboard doesn't work this way, probably because it 
doesn't support I2C protocol.




> But I don't think there is anything to be worried about having your keyboard 
> in dom0.  Unless you got a real sketchy kb. (anything is possible)

I am not worried about having the keyboard (and mouse) in dom0, as they are 
persistently attached to 2 USB jacks at the rear panel. 



> As for how to hide all usb controllers except the rear OHCI0, you can't 
> unless its on a separate controller.

dom0$ lspci | grep USB
returns 6 USB controllers:
Bus:Device.Function
00:12.0 ... SB7x0/SB8x0/SB9x0 USB OHCI0 Controller
00:12.1 ... SB7x0 USB OHCI1 Controller
00:12.2 ... SB7x0/SB8x0/SB9x0 USB EHCI Controller
00:13.0 ... SB7x0/SB8x0/SB9x0 USB OHCI0 Controller
00:13.1 ... SB7x0 USB OHCI1 Controller
00:13.2 ... SB7x0/SB8x0/SB9x0 USB EHCI Controller

Are they 6 separate controllers?

How do I hide all controllers except the "00:12.0 ... SB7x0/SB8x0/SB9x0 USB 
OHCI0 Controller"?



> Otherwise just add every other controller to sys-usb except the OHCI0 one.

Yes, that is exactly what I did.




>  Again to make sure you are correctly identifying your controller 
> https://www.qubes-os.org/doc/assigning-devices/   You test with a device 
> plugged in the port to identify the controller.

Yes, I followed this manual.




> > I went forward with the plan "B":

> > B-1) Stay with a single sys-usb qube and remove rear.OHCI0 controller from 
> > sys-usb (using Qubes VM Manager).  I assume that the controller will be 
> > returned back to dom0.  Is it correct?
> > B-2) Remove "sys-usb dom0 ask,user=root" from 
> > /etc/qubes-rpc/policy/qubes.InputKeyboard.
> > B-3) Remove "sys-usb dom0 ask,user=root" from 
> > /etc/qubes-rpc/policy/qubes.InputMouse.
> > B-4) Remove rd.qubes.hide_all_usb from /etc/default/grub and run 
> > grub2-mkconfig -o /boot/grub2/grub.cfg in dom. 
> > With this plan in place, I am able to log in using the USB keyboard. 

> dont' do B2 you need keyboard,
The policy was installed by the SALT management to allow dom0 to use rear.OHCI0 
controller attached to the sys-usb VM.  Given that
rear.OHCI0 controller is no longer attached to the sys-usb VM (see B-1), this 
policy is no longer necessary.



> not sure why you want B-3
Same reason.  The policy was installed by the SALT management to allow dom0 to 
use rear.OHCI0 controller attached to
the sys-usb VM.   Given that rear.OHCI0 controller is no longer attached to the 
sys-usb VM (see B-1), this policy is
no longer necessary. 

Note that the rear.OHCI0 controller handles both, the keyboard and the mouse.




> With b4 that means the usb ports aint hidden from dom0 during boot like luks 

> passphrase I think that would be security risk unless you constantly
> unplugging every usb device except your keyboard when you reboot.
The additional USB devices plugged persistently to this system:
o Web cam 

o CD-RW drive (powered down)
o DVD-RW drive (powered down)
Is there a risk to leave Web cam plugged in?

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/465943496.2718897.1476152598876%40mail.yahoo.com.
For more options, visit https://groups.google.com/d/optout.

Reply via email to