On Fri, Aug 10, 2018 at 07:39:45AM -0700, joevio...@gmail.com wrote:
> Both /etc/qubes-rpc/policy/qubes.InputKeyboard and InputMouse should say 
> something like this.
> sys-usb  dom0 allow,user=root
> Yes, if you have a sys-usb set up, then the USB keyboard will attach there 
> first.  More specifically, the USB Host Controller that the USB keyboard is 
> plugged into is attached to sys-usb.  But the keyboard device is immediately 
> sent to dom0 per the rpc policy.  Because a keyboard that stays attached to 
> sys-usb can only type into sys-usb.  And not the interactive window you see 
> when you open up a terminal for sys-usb... but rather its own session.
> dom0 needs the keyboard and mouse.  The USB Host Controller still resides in 
> sys-usb, but the USB raw data passes to dom0 upon boot.
> Unfortunately, the rpc policy is generic based on all USB devices enumerating 
> as a keyboard.  So it may not be able to selectively attach a yubikey to an 
> AppVM.

But the point is that the yubikey will be attached to a different qube,
and can be treated as a keyboard there. This means that one can
selectively link the yubikey to distinct qubes for input there, and the
sys-usb policy will not be relevant.
The Input.Keyboard policy needs to be set for the qube to which the
yubikey is attached.
