On Fri, Aug 10, 2018 at 07:39:45AM -0700, joevio...@gmail.com wrote:
> Both /etc/qubes-rpc/policy/qubes.InputKeyboard and InputMouse should say 
> something like this.
> 
> sys-usb  dom0 allow,user=root
> 
> Yes, if you have a sys-usb set up, then the USB keyboard will attach there 
> first.  More specifically, the USB Host Controller that the USB keyboard is 
> plugged into is attached to sys-usb.  But the keyboard device is immediately 
> sent to dom0 per the rpc policy, because a keyboard that stays attached to 
> sys-usb can only type into sys-usb, and not into the interactive window you 
> see when you open up a terminal for sys-usb... but rather its own session.
> dom0 needs the keyboard and mouse.  The USB Host Controller still resides in 
> sys-usb, but the USB raw data passes to dom0 upon boot.
> 
> Unfortunately, the rpc policy is generic based on all USB devices enumerating 
> as a keyboard.  So it may not be able to selectively attach a yubikey to an 
> AppVM.
> 

But the point is that the yubikey will be attached to a different qube,
and can be treated as a keyboard there. This means that one can
selectively link the yubikey to distinct qubes for input there, and the
sys-usb policy will not be relevant.
The Input.Keyboard policy needs to be set for the qube to which the
yubikey is attached.
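
An added example, not part of the original messages: a small model of how a policy file like the one quoted above is evaluated, showing that the decision depends on the source qube's name and not on which device is plugged in. It assumes the `source target action[,params]` line format with first-match-wins and default deny; the qube name `yubi-qube`, the catch-all deny line and the simplified `$anyvm` matching are assumptions made for the illustration.

```python
# Constructed sample of a qubes.InputKeyboard policy file; only the sys-usb
# line comes from the thread, the final deny line is an assumed catch-all.
SAMPLE_POLICY = """\
# source  target  action[,param=value...]
sys-usb   dom0    allow,user=root
$anyvm    $anyvm  deny
"""

def parse_policy(text):
    """Return the rules as (source, target, action, params), in file order."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError(f"malformed policy line: {raw!r}")
        source, target, spec = fields
        action, *opts = spec.split(",")
        if action not in ("allow", "deny", "ask"):
            raise ValueError(f"unknown action in: {raw!r}")
        params = dict(opt.split("=", 1) for opt in opts)
        rules.append((source, target, action, params))
    return rules

def _matches(pattern, qube):
    # Simplified matching (assumption): exact name or the $anyvm wildcard.
    return pattern == "$anyvm" or pattern == qube

def decide(rules, source, target="dom0"):
    """First matching rule wins; a call that matches no rule is denied."""
    for src, dst, action, params in rules:
        if _matches(src, source) and _matches(dst, target):
            return action, params
    return "deny", {}

if __name__ == "__main__":
    rules = parse_policy(SAMPLE_POLICY)
    # "yubi-qube" is a hypothetical qube holding the YubiKey.
    for qube in ("sys-usb", "yubi-qube"):
        print(qube, "->", decide(rules, qube))
    # Adding a line for that qube ahead of the catch-all changes the outcome.
    extended = parse_policy("yubi-qube dom0 allow,user=root\n" + SAMPLE_POLICY)
    print("yubi-qube (own line) ->", decide(extended, "yubi-qube"))
```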
 
