On Fri, Aug 10, 2018 at 07:39:45AM -0700, joevio...@gmail.com wrote: > Both /etc/qubes-rpc/policy/qubes.InputKeyboard and InputMouse, should say > something like this. > > sys-usb dom0 allow,user=root > > Yes, If you have a sys-usb set up, then the USB keyboard will attach there > first. More specifically, the USB Host Controller that the USB keyboard is > plugged into is attached to sys-usb. But the keyboard device is immediately > sent to dom0 per the rpc policy. Because a keyboard that stays attached to > sys-usb, can only type into sys-usb. And not the interactive window you see > when you open up a terminal for sys-usb... but rather its own session. > dom0 needs the keyboard and mouse. The USB Host Controller still resides in > sys-usb, but the USB raw data passes to dom0 upon boot. > > Unfortunately, the rpc policy is generic based on all USB devices enumerating > as a keyboard. So it may not be able to selectively attach a yubikey to an > AppVM. >
But the point is that the yubikey will be attached to a different qube, and can be treated as a keyboard there. This means that one can selectively link the yubikey to distinct qubes for input there, and the sys-usb policy will not be relevant. The Input.Keyboard policy needs to be set for the qube to which the yubikey is attached. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to email@example.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20180810153105.lkoo4vi6a3bduqtk%40thirdeyesecurity.org. For more options, visit https://groups.google.com/d/optout.