On Friday, 10 August 2018 11:31:08 UTC-4, Unman  wrote:
> On Fri, Aug 10, 2018 at 07:39:45AM -0700, 
> > Both /etc/qubes-rpc/policy/qubes.InputKeyboard and InputMouse, should say 
> > something like this.
> > 
> > sys-usb  dom0 allow,user=root
> > 
> > Yes, If you have a sys-usb set up, then the USB keyboard will attach there 
> > first.  More specifically, the USB Host Controller that the USB keyboard is 
> > plugged into is attached to sys-usb.  But the keyboard device is 
> > immediately sent to dom0 per the rpc policy.  Because a keyboard that stays 
> > attached to sys-usb can only type into sys-usb.  And not the interactive 
> > window you see when you open up a terminal for sys-usb... but rather its 
> > own session.
> > dom0 needs the keyboard and mouse.  The USB Host Controller still resides 
> > in sys-usb, but the USB raw data passes to dom0 upon boot.
> > 
> > Unfortunately, the rpc policy is generic based on all USB devices 
> > enumerating as a keyboard.  So it may not be able to selectively attach a 
> > yubikey to an AppVM.
> > 
> 
> But the point is that the yubikey will be attached to a different qube,
> and can be treated as a keyboard there. This means that one can
> selectively link the yubikey to distinct qubes for input there, and the
> sys-usb policy will not be relevant.
> The Input.Keyboard policy needs to be set for the qube to which the
> yubikey is attached.

Yeah, that would be nice if it were that granular.  

I don't have my yubikey set for a static key, but let me test this with my 
input stick, which is like a USB rubber ducky.  It enumerates as a keyboard, 
and I have just attached it to the app VM I am typing on.
I am using speech to text on my phone, Bluetooth to the InputStick USB, and typing 
into here.

It only works with "sys-usb dom0 allow,user=root" in 
/etc/qubes-rpc/policy/qubes.InputKeyboard 
And it does NOT work with "sys-usb APPVM_NAME allow,user=root".
No USB device attaching is needed, as the rpc rule simply allows dom0 access to 
the sys-usb keyboard.

As I said... Keyboards need to be sent to dom0, or else it cannot type in the 
GUI.  

This will work for all USB keyboards, as you cannot specify that Yubikey keystrokes 
only type into a single AppVM.  Not the most secure... which is why Qubes 
recommends PS/2 keyboards if running on a desktop and using the built-in 
keyboard on laptops. It avoids the USB blanket rule for keyboards going to 
dom0.  And since LUKS encryption passphrases are entered after the initramfs hides 
USB from the boot process, a non-USB keyboard is essential for full disk encryption.

All that said,
it is still a much more secure option to use ykchalresp, which comes with the 
YubiKey tools.  The USB device that does this function is not the keyboard 
part, and you have to explicitly attach it to the VM you want.  Also, there is no static 
key to be sniffed or accidentally typed somewhere.  I use it for KeePass, LUKS, 
PAM.d login, OTP tokens, everything.  


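The policy file the message keeps coming back to, /etc/qubes-rpc/policy/qubes.InputKeyboard, is a plain text list of "source destination action[,user=...]" rules in the Qubes 4.0 format, where "$anyvm" is a wildcard. Because one "allow" rule there lets every device that enumerates as a keyboard type into dom0, the thing worth auditing is that no rule wider than "sys-usb dom0" ever creeps into it. The script below is an added example, not code from the thread or from the Qubes project: it parses a constructed sample policy (an assumption about what the file might contain, not anyone's real system) and flags any allow rule whose source or destination differs from sys-usb -> dom0. Run it against the real file with `check_keyboard_policy "$(cat /etc/qubes-rpc/policy/qubes.InputKeyboard)"` in dom0.

```shell
#!/bin/sh
# Added example (not from the thread or from Qubes): audit a Qubes 4.0-style
# qrexec policy for qubes.InputKeyboard.
#
# Policy line format (Qubes 4.0): <source> <destination> <action>[,user=...]
# Lines starting with '#' are comments; '$anyvm' matches every qube.

# Constructed sample policy: the rule the thread says is required, plus the
# usual catch-all deny. This is an assumption, not a real system's file.
SAMPLE_POLICY='# qubes.InputKeyboard
sys-usb dom0 allow,user=root
$anyvm $anyvm deny
'

# Read policy text on stdin; print "source dest action" for each allow rule.
list_allows() {
    grep -v '^[[:space:]]*#' \
        | awk 'NF >= 3 && $3 ~ /^allow/ { print $1, $2, $3 }'
}

# Return 0 if the only allow rule is sys-usb -> dom0 (what the message
# describes as working), 1 if any other source, destination or wildcard may
# deliver keystrokes, 2 if there is no allow rule at all (USB keyboards would
# then not reach dom0).
check_keyboard_policy() {
    allows=$(printf '%s' "$1" | list_allows)
    if [ -z "$allows" ]; then
        echo "no allow rule: USB keyboards cannot type into dom0"
        return 2
    fi
    # Anything other than the expected rule is a finding; '|| true' keeps a
    # clean result from tripping 'set -e' in callers.
    bad=$(printf '%s\n' "$allows" | grep -v '^sys-usb dom0 allow' || true)
    if [ -n "$bad" ]; then
        echo "unexpected keyboard allow rule(s):"
        echo "$bad"
        return 1
    fi
    echo "only sys-usb -> dom0 may deliver keystrokes"
    return 0
}

check_keyboard_policy "$SAMPLE_POLICY"
```

A wildcard such as "$anyvm dom0 allow" or a per-AppVM "sys-usb work allow" both show up as findings, which is exactly the granularity the message reports you do not get for free: a keyboard-class device either reaches dom0 or it does not.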