Hi,

When setting up sys-usb and still using USB HID devices, I noted:

* The setting gets written to xen.cfg on the EFI partition... right? Isn't this an invitation for an easy-to-do evil maid attack combined with a compromised USB device? If only it were at least part of the initramfs, so that it is not as easy to tamper with as starting a text editor. (For sure, it's meaningless if you add proper anti evil maid protection.)

* It seems you cannot define which USB devices are allowed. So I really would appreciate it if I were able to pin HID down to a certain keyboard and a certain mouse. If one of the two gets broken, I don't mind booting offline from a live system, mounting root and changing the filter to use the new device, if that increases security. Again, for sure this would not be an absolute protection, but it would make tampering with the system harder, since you'd have to manipulate the keyboard/mouse instead of inserting an internal device into the computer case. Cloning the permitted IDs would not work out well, since the system would then find two devices using the same ID as soon as you connect the HID devices, which might be noticed (the system could also notify whether USB HIDs are used or not). Then you can easily recognize a tampered-with system by seeing that there is a HID in use without you having one connected.

BR
Ralph