Request clarification on using a USB-qube vs all USB devices on dom0


Ole

Jul 31, 2018, 10:26:35 AM
to qubes-users
I cannot seem to figure this out on my own:

If I have a USB-qube and use a USB keyboard and mouse, obviously the USB-qube will have full control over my system.

But is this any worse than having all USB devices on dom0? (The general tone in the documentation[1] makes it sound like it is, but I cannot find a mention of a concrete problem that could arise.)

If I forward USB devices from the USB-qube to other qubes, does this open up the USB-qube to attacks from those qubes? (This would be the only reason I could think of why using a USB-qube with input devices would be less secure. But I cannot find whether this is true or not.)

[1] https://www.qubes-os.org/doc/usb/#security-warning-about-usb-input-devices

awokd

Aug 4, 2018, 6:36:35 AM
to Ole, qubes-users
On Tue, July 31, 2018 2:26 pm, Ole wrote:
> I cannot seem to figure this out on my own:
>
>
> If I have a USB-qube and use a USB keyboard and mouse, obviously the
> USB-qube will have full control over my system.
>
>
> But is this any worse than having all USB devices on dom0? (The general
> tone in the documentation[1] makes it sound like it is, but I cannot find
> a mention of a concrete problem that could arise.)

I think it's more about bad USB devices that drop a compromise into the
system. If you're using dom0 to handle USB, getting it compromised is very
bad vs. just bad if using sys-usb. The documentation is saying a PS/2
keyboard in dom0 is preferable to a USB one in sys-usb.

> If I forward USB devices from the USB-qube to other qubes, does this open
> up the USB-qube to attacks from those qubes? (This would be the only
> reason I could think of why using a USB-qube with input devices would be
> less secure. But I cannot find whether this is true or not.)

I think some USB commands are filtered out on device forwards, so I expect
they've considered the possibility but I'm not familiar with the exact
mechanisms involved.

