It is not just 'unavoidable surveillance'.
Qubes doesn't just run on laptops. Think about desktops. They require USB keyboards since most modern desktop systems don't have PS/2. And since they require USB keyboards to enter the LUKS passphrase, that means the "rd.qubes.hide_all_usb" option in the bootloader will render the whole system inaccessible. So USB security at boot time is not an option, and therefore not a tradeoff with 2FA.
It isn't for the "lazy" people either. 2FA means that I don't have to weaken my passphrase so it's memorable. And if it's snooped by some Evil Maid attack methods, they'll need to pull the token from my cold dead hands too.
I am hoping someone will finish this idea and make it available, especially for desktop users with yubikey.
Unfortunately, I don't have much knowledge of initramfs or dracut to produce something usable myself. I have searched all over and only find the same abandoned ideas, or directions for using a Yubikey for something other than LUKS, or on a Debian-based system.
Please help.
Thank you.
Almost all motherboards still come with PS/2. Only budget gaming ones don't, but even most gaming ones do.
Fair point. I was thinking more in my price range. Dell XPS 8900.
My solution so far is to use YKLUKS from here: https://github.com/the2nd/ykluks
It does include a grub2 "rd.ykluks.hide_all_usb" feature to only temporarily turn on USBs during the
https://groups.google.com/forum/#!msg/qubes-users/hB0XaquzBAg/aPQmmLBwBgAJ
"Besides the yubikey/luks stuff the module handles the rd.qubes.hide_all_usb stuff via its own rd.ykluks.hide_all_usb command line parameter because the yubikey is connected via USB and needs to be accessible until we get the challenge from it. I am still unsure if this is the best method to implement this. So if anyone with a deeper knowledge of qubes/dracut does have a better/more secure solution I'm happy about any help."
It works. I think it's the best I can do since I am more concerned with 2FA than bad USB devices.
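To make the 2FA argument in this thread concrete, here is an added model (not code from ykluks, Qubes, or the poster) of the YubiKey HMAC-SHA1 challenge-response slot together with an assumed passphrase-plus-response key derivation; the 20-byte slot secret and the "passphrase is the challenge, LUKS key is SHA-256 over passphrase || response" scheme are assumptions for illustration, not the ykluks module's actual format.

```python
import hashlib
import hmac

# Constructed 20-byte slot secret for the demo; a real secret is programmed
# into the YubiKey's HMAC-SHA1 slot and never leaves the token.
TOKEN_SECRET = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f000112233")


def yubikey_chalresp(secret: bytes, challenge: bytes) -> bytes:
    """Model of the YubiKey HMAC-SHA1 challenge-response slot.

    The real token does this computation internally over USB; the initramfs
    hook only sees the 20-byte response, never the secret.
    """
    if len(secret) != 20:
        raise ValueError("HMAC-SHA1 slot secret must be exactly 20 bytes")
    return hmac.new(secret, challenge, hashlib.sha1).digest()


def derive_luks_key(passphrase: str, secret: bytes) -> bytes:
    """Two-factor key material for cryptsetup (assumed scheme).

    The typed passphrase is sent to the token as the challenge, and the
    LUKS key is SHA-256 over passphrase || response. A passphrase snooped
    by an Evil Maid style camera does not yield the response, so the key
    cannot be recomputed without the physical token.
    """
    pw = passphrase.encode("utf-8")
    response = yubikey_chalresp(secret, pw)
    return hashlib.sha256(pw + response).digest()


def enroll(passphrase: str, secret: bytes) -> bytes:
    """Key that would be added to a LUKS keyslot when 2FA is set up."""
    return derive_luks_key(passphrase, secret)


def try_unlock(enrolled_key: bytes, passphrase: str, secret: bytes) -> bool:
    """Constant-time check of what the boot-time hook would present."""
    candidate = derive_luks_key(passphrase, secret)
    return hmac.compare_digest(enrolled_key, candidate)


if __name__ == "__main__":
    key = enroll("short-pw", TOKEN_SECRET)
    print("owner, correct token:     ", try_unlock(key, "short-pw", TOKEN_SECRET))
    # Snooped passphrase but a different (or no) token: the second factor fails.
    print("snooped pw, wrong token:  ", try_unlock(key, "short-pw", b"\x00" * 20))
```

Because the response depends on the token's secret, the same memorable passphrase yields a different key on every other token, which is the property that lets the passphrase stay short without the key being guessable.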