How to hide all except one USB controller?


Chris

Dec 22, 2017, 2:27:32 PM12/22/17
to qubes-users
Hi,

I bought a second internal USB controller (A) to connect a flash drive for booting from SD.

How can I prevent the internal controller (B) (with the keyboard attached) from being recognized during startup? I can still type my boot password with it, which means the controller is visible, right?

So how can I configure Qubes OS to:

1) At boot time, only controller (A) should be attached to dom0. Controller (B) should be unable to affect Qubes OS maliciously.
2) After boot, controller (A) should be attached to dom0, controller (B) to sys-usb.
3) hide-all-usb does not seem to support this. How can I configure GRUB to ignore all USB controllers except one specific one?

Cheers
Chris


Yethal

Dec 23, 2017, 6:13:37 AM12/23/17
to qubes-users
Instead of rd.qubes.hide.all.usb add xen-pciback.hide=(X)(X) to your GRUB command line, with X being the BDF address of your USB controller.
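
To illustrate the suggestion above, here is an added example (not from this thread or the Qubes project) that builds the xen-pciback.hide= parameter from `lspci -D` output, hiding every USB controller except the one you want dom0 to keep. The lspci lines and BDF addresses below are constructed sample data, not a real machine.

```sh
#!/bin/sh
# Build a xen-pciback.hide=(BDF)(BDF)... string from `lspci -D` output,
# keeping one USB controller visible to dom0 and hiding all others.
# The sample lspci lines below are constructed; on a real machine pass the
# output of `lspci -D` instead (or omit the second argument).

SAMPLE_LSPCI='0000:00:14.0 USB controller: Intel Corporation Sunrise Point-LP USB 3.0 xHCI Controller
0000:00:1f.3 Audio device: Intel Corporation Sunrise Point-LP HD Audio
0000:02:00.0 USB controller: ASMedia Technology Inc. ASM1142 USB 3.1 Host Controller
0000:03:00.0 Network controller: Intel Corporation Wireless 8260'

# hide_usb_except KEEP_BDF [LSPCI_TEXT]
# Prints the kernel parameter that hides every "USB controller" entry
# except KEEP_BDF. Returns 1 if KEEP_BDF is not a USB controller in the list,
# so a typo cannot silently leave the keyboard controller attached to dom0.
hide_usb_except() {
    keep="$1"
    text="${2:-$(lspci -D)}"
    found=0
    param="xen-pciback.hide="
    # Only lines of PCI class "USB controller" are candidates for hiding.
    while IFS= read -r line; do
        case "$line" in
            *" USB controller: "*) ;;
            *) continue ;;
        esac
        bdf="${line%% *}"           # first field is the domain:bus:dev.func
        if [ "$bdf" = "$keep" ]; then
            found=1
        else
            param="${param}(${bdf})"
        fi
    done <<EOF
$text
EOF
    if [ "$found" -ne 1 ]; then
        echo "error: $keep is not a USB controller in the lspci output" >&2
        return 1
    fi
    printf '%s\n' "$param"
}

# Keep the add-in controller (A) at 0000:02:00.0 for dom0 and hide the
# on-board one (B) at 0000:00:14.0 so dom0 never binds a driver to it.
hide_usb_except 0000:02:00.0 "$SAMPLE_LSPCI"
```

Hiding (B) this way only governs what the dom0 kernel binds; it does nothing for the firmware phase before Xen starts, which is the point raised in the next reply.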

Vít Šesták

Dec 24, 2017, 7:56:52 AM12/24/17
to qubes-users
Actually, having malicious hardware attached at boot time is something hard to defend against. Even if Xen does not attach the hardware to dom0, there is some pre-Xen phase of boot – BIOS/UEFI. Qubes cannot affect this phase of boot. If you have attached a malicious device that for example pretends to be a USB keyboard, it can control the computer. It can also try to provide another boot medium or to exploit a vulnerability (e.g., some FS parsing vulnerability in UEFI).

So, I advise some Qubes-unrelated mitigations:

* If possible, avoid having untrusted devices connected at boot.
* Check your boot medium options in BIOS config.
* Set a BIOS password. Even if it can be bypassed by anyone with physical access, your malicious device is unlikely to take a screwdriver and disassemble your computer. :)

That's not to say that Qubes-related mitigations are useless. They are just not enough when you are concerned about boot time.