Does anyone using Qubes OS know if I can use a USB wifi dongle for my internet connection?
#qubesos #wifi #followerpower #infosec maybe?
@StuC I was actually trying to forward a whole USB bus (I installed a separate USB controller card), however that didn't work. But thanks to your tip, I googled how to create a USB qube and using that I forwarded the WiFi dongle to sys-net, which now works perfectly
@lx pleased I could help.
@StuC hmm.. so apparently after a reboot the sys-usb VM takes control over all USB controllers even though I explicitly removed the one with the keyboard from the attached devices list. Do you know a way I can stop a VM from booting, so I can enter the disk passphrase at boot again? Otherwise I need to find a PS/2 keyboard since my adapter doesn't seem to work.
uuugh Chicken and Egg
did you change the policies?
/etc/qubes-rpc/policy/qubes.InputKeyboard and qubes.InputMouse
to read something like...
sys-usb dom0 allow
$anyvm $anyvm deny
as in the video?
I guess you might mount the partitions from a live USB distro, analogous to what is described here
https://dominik-birk.com/2017/08/20/accessing-a-usb-sys-blocked-and-encrypted-qubes-os-partition/
and change the policy files if you didn't do this already
@StuC thanks for your reply. I managed to find a different USB keyboard that works with my PS/2 adapter but I still need to investigate why the actual keyboard doesn't work over USB. I checked and the separate USB controller isn't taken over by sys-usb, yet it doesn't even work once I am logged in.
@lx maybe you could add the suggested mod to..
/etc/qubes-rpc/policy/qubes.InputKeyboard and qubes.InputKeyboard
and plug your keyboard into the controller that _is_ controlled by sys-usb
@StuC Wow, okay, partial success! So I still can't use the USB keyboard for unlocking the partition on bootup but afterwards I can use it for logging in to my actual user account. Now I still need to figure out how to make it work for unlocking the partition..
@lx so what did you do to exclude the 2nd usb controller?
@lx did you add rd.qubes.hide_all_usb to xen.cfg by any chance?
@StuC maybe the setup command for sys-usb added that automatically, I need to check that..
@StuC you're right, it says it there. Removing that helped, thanks! But do you know a way that I can whitelist a device there instead of blocking all or allowing all USB devices?
@lx no, sorry. During the boot process USB will belong to Dom0, after usb-sys has started this should no longer be the case.
What attack vector are you worried about specifically?
@lx if you are worried that for a brief time on system your wifi card might be up and attached to dom0, can't you just blacklist the driver module in dom0?
@StuC is there something like USB guard for dom0 where I can whitelist the concrete device?
@StuC that's actually a good idea and I even did this before. I will try that later
@lx I like a person who doesn't quit while they are ahead ;)
@StuC actually I don't have any specific attack in mind, I just felt like there must be a good reason why that option was there before
@StuC well the second usb controller is a separate card and all I did was remove it from the list of added devices in the Qubes Manager, since it was automatically added when I set up sys-usb.
@lx yes, but...
https://www.youtube.com/watch?v=qFwbQ06h8Qo
basically, because you can normally only pass through an entire bus, you may need to create a separate USB qube.