Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support disabling UEFI USB and network support #589

Open
DemiMarie opened this issue Feb 21, 2024 · 0 comments
Open

Support disabling UEFI USB and network support #589

DemiMarie opened this issue Feb 21, 2024 · 0 comments
Labels
priority:low

Comments

@DemiMarie
Copy link

In Qubes OS, USB devices are considered untrusted. Allowing USB devices to inject keystroke input is not allowed by default. Furthermore, vulnerabilities in the USB stack and drivers are mitigated by running them in a dedicated Xen VM.

However, Qubes OS cannot isolate the firmware USB stack. Injecting keyboard input into firmware can be used to e.g. change the boot order or edit the kernel command line. Therefore, it is a security risk in the Qubes OS threat model.

Dasharo supports disabling the firmware USB stack, and I would like System76’s open firmware to also do so. This is necessary for secure use of potentially-compromisd USB devices on System76 hardware.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
priority:low
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@crawfxrd @DemiMarie