Add a Warning / Confirmation when Attempting to Reassign a USB input device #6811
Description
The problem you're addressing (if any)
The way that USB device to VM assignment is currently handled is prone to user mistakes. On multiple occasions, I accidentally misclicked the menu and assigned my USB mouse (instead of the intended USB device) to an AppVM and lost my input, and I had to physically replug my mouse. If it's a laptop that uses internal USB connections for the mouse, it can potentially be an even bigger headache.
Theoretically, this can also be a security problem - a untrusted VM normally without any USB device access will have full control of the input device for a time period and potentially carry out a firmware-level attack (although this scenario is largely theoretical).
Describe the solution you'd like
If the user attempts to assign an input device from sys-usb, including a mouse, keyboard, or tablet, currently used as a Dom0 input device, to an AppVM, the user should be warned with a confirmation, "You are attempting to reassign input $device to $appvm. If this is the device you're currently using to control Dom0, you may lost your input. Are you sure?" (just an example, the confirmation should be carefully worded to make it easier to understand).
Where is the value to a user, and who might that user be?
A warning message avoids unintentional misassignment of input device, and prevents accidental lost of input to Dom0 that may render a desktop uncontrollable.
Describe any alternative solutions you've considered
This is only one aspect of a bigger problem of the USB assignment feature - it's very easy to misclick and assign the wrong device to the wrong VM. On multiple occasions, I also misassigned my USB security key to the wrong, untrusted VM.
An alternative solution is allow QubesOS to memorize a list of preferred USB device assignments. The current GUI menu for USB assignment looks like this. The list display on the screen can be overwhelming, it's easy to misclick.
- USB device 1
- Qubes1
- Qubes2
- Qubes3
- Qubes4
- Qubes5
- USB device 2
- Qubes1
- Qubes2
- Qubes3
- Qubes4
- Qubes5
But if there's a way to add preferred USB device assignments, the menu may look like this:
- USB device 1
- Qubes3 (preferred)
- Assign to Other Qubes
- USB device 2
- Qubes5 (preferred)
- Assign to Other Qubes
- USB mouse
- (no preferred Qubes)
- Assign to Other Qubes
Such a feature can greatly reduce the risks of USB device misassignments. For best results, this feature can be combined with a warning / confirmation when assigning input devices. However, this feature may have some security (any USB device can pretend to be another one) or privacy (USB devices are logged) implications and should be addressed by further discussion. Perhaps this feature can have its own issue.