Dr. Hax on Nostr: I believe it is per controller, but I haven't personally verified that. For Qubes in ...
I believe it is per controller, but I haven't personally verified that.
For Qubes in particular, I already have USB isolation from dom0, which can control anything, but without a PS/2 keyboard, an exception needs to be made to give the USB device access to dom0. Having a USB -> PS/2 adapter solves that. This provides some protection against a compromised sys-usb VM.
The risk of sniffing a FIDO2 device which is unlocked by entering a PIN directly to the device (e.g. Trezor) is pretty minimal. The challenge is sent to the FIDO2 device, it gets back a signed transaction. At most, a malicious USB device that nabbed that could use the one session to each system that you log into.
The risk for a YubiKey, Nitrokey or Signet is a little higher. The attacker could get your device unlock password, but unless they have physical access, they won't be able to use the device or dump the entire database. If an OnlyKey requires a physical button press to get each password, the same would be true there.
For the password managers, the attacker would also be able to get each password that you actually use, and if you used the device to also provide the URL and username, they'd have everything they need to get persistent access to that account (assuming you don't have any 2FA set up). In contrast the FIDO2 devices only leak tokens that can be used to get a single session, so they're safer than password managers.
Back to the question at hand: should you isolate these devices to their own controller (assuming that works as expected)? That depends on your threat model and risk tolerance.
If you're trying to protect against someone with physical access to all your stuff, then yes. If not, then it depends on how much effort you want to put into it. A $40 USB card for a desktop is pretty reasonable. Trying to do this on a laptop would probably be a huge amount of trouble. For example, many models of the Microsoft Surface only have one USB port and no real room for expansion. So good luck with that one. Only plug one USB device in at a time, I guess?
In any case, you now have the information you need to make an informed decision. 🤓
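To illustrate the FIDO2-versus-password point made above, here is a small simulation (added example, not from the post). A passive sniffer on the USB path records everything; the relying party issues a fresh single-use challenge per login, so the recorded FIDO2 response is worth one session, while a recorded static password replays indefinitely. The HMAC with a shared key stands in for the authenticator's public-key signature, and `RelyingParty`, `Authenticator` and `simulate` are names chosen for this example.

```python
import hmac
import hashlib
import secrets


class RelyingParty:
    """Server side: hands out one-use challenges and verifies responses."""

    def __init__(self):
        self.outstanding = set()   # challenges issued but not yet consumed
        self.credentials = {}      # credential id -> verification key

    def register(self, cred_id, key):
        self.credentials[cred_id] = key

    def new_challenge(self):
        c = secrets.token_bytes(32)  # fresh randomness per login attempt
        self.outstanding.add(c)
        return c

    def verify(self, cred_id, challenge, signature):
        # Unknown or already-consumed challenge: reject (this is what defeats replay)
        if challenge not in self.outstanding:
            return False
        self.outstanding.discard(challenge)
        expected = hmac.new(self.credentials[cred_id], challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, signature)


class Authenticator:
    """Device side: signs whatever challenge it is handed (HMAC stands in for a signature)."""

    def __init__(self, key):
        self.key = key

    def sign(self, challenge):
        return hmac.new(self.key, challenge, hashlib.sha256).digest()


def simulate():
    """Returns (fido_login, fido_replay, fido_forge, pw_login, pw_replay)."""
    key = secrets.token_bytes(32)          # constructed credential key
    rp, device = RelyingParty(), Authenticator(key)
    rp.register(b"cred-1", key)
    c1 = rp.new_challenge()
    s1 = device.sign(c1)                   # this exchange is what the sniffer captures
    fido_login = rp.verify(b"cred-1", c1, s1)
    fido_replay = rp.verify(b"cred-1", c1, s1)              # same challenge again
    fido_forge = rp.verify(b"cred-1", rp.new_challenge(), s1)  # old response, new challenge
    stored_pw = "constructed-static-password"              # password-manager case
    pw_login = stored_pw == "constructed-static-password"  # sniffed once ...
    pw_replay = stored_pw == "constructed-static-password" # ... reusable forever
    return fido_login, fido_replay, fido_forge, pw_login, pw_replay
```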