defaults: Add USBGuard configuration for Librem 5 (!309) · Merge requests · Librem5 / librem5-base

Sebastian Krzyszkowiak requested to merge sebastian.krzyszkowiak/librem5-base:usbguard into pureos/byzantium Mar 26, 2022

This configures USBGuard to only accept allowlisted USB devices appearing on the internal bus, and to accept everything on the external bus.

Since g-s-d has USBGuard support that rejects devices attached while the screen is locked, let's disable it by default for now to not introduce potentially breaking UX changes. It can be reenabled once it's properly configured and well-tested for our use cases.

WIP because it needs a patched usbguard to work. The ruleset also needs to be augmented with devkit's devices.

This still leaves a short window of time at boot before usbguard gets started where a device could be temporarily accepted, but it will be dropped once usbguard loads. This could be fixed by setting authorized_default in kernel cmdline or initramfs, but it requires additional care to not break booting from SD or USB rootfs, so let's deal with it later.

Edited Apr 04, 2022 by Sebastian Krzyszkowiak

Admin message

defaults: Add USBGuard configuration for Librem 5

Merge request reports