[Article Proposal] Setting up USBGuard with GNOME on Fedora Workstation and Fedora Silverblue

Article Summary: This article should point out the need for protecting against unknown or malicious USB devices, teach the user to install and enable usbguard-dbus, teach how to do the initial setup and then how to add extra devices.
It should also point out for the user to be careful as, unless the keyboard and mouse are attached (such as on a laptop) or they can be connected via PS/2, misconfiguration might make the device temporarily unusable.

Article Description:
Nowadays you can’t really trust any USB device; malicious devices that appear to be something but are actually only spoofing a safe appearance and are actually malicious are common.
You might not really trust just anyone to plug a USB device into an important device if you don’t trust them enough.
There’s also the problem where you might for some reason have to leave the device unattended and can’t guarantee no unauthorized person might have access.

Well, GNOME has integration with usbguard, which works similarly to this:

  • On boot, by default all USB devices are blocked except the ones on the allowlist
  • Once you are logged in, GNOME temporarily disables usbguard (i.e. puts it into a state where it allows any new device)
  • On the lock screen the following behavior appears:
    • For devices on the allowlist: the device will work and a notification will pop up on unlock about a known device being reconnected
    • For a device not on the allowlist (possibly similar behavior for the ones on blocklist): the device will not work, possibly a notification pops up as well
  • Once unlocked, GNOME disables usbguard again (the same state as mentioned before)

The user would be required to run a command which gets all current USB devices (including system ones) and they will be taught how to edit that config to add new devices.

A disclaimer should be available indicating that the procedure is risky on some devices due to the possibility of making the system unable to detect the user’s mouse or USB.

The steps for the tutorial will be done on a Fedora (either Workstation or Silverblue) VM with a mouse being used via spice passthrough.

1 Like
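
The lockout risk the proposal asks the article to warn about can be checked before a generated policy is enforced. The following is an added example, not part of the original post or the USBGuard project: it parses rules in the syntax that `usbguard generate-policy` emits and reports whether an allow rule covers a boot-protocol keyboard and mouse. The sample policy and all function names are constructed for illustration, and only boot-protocol HID interfaces (03:01:01, 03:01:02) are recognized, so a device exposing only 03:00:00 is reported as missing.

```python
import re

# Constructed sample in the rule syntax that `usbguard generate-policy` emits;
# ids, names and serials are made up and the hash attributes are omitted.
SAMPLE_POLICY = '''
allow id 1d6b:0002 serial "0000:00:14.0" name "xHCI Host Controller" with-interface 09:00:00
allow id 046d:c31c serial "" name "USB Keyboard" with-interface { 03:01:01 03:00:00 }
block id 093a:2510 serial "" name "Optical Mouse" with-interface 03:01:02
'''

RULE_RE = re.compile(r'^(allow|block|reject)\s+id\s+(\S+)')
NAME_RE = re.compile(r'\bname\s+"([^"]*)"')
# Handles the plain forms only: a single interface or a { ... } set, no set operator.
IFACE_RE = re.compile(r'\bwith-interface\s+(?:\{([^}]*)\}|(\S+))')
# USB HID class is 03; boot-subclass protocols 01 and 02 are keyboard and mouse.
BOOT_HID = {"03:01:01": "keyboard", "03:01:02": "mouse"}


def parse_rules(text):
    """Yield (target, id, name, [interfaces]) for each device rule."""
    for line in text.splitlines():
        line = line.strip()
        m = RULE_RE.match(line)
        if not m:
            continue  # blank line, comment, or a rule form not handled here
        name = NAME_RE.search(line)
        iface = IFACE_RE.search(line)
        interfaces = (iface.group(1) or iface.group(2)).split() if iface else []
        yield m.group(1), m.group(2), name.group(1) if name else "", interfaces


def input_coverage(text):
    """Map 'keyboard'/'mouse' to the names of devices an allow rule covers."""
    covered = {"keyboard": [], "mouse": []}
    for target, dev_id, name, interfaces in parse_rules(text):
        if target != "allow":
            continue
        for kind in {BOOT_HID[i] for i in interfaces if i in BOOT_HID}:
            covered[kind].append(name or dev_id)
    return covered


def lockout_risks(text):
    """Return the input device kinds that no allow rule covers."""
    return sorted(k for k, devs in input_coverage(text).items() if not devs)


if __name__ == "__main__":
    missing = lockout_risks(SAMPLE_POLICY)
    print("no allowed:", ", ".join(missing) if missing else "none")
```
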

This sounds like great content for Fedora Magazine. +1!

This should also be relevant:

https://pagure.io/fedora-workstation/issue/401

Apparently there are fwupd related issues to deal with.

1 Like

Yeah, breaking firmware updates is pretty bad. I’ll leave it up to you whether you want to go through with promoting this on Fedora Magazine. Thanks.

1 Like

Well, it depends.

The issue they might be referring to is the “always” mode, where it will only allow the ones in the allow list and block any unknown device.

However, usbguard-dbus + GNOME uses by default the “lockscreen” mode, where it will allow any device while unlocked but block any unknown device when locked.
That was the behaviour mentioned here:

So, not sure.

1 Like

I’ve opened Pagure Ticket #347 for your article @mateusrodcosta

Please note the request about alerting the reader about potential issues.