Qubes OS isolates USB devices in a dedicated virtual machine. This prevents a malicious USB device from compromising the entire system. However, this protection fails if USB keyboards and mice are supported in the firmware, because a malicious device can inject keystrokes into GRUB or trigger system recovery.
To prevent this attack, firmware could have a configuration option to ignore all attached USB devices. This blocks the above attack: the malicious device will be ignored by firmware, and Qubes OS limits the damage the device can do.
Qubes OS isolates USB devices in a dedicated virtual machine. This prevents a malicious USB device from compromising the entire system. However, this protection fails if USB keyboards and mice are supported in the firmware, because a malicious device can inject keystrokes into GRUB or trigger system recovery.
To prevent this attack, firmware could have a configuration option to ignore all attached USB devices. This blocks the above attack: the malicious device will be ignored by firmware, and Qubes OS limits the damage the device can do.