usbguard
Usbguard doesn't apply to early boot stages
In early boot, i.e. before mounting the root filesystem, usbguard doesn't work. To fix this, it probably needs to be saved into initramfs and loaded pretty soon in the boot process.
I ran into this issue because of another bug where usbguard would disable all USB devices but allow USB keyboard to insert the cryptsetup HDD password. After that, the keyboard goes dark.
Caveat: Fixing this bug might be hard because you'll need to make sure that the initramfs is regenerated every time USB device rules change.
Workaround: Remove all unused kernel modules from your initramfs, e.g. for removable USB storage drivers.
Another option is setting usbcore.authorized_default=0 on the kernel command line.
This is a nice workaround, but it only works if you don't need USB devices to unlock your disk. Since I have a USB keyboard, adding this option to the kernel command line renders me unable to enter my LUKS password.
It seems like having usbguard plus its config files in initramfs is required in combination with what you suggested above.
You are right, of course. I did not stumble upon this because I use GRUB to unlock my LUKS device.
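One way to check that the `usbcore.authorized_default=0` setting suggested in the thread actually took effect, as an added example that is not part of the original discussion or of usbguard itself. The function names are made up here; the per-controller sysfs file `/sys/bus/usb/devices/usbN/authorized_default` is the kernel's own interface, and the sysfs root is a parameter only so the check can be exercised against a constructed directory.

```shell
#!/bin/sh
# Added example: audit the default USB authorization state after boot.

# Print the value of the last usbcore.authorized_default= token found in a
# kernel command line string (prints nothing if the parameter is absent).
cmdline_usb_default() {
    val=""
    for tok in $1; do
        case "$tok" in
            usbcore.authorized_default=*)
                val="${tok#usbcore.authorized_default=}" ;;
        esac
    done
    printf '%s' "$val"
}

# List host controllers whose authorized_default is not 0, i.e. controllers
# that still authorize newly connected devices without a policy decision.
# $1 = sysfs root (defaults to /sys).
permissive_controllers() {
    root="${1:-/sys}"
    for f in "$root"/bus/usb/devices/usb*/authorized_default; do
        [ -r "$f" ] || continue
        v=$(cat "$f")
        [ "$v" = "0" ] || printf '%s=%s\n' "$(basename "$(dirname "$f")")" "$v"
    done
}

# Report both views; succeeds only if the boot parameter is 0 and no
# controller is permissive.
# $1 = command line string (defaults to /proc/cmdline), $2 = sysfs root.
audit_usb_default() {
    cmdline="${1:-$(cat /proc/cmdline)}"
    root="${2:-/sys}"
    boot=$(cmdline_usb_default "$cmdline")
    open=$(permissive_controllers "$root")
    echo "boot parameter: ${boot:-<not set>}"
    [ -z "$open" ] || echo "permissive controllers: $open"
    [ "$boot" = "0" ] && [ -z "$open" ]
}
```

Source the file and call `audit_usb_default` with no arguments to check the running system.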