On 15/05/2026 10:18 am, Stefan Monnier wrote:
To bring this discussion back to Debian: does someone here know of a way
to configure Debian so it asks for explicit confirmation before
accepting new USB devices?
I am realizing that actually it does not address your question, but it
is still a kind of USB. Once I noticed the following:
<https://docs.kernel.org/admin-guide/thunderbolt.html>
"USB4 and Thunderbolt"
The security levels are as follows:
[...]
user
User is asked whether the device is allowed to be connected.
Based on the device identification information available through
/sys/bus/ thunderbolt/devices, the user then can make
the decision. In BIOS settings this is typically called Unique ID.
secure
User is asked whether the device is allowed to be connected.
In addition to UUID the device (if it supports secure connect)
is sent a challenge that should match the expected one based on
a random key written to the key sysfs attribute. In BIOS settings
this is typically called One time saved key.
