On Wed, 17 Jan 2018 03:38:39 -0500
> > > Is there a method to detect and halt additional USB devices being
> > > added after initializing connections? Concerned about widespread
> > > vulnerability of keystroke injection.
>

I am struggling to remember the details and will have to re-check, but if you are worried about Intel's debug port then I *think* it may suffice to disable the USB3 ports or controller in the BIOS. The congatec Skylake BIOS at least allows you to disable particular ports. OEMs may hide this BIOS option from you though. I believe access via PCI-EX will vary per board.

> There's no such way. Maybe something like this
> https://usbguard.github.io/ but that's for Linux only.
>
> There can be hw attacks over DisplayPort too. Some Linux people were
> discussing a possibility to disallow adding new DisplayPort based
> devices after boot to prevent physical attack on fully booted
> (physically unprotected) computer.

I assume their aim is to raise the bar for easier detection, but protecting a physically unprotected computer isn't possible.

