If you have a non-usb keyboard (generally found on laptops, or some older desktops), a kernel option gets added, disabling the USB driver from dom0. The system is also configured so that on startup, a "sys-usb" qube is started. The usb controller is then "passed through" to the USB qube, so that it no longer appears in dom0, but is now only accessible (and can only access) the usb qube.
To protect the system from malicious USB devices. These typically come in a few different flavors:
- A malicious filesystem image (with a kernel exploit)
- A malicious filesystem image (with an autorun script)
A device that looks like a USB key but is actually an emulated USB keyboard as well as a USB key (see the Rubber Ducky as an example.)
The last point is interesting because it requires no operating system exploits - because it's emulating a USB keyboard it can simply type in commands as the logged in user to then mount and run the malware embedded on the USB stick. As such it's an easy and accessible attack.
As the USB controller is in it's own VM, attacking it doesn't attack dom0 and doesn't compromise the rest of the system.
It is possible to connect USB keyboards/mice, however you must accept a dom0 confirmation box using your existing keyboard/mouse in order to add in a new one. This prevents an unexpected device from being able to add itself and infect the machine before you can stop it. Currently USB keyboards work by default, USB mice require editing some config files. This is likely a bug that will be fixed upstream.