I had some testing done. These are the relevant USB controllers:
+-0d.0 Intel Corporation Meteor Lake-P Thunderbolt 4 USB Controller [8086:7ec0]
+-0d.2 Intel Corporation Meteor Lake-P Thunderbolt 4 NHI #0 [8086:7ec2]
+-14.0 Intel Corporation Meteor Lake-P USB 3.2 Gen 2x1 xHCI Host Controller [8086:7e7d]
Three sys-usb qubes were created and mapped to the PCI devices:
- sys-usb to 14.0
- sys-usb-tb to 0d.2
- sys-usb-dp to 0d.0
sys-usb was connected to:
- the type A port
- the camera
- Bluetooth
- ALL PORTS USING A USB 2.0 DEVICE
sys-usb-tb was connected to:
- the Thunderbolt port, if a Thunderbolt device such as a docking hub was connected. Ports on the docking hub like Ethernet and eMMC stayed isolated to this qube, while USB 2.0 devices like mice/keyboards were routed to sys-usb. USB 3.0 devices connected to the hub, like external HDDs, stayed inside sys-usb-tb.
sys-usb-dp was connected to:
- the DisplayPort USB-C port, but all devices were routed to sys-usb, likely because this issue has not been fixed. In the future I suspect this will be available as a third isolated port for USB devices, as long as they're not USB 2.0 devices.
Overall this is a pretty good level of isolation and is similar to that of the X230, or possibly better if the DisplayPort issue gets fixed. It may be worth disabling the camera/Bluetooth in the Dasharo UEFI settings when not needed.
Currently you have to disable both the WiFi and Bluetooth connections together because they use the same chip, but I wonder whether it's possible to modify the Dasharo firmware to disable WiFi and Bluetooth separately, so that you can use WiFi but disable the Bluetooth USB connection in the firmware.
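As an added example that is not part of the post above: the dom0 commands that produce the three-qube mapping described (sys-usb to 14.0, sys-usb-tb to 0d.2, sys-usb-dp to 0d.0). The post shows the controllers in `lspci -t` form without the bus prefix, so the script assumes all three sit on PCI bus 00; the template name and label are my placeholders, and the `no-strict-reset` option follows the Qubes USB documentation because xHCI controllers commonly fail function-level reset. Nothing is executed unless `QUBES_APPLY=1`, so by default it only prints the plan for review.

```bash
#!/bin/sh
# Added example, not from the original post. Run in dom0.
# Assumptions: the controllers from the post are on bus 00; the template
# "fedora-40-xfce" and the label "red" are placeholders to adjust.

# Turn an lspci BDF ("0d.2" or "00:0d.2") into the backend device ID that
# qvm-pci expects ("dom0:00_0d.2"): qvm-pci uses '_' where lspci uses ':'.
pci_to_qubes_id() {
    bdf=$1
    case $bdf in
        *:*) : ;;             # bus prefix already present
        *)   bdf="00:$bdf" ;; # assume bus 00 (as in the post's lspci -t tree)
    esac
    printf 'dom0:%s\n' "$(printf '%s' "$bdf" | tr ':' '_')"
}

# Emit the commands that create one USB qube and pin one controller to it.
# The qube gets no netvm (a USB qube should not also be a network path),
# runs as HVM (required for PCI passthrough on most hardware) and autostarts.
# no-strict-reset=True is needed because USB controllers usually cannot be
# FLR-reset; the trade-off is a less thorough reset when the qube restarts.
usb_qube_cmds() {
    qube=$1; bdf=$2; template=${3:-fedora-40-xfce}
    dev=$(pci_to_qubes_id "$bdf")
    printf 'qvm-create --class AppVM --template %s --label red %s\n' "$template" "$qube"
    printf "qvm-prefs %s netvm ''\n" "$qube"
    printf 'qvm-prefs %s virt_mode hvm\n' "$qube"
    printf 'qvm-prefs %s autostart True\n' "$qube"
    printf 'qvm-pci attach --persistent -o no-strict-reset=True %s %s\n' "$qube" "$dev"
}

# The mapping from the post: xHCI -> sys-usb, TB4 NHI -> sys-usb-tb,
# TB4 USB controller -> sys-usb-dp.
plan() {
    usb_qube_cmds sys-usb    14.0
    usb_qube_cmds sys-usb-tb 0d.2
    usb_qube_cmds sys-usb-dp 0d.0
}

if [ "${QUBES_APPLY:-0}" = 1 ]; then
    plan | sh -e          # apply for real, stopping at the first failure
else
    plan                  # dry run: print the commands for review
fi
```

If the installer already created sys-usb, drop its `qvm-create` line and keep only the `qvm-pci attach` for 14.0. Before detaching the controller that carries the built-in keyboard, make sure the `qubes.InputKeyboard` policy allows the qube in question, otherwise the next boot has no keyboard in dom0. After applying, `qvm-pci` with no arguments lists the attachments and `lsusb` inside each qube confirms which physical ports landed where.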