Install the Intel platform key, reboot, then run --enable-validation, which prompts for a passphrase that will then be required to disable validation in the future.

This requires much more work to be effective, because right now it can be bypassed in the BIOS or GRUB?

usbguard TL;DR:

sudo apt-get install usbguard usbguard-applet-qt &&
: populate the policy with the currently connected USB devices &&
sudo usbguard generate-policy | sudo tee -a /etc/usbguard/rules.conf &&
: allow the plugdev group to change the policy &&
sudo sed -i '/IPCAllowedGroups=/s/$/ plugdev/' /etc/usbguard/usbguard-daemon.conf &&
: optionally, set the default policy to allow: &&
: sudo sed -i -e '/ImplicitPolicyTarget/s/=.*$/=allow/' -e '/PresentDevicePolicy/s/=.*$/=keep/' /etc/usbguard/usbguard-daemon.conf &&
sudo systemctl enable usbguard &&
sudo systemctl start usbguard

See bug #928032, PR #267 and the USBGuard homepage.
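A follow-up check for the result of the TL;DR above, added here as an example and not part of the original notes: it verifies the two daemon settings the commands touch (ImplicitPolicyTarget and IPCAllowedGroups) and flags allow rules in rules.conf that are not pinned by a descriptor hash. File paths and sample contents are constructed; point the functions at /etc/usbguard/*.conf on a real host.

```bash
# Print the value of KEY in a usbguard-daemon.conf style file (KEY=value),
# ignoring commented-out lines.
conf_get() {  # conf_get FILE KEY
    sed -n "s/^$2=//p" "$1" | tail -n 1
}
# Daemon config check: returns 1 if devices not matched by any rule are
# implicitly allowed, or if plugdev cannot reach the daemon over IPC.
check_daemon_conf() {  # check_daemon_conf FILE
    local rc=0 target groups
    target=$(conf_get "$1" ImplicitPolicyTarget)
    groups=$(conf_get "$1" IPCAllowedGroups)
    if [ "$target" != "block" ] && [ "$target" != "reject" ]; then
        echo "WARN: ImplicitPolicyTarget=$target, unknown devices are allowed"
        rc=1
    fi
    case " $groups " in
        *" plugdev "*) ;;
        *) echo "WARN: plugdev missing from IPCAllowedGroups ($groups)"; rc=1 ;;
    esac
    return "$rc"
}
# Rules check: count allow rules without a descriptor hash. Such rules match
# on vendor:product id alone, which any device can present; generate-policy
# emits a hash for each device, so a missing hash means a hand-edited rule.
count_unpinned_allow_rules() {  # count_unpinned_allow_rules FILE
    grep -E '^allow ' "$1" | grep -vc ' hash "' || true
}
# Write constructed sample files into DIR (the hash is a placeholder, not a
# real usbguard device hash).
write_samples() {  # write_samples DIR
    cat >"$1/usbguard-daemon.conf" <<'EOF'
#ImplicitPolicyTarget=allow
ImplicitPolicyTarget=block
PresentDevicePolicy=apply-policy
IPCAllowedGroups=root wheel plugdev
EOF
    cat >"$1/rules.conf" <<'EOF'
allow id 1d6b:0002 name "xHCI Host Controller" hash "PLACEHOLDER_HASH" with-interface 09:00:00
allow id 046d:c52b name "USB Receiver"
EOF
}
dir=$(mktemp -d) && write_samples "$dir"
check_daemon_conf "$dir/usbguard-daemon.conf"
echo "unpinned allow rules: $(count_unpinned_allow_rules "$dir/rules.conf")"
```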
