From ecea75b8fc3cffb05500c54bca4ea45be7e8c690 Mon Sep 17 00:00:00 2001
From: Vertex X7-53
Date: Thu, 6 Nov 2025 13:31:31 +0000
Subject: [PATCH] Add device serial to qrexec call argument

Some devices (especially high-assurance Common Criteria peripherals) present a serial number in the device descriptor to prevent substitution. This patch appends the device serial to the qrexec call argument, if it's present. It can also be opted out of with the input-proxy-exclude-serial feature.
---
 qubes-rpc/input-proxy-arg | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/qubes-rpc/input-proxy-arg b/qubes-rpc/input-proxy-arg
index 4591d99..2d05701 100644
--- a/qubes-rpc/input-proxy-arg
+++ b/qubes-rpc/input-proxy-arg
@@ -25,5 +25,18 @@ else
 port=
 fi
+uniq="$(grep ^UNIQ= "$sysfs_path")"
+# include serial, if present, but allow opt-out
+if [ -n "$uniq" ] && ! [ -e /run/qubes-service/input-proxy-exclude-serial ]; then
+ uniq="${uniq#*=}"
+ uniq="${uniq//\"/}"
+ uniq="${uniq%/*}"
+ uniq="${uniq//:/_}"
+ # separate serial from device with '+'
+ uniq="+${uniq}"
+else
+ uniq=
+fi
+
 mkdir -p "${output%/*}"
-echo "QREXEC_ARG=+$port$product" > "$output"
+echo "QREXEC_ARG=+$port$product$uniq" > "$output"
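Review bot: The serial taken from the `UNIQ=` line is device-supplied and reaches `QREXEC_ARG` after only quote removal, the `%/*` trim and the `:` to `_` substitution, so spaces, an extra `+` or other characters that a qrexec argument or the consumer of `$output` may not accept pass through unchanged; an allow-list step such as `uniq="${uniq//[^A-Za-z0-9_.-]/_}"` before the `+` is prepended, possibly with a length cap, would close that. The `[ -n "$uniq" ]` test also runs on the raw grep line, so a device whose uevent carries `UNIQ=""` (likely common for devices with no serial) would get a bare trailing `+` appended; testing for emptiness after the prefix and quotes are stripped keeps the argument unchanged for those devices. If the script runs under `set -e` (not visible in this hunk), the unguarded `grep` in the assignment would abort it when no `UNIQ=` line exists, so a `|| true` or an `if` guard is worth adding. Because the serial is self-reported by the device, a comment stating that policy matching on it narrows the set of accepted devices but does not authenticate one would help readers.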