Explain hiding USB devices from dom0

See:
https://groups.google.com/d/msg/qubes-users/wc0-RK1alx4/p_-VIV5NDAAJ

common-tasks/usb.md

@@ -209,6 +209,31 @@ Alternatively, you can create a USB qube manually as follows:
 
 If the USB qube will not start, see [here][faq-usbvm].
 
+### Hide all USB devices from dom0 ###
+
+Even if you create a USB qube, there will be a brief period of time during the
+boot process during which dom0 will be exposed to your USB devices. This is a
+potential security risk, since even brief exposure to a malicious USB device
+could result in dom0 being compromised. There are two approaches to this
+problem:
+
+1. Physically disconnect all USB devices whenever you reboot the host.
+2. Hide (i.e., blacklist) all USB devices from dom0.
+
+**Warning:** If you use a USB [AEM] device, do not use the second option. Using
+a USB AEM device requires dom0 to have access to the USB controller to which
+your USB AEM device is attached. If dom0 cannot read your USB AEM device, AEM
+will hang.
+
+The procedure to hide all USB devices from dom0 is as follows:
+
+1. Open the file `/etc/default/grub` in dom0.
+2. Find the line that begins with `GRUB_CMDLINE_LINUX`.
+3. Add `rd.qubes.hide_all_usb` to that line.
+4. Save and close the file.
+5. Run the command `grub2-mkconfig -o /boot/grub2/grub.cfg` in dom0.
+6. Reboot.
+
 
 Supported USB device types
 --------------------------
@@ -303,6 +328,7 @@ This feature is not yet available in Qubes Manager.
 [1072-comm2]: https://github.com/QubesOS/qubes-issues/issues/1072#issuecomment-124119309
 [1082]: https://github.com/QubesOS/qubes-issues/issues/1082
 [faq-usbvm]: /doc/user-faq/#i-created-a-usbvm-and-assigned-usb-controllers-to-it-now-the-usbvm-wont-boot
+[AEM]: /doc/anti-evil-maid/
 [1618]: https://github.com/QubesOS/qubes-issues/issues/1618
 [input-proxy]: https://github.com/qubesos/qubes-app-linux-input-proxy
 [usb-challenges]: http://blog.invisiblethings.org/2011/05/31/usb-security-challenges.html