
An OS level policy is what I think would be best. Notify the user, "Did you just insert a USB keyboard?", and wait for their approval to enable the HID.

This can be worked upon, e.g., automatically allowing the first keyboard and pointer devices, or allowing all devices if the user feels lucky etc.

One large problem I see, that can be rectified by perhaps only the USB standard-setters, is whitelisting. Currently, the best handles are the idVendor and idProduct properties, but a BadUSB can easily spoof those too. Cryptographic signatures for identification are what I'm thinking would be best.
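
The policy proposed in the comment above, as an added sketch that is not part of the original comment or of any real OS: first keyboard and pointer are admitted automatically, later HIDs stay disabled pending approval, and an idVendor/idProduct allowlist admits anything that reports matching IDs. The names `Device`, `HidPolicy`, `decide` and `run_demo` and all ID values are constructed for illustration.

```python
from dataclasses import dataclass, field

HID_CLASS = 0x03          # USB interface class code for HID
KEYBOARD, POINTER = 1, 2  # HID boot-interface protocol codes

@dataclass(frozen=True)
class Device:
    """Descriptor fields as reported by the device itself (constructed sample)."""
    vid: int
    pid: int
    iface_class: int
    protocol: int

@dataclass
class HidPolicy:
    allowlist: set = field(default_factory=set)  # (vid, pid) pairs the user trusts
    seen: set = field(default_factory=set)       # HID protocols already admitted

    def decide(self, dev, ask_user=None):
        """Return 'allow', 'deny' or 'prompt' for a newly attached device."""
        if dev.iface_class != HID_CLASS:
            return "allow"                   # policy only gates input devices
        if (dev.vid, dev.pid) in self.allowlist:
            self.seen.add(dev.protocol)
            return "allow"                   # IDs are self-reported, not authenticated
        if dev.protocol in (KEYBOARD, POINTER) and dev.protocol not in self.seen:
            self.seen.add(dev.protocol)
            return "allow"                   # first keyboard / first pointer
        if ask_user is None:
            return "prompt"                  # keep the HID disabled until answered
        if ask_user(dev):
            self.seen.add(dev.protocol)
            return "allow"
        return "deny"

def run_demo():
    """Feed constructed attach events through the policy, in order."""
    policy = HidPolicy(allowlist={(0x1234, 0x0001)})
    events = [
        Device(0x1234, 0x0001, HID_CLASS, KEYBOARD),  # user's allowlisted keyboard
        Device(0x1234, 0x0002, HID_CLASS, POINTER),   # first pointer device
        Device(0x5678, 0x0010, 0x08, 0),              # mass storage, not gated
        Device(0x5678, 0x0011, HID_CLASS, KEYBOARD),  # second, unknown keyboard
        Device(0x1234, 0x0001, HID_CLASS, KEYBOARD),  # different device, same IDs
    ]
    return [policy.decide(d) for d in events]
```

The last event is admitted without a prompt because the allowlist can only compare the two self-reported fields, which is the gap the comment suggests closing with cryptographic identification.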



