I think the idea is the machine only allows one keyboard and one mouse, and if you insert another input device you have to explicitly enable it. This would probably stop 90% of attacks.
If the computer requires a password to log in, then just look for the right password from the keyboard on a restart, and at that time tell the user that this keyboard is new. Sure, it's possible for evil keyboards to do bad things, but at least the user would be aware that there is now a new HID plugged in.
With a bit of refinement it could contribute to the overall solution.
The responses here are also interesting: https://news.ycombinator.com/item?id=10203913
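The policy described in this comment, modelled as an added example that is not part of the original comment: the first keyboard and mouse are admitted, further input devices are held until explicitly enabled, and a keyboard not seen at an earlier login triggers a notice. The names `Device`, `HidPolicy` and `demo`, and all device IDs and serials, are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass, field

# bInterfaceProtocol values for USB HID boot devices: 1 = keyboard, 2 = mouse.
KEYBOARD, MOUSE = 1, 2

@dataclass(frozen=True)
class Device:
    # Descriptor fields are self-reported: they identify, they do not authenticate.
    vendor_id: int
    product_id: int
    serial: str
    protocol: int

@dataclass
class HidPolicy:
    known: set = field(default_factory=set)       # keyboards seen at earlier logins
    active: list = field(default_factory=list)    # devices allowed to send input
    pending: list = field(default_factory=list)   # held until explicitly enabled
    notices: list = field(default_factory=list)   # messages shown to the user

    def attach(self, dev):
        """Admit the first keyboard and first mouse; hold anything beyond that."""
        if any(d.protocol == dev.protocol for d in self.active):
            self.pending.append(dev)
            self.notices.append(f"blocked extra input device {dev.serial}")
            return "blocked"
        self.active.append(dev)
        return "admitted"

    def approve(self, dev):  # explicit user action that enables a held device
        self.pending.remove(dev)
        self.active.append(dev)

    def login_ok(self, dev):  # call after the correct password was typed on dev
        if dev not in self.known:
            self.notices.append(f"new keyboard {dev.serial} used at login")
            self.known.add(dev)

def demo():
    # Constructed sample devices; IDs and serials are made up.
    kbd = Device(0x1111, 0x0001, "KBD-A", KEYBOARD)
    mouse = Device(0x1111, 0x0002, "MOUSE-A", MOUSE)
    extra = Device(0x2222, 0x0003, "KBD-B", KEYBOARD)
    policy = HidPolicy(known={kbd})
    results = [policy.attach(d) for d in (kbd, mouse, extra)]
    policy.login_ok(kbd)      # known keyboard: no notice
    policy.approve(extra)
    policy.login_ok(extra)    # first login from this keyboard: notice
    return results, policy.notices
```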