The HID masquerade attack seems fairly easy to thwart from the OS. My machines all have full disk encryption enabled. They won't boot unless you enter the password. So the OS shouldn't enable any keyboard that wasn't used to enter the password. If you plug in a keyboard later, simply screenlock. If the new keyboard correctly enters the password, enable it. Otherwise don't.

None of this prevents malware already on your system infecting your legitimate keyboard, but at least random memory sticks or other non-keyboards can't spoof keyboards.