Broken system after installing USB qube

That worked. What a silly mistake. Thank you very much.

Ok, wish me luck :smile:

This option allows only input devices such as a keyboard, mouse, or hardware key to work at boot time. This is a security measure to prevent other devices from initializing when the system isn’t ready. This means that if you use an external USB drive, you won’t be able to boot, as it will be blocked by usbguard.

Yes, you’re right, it didn’t work.

I have 2 USB controllers available on the device list, I would like to dedicate one to the usb qube.

When I create new usb qube, how should I configure it?
Should it be a disposable or app qube; and on what template it has to be based?

  1. Find the controller used for input devices.
  2. Open the file /etc/default/grub in dom0.
  3. Find the line that begins with GRUB_CMDLINE_LINUX.
  4. Add usbcore.authorized_default=0 and rd.qubes.dom0_usb=<BDF> to that line, where <BDF> is the USB controller identifier.
  5. Save and close the file.
  6. Run the command grub2-mkconfig -o /boot/grub2/grub.cfg (legacy boot) or grub2-mkconfig -o /boot/efi/EFI/qubes/grub.cfg (EFI) in dom0.
  7. Reboot.
  8. Proceed with creating a USB qube normally. The selected USB controller will remain in dom0.

So this does not apply to my case?

I’ve never tried to install Qubes on an external USB drive, so I’ll try to guess the best way to do it. You could boot without usbcore.authorized_default=0 and rd.qubes.hide_all_usb since both won’t work in your case. You could keep rd.qubes.dom0_usb=X in your kernel boot options to attach the controller with your USB drive to dom0, give sys-usb the other USB controller under “Devices” in the settings and use that one for everything USB related.

1 Like

It’s up to you, it’ll work in any way.

Once you have identified the controllers, you can hide one of them
from dom0 - not the one to which your USB device is attached, obviously.

Try interrupting the boot and editing the command line to include:
rd.qubes.hide_pci 00:1a.00 , or whatever your controller is.
If that works as expected, then you can make the change permanent by
editing the grub config.

This will ensure that one controller is used from dom0, and the other
can be safely allocated to sys-usb and used there.


Now I’m confused. Does rd.qubes.dom0_usb hide or keep the controller in dom0?
From the documentation, it seems to be used to keep (in the doc example) the input devices (keyboard/mouse) in dom0 with the additional restrictions of usbcore.authorized_default=0.

Wouldn’t I achieve the same thing if I just create a sys-usb and add the usb controller that’s free?

On second thought the USB drive will not work with rd.qubes.dom0_usb option.
@unman is right, you need to use rd.qubes.hide_pci for this.
I’ve looked into sources and setting rd.qubes.dom0_usb is equivalent to setting usbcore.authorized_default=0 and exposing the USB controllers specified with rd.qubes.dom0_usb option:

So using rd.qubes.dom0_usb while using USB drive is not an option and you need to hide all the others USB controllers except for the one that will have your USB drive using rd.qubes.hide_pci option.

I see, the last if statement of the file also confirms this.

I’ve seen rd.qubes.hide_pci a long time ago on some github issues, but I can’t seem to find it explicitly anywhere in the Qubes documentation, which is odd since it could be an important option to use for some users.

The most frequent usage of this option is to hide GPU from dom0 to passthrough it.

I meant that it is nowhere explicitly mentioned in the Qubes documentation (not even in the many PCI related documentation pages). The only way to find out about its existence is to browse thought github issues.

Yes, it seems to be undocumented.

I added command like this:
GRUB_CMDLINE_LINUX=“$GRUB_CMDLINE_LINUX rd.qubes.hide_pci 06:00.4”
rub2-mkconfig -o /boot/efi/EFI/qubes/grub.cfg

But it doesn’t seem to work because, when I plug in my external SSD into the usb port that’s supposed to be hidden from dom0 on boot, it still allows me to boot up succesfully.

Also, I created a sys-usb qube and added the second usb controller to the list and allowed it to start on boot; however it’s the same thing as above. But when booted, it works as expected, meaning dom0 don’t see devices in sys-usb.

Try it like this:

 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX rd.qubes.hide_pci=06:00.4"

Yes, this change worked. Thanks!

Why sys-usb did not hide the second usb controller from dom0 if it’s set to start on boot?

Because that’s how PCI passthrough works when you attach the PCI device from dom0 to some qube.

OK, I will have to read up on that probably to understand

I have one more thing to resolve.

Is it possible to create a sys-ssd qube to hide SSDs from dom0. If yes, how should I go about doing that?