Broken system after installing USB qube

Does this mean my laptop’s keyboard has an internal USB connection?

If I remove this line:
usbcore.authorized_default=0
Does it mean all of my USB devices will be visible to dom0 during boot only, or all the time?

Did you execute:

sudo qubesctl state.sls qvm.sys-usb

Or:

sudo qubesctl state.sls qvm.usb-keyboard

?

I’m not sure if qvm.sys-usb checks whether you have a USB keyboard or not and switches to qvm.usb-keyboard if you do.

I don’t know, you can check it:

All devices will be initialized and accessible in dom0, after boot as well.
If you have multiple USB controllers then you can dedicate one of them to dom0 to be used for your USB external drive and keyboard/mouse if they are connected to a USB controller as well.
And you can attach other USB controllers to sys-usb.

But don’t add usbcore.authorized_default=0 because you’re booting from a USB drive.

I used the first command. Interestingly, I cannot find the documentation page where I got that command from.

Running the command xinput --list I get this output:

Virtual core pointer id=2 [master pointer (3)]
⎜ ↳ Virtual core XTEST pointer id=4 [slave pointer (2)]
⎜ ↳ MOSART Semi. 2.4G Wireless Mouse id=11 [slave pointer (2)]
⎜ ↳ MOSART Semi. 2.4G Wireless Mouse Consumer Control id=12 [slave pointer (2)]
⎜ ↳ ELAN06FA:00 04F3:31BE Touchpad id=15 [slave pointer (2)]
⎜ ↳ ELAN06FA:00 04F3:31BE Mouse id=16 [slave pointer (2)]
⎣ Virtual core keyboard id=3 [master keyboard (2)]
↳ Virtual core XTEST keyboard id=5 [slave keyboard (3)]
↳ Power Button id=6 [slave keyboard (3)]
↳ Video Bus id=7 [slave keyboard (3)]
↳ Power Button id=8 [slave keyboard (3)]
↳ Integrated Camera: Integrated C id=9 [slave keyboard (3)]
↳ MOSART Semi. 2.4G Wireless Mouse id=10 [slave keyboard (3)]
↳ MOSART Semi. 2.4G Wireless Mouse System Control id=13 [slave keyboard (3)]
↳ Ideapad extra buttons id=14 [slave keyboard (3)]
↳ AT Translated Set 2 keyboard id=17 [slave keyboard (3)]
↳ MOSART Semi. 2.4G Wireless Mouse Consumer Control id=18 [slave keyboard

AT Translated Set 2 keyboard: does this mean I have a PS/2 keyboard?

And lsusb gives this:
Bus 004 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 003 Device 004: ID 0489:e0cd Foxconn / Hon Hai Wireless_Device
Bus 003 Device 003: ID 06cb:00fd Synaptics, Inc.
Bus 003 Device 002: ID 3938:1047 MOSART Semi. 2.4G Wireless Mouse
Bus 003 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 002 Device 002: ID 154b:8001 PNY AXAGON USB External HDD
Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 001 Device 003: ID 13d3:56ff IMC Networks Integrated Camera
Bus 001 Device 004: ID 043e:9a39 LG Electronics USA, Inc. Integrated Camera
Bus 001 Device 002: ID 0bda:5411 Realtek Semiconductor Corp. RTS5411 Hub
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub

It’s a PS/2 keyboard. And the touchpad seems to be PS/2 as well.

OK, that’s good I guess.

I would like to isolate all other USB devices from dom0 except my wireless mouse and external SSD.

Add usbcore.authorized_default=0 and rd.qubes.dom0_usb=<BDF> to that line, where <BDF> is the USB controller identifier.

If I remove usbcore.authorized_default=0 and only add rd.qubes.dom0_usb=<BDF> with the BDF for the mouse and external USB, would this work? Or is there a better way?

Yes.

I don’t know of one.

What would happen if I added usbcore.authorized_default=0 as well?

You can try to find out for sure but I’d guess your USB drive won’t work. But I’m not 100% sure.

I want to try with usbcore.authorized_default=0, but there is a problem.

GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX" usbcore.authorized_default=0 rd.qubes.dom0_usb=06:00.3
Would this be correct?

Because when I run this command:
grub2-mkconfig -o /boot/efi/EFI/qubes/grub.cfg
I get:
/etc/default/grub: line 11: usbcore.authorized_default=0: command not found

You need to add it like this:

GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX usbcore.authorized_default=0 rd.qubes.dom0_usb=06:00.3"

That worked. What a silly mistake. Thank you very much.
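
The quoting error above, as an added example that is not part of the original posts: /etc/default/grub is read as shell, so words after the closing quote become a command name and never reach GRUB_CMDLINE_LINUX. The sample files, their `rhgb quiet` baseline and the function names are constructed for illustration.

```shell
# Print the GRUB_CMDLINE_LINUX value a defaults file yields when it is read as
# shell, which is how grub2-mkconfig reads /etc/default/grub.
effective_cmdline() (
    set +e                      # keep going past "command not found"
    GRUB_CMDLINE_LINUX=
    . "$1" 2>/dev/null
    printf '%s\n' "$GRUB_CMDLINE_LINUX"
)

# Succeed only if the parameter in $2 is a whole word of the effective command line.
cmdline_has_param() (
    case " $(effective_cmdline "$1") " in
        *" $2 "*) exit 0 ;;
    esac
    exit 1
)

# Constructed stand-ins for /etc/default/grub holding the two forms from the thread.
write_samples() (
    dir=$(mktemp -d)
    cat > "$dir/broken" <<'EOF'
GRUB_CMDLINE_LINUX="rhgb quiet"
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX" usbcore.authorized_default=0 rd.qubes.dom0_usb=06:00.3
EOF
    cat > "$dir/fixed" <<'EOF'
GRUB_CMDLINE_LINUX="rhgb quiet"
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX usbcore.authorized_default=0 rd.qubes.dom0_usb=06:00.3"
EOF
    printf '%s\n' "$dir"
)
```

With the broken form the variable keeps only its earlier value, so a hardening parameter can be missing from the generated config even though the file looks edited; after rebooting, /proc/cmdline shows what the kernel actually received.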

Ok, wish me luck :smile:

This option allows only input devices such as a keyboard, mouse, or hardware key to work at boot time. This is a security measure to prevent other devices from initializing when the system isn’t ready. This means that if you use an external USB drive, you won’t be able to boot, as it will be blocked by usbguard.

Yes, you’re right, it didn’t work.

I have 2 USB controllers available on the device list; I would like to dedicate one to the USB qube.

When I create a new USB qube, how should I configure it?
Should it be a disposable or app qube, and on what template does it have to be based?

  1. Find the controller used for input devices.
  2. Open the file /etc/default/grub in dom0.
  3. Find the line that begins with GRUB_CMDLINE_LINUX.
  4. Add usbcore.authorized_default=0 and rd.qubes.dom0_usb=<BDF> to that line, where <BDF> is the USB controller identifier.
  5. Save and close the file.
  6. Run the command grub2-mkconfig -o /boot/grub2/grub.cfg (legacy boot) or grub2-mkconfig -o /boot/efi/EFI/qubes/grub.cfg (EFI) in dom0.
  7. Reboot.
  8. Proceed with creating a USB qube normally. The selected USB controller will remain in dom0.

So this does not apply to my case?

I’ve never tried to install Qubes on an external USB drive, so I’ll try to guess the best way to do it. You could boot without usbcore.authorized_default=0 and rd.qubes.hide_all_usb since both won’t work in your case. You could keep rd.qubes.dom0_usb=X in your kernel boot options to attach the controller with your USB drive to dom0, give sys-usb the other USB controller under “Devices” in the settings and use that one for everything USB related.

It’s up to you, it’ll work in any way.

Once you have identified the controllers, you can hide one of them
from dom0 - not the one to which your USB device is attached, obviously.

Try interrupting the boot and editing the command line to include:
rd.qubes.hide_pci 00:1a.00, or whatever your controller is.
If that works as expected, then you can make the change permanent by
editing the grub config.

This will ensure that one controller is used from dom0, and the other
can be safely allocated to sys-usb and used there.

Now I’m confused. Does rd.qubes.dom0_usb hide or keep the controller in dom0?
From the documentation, it seems to be used to keep (in the doc example) the input devices (keyboard/mouse) in dom0 with the additional restrictions of usbcore.authorized_default=0.
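
For the step the thread keeps returning to, identifying which PCI controller sits behind each lsusb bus before choosing a BDF, here is an added example that is not from the thread or the Qubes documentation. It resolves each USB root hub in sysfs to its controller; the sample tree, the 06:00.4 controller, the 00:08.1 bridge and the function names are constructed, and only 06:00.3 appears in the thread.

```shell
# Extract the controller BDF from a resolved sysfs path such as
# /sys/devices/pci0000:00/0000:00:08.1/0000:06:00.3/usb3  ->  06:00.3
bdf_from_syspath() (
    bdf=
    IFS=/
    for part in $1; do
        case $part in
            # domain:bus:device.function; the last match is the controller itself
            [0-9a-f][0-9a-f][0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f].[0-7])
                bdf=${part#*:} ;;
        esac
    done
    [ -n "$bdf" ] && printf '%s\n' "$bdf"
)

# Print "usbN BDF" for every root hub below a sysfs root (default: /sys).
usb_controllers() (
    sysroot=${1:-/sys}
    for hub in "$sysroot"/bus/usb/devices/usb[0-9]*; do
        [ -e "$hub" ] || continue
        bdf=$(bdf_from_syspath "$(readlink -f "$hub")") || bdf=unknown
        printf '%s %s\n' "${hub##*/}" "$bdf"
    done
)

# Print the BDF serving a given lsusb bus number ("003" and "3" both work).
bdf_for_bus() (
    bus=$(printf '%s' "$1" | sed 's/^0*//')
    usb_controllers "${2:-/sys}" |
        awk -v hub="usb$bus" '$1 == hub { print $2; found = 1 } END { exit !found }'
)

# Constructed sysfs tree (not the poster's machine) for an offline run:
# two controllers, each exposing a USB 2.0 and a USB 3.0 root hub.
make_sample_sysfs() (
    root=$(mktemp -d)
    mkdir -p "$root/bus/usb/devices"
    for entry in 06:00.3/usb1 06:00.3/usb2 06:00.4/usb3 06:00.4/usb4; do
        dir="devices/pci0000:00/0000:00:08.1/0000:$entry"
        mkdir -p "$root/$dir"
        ln -s "../../../$dir" "$root/bus/usb/devices/${entry#*/}"
    done
    printf '%s\n' "$root"
)
```

In dom0, `usb_controllers` with no argument reads the real /sys; two root hubs that report the same BDF belong to one controller and can only be assigned together.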