Broken system after installing USB qube

sigma · December 19, 2023, 3:44pm

Wouldn’t I achieve the same thing if I just create a sys-usb and add the usb controller that’s free?

apparatus · December 19, 2023, 4:49pm

On second thought the USB drive will not work with rd.qubes.dom0_usb option.
@unman is right, you need to use rd.qubes.hide_pci for this.
I’ve looked into sources and setting rd.qubes.dom0_usb is equivalent to setting usbcore.authorized_default=0 and exposing the USB controllers specified with rd.qubes.dom0_usb option:

github.com

QubesOS/qubes-core-admin-linux/blob/main/dracut/modules.d/90qubes-pciback/qubes-pciback.sh#L8-L18


      
          if getargbool 0 rd.qubes.hide_all_usb; then
              # Select all networking and USB devices
              re='0(2|c03)'
          elif ! getargbool 1 usbcore.authorized_default; then
              # Select only networking devices, but enable USBguard
              re='02'
              usb_in_dom0=true
          else
              re='02'
              warn 'USB in dom0 is not restricted. Consider rd.qubes.hide_all_usb or usbcore.authorized_default=0.'
          fi

github.com

QubesOS/qubes-core-admin-linux/blob/main/dracut/modules.d/90qubes-pciback/qubes-pciback.sh#L34-L41


      
          dom0_usb=$(getarg rd.qubes.dom0_usb)
          if [[ "$dom0_usb" == *[!0-9a-f.:,]* ]] ; then
              warn 'Bogus rd.qubes.dom0_usb option - fix your kernel command line!'
              dom0_usb=""
          elif [ -n "$dom0_usb" ] ; then
              dom0_usb="${dom0_usb//,/ }"
              usb_in_dom0=true
          fi

So using rd.qubes.dom0_usb while using USB drive is not an option and you need to hide all the others USB controllers except for the one that will have your USB drive using rd.qubes.hide_pci option.

DVM · December 19, 2023, 5:10pm

I see, the last if statement of the file also confirms this.

I’ve seen rd.qubes.hide_pci a long time ago on some github issues, but I can’t seem to find it explicitly anywhere in the Qubes documentation, which is odd since it could be an important option to use for some users.

apparatus · December 19, 2023, 5:11pm

The most frequent usage of this option is to hide GPU from dom0 to passthrough it.

DVM · December 19, 2023, 5:18pm

I meant that it is nowhere explicitly mentioned in the Qubes documentation (not even in the many PCI related documentation pages). The only way to find out about its existence is to browse thought github issues.

apparatus · December 19, 2023, 5:22pm

Yes, it seems to be undocumented.

sigma · December 19, 2023, 6:35pm

I added command like this:
GRUB_CMDLINE_LINUX=“$GRUB_CMDLINE_LINUX rd.qubes.hide_pci 06:00.4”
Then:
rub2-mkconfig -o /boot/efi/EFI/qubes/grub.cfg

But it doesn’t seem to work because, when I plug in my external SSD into the usb port that’s supposed to be hidden from dom0 on boot, it still allows me to boot up succesfully.

Also, I created a sys-usb qube and added the second usb controller to the list and allowed it to start on boot; however it’s the same thing as above. But when booted, it works as expected, meaning dom0 don’t see devices in sys-usb.

apparatus · December 19, 2023, 6:38pm

Try it like this:

 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX rd.qubes.hide_pci=06:00.4"

sigma · December 19, 2023, 6:56pm

Yes, this change worked. Thanks!

Why sys-usb did not hide the second usb controller from dom0 if it’s set to start on boot?

apparatus · December 19, 2023, 7:09pm

Because that’s how PCI passthrough works when you attach the PCI device from dom0 to some qube.

sigma · December 19, 2023, 7:37pm

OK, I will have to read up on that probably to understand

I have one more thing to resolve.

Is it possible to create a sys-ssd qube to hide SSDs from dom0. If yes, how should I go about doing that?

apparatus · December 19, 2023, 7:44pm

If they are NVMe then they should be listed in lspci as PCI devices and you can hide them.
Not sure about SATA SSDs, maybe there will be a PCI SATA controller as well.

sigma · December 19, 2023, 8:45pm

There is 2 NVMe SSDs installed on my laptop
From device list I can see there is also 2 Non-volatile memory controllers.

What is the correct syntax to add additional devices to line?
I have tried:
GRUB_CMDLINE_LINUX=“$GRUB_CMDLINE_LINUX rd.qubes.hide_pci=06:00.4, rd.qubes.hide_pci=02:00.0, rd.qubes.hide_pci=03:00.0”
and:
GRUB_CMDLINE_LINUX=“$GRUB_CMDLINE_LINUX rd.qubes.hide_pci=06:00.4 rd.qubes.hide_pci=02:00.0 rd.qubes.hide_pci=03:00.0”

But they’re still attached to dom0 after boot.

apparatus · December 19, 2023, 9:25pm

Use comma:

 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX rd.qubes.hide_pci=06:00.4,02:00.0,03:00.0"

sigma · December 20, 2023, 6:19am

That worked, but if I try to to start sys-ssd it gives me an error:
“cannot connect to qrexec agent for 60 seconds, see /var/log/xen/console/guest-sys-ssd.log for details”

apparatus · December 20, 2023, 7:04am

I don’t know, maybe it’s booting from your SSD?
Check the logs in dom0 to see if there is any relevant info:
/var/log/xen/console/guest-sys-ssd.log
/var/log/xen/console/guest-sys-ssd-dm.log
Try to connect to VM console with this command in dom0:
qvm-console-dispvm --autostart sys-ssd

sigma · December 20, 2023, 8:04am

When running:
qvm-console-dispvm --autostart sys-ssd
I get:
Error: domain ‘sys-ssd’ does not exist or cannot be started

Checked the logs with nano like this:
nano var/log/xen/console/guest-sys-ssd.log
but they’re empty

What you mean by that? I’m booting Qubes from external SSD.
Is it even possible to attach internal SSDs like usb drives in Qubes?

apparatus · December 20, 2023, 8:42am

What if you run this command instead?

sudo xl console sys-ssd

And this one:

sudo xl console sys-ssd-dm

You can exit the console by pressing Ctrl+].

I meant that when you attach your internal SSDs to your sys-ssd it could be that sys-ssd trying to boot from these attached internal SSDs instead of its virtual disk.

It’s possible to boot from attached device in your qube.

sigma · December 20, 2023, 8:55am

I get:
sys-ssd-dm is an invalid domain identifier (rc=-6)

Oh ok, I would like to configure sys-ssd to just mount them like when attaching a removable flash drive to sys-usb.

apparatus · December 20, 2023, 8:57am

How did you create sys-ssd? Maybe its virtualization mode is not HVM?
Change its Settings to be the same as sys-usb.