Cannot create sys-usb via salt

Summary

I’m waiting for my portion of NONE.

I’m not saying those too much. Basically, the ways of this sys-usb installation, just from experience, that parts of the time, AKA timezone, where they live might effects the installation of sys-usb. The main thing of these installation failure is the CPU encoding fault. Due to this, volatility of these installation failed and need to try again due to machine’s difference from the previous experience. TPM with unknown status might occur when this happens. For servers, this is very different as they need to have sys-gui-vnc (HIGHLY DISCOURAGE) installed in their machines. Thus, this may have some attacks unless they separated them with sub-nets.

@Sven, thank you sir. I will run those cmds tonight when I get home from work and post.

For everyone else thank you for what help you have provided. I am just frustrated and at my wits end here.

So to remove this “sys-usb” that I don’t see after I tried to create it.

Do I in dom0 use…

sudo dnf remove sys-usb

Then run the cmds that sven wants me too

@ sven, here you go on what I did and got…

user@dom0 /] sudo dnf remove sys-usb
No match for argument: sys-usb
No packages marked for removal.
Dependencies resolved.
Nothing to do.
complete

user@dom0 /] sudo qvm-pci | grep USB
dom0:00_14.0 USB controller: Intel Corporation C610/X99 series chipset USB xHCI Host Controller
dom0:00_1a.0 USB controller: Intel Corporation C610/X99 series chipset USB Enhanced Host Controller #2
dom0:00_1d.0 USB controller: Intel Corporation C610/X99 series chipset USB Enhanced Host Controller #1

user@dom0 /] sudo qvm-ls | grep usb
nothing happenes BUT the cursor does some strange stuff and returns nothing

user@dom0 /] sudo qvm-ls | grep TemplateVM
just returns all of my templates, state, color. Don’t see anything about sys-usb

user@dom0 /] sudo cat /etc/default/grub | grep hide_all_usb
does nothing just gives me another “input line in terminal” user@dom0/]

Hope this helps…

@B_ryr, like I said: step by step

sudo dnf remove sys-usb

sys-usb is not a package, so that command makes no sense. If you’d have a sys-usb, you could remove it by qvm-remove sys-usb. However you don’t have any as we can see from your output:

dom0:00_14.0 USB controller: Intel Corporation C610/X99 series chipset USB xHCI Host Controller
dom0:00_1a.0 USB controller: Intel Corporation C610/X99 series chipset USB Enhanced Host Controller #2
dom0:00_1d.0 USB controller: Intel Corporation C610/X99 series chipset USB Enhanced Host Controller #1

These are your USB controllers and they are currently NOT assigned to any qube.

user@dom0 /] sudo qvm-ls | grep usb
nothing happenes BUT the cursor does some strange stuff and returns nothing

There is no qube with “usb” in the name. Hence we know there is no sys-usb and from the previous output we know there is no other qube attached to your USB controllers.

Consequently we do not have to worry about cleaning anything up. The next step would be to truly create sys-usb manually. But before I give you the commands, I need to know what templates you have …

user@dom0 /] sudo qvm-ls | grep TemplateVM
just returns all of my templates, state, color. Don’t see anything about sys-usb

You weren’t supposed to. This was meant for me to know what templates we will be working with. Alternatively you can just tell me which template you want to use to base your sys-usb on.

user@dom0 /] sudo cat /etc/default/grub | grep hide_all_usb
does nothing just gives me another “input line in terminal” user@dom0/]

Excellent. That was another thing the salt recipe you tired to run would do: add a kernel parameter to tell dom0 to ignore your USB controllers even before your sys-usb starts.

However, this can be dangerous with computers that do not have a PS/2 keyboard. However, I think you mentioned that you do.

Please confirm:

  • you have a PS/2 keyboard and it works at all times (also to input the LUKS decryption password when booting)?

  • is there also a PS/2 mouse?

  • which template do you want to use for sys-usb? fedora-34?

  • cat /etc/qubes-rpc/policy/qubes.InputKeyboard

  • cat /etc/qubes-rpc/policy/qubes.InputMouse

Once I know which template you want to use, I can send you the commands to check that the required packages are installed (qubes-usb-proxy & qubes-input-proxy-sender).

This is fun! I’m actually learning something,thank you Sven…

Ok,so yes I have both PS/2 mouse and keyboard. But mouse is buggy, I have to unplug & plug it back in to work sometimes. It’s the mouse I know, it’s OLD!!

Anyway I want my “sys-usb” to be fedora-34. Just like the rest of my
Example…
service:sys-firewall
service:sys-net

Yes I have these files…
user@dom0/] sudo nano cat /etc/qubes-rpc/policy/qubes.InputKeyboard

user@dom0/] sudo nano cat /etc/qubes-rpc/policy/qubes.InputMouse

I added this line at the top of each file…

sys-usb dom0 allow

Was I supposed to do that??

Well hope to get this working soon. So I will do what is next tonight when I get home from work.

@B_ryr wrote:

I have both PS/2 mouse and keyboard

Excellent, then there is no danger of accidentally locking you out.

fedora-34

That has all the packages we need.

sys-usb dom0 allow

Perfect.

Ok, here goes:

qvm-create --template fedora-34 --label red sys-usb

qvm-prefs sys-usb virt_mode hvm
qvm-prefs sys-usb autostart true
qvm-prefs sys-usb netvm ''

qvm-pci attach sys-usb --persistent dom0:00_14.0
qvm-pci attach sys-usb --persistent dom0:00_1a.0
qvm-pci attach sys-usb --persistent dom0:00_1d.0

qvm-start sys-usb

Try this and let me know if it works or if there were any errors. If it fails to work at the qvm-start sys-usb then you can try this:

qvm-pci detach sys-usb dom0:00_14.0
qvm-pci detach sys-usb dom0:00_1a.0
qvm-pci detach sys-usb dom0:00_1d.0

qvm-pci attach sys-usb --persistent --option no-strict-reset=true dom0:00_14.0
qvm-pci attach sys-usb --persistent --option no-strict-reset=true dom0:00_1a.0
qvm-pci attach sys-usb --persistent --option no-strict-reset=true dom0:00_1d.0

qvm-start sys-usb

If that too doesn’t work please share the output / error notification.

1 Like

It wouldn’t surprise me if that xHCI controller would work only in PV mode…

@enmus wrote:

It wouldn’t surprise me if that xHCI controller would work only in PV mode…

Possible. My aim is to establish a full understanding of the environment and a documentation of steps tried with respective error information. Even if we reach the limit of what I can help with, which might be around the corner… we have laid the groundwork for someone like @unman to come in and give it a notch without having to pull all the information from scratch.

Or maybe we are lucky and it’ll just work. :slight_smile:

I totally understand what you aimed and am enjoying it too.

@Sven

qvm-create --template fedora-34 --label red sys-usb
DONE...but why does it make it a a regular qubes and not a service? like service: firewall or service: sys-net

qvm-prefs sys-usb virt_mode hvm
ERROR..... qvm-prefs: error: unrecognized arguments: hvm

THats as far as I got tonight

I deleted this ( qube: sys-usb)
Don’t understand why it makes it a regular qube template and not a service.

That’s just a UI thing and it would have shown as a service would you have followed all my steps.

That worries me a big deal. Are you sure there where no typos? Can you tell me the exact CPU you are using? Does it have IOMMU / Vt-d?

Yes those features are in BIOS and I have them enabled .
Both CPUs are
2678-v3 haswell

https://askgeek.io/en/cpus/Intel/Xeon-E5-2678-v3

It is from this family of CPU’s

Upon researching there isn’t much you will find. When digging deeper in Intel they actually state these are special processors and not much info is available.

To answer how I came across this beast was at a bank auction. Normally these type of servers are destroyed. But being the situation we are in at the moment places are closing up and they (financial and health) industries are trying to reclaim there loses.

Now as for the 4 hot swappable bays. I was told they where used to record activity that happened on the server and changed out regularly. Think of tape drives they said.

The hot swappable flexbay nvme was the key/token used to access the server…

That’s all they told me

One more thing how do I know for a fact those are my processors.

I Tor this beast down and cleaned it. Upon re-thermaling the cpus (2) I researched the numbers stamped on the dies.

Yes I have… (2) 2678-v3 hadwells on this beast!!

Good night everyone, hope to get this sys-usb working.
As for Qubes 4.1 running?
Extremely fast & smooth, i really can’t believe it

This animal is loaded

@sven…Good morning, yes there was a “typo’” so I was able to do the first set of cmds you have me and it work up till this error…

So stuck using PS/2 and my mouse is buggy

For others who do not look at pictures, the error message happened at qvm-start sys-usb and reads Start failed: internal error: Unable to reset PCI device ...

@B_ryr we are VERY close to have it working. In fact the error you see is the one I anticipated and already gave you the solution to in my original post:

qvm-pci detach sys-usb dom0:00_14.0
qvm-pci detach sys-usb dom0:00_1a.0
qvm-pci detach sys-usb dom0:00_1d.0

qvm-pci attach sys-usb --persistent --option no-strict-reset=true dom0:00_14.0
qvm-pci attach sys-usb --persistent --option no-strict-reset=true dom0:00_1a.0
qvm-pci attach sys-usb --persistent --option no-strict-reset=true dom0:00_1d.0

qvm-start sys-usb

Once we confirmed it working, you probably want to add the dom0 kernel parameter to ignore USB devices during startup for security reasons. You would enter your password with the PS/2 keyboard and once the sys-usb starts the USB keyboard and mouse start working.