Cannot get USB qube with keyboard to work

User Support
1

I have a desktop PC with USB keyboard and mouse so USB qube was not created with installation of Qubes.

I found this: USB qubes | Qubes OS

So I run sudo qubesctl state.sls qvm.usb-keyboard in dom0. It seemingly succeeded and created a usb qube. Once I started it though, it locked me out of my keyboard and mouse. After reboot too, so I found this solution:

I added qubes.skip_autostart to GRUB parameters, and it still didn’t work (endless loading screen on decryption menu).

So, I tried also removing usbcore.authorized_default=0 and now keyboard works.

Okay, I’m no longer locked out.

But still can’t get usb-qube to work with the keyboard.

In dom0 I checked /etc/qubes-rpc/policy dir and there was a file named qubes.USB containing just $anyvm $anyvm deny. Also, there are no /etc/qubes-rpc/policy/qubes.InputKeyboard or /etc/qubes-rpc/policy/qubes.InputMouse files at all!

But that deny rule seemed like a problem, so I changed it to:

sys-usb dom0 allow
$anyvm $anyvm deny

still no luck, keyboard is unavailable as soon as usb qube starts.
So I tried creating the /etc/qubes-rpc/policy/qubes.InputKeyboard and /etc/qubes-rpc/policy/qubes.InputMouse files manually with just sys-usb dom0 allow but this didn’t help either.

Is the docs wrong or outdated, or am I doing something wrong?
My goal is to allow USB keyboard and mouse in dom0 while having other devices like webcam be able to be passed to any other qube.

2

Are you currently on Qubes 4.1 or 4.2?

3

4.2

4

The doc still point to the old policy directory. The new policy file is /etc/qubes/policy.d/50-config-input.policy
You can change the values from Qubes Global Config under “USB Devices”.
Make sure it’s allowed there.

5

It contains

qubes.InputMouse * sys-usb dom0 ask default_target=dom0
qubes.InputKeyboard * sys-usb dom0 allow
# not configurable by this state
qubes.InputTablet * sys-usb dom0 deny

is this ok? what should I change?

6

Did sys-usb started successfully or was there an error message?
Maybe there is some problem with your USB PCI controllers attached to sys-usb.

Yes, the policy is configured properly.
That is if there is no policy config file with higher priority that overwrites this config file.

7

The policy looks correct. You can switch to “allow” for the mouse too if you want to (remove default_target=dom0 if you set it to allow).

The next step is to make sure you have your USB controllers attached to sys-usb (do you have “no-strict-reset” set to True?):

# dom0
qvm-pci ls | grep USB

Also, what is the template for sys-usb? Make sure you have the qubes-input-proxy package installed in the template.

8

IMG_20240312_182432_231
IMG_20240312_182432_2311920×714 183 KB

(upload://7NYiHN5SA789p42YCF7rk7wwgDT.jpeg)
there is this error message when I started usb qube manually from already-booted Qubes

9

Did you install Qubes OS on external USB drive?

10

OMG yes! I have it installed on an external SSD connected via USB… :person_facepalming:
so that explains my problem, now I only need to fix it while still using external SSD

11

You can use sys-usb only if you have multiple USB controllers available so you can dedicate one of them to dom0 to connect your external USB drive to it.
Then you can hide all other USB controllers from dom0 and use them for sys-usb:

1 Like