It should be rd.qubes.hide_pci=id1,id2 (e.g. rd.qubes.hide_pci=00:1a.0,00:1b.2).
There was a syntax error in the id, fixed it. Let's see if it works now.
Edited by sudo nano /etc/default/grub
Do I need to run this command again after the update?
sudo grub2-mkconfig -o /boot/efi/EFI/qubes/grub.cfg
Yes, you need to run this command after changing the /etc/default/grub file.
Updated that but still the same issue. Tried different USB ports as well, just in case I might not have identified the id correctly, but nothing.
Add all USB controllers in the rd.qubes.hide_pci option for a test.
Does it need to be brought into the right column in the device tab of sys-usb settings, along with adding it to /etc/default/grub?
Added all the USB to the list now, and updated using the command
sudo grub2-mkconfig -o /boot/efi/EFI/qubes/grub.cfg
Nothing changed.
It still is not showing any box for the disk password, and when you press the right arrow key, where it shows the log, on the top it still says: Warning: usb in dom0 is not restricted. consider rd.qubes.hide_all_usb or usbcore.authorized_default=0
My bad, adding all the USB controllers was meaningless.
Try to add the USB controllers one at a time to rd.qubes.hide_pci to find the one that is used by your USB disk.
E.g. you have three USB controllers 00:1a.0,00:1b.0,00:1c.0.
First add this option to GRUB: rd.qubes.hide_pci=00:1a.0.
Check if you can boot in dom0 or not.
If you can’t boot, then 00:1a.0 is the USB controller to which your USB disk is connected. Then you need to leave it in dom0 and add this GRUB option: rd.qubes.hide_pci=00:1b.0,00:1c.0. And add the 00:1b.0,00:1c.0 controllers to your sys-usb.
If you can boot, then add the next USB controller to the GRUB option: rd.qubes.hide_pci=00:1b.0.
Check if you can boot in dom0 or not.
etc
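The one-at-a-time procedure above, as an added example that is not part of the original thread: a shell script that reads lspci text, prints one rd.qubes.hide_pci candidate per USB controller, and builds the final option once the controller that must stay in dom0 is known. The function names and the sample lspci text are constructed for illustration; it assumes lspci's default output, where USB controllers are labelled "USB controller:".

```shell
#!/bin/sh
# Constructed sample of `lspci` output, using the controller ids from the
# thread's example. On a real system, pipe `lspci` into the functions instead.
SAMPLE_LSPCI='00:02.0 VGA compatible controller: Example GPU
00:1a.0 USB controller: Example EHCI Controller #1
00:1b.0 USB controller: Example EHCI Controller #2
00:1c.0 USB controller: Example xHCI Controller
00:1f.2 SATA controller: Example AHCI Controller'

# Print the PCI address of every USB controller in the lspci text on stdin.
usb_controllers() {
    awk '/USB controller:/ { print $1 }'
}

# Print one candidate GRUB option per controller, to be tested one boot at a time.
bisect_options() {
    usb_controllers | while read -r bdf; do
        printf 'rd.qubes.hide_pci=%s\n' "$bdf"
    done
}

# $1 is the controller that must stay in dom0 (the one whose hiding broke boot).
# Prints the option hiding every other USB controller; fails on an unknown id,
# which catches a mistyped address before it reaches /etc/default/grub.
final_option() {
    keep=$1
    all=$(usb_controllers)
    if ! printf '%s\n' "$all" | grep -qxF "$keep"; then
        echo "controller $keep is not a USB controller in this listing" >&2
        return 1
    fi
    rest=$(printf '%s\n' "$all" | grep -vxF "$keep" | paste -sd, -)
    if [ -n "$rest" ]; then
        printf 'rd.qubes.hide_pci=%s\n' "$rest"
    fi
}

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE_LSPCI" | bisect_options
printf '%s\n' "$SAMPLE_LSPCI" | final_option 00:1a.0
```
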
Found the right id by editing it in the GRUB menu at the start of the boot, removed it and it worked.
How do I make sure now that things are how they are supposed to be? Like, if I want to plug in a mouse and use it, how should I go about doing that?
And also the warning is still there: USB is not restricted in dom0.
And when I tried starting sys-usb it gave an error:
start failed: internal error:
unable to reset pci device, no flr, pm or bus reset available
If you want to use a USB keyboard/mouse then it’s better to connect it to the same USB controller attached to dom0 to which your USB disk is connected.
You can shut down the sys-usb qube and try to plug some USB device into all of your USB ports to find out which USB ports are connected to your dom0 USB controller.
You can use the lsusb command in a dom0 terminal to see the connected USB devices.
But shouldn't any USB devices go through sys-usb? That's the whole point, right?
Since you installed Qubes OS on a USB disk, your dom0 is already exposed to USB devices.
The USB controller connected to dom0 should be considered as trusted and you should only connect trusted devices to it.
Your USB disk containing Qubes OS should be a trusted device.
Your USB keyboard/mouse should also be trusted devices.
There is no point in connecting the trusted USB keyboard/mouse to the USB controllers connected to sys-usb, because if you connect an untrusted device to sys-usb then your dom0 can be considered compromised, since the malicious device connected to sys-usb can access your USB keyboard/mouse sending input to dom0.
So why use sys-usb at all, if all the USB devices have to be trusted? How is it in the case where Qubes is installed on an internal drive?
My main aim was to disallow access of any USB device directly to dom0, in the case where it is installed on a USB stick. Is it possible?
With sys-usb you can connect untrusted USB devices to USB controllers connected to sys-usb.
Just don’t connect untrusted devices to the USB controller connected to dom0.
It’s not possible in your case.
Can editing the USB policy help?
sudo nano /etc/qubes-rpc/policy/qubes.USBAttach
And restrict the access of USB to dom0 there?
You can try to configure USBGuard in dom0 to restrict the initialization of USB devices to only trusted ones. But it’s not a certain way, since a malicious USB device can pretend to be a trusted one (spoof its ID).
Is USBGuard different than the USB policy, or is it the same thing?