Disposable sys-usb creation

Hello!

Because there weren’t many answers to my question, I thought I should ask something else. I have 2 questions:

  1. Is it possible to create a disposable sys-usb VM so that instead of the two commands in the documentation, the sys-usb VM is immediately disposable? If yes, how should I do it?

  2. How can I delete a disposable sys-usb if I’m already connected to it? I’ve checked the documentation, but is there any other way where I don’t have to shut off the existing disp-sys-usb?

Unfortunately I have only 1 USB controller, and there is no PS/2 input on my PC.

Thanks for any help!

Create the sys-usb DisposableVM

  1. Create the disp-sys-usb:
 [user@dom0 ~]$ qvm-create --template <disposablevm-template-name> --class DispVM --label red disp-sys-usb
  2. Set the disp-sys-usb virtualization mode to hvm:
 [user@dom0 ~]$ qvm-prefs disp-sys-usb virt_mode hvm
  3. Set disp-sys-usb NetVM to none:
 [user@dom0 ~]$ qvm-prefs disp-sys-usb netvm ""
  4. List all available PCI devices:
 [user@dom0 ~]$ qvm-pci
  5. Attach the USB controller to the disp-sys-usb:

Note: Most of the commonly used USB controllers (all Intel integrated controllers) require the -o no-strict-reset=True option to be set. Instructions detailing how this option is set can be found here.

 [user@dom0 ~]$ qvm-pci attach --persistent disp-sys-usb <backend>:<bdf>
  6. (optional) Set disp-sys-usb to auto-start when Qubes boots:
 [user@dom0 ~]$ qvm-prefs disp-sys-usb autostart true
  7. (recommended) Disable the appmenus-dispvm feature, as disp-sys-usb is not itself a DisposableVM template (Note: this is only necessary if you enabled the appmenus-dispvm feature for the DisposableVM template):
 [user@dom0 ~]$ qvm-features disp-sys-usb appmenus-dispvm ''
  8. Users should now follow instructions on How to hide USB controllers from dom0.
  9. At this point, your mouse may not work. Edit the qubes.InputMouse policy file in dom0, which is located here:
 /etc/qubes-rpc/policy/qubes.InputMouse

Add a line like this to the top of the file:

 disp-sys-usb dom0 allow,user=root

Your PCI devices, like USB and the keyboard, are connected through this VM. If you delete this sys-usb, that means you need to detach the USB devices like the keyboard or mouse and attach them back to dom0. While your keyboard doesn’t work you can’t attach it, right? That’s why you need to reboot.

  1. I don’t understand - what “two commands”?
  2. No - you can’t delete a template while there are running qubes that use it.

Since he doesn’t have PS/2, I assume he is just using the 2 commands :joy:.

sudo qubesctl state.sls qvm.sys-usb
sudo qubesctl state.sls qvm.usb-keyboard

And maybe he wants an explanation, or maybe manual creation of that VM.

Thanks! These are the commands as in the documentation, aren’t they? Can I use this as a substitute for the sudo qubesctl state.sls qvm.sys-usb command? And after this I should use the sudo qubesctl state.sls qvm.usb-keyboard command to enable the keyboard for login? And that’s it? As if I’d followed the normal automatic sys-usb creation after install (the 2 commands from the documentation)?
sudo qubesctl state.sls qvm.sys-usb
sudo qubesctl state.sls qvm.usb-keyboard

So I just unplug and replug the keyboard and mouse and it will work as if there’s no sys-usb, right?

I thought about copy-pasting the commands from the documentation, but I thought it was clear from the linked document and the context of the thread which ones I could have been thinking of. Next time I won’t make this mistake!

I know that I can’t delete a template with running qubes, but how should I delete it (the sys-usb VM) if I don’t need it and I have only 1 USB controller attached to the sys-usb VM?

Yeah you can.

In order to use a USB keyboard, you must first attach it to a USB qube, then give that qube permission to pass keyboard input to dom0. Edit the qubes.InputKeyboard policy file in dom0, which is located here:

/etc/qubes-rpc/policy/qubes.InputKeyboard

Add a line like this one to the top of the file:

sys-usb dom0 allow

(Change sys-usb to your desired USB qube.)

You can now use your USB keyboard to login and for LUKS decryption during boot.

If you like doing it manually then do the above, otherwise run sudo qubesctl state.sls qvm.usb-keyboard


Thanks! I just wasn’t sure if it would work! But it seems simple enough…

I see you edited your comment, so I’ll add this too.

If you want to attach the USB mouse automatically anyway, you have to edit the qubes.InputMouse policy file in dom0, located at:

/etc/qubes-rpc/policy/qubes.InputMouse

The first line should read similar to:

sys-usb dom0 ask,default_target=dom0

which will ask for confirmation each time a USB mouse is attached. If the file is empty or does not exist, maybe something went wrong during setup; try to rerun qubesctl state.sls qvm.sys-usb in dom0.

In case you are absolutely sure you do not want to confirm mouse access from sys-usb to dom0, you may add the following line on top of the file:

sys-usb dom0 allow

(Change sys-usb to your desired USB qube.)
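
The policy lines quoted above are added "to the top of the file" because rules are evaluated top-down and the first match decides. The following is an added example, not code from the posts or from the Qubes documentation: it reports the effective action for input from a USB qube to dom0. The function names are hypothetical, the sample files are constructed, and only the source/target keywords named in the comments are handled.

```shell
#!/bin/sh
# Added example: report what a legacy qrexec policy file decides for
# input from a USB qube to dom0. Rules are read top-down; first match wins.

input_policy_verdict() {
    # $1 = policy file, $2 = USB qube name; prints allow, ask, deny or none
    awk -v qube="$2" '
        NF < 3 || $1 ~ /^#/ { next }           # skip blanks, comments, short lines
        {
            # Assumption: only literal names and the any-VM / admin-VM keywords
            src_ok = ($1 == qube || $1 == "$anyvm" || $1 == "@anyvm")
            dst_ok = ($2 == "dom0" || $2 == "$adminvm" || $2 == "@adminvm")
            if (src_ok && dst_ok) {
                split($3, action, ",")           # drop ",user=root" style parameters
                print action[1]; found = 1; exit
            }
        }
        END { if (!found) print "none" }
    ' "$1"
}

audit_input_policy() {
    # $1 = directory holding the policy files, $2 = USB qube name
    for svc in qubes.InputKeyboard qubes.InputMouse; do
        if [ -f "$1/$svc" ]; then
            printf '%s: %s\n' "$svc" "$(input_policy_verdict "$1/$svc" "$2")"
        else
            printf '%s: missing\n' "$svc"
        fi
    done
}

# Constructed sample files (not read from a real dom0).
demo=$(mktemp -d)
printf '%s\n' 'sys-usb dom0 allow' > "$demo/qubes.InputKeyboard"
printf '%s\n' 'sys-usb dom0 allow' 'sys-usb dom0 ask,default_target=dom0' \
    > "$demo/qubes.InputMouse"
audit_input_policy "$demo" sys-usb
```

On a real system the directory argument would be /etc/qubes-rpc/policy, the location given in the posts.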

Thanks! I will try it! I hope there won’t be any “lockout by the keyboard” in the process.

No need to worry. If you get locked out, you don’t have to reinstall Qubes. Just make the change with Qubes rescue :slight_smile:

GRUB2 :

  • mount boot partition to /mnt
  • Open the file /etc/default/grub in dom0.
  • Find the line(s) that begins with GRUB_CMDLINE_LINUX.
  • If rd.qubes.hide_all_usb appears anywhere in those lines, remove it.
  • Save and close the file.
  • Run the command grub2-mkconfig -o /mnt/grub2/grub.cfg in dom0.
  • umount /mnt
  • Reboot.

EFI :

  • mount boot partition to /mnt and efi partition to /mnt/efi
  • Open the file /mnt/efi/EFI/qubes/xen.cfg in dom0.
  • Find the line(s) that begins with kernel=.
  • If rd.qubes.hide_all_usb appears anywhere in those lines, remove it.
  • Save and close the file.
  • umount /mnt/efi && umount /mnt
  • Reboot.

Boot into Qubes, but interrupt grub to remove the section that hides the
usb controller from dom0.
Stop sys-usb.
Delete sys-usb.
Make the changes to default grub, and rebuild grub.
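
The edit described in the GRUB2 and EFI steps above, as an added example that is not part of the original posts: a helper that removes rd.qubes.hide_all_usb only from lines starting with the given prefix, keeps a backup, and reports when there is nothing to remove. The function name is hypothetical and the demo runs on a constructed temporary file, not on a real /etc/default/grub or xen.cfg.

```shell
#!/bin/sh
# Added example: remove rd.qubes.hide_all_usb from a boot config file.

strip_hide_all_usb() {
    # $1 = config file, $2 = line prefix (GRUB_CMDLINE_LINUX or kernel=)
    # Returns 1 and leaves the file alone when the option is not present.
    grep -q "^$2.*rd\.qubes\.hide_all_usb" "$1" || return 1
    cp -p "$1" "$1.bak"                         # keep the original for rollback
    # Drop the option (and one preceding space) on matching lines only.
    sed "/^$2/ s/ \{0,1\}rd\.qubes\.hide_all_usb//g" "$1.bak" > "$1"
}

# Constructed sample standing in for /etc/default/grub.
demo=$(mktemp)
cat > "$demo" <<'EOF'
GRUB_TIMEOUT=5
GRUB_CMDLINE_LINUX="rd.luks.uuid=luks-CONSTRUCTED rhgb quiet"
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX rd.qubes.hide_all_usb"
EOF

if strip_hide_all_usb "$demo" GRUB_CMDLINE_LINUX; then
    echo "option removed; backup kept at $demo.bak"
    diff "$demo.bak" "$demo" || true            # show the changed line
else
    echo "rd.qubes.hide_all_usb not present; nothing changed"
fi
```

For the EFI case the second argument is kernel=; after a GRUB2 edit the configuration still has to be regenerated with the grub2-mkconfig command given in the steps.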