I’ll update as soon as I find a fix for the keyboard working on suspend wake.
Regarding the handling of the USB modules, all of the expansion cards are treated as USB devices and are handled by sys-usb. This is evident during use as for example wanting to use the ethernet expansion card, requires adding it to sys-net (i.e. your desired network vm).
Running lsusb in dom0 will return nothing.
The one exception to this are the expansion cards for the display ports (HDMI, and display port) as when plugged in I will get a notification from sys-usb that say the HDMI card is active however, the display output is automatically handled by dom0 without needing to add the device or anything. Even then, running lsusb or even lspci in dom0 yields no different results than when the display output is not connected.
The expansion cards are certainly an added attack surface in my opinion and could be an added way to attempt to gain compromise to the device.
Within the BIOS, you can disable USB boot and password lock it which will prevent any low effort AEM attacks using a USB stick but will not protect against more sophisticated attacks.
I added it to the very end of the GRUB_CMDLINE_XEN_DEFAULT line of my /etc/default/grub file.
Make sure you then run sudo grub2-mkconfig -o /boot/efi/EFI/qubes/grub.cfg followed by sudo dracut -f to ensure your grub actually gets updated.
I usually get a black screen on boot until reaching the disk encryption prompt but not afterwards.
Do keep in mind I have a Framework 16, if you have a Framework 13 there are multiple forum threads here for each of the Framework 13 versions and chipsets which may be of additional help.
Okay im not making it that far because the xen commamd line keeps saying “USB in dom0 is not resticted consider rd.qubes.hide_all_usb or usbcore.authorized_default-6.” But im not sure where to put the in the xen commandline. Ill keep looking around. Thanks. I also have a ryzen 7040u
Can you not even get into Qubes and dom0?
Please reply in either one of these threads, whichever one is for your laptop. This thread is for the Framework 16 and I would like to not have this thread get too off topic.
So far I’ve been able to pin the keyboard not working on suspend wake issue to be due to sys-usb not being restarted/unpaused on suspend wake and since the keyboard is registered as a USB device, you can’t use it to unlock the laptop.
I’ve been trying to play around with the Qubes suspend hooks but so far haven’t gotten anywhere.
Due to it being a sys-usb issue though, even using an external keyboard would not work (I also tried before identifying the root cause and to no avail).
A temporary but very insecure workaround would be to disable lock on suspend so when waking up, you aren’t locked out and you can then proceed to manually restart sys-usb.
As for the workaround, do you use touchpad to manually restart sys-usb? If so, would it be possible to use the virtual keyboard to enter the password and avoid disabling lock?
Yep exactly, I use the touchpad since as it is connected over i2c and not usb, it still works, and yes that would absolutely work! Good idea, hadn’t thought of that
Another idea is to re-create the sys-usb qube, but leave the USB controller responsible for the internal keyboard in dom0. The process described in this section of the docs.
Unfortunately, the USB controller that is responsible for the keyboard also handles anything connected via the expansion cards so that would significantly compromise the security and isolation of the laptop. This is because any USB device connected would be exposed directly to dom0.
The actual issue at play is sys-usb not getting restarted on suspend wake and that’s what needs to be resolved.
Haven’t had the chance to do more debugging and try and fix it since my prior comment, I’ve been quite busy and haven’t had the time to.
Does that mean there is only 1 usb controller for the whole device? Like in the Qube Manager for sys-usb it only shows one device selected? That would be a huge dealbreaker for me
No there are 6 USB controllers.
There are 6 devices passed on to sys-usb and you can also see that when running lsusb in sys-usb with no external devices connected:
[user@sys-usb ~]$ lsusb
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 002: ID 0627:0001 Adomax Technology Co., Ltd QEMU Tablet
Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 002 Device 002: ID 05e3:0610 Genesys Logic, Inc. Hub
Bus 002 Device 003: ID 05e3:0610 Genesys Logic, Inc. Hub
Bus 002 Device 004: ID 05e3:0610 Genesys Logic, Inc. Hub
Bus 002 Device 005: ID 0e8d:e616 MediaTek Inc. Wireless_Device
Bus 002 Device 006: ID 27c6:609c Shenzhen Goodix Technology Co.,Ltd. Goodix USB2.0 MISC
Bus 002 Device 007: ID 32ac:0012 Framework Laptop 16 Keyboard Module - ANSI
Bus 003 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 003 Device 002: ID 05e3:0625 Genesys Logic, Inc. USB3.2 Hub
Bus 004 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 005 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 006 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 006 Device 002: ID 32ac:0002 Framework HDMI Expansion Card
Bus 007 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 008 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 009 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
This HCL has been very helpful, thanks for putting this together. I just recently got my Framework 16 and am writing this from Qubes.
I can confirm the ioapic_ack=new line in the Xen command line makes the touchpad very reliable,
With respect to the keyboard on suspend, @tegas I can’t find the option for an onscreen virtual keyboard than I can use with a mouse, was this just an idea or something you have had setup?
Aothetlt partial workaround for the keyboard on suspend issue that I tested and have working is a cron script that checks every minute if sys-usb and restarts it if required. When the laptop wakes from suspend, the keyboard does not work immediately, but within a minute it does,
I have tested this both on the built in and external keyboards.
In dom0 execute crontab -e and enter the following:
I had this set up automatically for me when I was using Qubes with KDE and SDDM. There was a “Virtual Keyboard” button in the bottom left corner on login screen. I don’t have it when I use XFCE , but according to the screenshots from their documentation XFCE should have this ability too, although I was not able to quickly find it (no need it myself right now).
To answer my own question I did some testing on this device. There are 6 controllers but it’s not as useful as that sounds.
1 - USB 2.0 Hub, not mapped to any port
2 - USB 2.0 Hub, not mapped to any port
3 - Top Left port
4 - Top Right Port
5 - Keyboard, Mediatek Wireless Device, Fingerprint Reader, Bottom 4 ports
6 - USB Camera
I don’t know what the first two controllers are for maybe the GPU module?
The fifth controller shares the keyboard and internet bluetooth so probably not acceptable for anyone that cares about isolating this. The camera is more isolated than the keyboard. You can maybe share some less important ports with the keyboard (chargers are maybe less likely to be a problem) but if you want ethernet that takes up 1 of the two other isolated ports you have because there is no dedicated ethernet pci port.
There are 3 controllers you can isolate ports with in total.
But maybe a NovaCustom is better for isolation? NovaCustom NV41 Series - #19 by novacustom
It seems to have isolated keyboard/mouse, internet and audio with up to 3 isolated groups of USB ports?