How to combine sys-usb with sys-net

In some cases you may need to combine sys-usb with sys-net. But it’s less secure than having sys-net and sys-usb separate, so be aware of it before doing it. To do it:

  • In the following files:

nano /etc/qubes-rpc/policy/qubes.InputKeyboard
nano /etc/qubes-rpc/policy/qubes.InputMouse

replace from

sys-usb dom0 allow,user=root

to

sys-net dom0 allow,user=root

  • Shutdown

Go into the sys-net terminal and shut it down, for example with init 0
Go into the sys-usb terminal and shut it down, for example with init 0

  • Transfer the USB controller from sys-usb to sys-net

Go into the settings of your sys-usb qube, disable “start on boot” and apply your modification.
Go into the settings of your sys-net qube, and in the devices section, find the USB controller of your computer, select it and apply your modification.

  • You can now start sys-net
2 Likes
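The four steps above as a dom0 shell script, added here as an example that is not part of the original post. It assumes the qube names sys-usb and sys-net, the two policy paths quoted above and the standard `qvm-*` tools; without `--apply` it only defines the helpers, so nothing on the system is changed.

```shell
#!/bin/sh
# Added example (not from the forum post). Run in dom0 as: sh merge-usb.sh --apply
set -u

POLICY_DIR=/etc/qubes-rpc/policy   # paths from the post above (assumption: unchanged layout)

# Step 1: point the input-device policy at sys-net instead of sys-usb.
# Only the "<old> dom0 allow" rule is rewritten; every other rule is left alone.
rewrite_input_policy() {            # $1 = policy file, $2 = old qube, $3 = new qube
    sed -i "s/^$2 dom0 allow/$3 dom0 allow/" "$1"
}

# Step 3 helper: print the BDF of every USB controller from `qvm-pci` output on stdin.
# Expected line shape: "dom0:00_14.0  USB controller: <vendor/model>  sys-usb"
usb_controllers() {
    awk '$2 == "USB" && $3 == "controller:" { print $1 }'
}

# Steps 2-4: stop both qubes, move the controller(s) to sys-net, start sys-net.
migrate_usb_to_net() {
    for f in qubes.InputKeyboard qubes.InputMouse; do
        rewrite_input_policy "$POLICY_DIR/$f" sys-usb sys-net
    done
    qvm-shutdown --wait sys-net sys-usb
    qvm-prefs sys-usb autostart False                      # "start on boot" off
    for dev in $(qvm-pci | usb_controllers); do
        qvm-pci detach sys-usb "$dev" 2>/dev/null || true  # ignore if not assigned
        # --persistent is the Devices-tab assignment. The default strict PCI
        # reset is kept: it is what wipes the controller's state when it moves
        # between qubes (the "Unable to reset PCI device" error later in this
        # thread means the hardware cannot be reset that way).
        qvm-pci attach --persistent sys-net "$dev"
    done
    qvm-start sys-net
}

if [ "${1:-}" = "--apply" ]; then
    migrate_usb_to_net
fi
```

The policy rewrite and the controller lookup are separate functions so each can be checked on a copy of the file or on saved `qvm-pci` output before anything is applied.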

Just to understand this better: what could be the reasons one would want to do that?

If you use an external NIC, it sometimes cannot work properly.

Since sys-net is an HVM with PCI access, I see it as one of the weakest links in terms of security. A member of the Qubes Team seems to agree with me in the linked thread. I’d recommend creating another sys-usb for all other usb devices not involved in networking.

Not technically-trained; consume advice with salt

2 Likes

Like attaching all the USB devices that are not the external NIC by doing?

qvm-usb attach sys-usb sys-net:{ID of the usb devices}

1 Like

Good point – I have no idea how to assign individual USB ports/devices to separate sys-usbs. There’s probably a way to do it, but someone more knowledgeable will have to show me.

It’s not ports, it’s controllers. You identify each controller, and then can allocate them using the Devices tab in Qube Manager settings for each qube. Sometimes you may find 2 controllers on the same port - this will be if the port supports USB2 and USB3. Once you have allocated the controllers, you can easily identify the ports they control.

Sometimes too, the USB controller may be associated with other devices - you may find that the qube does not start until you also allocate these other devices - common on laptops.

3 Likes

So the InputKeyboard and InputMouse steps are only needed if a USB mouse/keyboard is used, right? So I ran all the rest of the steps you mentioned, but when I start sys-net again, it says Start failed: internal error: Unable to reset PCI device blablabla…

I have reinstalled Qubes OS several times now; the previous time I chose to combine sys-net and sys-usb and it worked like a charm and I could connect to the router/internet. But I don’t want that, I want to be able to control the other USB inputs as well (due to security).

I don’t see any difference but the name of the qube. If you have a separate controller to which only a USB wifi (or USB2eth) device is attached, it is irrelevant how you name the qube to which the controller is assigned. Both have to have the same prefs and features in order to provide network.

Yes if on the same controller with USB wifi. But I wouldn’t go with what is suggested.

You could consider something like

This is how sys-net and sys-usb would be truly separated. Just note that it can be either a wifi dongle or that adapter.

You can also read a more detailed explanation here.

1 Like

I think I have an exact match for the situation you’re talking about here. I have two USB controllers with 3 type-c ports in total. When at home, I want to use the charger in one port, ethernet on another and the third as regular USB, but when I’m outside of home, I want to use only the charger. Do you have a guide on what you did or how to do what you did? I’m not sure how to properly create a sys-* individually for each port, how to limit them to a specific action (charger, ethernet etc.) and so on.

1 Like

I can try, and if I don’t succeed, someone else can come up with other suggestions, different in concept from mine. But it is best to open a separate topic and prepare for it the output of lsusb in dom0 and in sys-usb if you have it.
Also you have to know which controller each port belongs to.

1 Like