How to Create `sys-usb` in Qubes OS Installed on an External USB SSD Without Breaking the System

I’m using Qubes OS installed on an external SSD connected via USB 3.0 to my laptop. During installation, I chose not to create sys-usb because my system would crash if the SSD was isolated in a USB Qube. However, I am concerned about the security risks associated with USB devices directly connecting to dom0.

I want to create a sys-usb to mitigate USB-based attacks, but I need to ensure that my external SSD (which contains the Qubes OS installation) and my USB keyboard remain accessible. How can I set up sys-usb in this scenario without causing my system to become unbootable?

Here’s the solution by ChatGPT. Is it right?

Solution:

Given that Qubes OS uses LVM + LUKS2, isolating the external SSD in sys-usb would make the system unbootable. Here’s a detailed step-by-step guide to safely creating sys-usb while excluding the external SSD and a USB keyboard:

Step 1: Identify Your External SSD and USB Keyboard

  1. Boot into Qubes OS and open a terminal in dom0.
  2. Identify your external SSD and USB keyboard using:
    lsblk -f
    
    or
    sudo dmesg | grep -i usb
    
    Take note of your external SSD’s device name (e.g., /dev/sda) and the USB keyboard’s device ID.

Step 2: Exclude the External SSD and USB Keyboard from sys-usb

To ensure sys-usb does not take control of your external SSD or USB keyboard, modify the Qubes OS boot configuration:

  1. Edit the GRUB configuration:

    • Open the GRUB configuration file:

      sudo nano /etc/default/grub
      
    • Find the line starting with GRUB_CMDLINE_LINUX and add the parameters rd.qubes.hide_all_usb and rd.qubes.unrestricted=[device_name] for your SSD and keyboard (e.g., sda for SSD and add specific identifiers for the keyboard if necessary).

      Example:

      GRUB_CMDLINE_LINUX="... rd.qubes.hide_all_usb rd.qubes.unrestricted=sda,usb_kbd ..."
      
  2. Update the GRUB configuration:

    • Apply the changes by updating GRUB:
      sudo grub2-mkconfig -o /boot/grub2/grub.cfg
      

Step 3: Create sys-usb

  1. Create the USB Qube:

    • You can now safely create sys-usb, which will manage all USB devices except those explicitly excluded.
    • Run the following command:
      sudo qubesctl state.sls qvm.sys-usb
      
  2. Verify LVM and LUKS Settings:

    • Ensure that the LUKS decryption and LVM mounting processes for your external SSD are unaffected after sys-usb creation.

Step 4: Reboot and Verify

  1. Reboot the system and check that Qubes OS boots normally, with the SSD accessible.
  2. Test USB Devices: After rebooting, plug in other USB devices to ensure they are controlled by sys-usb while confirming your external SSD and USB keyboard are not affected.

This setup will allow you to create sys-usb to protect dom0 from USB attacks while ensuring that your system remains functional with the external SSD and USB keyboard accessible.

This parameter is a hallucination:

If your Qubes OS installation is on a USB drive, it will break if you assign the USB controller that it’s connected to to a VM. Unless maybe you have multiple, actually independent USB controllers: don’t create sys-usb.

Try to find a way to install to an internal drive, or external but connected over (e)SATA instead of USB if that’s an option.


Check if you have multiple USB controllers and they are available on the physical USB ports. If you have them then you can dedicate one of the USB controllers to dom0 and connect your USB disk to it.
Run this command in dom0 to see if there are multiple USB controllers available:

lspci | grep USB

Then check if there are different USB controllers connected to the different USB ports:

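One way to do the check this reply describes, as an added example that is not from the thread: a small POSIX sh script for dom0 that maps a block device to the PCI USB controller behind it (via the sysfs path) and lists the controllers with `lspci -D`. The helper names, the script name `usbctl.sh` and the sysfs sample paths in the comments are my own assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: find which PCI USB controller a block
# device (e.g. the external SSD holding the Qubes install) hangs off, so you
# can tell whether a second, independent controller exists for sys-usb while
# the boot disk's controller stays in dom0. Intended to be run in dom0.

# Given a resolved sysfs path such as (constructed sample)
#   /sys/devices/pci0000:00/0000:00:14.0/usb2/2-1/2-1:1.0/host4/.../block/sda
# print the PCI address (domain:bus:slot.function) of the last PCI node
# before the first usbN root hub, i.e. the host controller. Prints nothing
# and returns 1 if the path has no USB component (disk is not on USB).
usb_controller_of_path() {
    ctrl=""
    old_ifs=$IFS
    IFS=/
    set -- $1
    IFS=$old_ifs
    for part in "$@"; do
        case $part in
            usb[0-9]*)
                printf '%s\n' "$ctrl"
                return 0 ;;
            [0-9a-f][0-9a-f][0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f].[0-9])
                ctrl=$part ;;
        esac
    done
    return 1
}

# Same, for a live block device name like "sda" (needs /sys, so dom0 only).
usb_controller_of_block_dev() {
    usb_controller_of_path "$(readlink -f "/sys/block/$1")"
}

# List every USB host controller with its full PCI address (lspci -D keeps
# the domain so the output matches the sysfs form used above).
list_usb_controllers() {
    lspci -D | grep -i usb
}

# Usage in dom0: sh usbctl.sh sda
# Repeat with a stick plugged into each physical port to learn which ports
# share the boot disk's controller; those must stay with dom0.
if [ -n "${1:-}" ]; then
    echo "USB controllers:"; list_usb_controllers
    echo "Controller serving /dev/$1: $(usb_controller_of_block_dev "$1")"
fi
```

If the SSD and every port you test resolve to the same controller, there is nothing left to hand to sys-usb, which is the situation the replies above warn about.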