I’m using Qubes OS installed on an external SSD connected via USB 3.0 to my laptop. During installation, I chose not to create `sys-usb` because my system would crash if the SSD was isolated in a USB Qube. However, I am concerned about the security risks associated with USB devices directly connecting to dom0.

I want to create `sys-usb` to mitigate USB-based attacks, but I need to ensure that my external SSD (which contains the Qubes OS installation) and my USB keyboard remain accessible. How can I set up `sys-usb` in this scenario without causing my system to become unbootable?
Here’s the solution by ChatGPT. Is it right?

Solution:
Given that Qubes OS uses LVM + LUKS2, isolating the external SSD in `sys-usb` would make the system unbootable. Here’s a detailed step-by-step guide to safely creating `sys-usb` while excluding the external SSD and a USB keyboard:
Step 1: Identify Your External SSD and USB Keyboard

- Boot into Qubes OS and open a terminal in dom0.
- Identify your external SSD and USB keyboard using `lsblk -f` or `sudo dmesg | grep -i usb`.
- Take note of your external SSD’s device name (e.g., `/dev/sda`) and the USB keyboard’s device ID.
Step 2: Exclude the External SSD and USB Keyboard from sys-usb

To ensure `sys-usb` does not take control of your external SSD or USB keyboard, modify the Qubes OS boot configuration:

- Edit the GRUB configuration:
  - Open the GRUB configuration file: `sudo nano /etc/default/grub`
  - Find the line starting with `GRUB_CMDLINE_LINUX` and add the parameters `rd.qubes.hide_all_usb` and `rd.qubes.unrestricted=[device_name]` for your SSD and keyboard (e.g., `sda` for the SSD, and add specific identifiers for the keyboard if necessary). Example:
    `GRUB_CMDLINE_LINUX="... rd.qubes.hide_all_usb rd.qubes.unrestricted=sda,usb_kbd ..."`
- Update the GRUB configuration:
  - Apply the changes by updating GRUB: `sudo grub2-mkconfig -o /boot/grub2/grub.cfg`
Step 3: Create sys-usb

- Create the USB Qube:
  - You can now safely create `sys-usb`, which will manage all USB devices except those explicitly excluded.
  - Run the following command: `sudo qubesctl state.sls qvm.sys-usb`
- Verify LVM and LUKS Settings:
  - Ensure that the LUKS decryption and LVM mounting processes for your external SSD are unaffected after `sys-usb` creation.
Step 4: Reboot and Verify

- Reboot the system and check that Qubes OS boots normally, with the SSD accessible.
- Test USB devices: after rebooting, plug in other USB devices to ensure they are controlled by `sys-usb`, while confirming your external SSD and USB keyboard are not affected.
This setup will allow you to create `sys-usb` to protect dom0 from USB attacks while ensuring that your system remains functional with the external SSD and USB keyboard accessible.
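Before touching GRUB it helps to know which USB host controller the boot SSD and the keyboard actually hang off, because Qubes assigns whole PCI controllers to sys-usb, not individual devices: whatever controller stays in dom0 for the SSD keeps every other port on it in dom0 too. The following is an added example (not from the post above and not Qubes OS code) that parses the sysfs path of a device, the string `readlink -f /sys/block/sda` or `readlink -f /sys/class/input/inputN` prints in dom0, to extract the controller's PCI address; the sample paths are constructed and the sysfs layout `.../<pci-bdf>/usbN/N-P/...` is assumed.

```shell
#!/bin/sh
# Added example, not from the original post: derive the USB host controller
# (PCI address) and bus-port of a device from its sysfs path.
# Real input in dom0:  readlink -f /sys/block/sda
#                      readlink -f /sys/class/input/input5
# Assumption: standard Linux sysfs layout .../<pci-bdf>/usbN/N-P[.Q]/...

# PCI address (BDF) of the USB controller on the path; non-zero if no USB.
usb_controller_of_path() {
    ctrl=$(printf '%s\n' "$1" | sed -n \
        's#.*/\(0000:[0-9a-f]\{2\}:[0-9a-f]\{2\}\.[0-7]\)/usb[0-9]*/.*#\1#p')
    [ -n "$ctrl" ] || return 1
    printf '%s\n' "$ctrl"
}

# USB bus-port path of the device (e.g. 2-1, or 1-3.4 when behind a hub).
usb_port_of_path() {
    port=$(printf '%s\n' "$1" | sed -n 's#.*/usb[0-9]*/\([0-9]*-[0-9.]*\)/.*#\1#p')
    [ -n "$port" ] || return 1
    printf '%s\n' "$port"
}

# Returns 0 when both devices sit on the same USB controller: a controller kept
# in dom0 for the boot SSD also keeps every other port on it in dom0.
same_controller() {
    a=$(usb_controller_of_path "$1") || return 2
    b=$(usb_controller_of_path "$2") || return 2
    [ "$a" = "$b" ]
}

# Constructed sample paths (sysfs shape only; not from the poster's machine).
SSD_PATH='/sys/devices/pci0000:00/0000:00:14.0/usb2/2-1/2-1:1.0/host0/target0:0:0/0:0:0:0/block/sda'
KBD_PATH='/sys/devices/pci0000:00/0000:00:14.0/usb1/1-3/1-3:1.0/0003:046D:C31C.0001/input/input5'
OTHER_PATH='/sys/devices/pci0000:00/0000:00:1d.0/usb3/3-2.4/3-2.4:1.0/host1/target1:0:0/1:0:0:0/block/sdb'

# Print one line per device and flag the controller that must stay in dom0.
report() {
    for p in "$SSD_PATH" "$KBD_PATH" "$OTHER_PATH"; do
        printf '%s  controller=%s  port=%s\n' "${p##*/}" \
            "$(usb_controller_of_path "$p")" "$(usb_port_of_path "$p")"
    done
    if same_controller "$SSD_PATH" "$KBD_PATH"; then
        echo "SSD and keyboard share a controller: that controller stays in dom0"
    fi
}
```

Run `report` in dom0 after replacing the sample paths with the real `readlink -f` output; devices whose controller differs from the SSD's are the ones a sys-usb can take over.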