How to set up the trezor bridge in 4.1

This command returns: No such file or directory
And these return with PERMISSION DENIED on sys-usb

ln -s /rw/config/trezor/trezord /usr/bin/trezord
ln -s /rw/config/trezor/50-trezor.rules /lib/udev/rules.d/50-trezor.rules
ln -s /rw/config/trezor/trezord.service /usr/lib/systemd/system/trezord.service
ln -s /rw/config/trezor/qubes.Trezor /etc/qubes-rpc/qubes.Trezor
# add user that systemctl service is configured to use
useradd trezord
systemctl start trezord

The issue I’m having is that I get to the web wallet and it even shows my device name but nothing loads, cannot open any wallets, it’s just stuck on loading forever. Any ideas??

Also, question. I do it in an APPVM is that an issue? And then I pass Trezor from sys-usb to the APPVM

This really is getting on my nerves, it has been 5 days and I have not been able to use my trezor with qubes.

This command returns: No such file or directory
And these return with PERMISSION DENIED on sys-usb

These should be pasted into /rw/config/rc.local, which means they will run as root when the VM starts up (so shouldn’t have permission denied), and you should put the files into /rw/config/trezor/ that it makes links to.

Also, question. I do it in an APPVM is that an issue? And then I pass Trezor from sys-usb to the APPVM

Yes, this is an issue. The whole point of this setup is that the usb device passthrough is complicated and doesn’t work reliably for many kinds of devices. The trezor is one such device that cannot be passed through. Because the client (trezor suite, trezorctl, electrum, etc.) communicates with the bridge (trezord) via TCP, we don’t need to use a usb passthrough. Instead we run the bridge in the usb vm, run the client in an app vm, and use TCP sockets to send the client<->bridge communication through qubes-rpc.

I would update the instructions in the original post to say “First you need the bridge software in sys-usb.” to make that part more clear. I’m new to the forums, and it looks like I can’t edit the original post.


I get it but how do I install bridge in sys-usb then? Could you try explaining it to me further or in private? If it works well I’m willing to pay you for your time.

The steps are in the original post. To summarize, you need to

  • get the RPM
  • install it
  • copy its files (50-trezor.rules, trezord, trezord.service) into /rw/config/trezor
  • create the qubes.Trezor rpc script
  • add the lines to /rw/config/rc.local to make the symbolic links and start the trezord service

With that done, trezord should be running in sys-usb whenever you start it up.

Then in dom0, you need to make the rpc policy, so that requests from the client will be allowed.

And in the client you need to add the line to /rw/config/rc.local that listens on port 21325 and forwards TCP packets in the rpc request.

Is it clear?
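
An added example, not part of any post in this thread: a shell check for the sys-usb side of the steps summarized above, using the link paths from the ln -s lines posted earlier. The ROOT prefix argument is a hypothetical convenience for checking a staged copy, and the rc.local test assumes the "systemctl start trezord" line from the thread was pasted in unchanged.

```shell
#!/bin/sh
# Added example: audit the sys-usb side of the setup described in this thread.
# ROOT is a hypothetical test prefix; leave it empty to check the live VM.
check_trezor_links() {
    root="${1:-}"
    failures=0
    # "<persistent source> <link created by rc.local>", as posted in the thread
    while read -r src dst; do
        if [ ! -e "$root$src" ]; then
            echo "MISSING $src (copy it into /rw/config/trezor first)"
            failures=$((failures + 1))
        elif [ ! -L "$root$dst" ]; then
            echo "NOLINK  $dst (rc.local has not created it)"
            failures=$((failures + 1))
        elif [ "$(readlink "$root$dst")" != "$src" ]; then
            echo "WRONG   $dst -> $(readlink "$root$dst")"
            failures=$((failures + 1))
        else
            echo "OK      $dst -> $src"
        fi
    done <<EOF
/rw/config/trezor/trezord /usr/bin/trezord
/rw/config/trezor/50-trezor.rules /lib/udev/rules.d/50-trezor.rules
/rw/config/trezor/trezord.service /usr/lib/systemd/system/trezord.service
/rw/config/trezor/qubes.Trezor /etc/qubes-rpc/qubes.Trezor
EOF
    # rc.local is only run at VM start if it is executable
    rclocal="$root/rw/config/rc.local"
    if [ ! -x "$rclocal" ] || ! grep -q 'systemctl start trezord' "$rclocal"; then
        echo "RCLOCAL $rclocal is not executable or never starts trezord"
        failures=$((failures + 1))
    fi
    return "$failures"
}
```

Call check_trezor_links with no argument as root in sys-usb; the exit status is the number of failed checks, so 0 means the files, links and rc.local are all in place.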

I didn’t do exactly what you did.

I set up a minimum Qube with Trezor Suite, and everything it requires to connect. I can manually attach the device to Trezor Suite, and see accounts. However, I cannot upgrade firmware when connected through bootloader mode. Have any idea how I can get firmware updates to work?

Sorry to write a bit late. Hmm, I never got it to work in the first place by just attaching the device. So you have trezord running in the appVM where you run the trezor suite, and the trezor is attached through sys-usb? I don’t have a great understanding of what Qubes does to pass usb devices through, but it does seem to mangle some things. The advantage with the setup as I described in this post is that trezord runs in the VM that has direct access to the hardware, and then it talks to the trezor suite via TCP packets that Qubes can pass along without any problems, so you could try it that way. I have done a firmware update on mine and it’s worked.

If you don’t want to though, you could try running the trezor suite app VM in HVM and giving it direct access to the usb hardware (so you’d have to shut down sys-usb and add the usb controller in the hardware settings for the app VM). On my computer, for some reason trezor suite was too resource hungry or something, and I just couldn’t get it to work in HVM, hence my solution, but maybe it’d work for you.

OK dumb but related question. I feel like I did verify the bridge in the past but now the same file, I cannot get to pgp verify. Either

wget rusnak.io/public/pgp.txt
http://rusnak.io/public/pgp.txt
Resolving rusnak.io (rusnak.io)… failed: Temporary failure in name resolution.
wget: unable to resolve host address ‘rusnak.io

or if I manually get the txt file and try and import I get

sudo rpm --import pgp.txt
error: pgp.txt: key 1 import failed.

If anyone is still having issues with this, I’ve published a definitive fix here. Let me know if you have any issues and I’ll be happy to help.

Hello! Did you ever get this problem solved? I’m getting this same error every time I try to verify:

sudo rpm --import pgp.txt
error: pgp.txt: key 1 import failed.

Please let me know if you found a fix!

Hello! Thanks for your awesome guide on using the Trezor Bridge.
Quick one for you - are there any particular settings you recommend for the VM to use to verify the pgp key? (first step)

I keep getting this error - I’m using a VM with a fedora-37 template and sys-whonix networking.

sudo rpm --import pgp.txt
error: pgp.txt: key 1 import failed.

Thanks for all your help in this thread - much appreciated.

I’ve tried it in qube based on fedora-39-xfce and it worked for me:

curl -O https://rusnak.io/public/pgp.txt
sudo rpm --import pgp.txt