I am a newbie with some unix/linux experience. I have read everything I can in qubes substack about configuring USB drive and I reinstalled Qubes twice (had a usb connected keyboard first time). I now have Service:sys-usb installed but when I click on Data Devices it still shows my usb thumbdrive as a flash disk() instead of under USB. So I am not sure if that is working correctly.
Secondly, I can’t get my ledger live to install/work correctly and find my ledger and am not sure if it is because my usb is not setup correctly.
When I start LedgerLive I get the following error:
libva error:vaGetDriverNameByIndex( failed with unknow libva error, driver_name = (null)
Any help would be greatly appreciated.
THanks,
David
About to head down this same path with Ledger Live and NanoX Plus. Any help appreciated.
Good luck. I’m on install 4 and still can’t get it to work. If you do please let me know.
When I plug in my ledger and then use the command “lsusb” it does show my ledger but the ledger live app won’t recognize it.
Try this:
-
Make a clone of the debian-11-minimal template.
-
Install these packages in the new template:
qubes-core-agent-networking qubes-usb-proxy openssl fuse libnss3 libasound2 libatk1.0-0 libatk-bridge2.0-0 libgtk-3-0
-
Create a qube based on this template.
-
Download the Ledger Live AppImage from the official site.
-
Authenticate the AppImage according to Ledger’s instructions. The commands should look something like this:
openssl dgst -sha256 -verify openssl-public-key.pem -signature ledger-live-desktop-<VERSION>.sha512sum.sig ledger-live-desktop-<VERSION>.sha512sum
sha512sum -c ledger-live-desktop-<VERSION>.sha512sum
-
Make the AppImage executable:
chmod +x ledger-live-desktop-<VERSION>-linux-x86_64.AppImage
-
Start the AppImage.
-
Start your
sys-usb
. -
Physically plug your Ledger into a USB port.
-
Use the Qubes Devices widget to connect your Ledger device to your Ledger qube.
I’m not sure if special udev rules are still necessary, but this page has information on that and much more:
I made a Ledger StandaloneVM some time ago and the only step I had to do was to install the udev rules to find the Ledger and connect to it after attaching it with sys-usb.
Here’s a script from Ledger: udev-rules/add_udev_rules.sh at master · LedgerHQ/udev-rules · GitHub
If you want to install it quickly use this:
wget -q -O - https://raw.githubusercontent.com/LedgerHQ/udev-rules/master/add_udev_rules.sh | sudo bash
Note that you need to install the rules inside the VM that will use the Ledger.
Thanks for the information adw. I followed your directions and I still get the same libva error. I am giving up on Qubes. It’s just such a POS. I have 25+ hours into this, at least 4 OS installations and lord knows how many ledger installations and still can’t get it to work. Meanwhile today I downloaded Ubuntu and installed it on a thumb drive, booted it up and downloaded ledger live and had my ledger device running and connected in about a half hour. It’s pretty much the same installation but it actually freaking works. I’m sure there is a security benefit to Qubes probably because nooone wants to waste time on getting it to work. lol Sorry, I’m bitter and angry and venting. Maybe I’ll try it again some other day.
Not sure what to tell you. It works for me, so I shared the information I had. There is always a trade-off between security and convenience. You’re trying to do something a bit more advanced that involves a lot of different interacting components. It probably would’ve been even easier on Windows, but that’s fairly meaningless without the context of your goals and threat model.
Thank you for taking the time to reply. I really appreciate that. I am frustrated with Qubes, and definitely not with you or your advice. Thanks again adw.
Came here from google. This thread is the top of seo for “Qubes Ledger Usb”
Anyways having similar issues.
I discovered that the Ledger appimage can’t access
/dev/draw0
I’ve tried from a fedora and debian template. Followed the instructins above.
Will add more details if I can get this working.
"message": "Found a device, creating HID transport instance ...",
"message": "Error while connecting to device: TypeError: cannot open device with path /dev/hidraw0",
"message": "Found a matching Transport: hid",
"message": "Error while opening transport: TypeError: cannot open device with path /dev/hidraw0",
"message": "Sending IPC request",
"message": "Received open transport request",
"message": "Open called on registered module",
"message": "Devices detected during open: 1",
Ok got it working.
The problem is Ledger Live needs root access to /dev/hidraw0
My minimal qubes don’t have qubes-core-agent-passwordless-root installed. So I’m running apps as non root.
The work around is this:
- open xterm in dom0. alt+f2 opens search. type in xterm and hit enter
- in dom0 terminal open the ledger qube like this:
$ dom0 xterm: qvm-run -u root ledger xterm - Now you can open the app image from the ledger terminal
$ /home/user/Applications/ledger-live-desktop-2.92.0-linux-x86_64.AppImage --no-sandbox
A better solution is to install qubes-core-agent-passwordless-root
on the template vm… but security concerns. I have not tried this yet.
Still this is probably more secure then raw-dawging ubuntu on bare metal.
hypervisor for the win