Locked myself out after creating Sys-USB

I am a beginner to Qubes and Linux.
I created a Sys-USB and locked myself out. I am running Qubes on a NUC set up, without any PS/2 port.
I don’t think I have legacy boot. I see commands that I can press prior to the screen requesting a login, but it won’t register any inputs.
Any idea how to proceed?
Thank you

I see you have already found this thread and the advice given there is sound. There are many ways for you to obtain a “LiveCD” … which means a CD or USB stick with a live Linux system you could boot into. A friend or colleague could create one for you or maybe you can by a Linux magazine … they often have such media attached to them.

Thanks. I saw the other documentation on how to create a LiveCD and used Rufus to create it according to the documentation.
When I plug in the USB, the system does not recognize it and it just skips to the screen requiring the password.

qubes.skip_autostart is the answer you seek :slight_smile:

1 Like

@alzer89 I understand his trouble to be much earlier: actually getting the computer to boot from the LiveCD system.

@rapidtest … did you press F10 and select the media when booting?

Thanks. F10 worked. Was able to select my Live USB.
Now I enter the GMU GRUB version 2.04 menu.

With several options:
Troubleshooting - verbose boot and Install Qubes
-Rescue a Qubes OS system

I could also press c for a command line

Simply add kernel parameter, on grub menu press e to edit, then add qubes.skip_autostart in line that has rhgb quiet, in the same line if there’s rd.qubes.hide_all_usb delete that, then f10 to boot with this parameter.


Thank you!!! This solved it

Would the following two functions recreate the sys usb and allow keyboard to work

qvm-remove sys-usb

sudo qubesctl state.sls qvm.usb-keyboard

EDIT - Removed because it was posted in the wrong thread. My apologies for the confusion.

Yes, @Sven is right. to enter the BIOS.

@rapidtest, there isn’t really any need to do this.

What I would recommend is:

In dom0 add the following line to the file /etc/qubes-rpc/policy/qubes.InputKeyboard:

sys-usb dom0 allow
$anyvm $anyvm deny

This means that you are telling dom0 to automatically accept keystrokes from anything that presents itself as a keyboard on any of your USB buses (including “rubber duckies”, or any other device that you plug in and tells your machine that it has keyboard functionality).

(It’s important that you fully understand what this means, and the secondary consequences of this, to prevent unnecessary avoidable self-pwnage)

After you do this, your sys-usb should function properly.

As long as sys-usb start on boot, you should be fine.

No actually it’s right thing to do to run qvm.usb-keyboard, what he don’t need is, removing current sys-usb vm.

it’s delete the rd.qubes.hide_all_usb from grub config, and add qubes.inputkeyboard policy, then regenerate grub config. He still locked out from entering disk encryption because sys-usb not yet started.

Correct. @51lieal is right. I forgot the rd.qubes.hide_all_usb grub kernel parameter. I knew I forgot something…

This will help many to revive broken qubes systems as I have wasted days and weeks of my time trying to revive my systems many times and nothing worked. I created sys-usb and got locked out few times. None of those instructions found in the internet worked as they may be outdated.

My system: Qubes OS 4.1.1
PC with no PS/2 mouse capability

Recovery process:

  1. Make a bootable USB stick of 4.1.1 for a different computer or from a friend. You can download the iso file and use Rufus tool to make that.

  2. Boot it and enter Troubleshooting and rescue mode.

  3. In rescue mode press 1 and it will say your system is not linux and press Enter will give you a shell. (Directly pressing 3 may also work)

  4. Run lvdisplay command to see all the logical volumes present. (my disk is not encrypted and I can see all of them. If you have encrypted disk you may go through further steps to decrypt it 1st)

  5. All the logical drives seem to be ‘Inactive’ and they cannot be mounted now.

  6. Run vgchange -ay qubes_dom0 to Activate those (please check the _ or - in qubes_dom0 on the lvdisplay, forgot the actual one)

  7. Run lvscan will show them as ‘Active’ now

  8. Run mkdir /mnt/root

  9. Run mount /dev/qubes_dom0/root /mnt/root

  10. Run vi /mnt/root/etc/qubes-rpc/policies/qubes.InputKeyboard and add ‘sys-usb dom0 allow’ as the first line without the quotes

  11. Run vi /mnt/root/etc/qubes-rpc/policies/qubes.InputMouse and add ‘sys-usb dom0 allow’ as the first line without the quotes

  12. Open the file /etc/default/grub and find the line GRUB_CMDLINE_LINUX and remove rd.qubes.hide_all_usb in that line if present

  13. mkdir /mnt/root/etc/boot/grub2

  14. Run grub2-mkconfig -o /mnt/root/etc/boot/grub2/grub.cfg

Item 13 and 14 may not be necessary but I did it.

Now, if you have encrypted disk you may use the following to decrypt the disk 1st and then follow the steps:

1 Like

Where does grub.cfg in 14 come from?
Should be /mnt/root/etc/default/grub in 13?
Does grub2-mkconfig have effect?

Hey thank you for this instruction but I messed up a lot worst. I run my qubes on external SSD and now I am not able to even boot the system after I messed up the sys_usb

This sadly happens to a lot of people (taken from the memes discussion)

One thing that helps…provided of course you remember to do it, and sometimes I do not, is to go into the sys-usb settings and turn OFF start on system boot before starting to monkey with it. That way if you are forced to reboot at least sys-usb won’t cause a problem on restart.

Another, somewhat contradictory one is to have a cron job that (re) starts sys-usb every minute. If your difficulty stems from shutting down sys-usb by mistake or stupidity, this will solve that.

However, you should disable the cron job before monkeying with sys-usb too, or it will start sys-usb very shortly after you log in, just after you thought you were home free because you could type your password after a reboot.

The two tips probably shouldn’t be used at the same time!