Locked out of entering LUKS password after creating sys-usb - portable m2 ssd - crypto reward!

Hi all,

Firstly, I am happy to pay $200 in any crypto of their choice to anyone who helps me!

I created a sys-usb qube post-installation via sudo qubesctl state.sls qvm.sys-usb found at USB qubes | Qubes OS

Qubes is on my portable m2 ssd in a sabrent enclosure.

Now I cannot log in to my system. Qubes does boot, but where I normally enter my LUKS password the field doesn’t appear and I am effectively locked out.

Please, if anyone thinks they have even an idea of what to do, let me know! Really appreciated.

Thanks a lot.

1 Like

This shouldn’t be difficult.

Firstly, remove rd.qubes.hide_all_usb from GRUB when it comes up. Then, when Qubes boots, remove sys-usb.

If that doesn’t work, then you need to create another install media and boot it. When you do, choose the option that says something like “Recover existing installation.” The first step will likely fix it, but if you get to this step, please check back and I can guide you from there. (I don’t remember the exact steps to take off the top of my head, but you mount the LUKS/LVM and perform a chroot and remove sys-usb, etc.)

1 Like

Hi,

Before I attempt anything, what exactly do I do to use the command rd.qubes.hide_all_usb from GRUB? Do I do this before I select Qubes to boot? Is the full command rm rd.qubes.hide_all_usb?

I am not super technical (god knows why I tried to set up sys-usb) so that second option sounds scary too haha!

Thanks for your reply!

Honestly, I use coreboot+Heads, which bypasses GRUB. But if memory serves me correctly, you should hover on the selection, and there should be a key to press to edit it before booting.

Thanks, will give it a go!

Press e on a GRUB entry to edit it, then you can press “ctrl+e” to put the cursor at the right and you can type the boot command line argument, and press F10 to validate the input.

Hi,

Just replying to this. I could not find rd.qubes.hide_all_usb after pressing ‘e’ at the GRUB menu. I found this (second photo is the right half of the screen).

Had to make a new post because new users can only attach one embedded item haha.

Apologies for the dirty laptop…

Remove usbcore.authorized.default=0, that should be the problem.

What it does when it is present is remove all non-input USB devices from dom0, including the M.2 drive, so removing that from GRUB should allow you to access your installation.

1 Like

Progress!

I got excited then - the password field does appear, I entered it and it loaded but hung at this screen.

Thank you so much for responding, feel like we are nearly there!

My system is on a USB-C M2 Sabrent enclosure which I think makes this more tricky??

Hi,

Reading this:

What it does when there is remove all non-input USB devices from dom0, including the M.2 drive, so removing that should allow you to access your installation.

I think this is going to be a problem then, as my installation is on the M.2 drive (connected by USB-C sabrent enclosure)!

I’m not exactly sure what is happening here. The fact that it tries to mount the fs readonly makes me think that it’s a problem with the drive, but the fact that that fails and Occam’s razor tells me it’s just something missing from the picture. (I’m pretty sure Qubes on an external drive isn’t simple as Qubes isn’t designed to be run this way. Creating a sys-usb likely changed how USB is handled, which we will have to reverse.) Right now I have something important to attend to, but someone else will likely respond and help. If not, I’ll do the looking and get back here when I’m done.

In the meanwhile, I’d recommend trying some little things like testing different USB ports and a different laptop if you have one. If that fails (or you don’t have another laptop), I’d make a new install USB in case it’s needed (if you don’t still have the old one.)

I apologize, what I meant is that having usbcore.authorized.default=0 does all that. I was explaining why it needed to be removed. Removing it undoes these things.

Do you think if I took the actual M2 drive out of the enclosure and put it directly in my laptop that might work? Then I could remove sys-usb if I am able to login, then return the m2 to the enclosure!

I don’t think it’s to do with the ports. I was able to use either of the USB-C ports on my laptop prior to this sys-usb thing.

Please do return - if someone else does find a solution, I will still send you some crypto for your time and effort! Thanks.

I was just about to respond; I remembered why this isn’t working: when it’s booting, sys-usb tries to boot and steals the USB controller.

This will work (taking the actual M2 drive out of the enclosure), but you can also edit GRUB again and add qubes.skip_autostart. Both should get everything running again, but the first thing you need to do when you log in is delete sys-usb and:

  • Open the file /etc/default/grub in dom0.
  • Find the line(s) that begins with GRUB_CMDLINE_LINUX.
  • If rd.qubes.hide_all_usb appears anywhere in those lines, remove it.
  • Save and close the file.
  • Run the command grub2-mkconfig -o /boot/grub2/grub.cfg in dom0.
  • Reboot

I do have to go now or I will be late.

3 Likes

They may need to add either qubes.skip_autostart=1, or possibly qubes.skip_autostart=sys-usb. Just mentioning it in case the ‘qubes.skip_autostart’ didn’t work on its own, but I’m not entirely sure.

1 Like

Hello,

Adding qubes.skip_autostart enabled me to get to the lock screen and in to my system!

I followed those steps after, rebooted with no GRUB edits but it still got locked at LUKS passphrase section. However, removing usbcore.authorized.default=0 allows me to use my system as normal (auto start works too).

Is there any way to permanently edit GRUB to not include usbcore.authorized.default=0?

Please return - need to send you crypto!

2 Likes

I’m glad that Xmachina helped and solved it! 🙂 Now that you are in, I advise first taking a backup of the data you need on the system, and referring to the documentation to un-deploy sys-usb if there are additional steps I missed besides deleting

In a dom0 terminal, modify the GRUB file with:

sudo nano /etc/default/grub

Remove: usbcore.authorized_default=0 in GRUB_CMDLINE_LINUX. Also IMPORTANT: don’t delete anything else there at all.

You can then update GRUB in a dom0 terminal by using: sudo grub2-mkconfig -o /boot/grub2/grub.cfg
Reboot the system after that to test, once you have taken a backup of course.

Updated: sorry, added corrections.
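
The two sets of steps above (edit /etc/default/grub, remove one parameter from GRUB_CMDLINE_LINUX, touch nothing else, then regenerate) can be done without hand-editing. The following is an added example, not part of any post in this thread: the function names and the sample file are constructed for illustration, and the parameter is passed as an argument because the thread spells it two ways, so pass the spelling your own file contains.

```shell
#!/bin/sh
# Added example: drop exact kernel parameters from the GRUB_CMDLINE_LINUX*
# lines of a grub defaults file, leaving every other line and token intact.

remove_grub_param() {   # usage: remove_grub_param FILE PARAM [PARAM...]
    file=$1; shift
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }
    cp -p "$file" "$file.bak" || return 2      # keep a copy to roll back to
    awk -v drop="$*" '
        BEGIN { n = split(drop, d, " "); for (i = 1; i <= n; i++) bad[d[i]] = 1 }
        /^GRUB_CMDLINE_LINUX[A-Z_]*="/ {
            eq   = index($0, "=")
            name = substr($0, 1, eq)           # e.g. GRUB_CMDLINE_LINUX=
            val  = substr($0, eq + 2)          # text after the opening quote
            sub(/"[ \t]*$/, "", val)           # strip the closing quote
            m = split(val, tok, /[ \t]+/); out = ""
            for (i = 1; i <= m; i++)           # exact token match, no regex
                if (tok[i] != "" && !(tok[i] in bad))
                    out = out (out == "" ? "" : " ") tok[i]
            print name "\"" out "\""; next
        }
        { print }
    ' "$file.bak" > "$file"
}

grub_has_param() {      # usage: grub_has_param FILE PARAM -> exit 0 if present
    awk -v p="$2" '
        /^GRUB_CMDLINE_LINUX[A-Z_]*="/ {
            line = $0; gsub(/"/, " ", line); sub(/^[^=]*=/, " ", line)
            n = split(line, t, /[ \t]+/)
            for (i = 1; i <= n; i++) if (t[i] == p) found = 1
        }
        END { exit !found }
    ' "$1"
}

make_sample() {         # constructed sample, not a real dom0 file
    cat > "$1" <<'EOF'
GRUB_TIMEOUT=5
GRUB_CMDLINE_LINUX="rd.luks.uuid=luks-PLACEHOLDER rd.lvm.lv=qubes_dom0/root rhgb quiet"
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX usbcore.authorized_default=0"
GRUB_CMDLINE_XEN_DEFAULT="console=none"
EOF
}

# In dom0, after reviewing the edited file (command as given in the thread):
#   sudo grub2-mkconfig -o /boot/grub2/grub.cfg
```

Run it against a copy first and compare the result with the .bak file it leaves behind; when applied to /etc/default/grub in dom0 it needs root.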