Here is another customer question that was addressed to me that should have been addressed to the forum for obvious reasons, being Qubes OS related:
Sys-net stopped starting
I checked pci devices and reset.After that it started to boot but it wasn’t searching for networks so I was unable to connect to the WiFi network I use.
I thought that maybe it was missing a PCI device so I then checked and that didn’t work as I was unable to know which one to add or not.
Some interesting bits here are
- Why would a PCI device would be missing? Why would that have changed?
- Most probable cause here is driver problems linked to kernel upgrade
- Otherwise, Fedora probably having grown in memory footprint and drivers “disappearing” and wifi stack being messed up. Logs would help. Solution here would be to switch sys-net to debian instead of fedora template, or assign more memory to sys-net (Fedora is known to increase in memory footprint at every release, which a lot of other posts on the forum refer to and where I also have replied. The solution is definitely not assigning all unrelated to network PCI devices to sys-net.
- User decided to go wild without asking questions, leading to even more problems with the belief that free support should cover his mistakes on top of mistakes
- What if… the wifi slider was simply slide to off?
- What else could explain behavior, prior of doing not-so-easy-reversible and dramatic changes on the system?
This makes me think of the Qubes mini-summit 2022’s talk “Qubes Support stories” where Certified hardware sellers are considered liable for Qubes OS user related configuation errors.
This sometimes lead to user even reinstalling Qubes by themselves and still request direct free support instead of coming to the forum; even if their system is now Qubes OS, not having anything related to the OEM deployment.
This user report is such report, done on user’s behalf since doing 1:1 support simply doesn’t scale and doesn’t help anybody. Giving a fishing line is one thing, giving unlimited supplies of fish is another and the latter is not possible. But some users learn slower then others. And those users should be more careful doing massive and dramatic changes on their systems but they do not understand the impacts of what they are doing.
Later on the 1:1 discussion evolved a bit to:
I then moved all PCI devices from the left side to the right
side sys-net to see if that would fix the problem. Low and behold all of a sudden screen goes black and I am unable to see screen of qubes when I boot into it.I have tried restarting the pc several times. Just doesn’t work now.
Why on earth those customers do not contact at first problem being:
- sys-net is not detecting any network anymore?
No. Those users contact us when they assigned all their PCI devices to sys-net thinking this is a logical thing to do.
Why we love Heads
Going back to basics. Heads users have the possibility to boot from a trusted measured firmware state into Tails DVD ISO verified integrity/authenticity image using distribution detached signature verification, since Heads contains Tails distribution public signing key in the firmware (same applies to Qubes OS and Archlinux’s).
Users can consequently boot directly from a trusted firmware state to an amnesiac and verified ISO image directly, thanks to Tails doing things right with good privacy defaults, without having to install anything, while insalling things in RAM and through enforced Tor is also possible if Administrative passphrase is defined at boot, see below. This makes Tails ISO a good thing to have on a USB Thumb drive. Do that today if your platform is inisitalized through coreboot’s Heads linux payload.
For the end user, that means having a USB Thumb drive, formatted into ext3/ext4, where Qubes ISO and Tails ISO can be dropped there alongside of their distribution detached signature (basically iso and iso.asc files need to be dumped on the USB thumb drive.) This means that untrusted USB Thumb drive can have latest ISO alongside with your needed untrusted stuff, and your Heads booting platform will be able to boot from it when you need to.
As of today, that means end user can download and put on that USB Thumb drive, from an untrusted system (unfortunately, another Linux/MacOS system, Windows do not support Ext3/Ext4) the following files:
- https://tails.hivane.net/tails/stable/tails-amd64-5.4/tails-amd64-5.4.iso
- https://tails.boum.org/torrents/files/tails-amd64-5.4.iso.sig
That’s it.
Heads will verify authenticity+integrity prior of permitting to boot into Tails through Options → Boot Options → USB boot.
Heads verify it and propose ISO’s boot options:
Magical. Powerful. Useful.
Now the issue at stake.
This issue could also be named “I passed all my PCI devices to sys-net, now what” but could also be named “my network adapter stopped working, is it hardware related or Qubes related?” or again “How can I recovery my Qubes installation” which this post would permit users to boot into Tails and use that as a good base to do all kind of stuff, where shutting down the machine will leave no trace and where Heads will pick up any boot related changes that were previously verified.
Having another way of booting/recovering the system is always needed. So at this point, I consider Heads user being able to boot Qubes installer or Tails from actual Heads documentation.
To go back to this user support request, how to actually follow upstream documentation’s Autostart troubleshooting | Qubes OS under Heads? The only hint there is
For Qubes OS R4.0 in UEFI mode, there is no GRUB, so manual boot from another operating system is needed.
Under Heads, grub files are parsed and used to boot the system, where the guidelines there should be used to modify grub.cfg config from a booted operating system (the easiest solution) otherwise requiring individual hacks to get around protections that would be one-fits-all if you had a recovery system to be able to boot from USB for whatever other problem you might come into in your lifetime using Qubes). You could edit config file from heads, remounting /boot in rw (mount -o remount,rw /boot) and then learning vi to edit grub.cfg, saving changes and remounting in read only to sync changes on the disk. Who has technical knowledge to resolve this since the user who did the initial user error was not knowledgeable enough to understand that passing all PCI devices to sys-net would break the system?
Botting into Tails and have graphical editor fits the bill here. Otherwise, requiring unlimited supplies of fish fixing unlimited number of issues.
How to disable autoboot of system qubes (sys-net/sys-usb/sys-gui from another bootable system?
From Autostart troubleshooting | Qubes OS, the solution to the problem is pretty straigthforware: add qubes.skip_autostart
as a kernel option.
Ok… But… How?!
-
Boot into verified Tails from Options → Boot Options → Boot from USB
-
Cutomize Tails by adding additional functionality (+)
-
Add Administrative password to be able to do changes on the system
-
Start Tails. Here you can also connect to network to see if any hardware faults are present
-
Launch a Administrative Terminal (Root Terminal)
-
Mount main disk (sda is USB, so main drive is sdb, boot is sdb1) into /mnt
-
Launch a graphical text editor, here gedit, to edit /mnt/grub2/grub.cfg. Good additional advice here would be to
cp /mnt/grub2/grub.cfg to /mnt/grub2/grub.cfg.bak
so that it can easily be moved back when we finish our surgical operation here and everything is working as expected again)
-
We add
qubes.skip_autostart
in the first grub entry found, appending to the firstmodule2
line we see.
-
We save the changes. We just tampered with grub.cfg, which Heads will complain about later on
-
We reboot
-
Launching default boot option will have Heads complain. We won’t update checksums now. Say No!!!
-
We will instead boot in unsafe mode the first option we modified
-
We can see if we check carefully that our added
qubes.skip_autostart
is passed to Qubes
-
We see that no qubes are automatically started
-
We fix things and make sure that things are as expected. We can then start a normal workflow here. We are under Qubes, we just prevented any qubes from starting automatically. We can start things manually here, which is the goal of the operation.
-
We Apply, save and reboot, and boot again with second boot option (unmodified)
-
We see our option not being passed to kernel
-
Typing
ESC
keyboard’s key show qubes are starting
-
We make sure the wifi slider is in ON state
-
Reboot into Tails to move grub.cfg.bak backup into its original location to be able to boot the normal way into verified Heads detached signed configuration by re-doing steps 1-7 above, and then do from terminal :
mv /mnt/grub2/grub.cfg.bak /mnt/grub2/grub.cfg
as a replacement to step 8’s command. Reboot default boot Heads’s configuration. ( You just undid all the bold and too wild move of assigning all your PCI devices to sys-net. Congratulations).
If there is a different issue, that your network devices are actually working inside of Tails but not under Qubes OS, that you are suffering from a change that happened after upgrading your kernel, or upgrading your Fedora template or whatever else, please search the forums and qubes issues over github and do not hesitate to open an issue/new forum post that doesn’t exist yet or to comment on one that already exists, even tagging (@people) if you need direct involvement.
But please. Do not contact me directly for Qubes OS support. Tagging me in the forum on something that will benefit someone else then yourself alone should be the way. And yes, I might become angry if you do that over and over and do not understand when I say to open an issue on the forum and I make the searches at your place and you ask forever more for free… I love Qubes, as many others, and I rely on the forum myself to have the community think/collaborate on issues I cannot resolve myself. You should do the same so that it benefits all.
Where matters of Heads related discussions here will lead into proper entrees under Heads wiki. I am not a documentation expert. Learned a lot but most of the times, others will be better then myself at being short and spot-on, where I propose sometimes longer solution and become tired of saying the same things all the time. This is why I’m answering to this question here. Fishing line, not unlimited supplies of fish. Aho.