Please help: /boot on external USB with sys-usb / sys-net

Hello community. I hope someone can help figure this out. I have done everything as written in the custom installation guide, but with /boot on an external USB device for an extra layer of security. I need sys-usb for my YubiKey and some other devices, but if I enable sys-usb, the devices work but my /boot USB also gets restricted.

The problem:
After creating sys-usb, /boot gets restricted. I can only access the system by entering qubes.skip_autostart in GRUB, but after the system starts my /boot in dom0 is empty. That's not a solution. I cannot use rd.qubes.dom0_usb=<BDF>, because I only have one controller, so all devices would be ignored. It's making me crazy.

My installation:
/boot - external USB drive
everything else - internal SSD

How can I tell sys-usb to ignore my /boot USB device? Or can I map that device as a system device, or how can I tell sys-usb to treat that USB device just like my USB keyboard? Or something with sys-net? What is that option for? I have my system perfectly configured, so I really don't want to destroy it again just to reinstall with /boot internal too. Hope someone can help. Thanks.

I don't think you can. But let's check what others will say. I'm not the best at this.

Run the following in dom0 and tell me the output (it should be either 0 or 1; ignore all other text):

$ grep 'hide_all_usb' /etc/default/grub ; echo $?

If it's 0, before we make permanent modifications, restart your computer and when you get to GRUB press E and remove the following:

rd.qubes.hide_all_usb

Then proceed with boot.

Hi, the current stage is "clean". I no longer have sys-usb because of the problems. Just for info:

$ grep 'hide_all_usb' /etc/default/grub ; echo $?
1

If you want, you can reinstall sys-usb and then try the above, and if it works, make it permanent.

What stage?

Did you run it with or without the $ at the beginning?

No mate, I had installed sys-usb the first time I installed Qubes. Then came all the troubles with the /boot partition, so I decided to reinstall the whole system again. Now I have the "clean" install without sys-usb created. But if you think we can make it work, I can install sys-usb now.

Did you run it with or without the $ at the beginning?
Without.

I am installing it now with:

```
sudo qubesctl state.sls qvm.usb-keyboard
```

Got it. If you're willing to do some troubleshooting, it may play in your favor. Otherwise all USB devices will connect directly to dom0.

Up to you to choose security vs convenience.

That's for the USB keyboard though; it doesn't affect our use case.
What you're looking for is: qvm.sys-usb

OK, done. sys-usb is installed now.

grep hide_all_usb still returns 1

grep 'authorized_default' /etc/default/grub

Do you have that line?

Now this has been added:
usbcore.authorized_default=0

If nothing shows when you run grep 'hide_all_usb' /etc/default/grub, then I think you should be safe to reboot.

If it doesn't let you boot, you may have to chroot into dom0 from the installer and detach the PCI devices from sys-usb.
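As an added example (not from this thread and not Qubes' own tooling): a small POSIX shell script that reads GRUB_CMDLINE_LINUX from a copy of /etc/default/grub, reports what dom0 will see of its USB controllers (rd.qubes.hide_all_usb, an rd.qubes.dom0_usb= allowlist, or only usbcore.authorized_default=0), and strips rd.qubes.hide_all_usb, which is the permanent form of the one-time "press E in GRUB" edit above. The file contents and function names are mine; run it against a copy, and on a real dom0 you would still have to regenerate grub.cfg with grub2-mkconfig afterwards.

```shell
#!/bin/sh
# Added example: inspect and edit the USB-related kernel parameters in a
# grub defaults file. All paths are passed in, so nothing touches the real
# /etc/default/grub unless you point it there.

# Print the value of GRUB_CMDLINE_LINUX from the given grub defaults file.
grub_cmdline() {
    sed -n 's/^GRUB_CMDLINE_LINUX="\(.*\)"$/\1/p' "$1"
}

# Return 0 if the exact parameter (name, or name=value) is on the cmdline.
has_param() {
    # $1 = file, $2 = parameter
    grub_cmdline "$1" | tr ' ' '\n' | grep -qxF -- "$2"
}

# Classify what dom0 will see at boot:
#   hidden                   rd.qubes.hide_all_usb, no allowlist -> a USB /boot
#                            is invisible to dom0 (the symptom in the thread)
#   hidden-except-allowlisted rd.qubes.hide_all_usb plus rd.qubes.dom0_usb=<BDF>
#   visible-unauthorized     controllers visible, devices need usbcore authorization
#   visible                  plain dom0 USB
usb_visibility() {
    f=$1
    if has_param "$f" rd.qubes.hide_all_usb; then
        if grub_cmdline "$f" | tr ' ' '\n' | grep -q '^rd\.qubes\.dom0_usb='; then
            echo "hidden-except-allowlisted"
        else
            echo "hidden"
        fi
    elif has_param "$f" usbcore.authorized_default=0; then
        echo "visible-unauthorized"
    else
        echo "visible"
    fi
}

# Remove rd.qubes.hide_all_usb from GRUB_CMDLINE_LINUX, writing via a temp
# file so it works with any sed. Regenerating grub.cfg is still up to you.
drop_hide_all_usb() {
    sed '/^GRUB_CMDLINE_LINUX=/s/ *rd\.qubes\.hide_all_usb//' "$1" > "$1.tmp" \
        && mv "$1.tmp" "$1"
}

# Demo on a constructed copy of /etc/default/grub (not a real system file).
demo=$(mktemp)
cat > "$demo" <<'EOF'
GRUB_TIMEOUT=5
GRUB_CMDLINE_LINUX="console=tty0 rd.luks.uuid=luks-0000 rhgb quiet rd.qubes.hide_all_usb usbcore.authorized_default=0"
EOF
echo "before: $(usb_visibility "$demo")"   # hidden
drop_hide_all_usb "$demo"
echo "after:  $(usb_visibility "$demo")"   # visible-unauthorized
rm -f "$demo"
```

Note that "visible-unauthorized" is the state the poster ends up in after the qvm.usb-keyboard formula: the controller stays in dom0, so a USB /boot can be mounted, and only per-device authorization is withheld.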

Last time, if I do it now without modifying anything, the system will not boot, because USB is restricted and
the LUKS partition will not open after entering the passphrase.

When you configured Qubes OS the first time, sys-usb was automatically installed using the qvm.sys-usb formula.

Now you said you installed sys-usb with the qvm.usb-keyboard formula, which does not add the hide_all_usb parameter to GRUB.

Yes, the first time Qubes did not install sys-usb automatically because I have a USB keyboard attached and it was greyed out, but with this: USB qubes | Qubes OS

I installed it afterwards.

How to create a USB qube for use with a USB keyboard

If you're reading this section, it's likely because the installer did not allow you to create a USB qube automatically because you're using a USB keyboard. This section will explain how to create a USB qube that you can use with your USB keyboard. This section assumes that you have only a single USB controller. If you have more than one USB controller, see how to enable a USB keyboard on a separate USB controller.

First, make sure you have the latest qubes-mgmt-salt-dom0-virtual-machines package by updating dom0. Then, enter the following command in dom0:

sudo qubesctl state.sls qvm.usb-keyboard

If I reboot now, GRUB will load and I enter the passphrase; OK up to here. But then, because of sys-usb I think, the LUKS partition is not found and unlocked.

With the command qubes.skip_autostart I can boot into the system again.

At this point I just want sys-usb to ignore my SanDisk USB with the /boot partition completely. lol

How do I do that?

Then what's the matter?

You can't. It works on controllers, not single devices.

Then what's the matter?

Yes, it would be OK, but
the problem here is only that /boot in dom0 is completely empty after boot, not mounted. And I think on updates or something Qubes needs to write data to /boot, or not?

Read this: