What do you all call “pci device”? An internet modem? So, if I’m using an Internet modem, which cube I need to connect the modem to, so I can use the Internet without leaking into the clearnet?
Your Ethernet or Wireless controller (LAN / WiFi) that is using PCI bus. Or it could be USB adapter.
By default your PCI network controllers are attached to sys-net qube that is created by installer by default.
1 Like
I have an internal HDD with ~ 500 MB read/write speed. Is it enough to test Qubes on it? Still want to test Qubes in a safe environment before really use it “in the wild”, but have to choose the drive for the Qubes’ test. At the moment that HDD is the most possible and convenient option.
It’s enough.
1 Like
I tested QubesOS out by running it from a thumbdrive, because that was the only way I could install to that hardware. I knew it would be slow; I just wanted to see how it functioned–what the workflow was and how things interconnected. (Once I knew I wanted it I bought new hardware.)
1 Like
OK, I could install. It’s pretty slow (I suppose because of HDD), but works. There is USB mouse attached and when I entered Qubes it asked me to attach USB mouse to the dom0. As I understand sysnet cube asked this, because that cube was in the window that appeared. Why dirrectly in dom0? I decided do not do this before I ask here. There was written many times that dom0 must be used only for updating and nothing should be attached to it. During installation I checked tick about sysnet using usb cube to make working with modem possible. Is it somehow related (I mean, that it was sysnet who made the request)? So it means all usb devices that I will attach to the computer can connect to the Internet? Is it possible to avoid this?
And how high is risk if I will attach mouse to the dom0 as it asks? Is it better do not use mouse at all and use touchpad instead?
Yes.
Because dom0 needs the mouse input to use it for itself and to pass this input to other qubes.
Yes:
Yes.
If you have multiple USB controllers you can attach one of them to sys-net and use it only for your USB network adapter and attach all other USB controllers to sys-usb to use for mouse or other USB devices.
2 Likes
Thank you very much. Is this the manual how to do this? There also is written:
You said dom0 needs mouse to use it. But how mouse can be used by dom0 if mouse will be attached to sys-usb instead of dom0 so dom0 will not see it?
Yes.
Mouse can be attached from sys-usb to dom0 in the same way as any other USB device can be attached from sys-usb to any other VM.
1 Like
This is not how it works currently. sys-usb can’t attach anything to dom0 for obvious security reasons. In the case of mouse/keyboard, Qubes sends the input through Qrexec using input-proxy-sender and input-proxy-receiver. The sender resides in sys-usb where the mouse and keyboard are, and the receiver runs in dom0 and filters the events sent to it based on a specific list of actions.
2 Likes
Maybe it is simpler to rivert (is it possible?) that step when during installation process I chose sys-net and sys-usb mixing? Can I then manually assign modem to sys-net and leave all other usb devices for sys-usb by default? Maybe it would be simpler?
You can just clone sys-net and call it sys-usb. Then remove all USB controllers except for one from sys-net and remove all network controllers and the USB controller attached to sys-net from sys-usb.
So was enabling sys-net working with sys-usb during installation process a good choice? Now sys-net sends request about attaching mouse to dom0 instead of sys-usb who had do this by delault. It is less secure now to accept this request, am I right?
It’s less secure in the sense that you have both your network controller and your usb controller(s) together in the same qube. If you feel unsafe about this and want to keep them separate, then switch to a sys-net and sys-usb setup instead of the unified one.
If you are using a USB qube, which is your case with the unified setup, it can’t attach anything to dom0. If it could, it wouldn’t make sense to use a separate qube for each USB controller. All events are sent to dom0 through a “proxy” instead.
1 Like
OK. I chose this setup because I’m going to use usb modem for work with Internet instead of Wi-Fi, so if I separate them, then I can’t work with modem? Is there a way to separate them and still be able to work with usb modem? How to do this? I guess it’s: to attach usb modem to usb cube then to attach it to sys-net (net cube)? And if my method works, how to separate sys-net and sys-usb now without re-installing the system? I suspect there’s a simpler and more appropriate method to do this than what apparatus suggested.
Yes, you should be able to attach the modem from sys-usb to sys-net without issues.
First you need to turn off sys-net, detach all selected USB controllers inside the “Devices” tab in sys-net settings and then you will be able to create sys-usb using one of these salt commands (in a dom0 terminal):
# If using an USB keyboard:
sudo qubesctl state.sls qvm.usb-keyboard
# If not using an USB keyboard
sudo qubesctl state.sls qvm.sys-usb
If you are using an USB keyboard, manually verify that you have the following inside /etc/qubes-rpc/policy/qubes.InputKeyboard:
sys-usb dom0 allow,user=root
$anyvm $anyvm deny
Remove the line that references sys-net, if there is one.
Same thing for /etc/qubes-rpc/policy/qubes.InputMouse:
sys-usb dom0 allow,user=root
$anyvm $anyvm deny
1 Like
Thank you very much! No, I don’t have the usb-keyboard. So, if I don’t have it, do I still need make these steps described in quote or not?
I suppose I don’t need first line, but not sure about the rest in quote.
And hallo again, my friends! I connected successfully to my Wi-Fi internet using my test Qubes OS version and discovered few issues.
-
I quickly found where in Qubes you need to edit Tor config (torrc custom analogue). You know, they forbid you to edit torrc directly. So I edited it as I usually did in regular Tor Browser or in Tails and then failed to connect to Tor network. Then removed changes and connected successfully. Need to find out what’s wrong. What I edited:
I tried to exclude some nodes, using command:ExcludeNodes {country code}, {country code}.
Then added the line:StrictNodes 1and the line:EnforceDistinctSubnets 1
Typed them in from memory, so most likely made a mistake in some of the lines. I suspect in the first. First I typed colon after ExcludeNodes, then removed it but it didn’t help. Then removed {} from country codes, then removed spaces after commas - nothing helped. So I suppose there are some special commands, specially for Qubes or I still did something wrong? How to exclude nodes in Qubes Tor connection? Write the correct command for this purpose, please. I edited that special custom user config file from sys-whonix tab so I think it was correct file. -
Is there the mac address spooffing in Qubes OS? When I first tried to connect to Wi-Fi then many times I could not, until I remembered that I turned mac-address filtering in my router on. Then I searched in Qubes net settings tab and found something that I thought was the mac-address spooffing settings and set up true mac-address showing and then connected successfully.
If not, then yes, you don’t need to do the keyboard part at all.
I am not sure about this. I only found this in the whonix documentation:
Qubes automatically spoof the mac address when using wifi. You can turn this off in Network Manager if you’d like.
1 Like