My convertible tablet contains two USB controllers, and keyboard and mouse rely on USB. To attach an ethernet-USB adapter I understand that it makes sense to do this in a separated USB qube.
I’ve read the docs on USB qubes, the option to use a separate qube is mentioned. During setup one USB qube was already created, everythnig works fine.
Now I tried to create an additional USB qube for the ethernet adapter and for that I need to detach one USB controller from the already existing USB qube. For that, it says, I need to stop the qube.
But how do I do that? As I understand it, stopping would disconnect my keyboard and mouse, so I would get stuck.
sys-usb qube is a HVM disposable system on which all the USB controllers are attached. Qubes OS provides an utility (on the top right corner on the default installation) to safely assign an usb device to a qube through sys-usb, so you never connect directly an usb device to a “trusted” qube.
in your case, you have an usb device (which is an ethernet interface), so it works as usual, it’s connected on sys-usb and you need to pass it to sys-net to make it available for networking
Yes, thank you for the explanation. What I was concerned about is, shouldn’t the ethernet device be separated from the other USB devices (keyboard and mouse)? So that a compromised ethernet driver cannot influence e.g. key input. Since there are two controllers, shouldn’t they kept seperate?
But if you do decide to do so, yes, it’s tricky because you have to shut down the original usb qube at which point you have no keyboard and mouse.
However, all of these commands (shut down, reassign controllers, start both USB qubes) can be put into a shell script and then that script can be run. You can also, before invoking the script, set up a cron job (with crontab–you can do a man on it and experiment with it beforehand) to run in about ten minutes to restart your (main) usb qube, just in case all of this fails.
(I actually have a cron job that runs every minute to start the usb qube, if it isn’t running, just in case I accidentally stop it. It has saved me a few reboots.)
Ok, thank you much for that explanation! I know about such tools, but was unsure whether something like that is really required or whether there’s an easier (and safer, official) way I overlooked. After all, cutting oneself off from the keyboard sounds too stupid.
Every once in a while I find myself completely rebuilding my qubes for some reason or another, and getting past sys-net, sys-wifi, sys-cacher, and sys-usb are always tricky because the first three are part of the pathway used to install software, and sys-usb…well, if the process dies partway through you’ve got a situation, as you know. For the first three, I typically have a script that clones the template, dvm template and actual dvm, then switches everything over to use the clones (that includes qubes that use them for networking, but there are also some global settings (the ones controlled by qubes-prefs) that must be minded). This involves shutting a few things down (but not as many as you might think). Then I can delete and rebuild the originals without issue, and switch back. Once satisfied I haven’t borked anything, I delete the clones. (If something is wrong with the new qubes, the clones are basically the same as the old qubes, so they’re a good backup.)
solid question. I actually ran into this problem on my second installation. Sys-net has my USB controllers by default. Since sys-net is least trusted, it would go without question that USB controllers should be in a separate vm right?
I see people here saying they have USB controllers. If so, they should separate each controller to it’s own sys-usb qube. After identifying which USB port is connected to which controller, they should use ports accordingly, especially those that connects directly to internet in order to reduce poisoning controller attack surface which isn’t connected to internet.
Also, the same applies when putting each network device to its own sys-net (and to its own sys-usb when using USB network device - naming here is irrelevant: sys-net that contains only USB network device is the same as sys-usb that contains that very same device while “Provides network” is checked in settings of the latter).
i’ve tried moving usb controllers to a seperate vm but since i checked that sys-net were to have access to usb controllers, dom0 doesnt seem to allow other sys-xxx to have usb controllers. I instead cloned sys-net and gave sys-net-clone access to network devices. However, if i renamed sys-net to sys-usb (as it only has usb controllers now), dom0 still doesnt want to connect to it lol. Dom0 is petty for this but i’ll take this as a W
I have a similar problem:
I want to use the bluetooth controller which is attached by default to sys-usb for pairing a wireless mouse. So what is the best way to do it?
I want to use the bluetooth mouse VM-wide…
