My convertible tablet contains two USB controllers, and keyboard and mouse rely on USB. To attach an ethernet-USB adapter I understand that it makes sense to do this in a separated USB qube.
I’ve read the docs on USB qubes, the option to use a separate qube is mentioned. During setup one USB qube was already created, everythnig works fine.
Now I tried to create an additional USB qube for the ethernet adapter and for that I need to detach one USB controller from the already existing USB qube. For that, it says, I need to stop the qube.
But how do I do that? As I understand it, stopping would disconnect my keyboard and mouse, so I would get stuck.
sys-usb qube is a HVM disposable system on which all the USB controllers are attached. Qubes OS provides an utility (on the top right corner on the default installation) to safely assign an usb device to a qube through sys-usb, so you never connect directly an usb device to a “trusted” qube.
in your case, you have an usb device (which is an ethernet interface), so it works as usual, it’s connected on sys-usb and you need to pass it to sys-net to make it available for networking
Yes, thank you for the explanation. What I was concerned about is, shouldn’t the ethernet device be separated from the other USB devices (keyboard and mouse)? So that a compromised ethernet driver cannot influence e.g. key input. Since there are two controllers, shouldn’t they kept seperate?
But if you do decide to do so, yes, it’s tricky because you have to shut down the original usb qube at which point you have no keyboard and mouse.
However, all of these commands (shut down, reassign controllers, start both USB qubes) can be put into a shell script and then that script can be run. You can also, before invoking the script, set up a cron job (with crontab–you can do a man on it and experiment with it beforehand) to run in about ten minutes to restart your (main) usb qube, just in case all of this fails.
(I actually have a cron job that runs every minute to start the usb qube, if it isn’t running, just in case I accidentally stop it. It has saved me a few reboots.)
Ok, thank you much for that explanation! I know about such tools, but was unsure whether something like that is really required or whether there’s an easier (and safer, official) way I overlooked. After all, cutting oneself off from the keyboard sounds too stupid.
Every once in a while I find myself completely rebuilding my qubes for some reason or another, and getting past sys-net, sys-wifi, sys-cacher, and sys-usb are always tricky because the first three are part of the pathway used to install software, and sys-usb…well, if the process dies partway through you’ve got a situation, as you know. For the first three, I typically have a script that clones the template, dvm template and actual dvm, then switches everything over to use the clones (that includes qubes that use them for networking, but there are also some global settings (the ones controlled by qubes-prefs) that must be minded). This involves shutting a few things down (but not as many as you might think). Then I can delete and rebuild the originals without issue, and switch back. Once satisfied I haven’t borked anything, I delete the clones. (If something is wrong with the new qubes, the clones are basically the same as the old qubes, so they’re a good backup.)