Trezor install on Qubes - USB

OK so I was trying to get the Trezor hardware wallet to work on a debian10 template with Whonix. I followed the instructions here: https://wiki.trezor.io/Qubes_OS
and the command
in sys-usb:
sudo vim /usr/local/etc/qubes-rpc/trezord-service
add this line:
socat - TCP:localhost:21325
However when I try and save that line in Vim, I get:
~
“/usr/local/etc/qubes-rpc/trezord-service”
“/usr/local/etc/qubes-rpc/trezord-service” E212: Can’t open file for writing
Press ENTER or type command to continue

If I exit vim without saving and come back with the same command, I then get the below.

E325: ATTENTION
Found a swap file by the name “/var/tmp/trezord-service.swp”
owned by: root dated: Tue Nov 17 13:27:39 2020
file name: /usr/local/etc/qubes-rpc/trezord-service
modified: YES
user name: root host name: sys-usb-dvm
process ID: 5656
While opening file “/usr/local/etc/qubes-rpc/trezord-service”
CANNOT BE FOUND
(1) Another program may be editing the same file. If this is the case,
be careful not to end up with two different instances of the same
file when making changes. Quit, or continue with caution.
(2) An edit session for this file crashed.
If this is the case, use “:recover” or “vim -r /usr/local/etc/qubes-rpc/trezord-service”
to recover the changes (see “:help recovery”).
If you did this already, delete the swap file “/var/tmp/trezord-service.swp”
to avoid this message.

Swap file “/var/tmp/trezord-service.swp” already exists!
[O]pen Read-Only, (E)dit anyway, (R)ecover, (D)elete it, (Q)uit, (A)bort:

I assume I have to stop a service or something? I only want to use it on one AppVM…
I had already installed the Trezor Bridge when I got the error. I also installed the Udev rules (rpm). My Qubes does not have a ‘my sys-usb’ but it does have the domain ‘my sys-usb-dvm’ - would those be the same? What am I missing?

The vim error message tells you exactly what to do - delete the swap
file.

The “Cannot be found” also points to your original write error. You
probably don’t have /usr/local/etc/qubes-rpc/ - if those instructions are
correct (I have no idea), then you will have to manually create that
directory before trying to write to a file in it.

I think I am making progress - so one thing I noticed is the Trezor materials talk about using the sys-usb service? I only have “Domain: sys-usb-domain”? Is that where I make the additions in vim to /usr/local/etc/qubes-rpc/trezord-service? I am wondering if this is part of the issue - do I need to connect the Trezor to a domain Qube but set up all the rules and the bridge in “Domain: sys-usb-domain”?

OK so I got the bridge installed now properly and the Trezor wallet seems to confirm. However it doesn’t seem to see my device. Is there a way to keep the USB mounted and just “refresh” the connection to the device?

In an effort to hopefully crowdsource setup troubleshooting of Trezor and Qubes I thought I would provide my albeit rudimentary analysis of the Qubes+Trezor instructions as they stand.

The wiki Qubes OS - Trezor Wiki from Trezor:

  1. doesn’t mention you may need to create the folder “qubes-rpc”, though this may be obvious to some

  2. talks about installing the bridge and udev rules on the sys-usb service; however, as I ask here, on my machine sys-usb is a domain without networking. I am not clear if that matters

  3. on the Udev rules - Trezor Wiki page I tried installing the rpm and deb but they didn’t seem to put the rules in the same places that the terminal command does. I did this manually by downloading the .rules and copying the file to /etc/udev/rules.d

  4. I installed the bridge on sys-usb but also tried on the app-vm too. Sometimes it seems to need the service restarted immediately after install for the status to show running. Maybe this is the same effect as closing/opening the browser or plugging/unplugging the Trezor

  5. another question I had was, the socat command shows “socat TCP-LISTEN:21325,fork EXEC:“qrexec-client-vm sys-usb trezord-service” &” but what if my USB Qube is not just “sys-usb” - does it need to be changed to reflect the actual name of the Qube?

My plan was to use a created Debian Qube as the one I connect my Trezor to. I can get my debian App-vm to see the Trezor and the status page at http://127.0.0.1:21325/status/ shows connected; but as soon as I load the wallet at Trezor Wallet it errors out.

OK I think the sys-usb name does have to be “sys-usb” for the rules as the Trezor wiki shows to work. However, the other issue that seems to come up is that if you use Whonix or firewall networking on the Qube you connect your Trezor to, it doesn’t seem to work. sys-net does! yay me!

small advice: qubes is designed for security which makes it great for such things as crypto management, but for a physical trezor wallet it’ll probably be much easier for you to just hold onto a live usb of a secure linux (obviously add a few protections such as encryption and make sure to only use it on a secure device, but u get the point) because you can easily just block all internet access other than that of trezor’s/… official updates/…

it’s secure enough without the pain in the ass qubes can sometimes be

and by enough i mean… very fairly enough as long as you know what you’re doing, only using it for the trezor suite application and well…

(for seed storage/alike may i recommend
using veracrypt to make a hidden volume -obviously memorization is better but u get the point)

I don’t want to complicate things further for anyone, but from my point of view it is not good practice to install services such as trezord in sys-usb. The same goes for directly mounting file systems of external storage devices in sys-usb itself. Instead, you should probably most of the time attach a USB device to the respective appVM of your choice and run the service / mount the file system there.

There is a reason why the standard sys-usb VM has a red colour, just as sys-net. These VMs are sort of “exposed” because they directly interact with physical interfaces of your computer (the USB controllers in this case) and thus they are more likely to be compromised.

Then again, running a service for a hardware wallet in a hypothetically compromised VM should probably not be game over. Due to the nature of hardware wallets, even a compromised host could not extract secrets from it if there is no unexpected vulnerability.

Nevertheless, imho best practice would be:

  • forward/attach your hardware wallet to your AppVM.
  • install all necessary services to interact with it in the AppVM (or in the template that it’s based upon)

Agreed. How could one install the Trezor without the Dom0 and sys-usb changes though? Could those be made directly to an AppVM and allow for its usage plugged into USB? I guess the other idea is just to have a dedicated Trezor machine with Qubes lol.

I don’t have a trezor or some other hardware wallet device so I don’t know how they are working. Can’t you just attach them to the VM of your choice like you would do with any other USB device, e.g., a webcam? See USB Devices | Qubes OS for more information.

In theory, after attaching a USB device to a VM the VM should think that the device is directly connected to it. Just like it would be the case on a conventional Linux or Windows OS, without virtualization.

As mentioned by @phl , installing software in sys-usb is not recommended. Using trezor in an appvm is very straightforward and doesn’t require changing the template. Here are the steps:

  • create the folder udev-rules in /rw/config

  • download trezor udev rules and place it in /rw/config/udev-rules

  • edit /rw/config/rc.local and append this to the script:

    ln -s /rw/config/udev-rules/* /etc/udev/rules.d/

after that just reboot and now electrum will recognize trezor without problems. This was done on a whonix-ws appvm

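The rc.local approach in the post above, written out as a small script. This is an added example, not code from the thread or from Qubes; it does the same thing as the `ln -s /rw/config/udev-rules/*` one-liner but only links real `*.rules` files, so an empty directory never leaves a dangling `*` symlink in /etc/udev/rules.d, and it asks udev to reload, since udev is already running by the time rc.local executes. The optional root prefix argument is hypothetical, added only so the function can be exercised outside a qube.

```shell
#!/bin/sh
# Added example (not from the thread): link udev rules kept in the persistent
# /rw/config/udev-rules directory into /etc/udev/rules.d at AppVM boot.
# Call with no argument from /rw/config/rc.local; the optional first argument
# is a hypothetical path prefix used only for testing outside Qubes.
install_persistent_udev_rules() {
    root="${1:-}"
    src="$root/rw/config/udev-rules"
    dst="$root/etc/udev/rules.d"

    [ -d "$src" ] || { echo "missing $src, nothing to link" >&2; return 1; }
    mkdir -p "$dst"

    linked=0
    for rule in "$src"/*.rules; do
        # An unmatched glob stays literal ("…/*.rules"); skip it instead of
        # creating a broken symlink named '*' the way a bare ln -s would.
        [ -f "$rule" ] || continue
        # -f makes reruns (every boot) idempotent
        ln -sf "$rule" "$dst/$(basename "$rule")"
        linked=$((linked + 1))
    done

    # rc.local runs after udev is up, so make it re-read the rules; without
    # this a Trezor plugged in before the next reboot keeps the old permissions.
    if command -v udevadm >/dev/null 2>&1; then
        udevadm control --reload 2>/dev/null || true
    fi

    echo "$linked"
}
```

The function prints the number of rules it linked, which is handy when checking from the AppVM terminal that /rw/config/udev-rules actually contained something at boot.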

Someone should probably tell trezor that their approach documented in the trezor wiki violates the Qubes best practices. Maybe together with a link to this thread?


The approach as described in the wiki originates here. It is described as the better way regarding security, because the trezor device is then never exposed directly to any AppVM and the Wallet client in turn is not exposed to the USBVM.


I originally tried connecting the Trezor directly to my appVM without using the official Trezor recommendations.

As others in this thread mentioned, when using Trezor’s recommended sys-usb configuration, I’m able to detect the bridge, but I’m not able to detect the Trezor itself. However, as others mentioned, it will get detected if I switch the AppVM to sys-net instead of sys-firewall, which I absolutely do not want to do.

Is there anything I can modify with sys-firewall to have it passthrough only what the Trezor needs?

Also, that link that is marked as solution points to the old original instructions, but those are definitely not the solution…