USB controller discrepancies - questions about correct configuration

Hi,

I am trying to understand some USB-related things.

Background

I am using Qubes OS 4.1.2. Upgrading to 4.2 is on my TODO list. This system has only USB ports, so PS/2 is not an option. I am aware of the general USB-related security implications.

When I started using Qubes OS and installed it months ago, I followed these instructions mechanically with the idea to review them later again. I say mechanically, because the documentation does not explain what each setting means and why it must be used. It just instructs “do this”, so I am still not quite confident in my own actions. (Unfortunately, the mantra that the documentation is a community effort, implying that I am somehow supposed to fix the docs myself without knowing how, doesn’t help). Anyway, the final result is:

In /etc/default/grub in dom0 I have:

GRUB_CMDLINE_LINUX="... usbcore.authorized_default=0 rd.qubes.dom0_usb=00:14.0"

That BDF matches the one of the USB controller shown by lspci in dom0.

Also, qvm-device pci ls -v | grep -i usb shows sys-usb (no-strict-reset=True). I don’t remember ever setting that explicitly but the docs say it is somewhat insecure.

Observed discrepancies

Now, as I am revisiting the docs, hoping to fill in the gaps in my understanding, I tried lspci | grep -i usb in sys-usb and I notice it shows 2 (two) PCI devices - one Intel Corporation 82801DB/DBM (ICH4/ICH4-M) USB2 EHCI Controller (rev 10) and one Intel Corporation Comet Lake PCH-LP USB 3.1 xHCI Host Controller. The latter matches the one that dom0 shows.

The BDFs of the two controllers in sys-usb are both different from the BDF of the single controller in dom0. I assume this is expected.

Connection test

When plugging different USB devices and running lsusb in sys-usb, I notice that any USB2 device always shows connected to the first USB controller, regardless of the port it is plugged in (I tried every port). Similarly, USB3 devices always show up connected to the second controller. As expected, lsusb in dom0 shows nothing.

Additionally, I notice that lsusb in sys-usb always shows 3 buses, one of which is always used by some magical device called Adomax Technology Co., Ltd QEMU Tablet. During my tests, no other device ever connects to that bus.

Questions

  1. Why do dom0 and sys-usb show a different number of USB controllers?

  2. What is this 3rd bus in sys-usb?

  3. In case there is only one USB controller, as dom0 says, does this whole procedure, called “How to enable a USB keyboard on a separate USB controller”, bring any actual security benefit?

  4. What does rd.qubes.dom0_usb mean and what is its purpose?

  5. What does usbcore.authorized_default=0 mean and what is its purpose?

  6. Which BDF should be used for rd.qubes.dom0_usb - the one from dom0 or the one from sys-usb?

  7. Why do I have sys-usb (no-strict-reset=True)? Is that some default for USB, i.e. expected, or have I made a mistake in the past without knowing? What is the right thing to do?

  8. Have I done everything correctly? If not, what should I correct, considering the mentioned specifics of this system?

I hope someone who knows would notice this thread.