USB Qube Creation

I’m currently running Qubes-OS 4.0.3 over a 120GB USB SSD, have a USB mouse and keyboard, and it’s working great. I do have a question though before proceeding to create a USB Qube for other USB devices, such as USB Webcam and Microphone. Does one have to connect the keyboard and mouse every time you start up a VM that uses the USB Qube, or is there some sort of an “auto-use USB Qube” feature that one can set on particular VMs, such as personal or work? When I installed Qubes-OS my keyboard and mouse were accepted just fine and I leave them connected, of course, while using Qubes. I’m never prompted to disconnect and reconnect them. The option to create a USB Qube on install was grayed out. I’m assuming the USB Qube is designed to prevent security attacks in dom0 which is not in force if the USB Qube isn’t created as an AppVM. I realize from the documentation that one must perform some steps in the Terminal to prevent USB keyboard lockout if a USB Qube is created after installation. Please assist where possible on the “auto-use USB Qube” question that I have. Thank you.

Hi Datapioneer,

I am using a USB-qube with microphone and whatnot.

When I boot, the USB devices are shown in the device manager. So for a teleconference I connect the microphone to the qube that needs it.

You will not have to connect your mouse/keyboard any time you start as this is done automatically.

For your setup (using USB HIDs) you will have to do the following (as documented here):

sudo qubesctl state.sls qvm.sys-usb
for the setup of a normal usb-qube and
sudo qubesctl state.sls qvm.usb-keyboard
to prevent lockout when using USB HIDs.


Thank you. I appreciate you letting me know. I will attempt to implement this.


One thing that I just realized that I failed to mention was that I’m currently running Qubes-OS 4.0.3 via attached USB 3.0 250GB SSD, not internally via the SATA bus. I did this for testing purposes and boot into the Qubes-OS via the attached SSD in the BIOS when I want to get into that OS.

If I create a USB-qube, will that lock out the 250GB SSD containing Qubes after I reboot even if I run the command to prevent keyboard lockout?

This is a very good question indeed.

I would say, make a backup of your SSD and just try it. I would guess, though, that the automatic installation (with the commands I supplied, which are in the documentation) will not work and you would need a manual setup where the USB bus your SSD is connected to is attached to dom0.

Does your computer have more than one USB hub?
To check this, you can try lsusb and look for your SSD.


Yes, my system has 2 USB3.0 and 4 USB2.0 ports. I tried creating the USB qube using the directions to prevent keyboard lockout and that did work, but it destroyed my Qubes 4.0 installation as I was not able to reenter it since the block device was not prevented from lockout.

For now, I’m not going to pursue this any further. My system was a test system anyway, not my daily driver for now. I would suspect that I would have to replicate the instructions for preventing the keyboard lockout and point it to the block device which is the SSD running qubes to get around this. That will be for another day.

Thank you.

For the next time, some things to remember:
It isn’t a question of how many ports you have but how many USB
controllers you have. You can have many ports with one controller.
You need to identify how many controllers are on the system.
If you are installing to a USB device, you have to be very careful about
allocating any controller(s) - you’ve already discovered this.
My advice would be to manually create a USB qube, and then allocate
controllers based on what you have on the system.
If you inspect the USB salt code in
you will see that you can create it with:

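# Run in dom0. Create the qube, then set its properties with qvm-prefs.
qvm-create sys-usb -l red
qvm-prefs sys-usb memory 300
qvm-prefs sys-usb netvm ''
qvm-prefs sys-usb virt_mode hvm
# qvm-service needs the qube name before the service name.
qvm-service --disable sys-usb network-manager
qvm-service --disable sys-usb meminfo-writer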

Although salt may seem confusing, most people can fairly readily
understand the simple formulae used by Qubes. It’s well worth looking at
how the basic qubes on your system are created in this way.

Install qubes-input-proxy into the relevant template.
Set the entry in /etc/qubes-rpc/policy/qubes.InputMouse and
and then allocate the controller as you will.
Make sure you have dealt with the grub entry for rd.qubes.hide_all_usb.

If you have many controllers you can selectively hide some from dom0 -
this is covered in the documentation.

You should also be aware that you may have two controllers serving
one port - one for USB2 and USB3 - you must be very careful in
allocation in this sort of setup.

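One way to do the controller count and boot-disk check described in the post above, as an added example that is not part of the original thread or of Qubes' own tooling. It reads sysfs in dom0, lists PCI functions with the USB-controller class 0x0c03xx, and walks up from a block device to the controller it sits behind; the function names and the SYSFS override are made up for this example.

```shell
#!/bin/sh
# Added example: enumerate USB controllers (not ports) and find the one
# the boot disk hangs off, so it is never handed to sys-usb.
# SYSFS is an assumption of this example; it only exists to allow testing.
SYSFS="${SYSFS:-/sys}"

# Print the PCI address of every function whose class is 0x0c03xx
# (serial bus controller, USB).
list_usb_controllers() {
    for dev in "$SYSFS"/bus/pci/devices/*; do
        [ -r "$dev/class" ] || continue
        case "$(cat "$dev/class")" in
            0x0c03*) basename "$dev" ;;
        esac
    done
}

# Print the PCI address of the USB controller behind block device $1
# (e.g. sda). Returns 1 and prints nothing if the disk is not USB-attached.
controller_of_disk() {
    path=$(readlink -f "$SYSFS/block/$1") || return 1
    while [ "$path" != "/" ]; do
        if [ -r "$path/class" ]; then
            case "$(cat "$path/class")" in
                0x0c03*) basename "$path"; return 0 ;;
            esac
        fi
        path=$(dirname "$path")
    done
    return 1
}

# Controllers that can go to sys-usb: all of them except the one
# carrying the disk Qubes boots from.
assignable_controllers() {
    keep=$(controller_of_disk "$1" || true)
    for c in $(list_usb_controllers); do
        [ "$c" = "$keep" ] || echo "$c"
    done
}

# Stand-alone use: ./usb-controllers.sh sda
if [ -n "${1:-}" ]; then
    assignable_controllers "$1"
fi
```

This only reports the controller the disk is enumerated on right now; where one physical port is served by both a USB2 and a USB3 controller, as the post warns, both have to stay in dom0.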


Thank you. This is great information. I will try to work through the documentation and figure it out down the road. If I were to make Qubes my daily driver, I would take it off the USB controller and place it on the SATA controller internally and I wouldn’t have this issue at all.

I appreciate your response. Very thorough.