USB tethering phones in 4.2.0rc5

nealr · December 10, 2023, 11:07am

I have a desktop running Qubes 4.2.0rc5 and I’m trying to figure out how to USB tether phones to it. The machine does not have wifi and I would not use it even if it did, I require a wired solution. I’ve seen discussions about OpenWRT and USB-C to RJ-45 ethernet, these are also not of interest.

I have both an Android and an iPhone that have tethering plans. On Ubuntu+VirtualBox I can simply plug them in, add the new ethernet device that appears as a bridged interface for the VM, and it will get an IP via DHCP when I start it.

I’ve looked at the older support requests but things have changed enough from 4.1 to 4.2 that I’m having a hard time sorting out where things are now located. What I have seen seems to indicate that sys-firewall would need access to USB devices. Is this really something that has to be decided at install time?

The two phones are not interchangeable - I need to make both of them work, each is for a different area of responsibility.

DVM · December 10, 2023, 12:28pm

For this to work, you must have sys-usb installed on your system. Then all you have to do is connect the phone to sys-net with USB forwarding so that Network Manager can initiate the network connection.

tempmail · December 10, 2023, 1:36pm

Is there anywhere guide for this, please? I tried on my own using common sense and what I already knew about Qubes (far from enough, of course and obviously), but eventually didn’t succeed. At the end, my sys-usb took the role of sys-net. I did it without problems with other kind of external USB network devices, though. For example, this.

Step by step guide would be immensely appreciated.

DVM · December 10, 2023, 1:45pm

I found one here:

It’s a little bit complicated for nothing I think, but it shows the main things to do.
Earlier this year, I was able to tether via USB with an iPhone 14 by simply plugging it in and attaching to sys-net with sys-usb. A new network interface appeared in NetworkManager and I was able to connect like any other system.

tempmail · December 10, 2023, 1:51pm

It’s the same as my previous post? No device, or anything else from sys-usb is “forwarded” to any sys-net? On the contrary: sys-usb took the role of sys-net too.

DVM · December 10, 2023, 1:56pm

The link I provided is a community guide, it’s not your previous link.

I’m not sure I understand what you mean. If you chose a unified setup at install (sys-net = sys-usb), then this is expected?

nealr · December 10, 2023, 1:59pm

I pulled the SATA drive out of my Qubes machine so I could try a USB install, someone else asked about this in User Support.

And when I plugged the SATA drive back in … not a bootable system(!)

So I am reinstalling and I set it to include sys-usb in sys-net.

I’m U.S. west coast but I keep really irregular hours, this week I’m in vampire time zone. Sun’s coming up, about time for me to disappear for a few hours. The install will be done adding templates when I return.

tempmail · December 10, 2023, 2:00pm

I was confused first. First you mentioned sys-usb. When we have this, phone is connected to sys-usb, right? Then you wrote to connect phone to “sys-net with USB forwarding”. I don’t know what this means when the phone is already connected to sys-usb.

tempmail · December 10, 2023, 2:02pm

I’d do this only if I don’t have ethernet controller too.

Regards from dusk till dawn.

DVM · December 10, 2023, 2:06pm

What I mean here is that the phone is attached to sys-usb since it has the USB controllers, then you have to “forward” to sys-net using the device widget that Qubes provides. I say sys-net here, but it could be any other qube running with “network-manager” set in services.

tempmail · December 10, 2023, 2:09pm

Great. That’s exactly how I understood it the first time I read it. And I tried that and I didn’t succeed it. As I learned so far, no phone can be attached to any other qube then to sys-usb. Knowing that much, I asked you how to achieve working sys-net to which phone is attached to from sys-usb.

DVM · December 10, 2023, 2:19pm

I just grabbed an iPhone to test it, just in case it stopped working.
I was able to tether using it with a separate sys-tether qube with “network-manager” set in services:

Create new template based on fedora-38
Install usbmuxd in template
Create new qube sys-tether, net qube set to none and network-manager set in services
Plug iPhone via USB (appear on sys-usb via notification)
Go to tether settings on iPhone and enable it
Start sys-tether
Attach phone from Qubes device widget to sys-tether
Trust computer on phone
NetworkManager recognize the network adapter and connect (driver: ipheth)

Might be different for Android, I don’t have one to test.

apparatus · December 10, 2023, 2:35pm

github.com/QubesOS/qubes-issues

Fall back to UEFI shell if Qubes boot entry is missing

opened 09:26AM - 02 Jun 22 UTC

mehrexe

T: enhancement P: default pr submitted C: boot

[How to file a helpful issue](https://www.qubes-os.org/doc/issue-tracking/) #…## Qubes OS release Latest as of posting, 4.1.0 ### Brief summary I manually unplugged every drive on my computer except for the target drive for the installation, which was all free space unpartitioned. Installer ran typically, chose automatic for the installation type. Booted into the OS' configuration and then the full OS. GRUB is verified to have worked because I managed to see it when initially booting for configuration and because of a later restart due to a display artificating and then system lockup problem I had that I attribute to Nvidia. After using another drive and then unplugging it, and plugging the Qubes drive back, there was no detectable boot source. I booted a live OS and found that the partition structure was intact but didn't investigate further and reinstalled Qubes. I then got the idea to see if this issue happened if I BIOS disabled drives instead of unplugging them. I disabled my Qubes drive and enabled another, and booted into it fine. I then disabled my other drive and reenabled the Qubes drive and the same issue happened again where my system does not see any boot entries. The system does see the drive, and switching on CSM and legacy boot I can boot from the drive but get an error screen saying to boot from proper media. This second time, I _kind of_ fixed it but I must do these steps every time I remove the drive or disable it in BIOS. I lose the option to boot without the Xen hypervisor and the boot hiccups. I essentially have to boot my install media, run Anaconda rescue and: 1. Mount the bootloader partition 2. Copy the contents of /mnt/EFI/qubes/ to /mnt/EFI/BOOT/ 3. Rename grubx64.efi to bootx64.efi 4. Rename grub.cfg to bootx64.cfg 5. efibootmgr -v -c -u -L Qubes2 -l /EFI/BOOT/bootx64.efi -d /dev/sda -p 1 ### Steps to reproduce I believe the best way to reproduce this issue is to do a fresh install of Qubes on hardware similar to mine: Asus Prime Z-390-A Motherboard Intel i7-9700K CPU 16GB DDR4 RAM 1TB HDD Most notably, this motherboard. I will be filing a compatibility report soon, but I believe this motherboard may have something to do with how it reads the GRUB bootloader as it's configured for Qubes. Further, these are the only non-stock BIOS settings: - Disabling the Intel LAN Controller (it causes a PCI reset error and ends the last step of the configuration, doesn't matter since I don't use it, and I believe the fact that it's unplugged is the reason this issue happens) - Enabling Virtualization - Enabling Vt-d - Disabling all other drives ### Expected behavior The GRUB bootloader is supposed to appear after the BIOS initializes regardless of whether the drive was previously unplugged from the system or not (safely of course). ### Actual behavior Please read above. After unplugging the drive or disabling it in BIOS, the entry for GRUB is missing.

github.com/QubesOS/qubes-issues

Raw disk backup of Qubes EFI is unbootable

opened 02:53PM - 15 Jul 23 UTC

adrelanos

T: bug P: default needs diagnosis affects-4.1 C: boot

### Qubes OS release R4.1 and R4.2 ### Brief summary When making a raw …disk backup from a Qubes installed to an internal hard drive to an external hard drive, the external hard drive is unbootable. raw disk backup means a backup using `dd` or 1 to 1 exact copy. ### Steps to reproduce 1. install Qubes normally on a computer that only support EFI booting on the internal harddrive 2. reboot 3. brief test that Qubes is working normally (yes) 4. shutdown Qubes 5. boot from an external drive, boot a live DVD or live USB such as Debian Live 6. perform a raw disk backup from the internal disk to the external disk 7. unplug that disk and try to boot from it in a different computer (or the same Qubes computer) ([example instructions for raw disk backups](https://www.kicksecure.com/wiki/Raw_Disk_Backup)) ### Expected behavior The raw disk backup of Qubes is bootable. ### Actual behavior The raw disk backup of Qubes is unbootable. ### Additional information According to my research that might be because of missing entries in the EFI firmware's NVRAM which is stored on the motherboard. Unfortunately, the EFI boot process doesn't seem by default to be self-contained on 1 harddrive but require extra settings stored outside harddrives on the motherboard (EFI NVRAM). Using `grub2-install` with options `--removable` / `--force-extra-removable` during Qubes installation might help? > [--removable](https://manpages.debian.org/bookworm/grub2-common/grub-install.8.en.html#removable) > the installation device is removable. This option is only available on EFI. > [--force-extra-removable](https://manpages.debian.org/bookworm/grub2-common/grub-install.8.en.html#force~2) > force installation to the removable media path also. This option is only available on EFI. Qubes does not have good support for multiboot support anyhow: * https://github.com/QubesOS/qubes-issues/issues/8351 * https://www.qubes-os.org/faq/#can-i-install-qubes-os-together-with-other-operating-system-dual-bootmulti-boot * It's "patches welcome". (And that's okay.) This ticket is not a feature request to improve multiboot support. Why do I mention this? Because otherwise, when considering options `--removable` / `--force-extra-removable` one *might* argue "but that breaks mutliboot support". I would argue that being able to boot a raw disk backup of Qubes is more important than mutliboot support. [Why do I like full raw disk backups? See this link.](https://forum.qubes-os.org/t/how-do-you-organize-your-backups/3986/16?u=adrelanos) Manually updating the NVRAM can be challenging: * It's vendor dependent because of many different EFI BIOS versions. * Some BIOS don't even have such an option. * Might require booting into an operating system installed on USB and running console commands to fix it. * Difficult, impossible for far most users to do or even to find instructions for it. Qubes with legacy BIOS booting as far as I remember didn't have this issue. However, never notebooks sometimes (or often, dunno) don't even support legacy BIOS booting anymore. Therefore "use legacy BIOS booting" is a non-solution. Also not a good long term solution in either case because of Qubes planned Secure Boot support. This bug might also make Qubes "non-portable". Meaning, Qubes installed to an external drive such as a USB SSD might be bootable on the computer where it was installed but unbootable when attempting to boot the same Qubes USB SSD on another computer. I didn't test this very part mentioned in this very chapter. Anaconda by Fedora might be using `grub2-install` with options `--removable` / `--force-extra-removable` already when installing to external devices (USB) instead of internal harddrive. Where is the Qubes code which defines bootloader / grub2 / EFI installation? Or is this currently all done by upstream's Anaconda?

tempmail · December 10, 2023, 3:39pm

Thanks! I have android and I’m asking myself if there’s an analog to this for android if needed at all, and if that’s the culprit…

tempmail · December 10, 2023, 3:46pm

Nope

DVM · December 10, 2023, 4:08pm

usbmuxd is only for Apple’s devices.

This might be a good starting point for Android:
https://wiki.archlinux.org/title/Android_tethering
It mentions usb_modeswitch in the “USB Tethering” part.

It works ootb with iPhones then.

nealr · December 10, 2023, 10:24pm

My systems are HP Z420 workstations, so one built in ethernet. I have a couple USB ethernet dongles for various purposes, a number of wifi USB devices, and I periodically try to get networking using bluetooth adapters working … for reasons.

The need to have a USB attached phone that a VM can pull an IP via DHCP and use the phone as its network is a specific use case. Part of what I do includes “ride along” duties. I get a burner phone, a Google Voice number, a Signal account for it, perhaps some social media accounts, then I embed with a group I’m advising. The carrier number only shows up in creating Signal and perhaps the social media registrations.

The burner never has any access to anything that can be attributed to me, it doesn’t get on wifi, its number is never shared with anyone, and the Signal number I known only to those who need it. This is a specific remedy for frivolous litigation and malicious prosecution, which are big problems in the U.S. This construct would not stand up to a full throttle national security FISA 702 warrant investigation, but I am aware of the rules and I avoid those situations.

When I started doing this I had an elderly Toshiba laptop, 2.5KG with a 1366x768 display, a really floppy hinge, and I’d physically swap small SATA drives. I recently spent some time creating VirtualBox VMs for this work. Now I want to shift my desktop to full time Qubes without losing that capability.

There is something to be said for sitting somewhere other than one’s desk using nothing but a single isolated operating environment, it’s a way to “get in character”. My use cases these days are limited to groups that knowingly lean on me for support, so this is much less of an issue. Once the workstation solution behaves, I’ll do the same with a Xeon laptop, then I can go on the road if that’s needed.

An Ubuntu VM with just Authy, Discord, Signal, Telegram, etc would quickly balloon to over 10GB. A Debian Qube when running is about 6GB and when idle they’re under 150 meg. There’s a strong capital incentive in addition to the security angle.

nealr · December 10, 2023, 10:34pm

I need to know more about the UEFI shell, it’s another gap in my knowledge. In this case the machine wedged, black screen with a single blinking underscore at the upper left.

It’s not the end of the world. That setup was better than the one that came before it. I’m assuming the rest of this month will be me trying things, then maybe full time Qubes use come January.