USB devices in dom0 are listed even though it's impossible to attach them #3564

micahflee · Feb 10, 2018

Qubes OS version:

R4.0

Affected TemplateVMs:

fedora-26, debian-9

Steps to reproduce the behavior:

I have Qubes 4.0 installed on a desktop computer that doesn't have any PS2 ports for a keyboard, so I'm forced to use a USB keyboard. Because of this, I can't use a USB VM. If I did, my keyboard wouldn't work without sys-usb to e.g. login to my account, or power on sys-usb if it were powered off, etc.

When I plug a yubikey into the computer, I get the notification:

Device dom0:1-1 Yubico_Yubikey_4_OTP+U2F+CCID is available

In my fedora-26 AppVM called usb-test-fedora, I see my yubikey isn't seen, as expected:

[user@usb-test-fedora ~]$ lsusb
Bus 001 Device 002: ID 0627:0001 Adomax Technology Co., Ltd 
Bus 001 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
[user@usb-test-fedora ~]$

I click the devices icon in the systray and attach the yubikey device to usb-test-fedora. Qubes seems to think the device is successfully attached to the VM. But when I run lsusb again, I don't see the yubikey (I do see more Linux Foundation hubs though):

[user@usb-test-fedora ~]$ lsusb
Bus 003 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 002: ID 0627:0001 Adomax Technology Co., Ltd 
Bus 001 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
[user@usb-test-fedora ~]$

Same with a debian-9 template. Before attaching the yubikey:

user@usb-test-debian:~$ lsusb
Bus 001 Device 002: ID 0627:0001 Adomax Technology Co., Ltd 
Bus 001 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub

After attaching the yubikey:

user@usb-test-debian:~$ lsusb
Bus 003 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 002: ID 0627:0001 Adomax Technology Co., Ltd 
Bus 001 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub

When I run lsusb from dom0 however, I see the device:

Bus 001 Device 012: ID 1050:0407 Yubico.com Yubikey 4 OTP+U2F+CCID

I haven't tested with other USB devices besides yubikeys yet.

Attaching block devices from dom0 appears to work fine.

Related issue: #3524.

andrewdavidwong · Feb 10, 2018

Related issue: #3524.

Because of this, I can't use a USB VM. If I did, my keyboard wouldn't work without sys-usb to e.g. login to my account, or power on sys-usb if it were powered off, etc.

You may want to read this: https://www.qubes-os.org/doc/usb/#how-to-use-a-usb-keyboard
I use this on one system (for similar reasons...) and it works fine. Salt method documented there will be available as an update to 4.0 (so - not yet).

marmarek · Feb 10, 2018

Because of this, I can't use a USB VM. If I did, my keyboard wouldn't work without sys-usb to e.g. login to my account, or power on sys-usb if it were powered off, etc.

You may want to read this: https://www.qubes-os.org/doc/usb/#how-to-use-a-usb-keyboard
I use this on one system (for similar reasons...) and it works fine. Salt method documented there will be available as an update to 4.0 (so - not yet).

As for actual issue - this is by design, see https://www.qubes-os.org/doc/usb/#installation-of-qubes-usb-proxy

Note you cannot pass through devices from dom0 (in other words: USB VM is required).

The bug is that dom0 devices are listed, even though it's impossible to attach them.

marmarek · Feb 10, 2018

As for actual issue - this is by design, see https://www.qubes-os.org/doc/usb/#installation-of-qubes-usb-proxy

Note you cannot pass through devices from dom0 (in other words: USB VM is required).

The bug is that dom0 devices are listed, even though it's impossible to attach them.

BTW extending qubes-usb-proxy to support also USB controllers in dom0 isn't hard task. We decided we don't want it, because attaching random USB devices to dom0 isn't a good idea, and easing usage of such configuration isn't good for security. But if there are cases impossible to cover with USB VM, we might reconsider this decision.

marmarek · Feb 10, 2018

BTW extending qubes-usb-proxy to support also USB controllers in dom0 isn't hard task. We decided we don't want it, because attaching random USB devices to dom0 isn't a good idea, and easing usage of such configuration isn't good for security. But if there are cases impossible to cover with USB VM, we might reconsider this decision.

@andrewdavidwong I think there was similar discussion somewhere else, but can't find it now. Do you remember?

marmarek · Feb 10, 2018

@andrewdavidwong I think there was similar discussion somewhere else, but can't find it now. Do you remember?

I think there was similar discussion somewhere else, but can't find it now. Do you remember?

Sorry, I don't.

andrewdavidwong · Feb 10, 2018

I think there was similar discussion somewhere else, but can't find it now. Do you remember?

Sorry, I don't.

Thank you @marmarek, I'll try those instructions. I'd much prefer to use a sys-usb and not do USB passthrough from dom0, I just wasn't aware it was an option on computers without a PS2 port.

micahflee · Feb 10, 2018

Thank you @marmarek, I'll try those instructions. I'd much prefer to use a sys-usb and not do USB passthrough from dom0, I just wasn't aware it was an option on computers without a PS2 port.

I tried following those instructions and got an error when running sudo qubesctl state.sls qvm.usb-keyboard. Maybe this is separate bug?

[user@dom0 ~]$ sudo qubes-dom0-update qubes-mgmt-salt-dom0-virtual-machines
Using sys-firewall as UpdateVM to download updates for Dom0; this may take some time...
Last metadata expiration check: 8:13:24 ago on Sat Feb 10 10:45:43 2018.
Package qubes-mgmt-salt-dom0-virtual-machines-4.0.10-1.fc25.noarch is already installed, skipping.
Dependencies resolved.
Nothing to do.
Complete!
No packages downloaded
Qubes OS Repository for Dom0                     39 MB/s | 209 kB     00:00    
Package qubes-mgmt-salt-dom0-virtual-machines-4.0.10-1.fc25.noarch is already installed, skipping.
Dependencies resolved.
Nothing to do.
Complete!
[user@dom0 ~]$ sudo qubesctl state.sls qvm.usb-keyboard
[ERROR   ] Template was specified incorrectly: False
local:
    Data failed to compile:
----------
    No matching sls found for 'qvm.usb-keyboard' in env 'base'
DOM0 configuration failed, not continuing
[user@dom0 ~]$

micahflee · Feb 11, 2018

I tried following those instructions and got an error when running sudo qubesctl state.sls qvm.usb-keyboard. Maybe this is separate bug?

[user@dom0 ~]$ sudo qubes-dom0-update qubes-mgmt-salt-dom0-virtual-machines
Using sys-firewall as UpdateVM to download updates for Dom0; this may take some time...
Last metadata expiration check: 8:13:24 ago on Sat Feb 10 10:45:43 2018.
Package qubes-mgmt-salt-dom0-virtual-machines-4.0.10-1.fc25.noarch is already installed, skipping.
Dependencies resolved.
Nothing to do.
Complete!
No packages downloaded
Qubes OS Repository for Dom0                     39 MB/s | 209 kB     00:00    
Package qubes-mgmt-salt-dom0-virtual-machines-4.0.10-1.fc25.noarch is already installed, skipping.
Dependencies resolved.
Nothing to do.
Complete!
[user@dom0 ~]$ sudo qubesctl state.sls qvm.usb-keyboard
[ERROR   ] Template was specified incorrectly: False
local:
    Data failed to compile:
----------
    No matching sls found for 'qvm.usb-keyboard' in env 'base'
DOM0 configuration failed, not continuing
[user@dom0 ~]$

Salt method documented there will be available as an update to 4.0 (so - not yet).
Use manual one (same as in R3.2).

marmarek · Feb 11, 2018

Salt method documented there will be available as an update to 4.0 (so - not yet).
Use manual one (same as in R3.2).

Excellent, the R3.2 instructions work. And using a USB VM, I'm now able to attach my yubikey to AppVMs. Thanks!

micahflee · Feb 11, 2018

Excellent, the R3.2 instructions work. And using a USB VM, I'm now able to attach my yubikey to AppVMs. Thanks!

Automated announcement from builder-github

The package qubes-usb-proxy-dom0-1.0.16-1.fc25 has been pushed to the r4.0 testing repository for dom0.
To test this update, please install it with the following command:

sudo qubes-dom0-update --enablerepo=qubes-dom0-current-testing

QubesOS/qubes-issues

Join GitHub today

USB devices in dom0 are listed even though it's impossible to attach them #3564

Comments

micahflee commented Feb 10, 2018

Qubes OS version:

Affected TemplateVMs:

Steps to reproduce the behavior:

This comment has been minimized.

andrewdavidwong commented Feb 10, 2018

andrewdavidwong added bug C: other labels Feb 10, 2018

andrewdavidwong added this to the Release 4.0 milestone Feb 10, 2018

This comment has been minimized.

marmarek commented Feb 10, 2018

This comment has been minimized.

marmarek commented Feb 10, 2018

andrewdavidwong changed the title from USB passthrough from dom0 (without a sys-usb) broken in 4.0 to USB devices in dom0 are listed even though it's impossible to attach them Feb 10, 2018

andrewdavidwong added C: core C: qubes-manager UX and removed C: other labels Feb 10, 2018

This comment has been minimized.

marmarek commented Feb 10, 2018

This comment has been minimized.

marmarek commented Feb 10, 2018

This comment has been minimized.

andrewdavidwong commented Feb 10, 2018

This comment has been minimized.

micahflee commented Feb 10, 2018

This comment has been minimized.

micahflee commented Feb 11, 2018

This comment has been minimized.

marmarek commented Feb 11, 2018

This comment has been minimized.

micahflee commented Feb 11, 2018

marmarek referenced this issue in QubesOS/qubes-app-linux-usb-proxy Feb 11, 2018

marmarek closed this in marmarek/qubes-app-linux-usb-proxy@6f3a1c3 Feb 13, 2018

This comment has been minimized.

qubesos-bot commented Feb 13, 2018

qubesos-bot added the r4.0-dom0-cur-test label Feb 13, 2018

This comment has been minimized.

qubesos-bot commented Feb 13, 2018

qubesos-bot referenced this issue in QubesOS/updates-status Feb 13, 2018

qubesos-bot added the r3.2-dom0-cur-test label Feb 13, 2018

qubesos-bot referenced this issue in QubesOS/updates-status Feb 13, 2018

qubesos-bot added r4.0-fc24-cur-test r4.0-fc25-cur-test labels Feb 13, 2018

This comment has been minimized.

qubesos-bot commented Feb 13, 2018

qubesos-bot added the r4.0-fc26-cur-test label Feb 13, 2018

This comment has been minimized.

qubesos-bot commented Feb 13, 2018

qubesos-bot added r4.0-buster-cur-test r4.0-jessie-cur-test labels Feb 13, 2018

This comment has been minimized.

qubesos-bot commented Feb 13, 2018

qubesos-bot added the r4.0-stretch-cur-test label Feb 13, 2018

This comment has been minimized.

qubesos-bot commented Feb 13, 2018

qubesos-bot added r3.2-buster-cur-test r3.2-fc23-cur-test r3.2-fc24-cur-test labels Feb 13, 2018

This comment has been minimized.

qubesos-bot commented Feb 13, 2018

qubesos-bot added the r4.0-centos7-cur-test label Feb 13, 2018

qubesos-bot added r4.0-fc24-stable r4.0-jessie-stable and removed r4.0-fc24-cur-test r4.0-jessie-cur-test r4.0-fc25-cur-test labels Feb 27, 2018

This comment has been minimized.

qubesos-bot commented Feb 27, 2018

qubesos-bot added r4.0-fc25-stable r4.0-stretch-stable and removed r4.0-stretch-cur-test labels Feb 27, 2018

This comment has been minimized.

qubesos-bot commented Feb 27, 2018

qubesos-bot added r4.0-fc26-stable and removed r4.0-fc26-cur-test labels Feb 27, 2018

This comment has been minimized.

qubesos-bot commented Feb 27, 2018

qubesos-bot added r4.0-centos7-stable and removed r4.0-centos7-cur-test labels Feb 27, 2018

This comment has been minimized.

qubesos-bot commented Feb 27, 2018

qubesos-bot added r4.0-dom0-stable and removed r4.0-dom0-cur-test labels Feb 27, 2018

This comment has been minimized.

qubesos-bot commented Feb 27, 2018

qubesos-bot added r3.2-dom0-stable and removed r3.2-dom0-cur-test labels Feb 27, 2018

This comment has been minimized.

qubesos-bot commented Feb 27, 2018

qubesos-bot added r3.2-buster-stable r3.2-jessie-stable r3.2-fc23-stable r3.2-fc24-stable and removed r3.2-buster-cur-test r3.2-jessie-cur-test r3.2-fc23-cur-test r3.2-fc24-cur-test labels Feb 27, 2018

This comment has been minimized.

qubesos-bot commented Feb 27, 2018

qubesos-bot added r3.2-stretch-stable r3.2-fc25-stable and removed r3.2-stretch-cur-test r3.2-fc25-cur-test labels Feb 27, 2018

marmarek closed this in `marmarek/qubes-app-linux-usb-proxy@6f3a1c3` Feb 13, 2018