Using a Desktop Computer with Qubes (R 4.0.1)


John Goold

Jan 13, 2019, 12:49:39 PM
to qubes-users
I am one of those Qubes newbies. I do have a "computer" background, having started out on Mainframe computers — I have been retired for over 20 years; however, I now use my computer as a tool (though I do some website development to keep the neurons firing). I do not need a highly locked down computer, but do want to use whatever security improvements I can reasonably get with Qubes without the set-up and maintenance becoming a full-time job. I also prefer using a GUI when possible (spent decades using terminals).
___

Normally I would post each issue as a separate post to a forum such as this; however, these are all related to the "Subject" and my getting started. I always try searching for similar issues before posting, but (here) have not found solutions (either here or in the documentation).
____

1. The NUC is an Intel desktop computer with a nice small foot-print (Intel NUC7i7 BNH with 512 GB SSD and 32GB RAM). The only mouse and keyboard that works are USB (there is no PS/1 port) — possibly bluetooth devices would work but I do not want to get into the issues involved (I do use an Apple bluetooth keyboard with Linux Mint on my HP laptop).

My disk is encrypted and the installation nicely reminded me of the warnings in this forum about setting up sys-usb — so sys-usb is a non-starter. This leads to my first issue:

I seem unable to attach my scanner (it is a ScanSnap ix800 which is not a printer/scanner/copier, just a scanner) to an appVM. It does not appear in the Dom0 devices menu. If I plug in a USB drive, the drive shows up in the menu.

Is there a straightforward way to attach the scanner to an appVM (it will not be a server, but will always be the same appVM, "personal")?

2. I like to listen to a classical music radio station (CBC Music) and, when it is broadcasting other "stuff", streaming classical music from their website.

I can play YouTube videos, including hearing the audio, but the above does not work (the website page gets stuck loading/waiting for an audio stream).

I imagine this has something to do with proxy settings. Is this correct? I have created an appVM ("entertainment") specifically to handle playing music, so I am not worried about it getting compromised because I use less secure settings for it.

799

Jan 13, 2019, 2:20:13 PM
to John Goold, qubes-users
Hello John,

welcome to Qubes ;-)

On Sun, 13 Jan 2019 at 18:49, John Goold <jrg.p...@gmail.com> wrote:

> This leads to my first issue:
> I seem unable to attach my scanner (it is a ScanSnap ix800 which is not a printer/scanner/copier, just a scanner) to an appVM. It does not appear in the Dom0 devices menu. If I plug in a USB drive, the drive shows up in the menu.
> Is there a straightforward way to attach the scanner to an appVM (it will not be a server, but will always be the same appVM, "personal")?

I am not sure if I have understood you correctly; have you chosen to install a sys-usb-qube?
If you didn't, you can also do this after the installation.
If you chose not to use sys-usb, you could try to pass through one of the USB controllers to the AppVM to which you connect the scanner.
I have never used an Intel NUC before, but in case you can run a qube like sys-usb, I suggest doing so.
You can then run the following command from dom0:

qvm-usb

then attach the scanner to the AppVM
qvm-usb attach <SCANNERAPPVM> sys-usb:NR-NR
 
> 2. I like to listen to a classical music radio station (CBC Music) and, when it is broadcasting other "stuff", streaming classical music from their website.
> I can play YouTube videos, including hearing the audio, but the above does not work (the website page gets stuck loading/waiting for an audio stream).

Can you send me the link of the radio station you're trying to listen to?
I'll give it a try to listen to it in my multimedia AppVM which is based on my howto here:

- O

John Goold

Jan 13, 2019, 4:26:10 PM
to qubes-users
Just discovered that there is only one USB controller (but 4 USB connector sockets). So when I tried to attach the USB controller to the appVM (had to set it to HVM), I lost the mouse and keyboard :-(

I have got the impression from reading the documentation and posts to this forum that if I have disk encryption enabled, I cannot create a sys-usb VM without losing the mouse+keyboard (and possibly not being able to enter the pass-phrase when powering up).

The radio station is: https://www.cbc.ca/listen/live/cbcmusic

The streaming music is: https://www.cbcmusic.ca/music-streams

Thank you for responding...

John Goold

Jan 13, 2019, 7:20:33 PM
to qubes-users
@799 I followed your multi-media templateVM how-to document. I installed VLC (haven't tried it yet) and Google Chrome.

I do not know if it was the library that was added, but I can now listen to the radio and streaming music.

I prefer Banshee to play my music which is all ripped from physical CDs I have bought over the decades (the sites I mentioned are the only ones I stream). However, I will check out VLC and see if it can handle my music library (it is organized differently than the organizations normally supported by music players, which is why I prefer Banshee -- I organized it using Banshee).

VLC definitely works (tried "opening a folder"). I will have to learn how to navigate my library with it.

THANK YOU.

js...@bitmessage.ch

Jan 13, 2019, 8:52:29 PM
to qubes...@googlegroups.com
John Goold:
> Just discovered that there is only one USB controller (but 4 USB connector sockets). So when I tried to attach the USB controller to the appVM (had to set it to HVM), I lost the mouse and keyboard :-(
>
> I have got the impression from reading the documentation and posts to this forum that if I have disk encryption enabled, I cannot create a sys-usb VM without losing the mouse+keyboard (and possibly not being able to enter the pass-phrase when powering up).

Yea with only one usb controller you can't attach the whole controller
to a VM without losing your usb keyboard/mouse. I'm in the same situation.

It sounds like you've already looked at the docs but here's the link:

https://www.qubes-os.org/doc/usb/

You have to have sys-usb to attach a usb device like a scanner to an
appvm (unless you can just attach the whole usb controller, which you
can't).

I haven't done this myself but my understanding from reading the docs is
it's still possible to have sys-usb, you just have to be careful not to
lock yourself out (not able to control the system with usb
mouse/keyboard, or not able to enter encryption passphrase at boot).

According to the docs, if you're using 4.0, you can just use salt to set
up a usb qube with the ability to use a usb keyboard with the command

sudo qubesctl state.sls qvm.usb-keyboard

The doc says that this will create the usb qube if it's not present, and
that it will expose dom0 to usb devices on boot so you can enter the
passphrase. After you do this though you still may want to check your
grub/efi config file to make sure it doesn't have the
"rd.qubes.hide_all_usb" line in it, just in case.

Or you can follow the steps in the docs to do it manually, just make
sure to add the required lines to the qubes.InputKeyboard and
qubes.InputMouse files first, and don't add the "rd.qubes.hide_all_usb"
line to grub/efi config file.

Also this has security implications since if your sys-usb is compromised
an attacker could scoop up your keystrokes, but this should still be
safer than attaching insecure usb devices to dom0.

But it should work, unless I'm reading something wrong.

--
Jackie
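
The pre-reboot check described in the post above (no "rd.qubes.hide_all_usb" in the boot config, and an input policy that lets the USB qube reach dom0), written as an added example that is not part of the original post or of the Qubes documentation. The file paths are supplied by the caller, the sample files are constructed, and the "<usb-qube> dom0 allow" policy line format is an assumption based on the R4.0 policy syntax.

```shell
#!/bin/sh
# Added example, not from the thread. File paths are passed in by the caller;
# the "<usb-qube> dom0 allow" policy line format is an assumption (R4.0 syntax).

# True if a non-comment line of the boot config hides USB devices from dom0.
hides_usb() {
    grep -v '^[[:space:]]*#' "$1" | grep -q 'rd\.qubes\.hide_all_usb'
}

# True if the first rule for "<usb-qube> dom0" in the policy file is an allow.
# Simplification: wildcard sources/targets are not interpreted.
policy_allows() {
    awk -v vm="$2" '
        /^[ \t]*#/ { next }
        $1 == vm && $2 == "dom0" { found = 1; ok = ($3 ~ /^allow(,|$)/); exit }
        END { exit !(found && ok) }
    ' "$1"
}

# $1 = boot config, $2 = input policy file, $3 = USB qube (default sys-usb)
check_lockout() {
    usbvm=${3:-sys-usb}
    status=0
    if hides_usb "$1"; then
        echo "RISK: rd.qubes.hide_all_usb in $1: no USB keyboard at the passphrase prompt"
        status=1
    fi
    if ! policy_allows "$2" "$usbvm"; then
        echo "RISK: $2 has no allow rule for $usbvm -> dom0 input"
        status=1
    fi
    [ "$status" -eq 0 ] && echo "OK: no lockout condition found"
    return "$status"
}

if [ "$#" -ge 2 ]; then
    check_lockout "$@"
else
    # Constructed sample files, for demonstration only.
    d=$(mktemp -d)
    printf 'GRUB_CMDLINE_LINUX="rhgb quiet rd.qubes.hide_all_usb"\n' > "$d/boot.cfg"
    printf '# constructed policy\nsys-usb dom0 allow\n' > "$d/kbd.policy"
    check_lockout "$d/boot.cfg" "$d/kbd.policy" || true
    rm -rf "$d"
fi
```

Run it once against the qubes.InputKeyboard policy file and once against the qubes.InputMouse one; a non-zero exit status means at least one lockout condition was found.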

Alexandre Belgrand

Jan 14, 2019, 4:59:28 AM
to qubes...@googlegroups.com
On Monday, 14 January 2019 at 01:52 +0000, js...@bitmessage.ch wrote:
> It sounds like you've already looked at the docs but here's the link:
> https://www.qubes-os.org/doc/usb/
> You have to have sys-usb to attach a usb device like a scanner to an
> appvm (unless you can just attach the whole usb controller, which you
> can't).

Pardon my ignorance, I am planning to install Qubes on a laptop.

I need to connect to
(1) a USB scanner and
(2) a USB smartcard reader (with OpenSC).

In the documentation it is written:

" Note, you cannot pass through devices from dom0 (in other words: a
USB VM is required). To use this feature, you need to have the qubes-
usb-proxy package installed in the template used for the USB qube "

Does it mean I will have to create a USB VM and then connect it to
other VMs using USB proxy? And I will lose USB keyboard and mouse in
dom0?

So is the only solution to buy a USB card and plug it in the laptop?

Kind regards,

Ivan Mitev

Jan 14, 2019, 5:55:21 AM
to qubes...@googlegroups.com
You will need a VM with the USB controller assigned to it. Actually that
VM is created by default at install time (it's called "sys-usb"). You
won't "lose" your USB keyboard/mouse in dom0: those are "proxied" from
sys-usb to dom0 with the help of the qubes-input-proxy daemon, which -
if I'm not mistaken - has nothing to do with proxying of USB devices
from one VM to another.

So in theory you would plug your scanner which should appear in sys-usb,
and you'd attach ("proxy") it to a VM where you have your scanning
software installed. If you're lucky it will work that way but not every
USB device works well with proxying and scanners aren't known to be very
plug&play friendly. In that case you will have to use sys-usb directly
(either for firmware loading - most scanners need that nowadays - or for
firmware loading + scanning software).
That's also why you have the option to combine sys-net and sys-usb into
one VM during installation time: some USB networking devices can't be
proxied so the only way to use them is to have the usb controllers in
sys-net (or symmetrically, networking support in sys-usb).

Ditto for the smartcard reader...

Hope this helps...
Ivan

Alexandre Belgrand

Jan 14, 2019, 6:26:18 AM
to qubes...@googlegroups.com

> So in theory you would plug your scanner which should appear in sys-usb,
> and you'd attach ("proxy") it to a VM where you have your scanning
> software installed. If you're lucky it will work that way but not every
> USB device works well with proxying and scanners aren't known to be very
> plug&play friendly. In that case you will have to use sys-usb directly
> (either for firmware loading - most scanners need that nowadays - or for
> firmware loading + scanning software).
> That's also why you have the option to combine sys-net and sys-usb into
> one VM during installation time: some USB networking devices can't be
> proxied so the only way to use them is to have the usb controllers in
> sys-net (or symmetrically, networking support in sys-usb).

Sounds reasonable. I am using a sane scanner which requires no
firmware, so it should work.

> Ditto for the smartcard reader...

OpenSC is pretty standard. I am using a stock CCID smartcard reader.
Should also work.

Thanks !

jrg.d...@gmail.com

Jan 14, 2019, 8:13:15 PM
to qubes-users

I re-read the document you pointed me at (and then re-read it again!). Although I have put several days of work into my transition to using Qubes (I am using Qubes 4.0.1), I would be left with very unappealing options if I could not use the scanner under Qubes.

So, with a great deal of trepidation, I tried the Salt approach.

It worked flawlessly -- my very first test was to shut down my computer and then reboot. I, though I hate to admit it, had my fingers crossed at the point that the LUKS request for a pass phrase showed up. But the keyboard worked and the rest of the boot-up ran fine.

I realize there may be some security vulnerabilities because of this setup; however, I am a non-entity as far as someone choosing to invest considerable effort to hack. I doubt any of the USB devices I use pose a threat (to me).

There is one strange thing, but I will start a separate thread for it (I do not seem to be able to configure my mouse as left-handed).

Thank you very much for taking the time to respond.
