Does qubes block usb on thunderbolt port?


Ryan Tate

Jan 8, 2020, 6:19:54 AM
to qubes-users
Does qubes block USB data on Thunderbolt ports?

On my ThinkPad X1 Carbon gen5, I can use my thunderbolt 3 ports fine for
display and for power. However, Qubes does not seem to recognize a usb-c
flash stick or a usb-c yubikey plugged into these ports (the only usb-c
ports). (The flash stick has usb-a as well, on the other side, and it
shows up fine in sys-usb when I plug it in that way.)

I poked around in the BIOS to ensure there is no BIOS issue but even at
the "no security" setting I encounter this issue.

I thought I would just double check to see if Qubes might be involved in
this issue since there are various security considerations around
Thunderbolt in play (and I couldn't quite follow prior discussions of Qubes +
Thunderbolt). I'm on 4.0.1 or
4.0.2.

Thanks for any help.


Ryan

brenda...@gmail.com

Jan 8, 2020, 3:14:03 PM
to qubes-users
On Wednesday, January 8, 2020 at 6:19:54 AM UTC-5, Ryan Tate wrote:
> Does qubes block USB data on Thunderbolt ports?

So a few things:

1. Qubes has pcie hotplug disabled in the dom0 kernel, which TB uses for PCIe-based thunderbolt devices. This is disabled for security reasons.
2. The TB alternate mode that supports USBs might not instantiate the PCIe USB controller it connects through *until a USB device is connected to that port*.
3. Therefore...depending on BIOS support...you *might* be able to have a USB device seen by qubes if the USB device is plugged in at power-on. Even if that works, it might be on a USB PCIe controller that is not already attached to your sys-usb (if you have one).
4. If it does work, you might want to create a sys-usb-c which you run only after connecting a device to the port at boot time, and assign the (usually hidden) PCIe USB controller to that VM only.

Brendan

Ryan Tate

Jan 8, 2020, 4:29:57 PM
to qubes-users
Ryan Tate <ryan...@ryantate.com> writes:
> On my ThinkPad X1 Carbon gen5, I can use my thunderbolt 3 ports fine for
> display and for power. However, Qubes does not seem to recognize a usb-c
> flash stick or a usb-c yubikey plugged into these ports

I think I got this figured out. ThinkPads apparently do not show the
USB-C controller on these Thunderbolt ports to the OS unless and until
something is physically plugged in. I was clued into this by this
thread; don't be fooled by the subject line, it is about more than hubs.
See the bit where the user also was not able to connect the drive directly:
https://groups.google.com/forum/#!searchin/qubes-users/usb-c$20thunderbolt%7Csort:date/qubes-users/VIqnIcubq9Y/-gmRME7qBgAJ

Per the thread above, Qubes does not (seem to) handle controllers that
pop up after boot.

When I booted with a usb-c flash drive already in the Thunderbolt port,
I was able to finally see the USB-C controller via lspci in dom0. I was
able to shut down sys-usb and attach the controller to sys-usb (Devices
tab in Qubes Settings for sys-usb) and USB-C items then became visible
when I started sys-usb again.

But, on a reboot, if no USB was plugged in to the port, sys-usb would
fail to start up at all because the controller (aka the "device" I had
attached) was no longer there. (Also, even when a usb-c item was plugged
in at boot and mounted, disconnecting the item and connecting something
else (like a displayport cable for external monitor, which worked) left
me unable to re-connect the usb-c item, but this may be because I did
not set "no-strict-reset" -- I never bothered to fiddle with that when I
realized the prior mentioned boot issue).

This is all kind of a bummer because it means that effectively I can't
use usb-c to attach anything like a storage device, yubikey, etc on this
machine with Qubes. On the other hand I realize the Thunderbolt system
generally and perhaps specifically the way Lenovo/ThinkPad machines
handle exposing USB buses on Thunderbolt raise some unique challenges.

(The one thing that I do wonder is if it is necessary for sys-usb to bail
out on boot when an assigned device is not present. Maybe there could be
a system for transient but assigned devices to be allowed to come online
post boot? No idea how feasible this is.)

brenda...@gmail.com

Jan 8, 2020, 5:04:03 PM
to qubes-users
On Wednesday, January 8, 2020 at 4:29:57 PM UTC-5, Ryan Tate wrote:
> (The one thing that I do wonder is if it is necessary for sys-usb to bail
> out on boot when an assigned device is not present. Maybe there could be
> a system for transient but assigned devices to be allowed to come online
> post boot? No idea how feasible this is.)

PCIe attach has to happen at startup, and Xen will fail to start it up if the named device isn't there.

My suggestion: create a *second* sys-usb style VM (e.g. called "sys-usb-c") with the "extra" usb pcie device attached and *remember* to have the USB port populated at boot if you want to use devices from that second device VM.

The regular sys-usb will always start up for the other ports (regardless of whether you have a device plugged in or not).

Brendan
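The failure mode described in this exchange (a qube with a persistently attached PCI controller will not start when that controller has not been enumerated) can be avoided by starting the secondary USB qube from a script that first checks whether the controller is present. The script below is an added example written for this thread, not something posted by either participant or shipped with Qubes; the qube name `sys-usb-c` and the controller address `3a:00.0` are placeholders to be replaced with the values seen via `lspci` in dom0.

```sh
#!/bin/sh
# Added example, not from the thread. Start a secondary USB qube only when the
# Thunderbolt-path USB controller it owns is present, so a boot with nothing in
# the USB-C port does not end in a failed PCI attach.
# Placeholders (assumed; take the real values from lspci in dom0):
CTRL_BDF="${CTRL_BDF:-3a:00.0}"   # controller that appears only when a USB-C device is plugged in
QUBE="${QUBE:-sys-usb-c}"         # name of the secondary USB qube

# One-time setup along the lines suggested in the thread: a dedicated qube, the
# extra controller attached persistently, and no autostart (we start it ourselves).
setup_qube() {
    qvm-create --class AppVM --label red "$QUBE"
    qvm-pci attach --persistent "$QUBE" "dom0:$(printf '%s' "$CTRL_BDF" | tr ':' '_')"
    qvm-prefs "$QUBE" autostart False
}

# usb_controllers: read plain "lspci" output on stdin and print the BDF of every
# line whose class is "USB controller".
usb_controllers() {
    awk '$2 == "USB" && $3 == "controller:" { print $1 }'
}

# decide BDF: read lspci output on stdin and print "start" if BDF is a USB
# controller that is currently enumerated, "skip" otherwise.
decide() {
    if usb_controllers | grep -qx -- "$1"; then
        echo start
    else
        echo skip
    fi
}

main() {
    # Only meaningful inside Qubes dom0; elsewhere this is a no-op.
    command -v qvm-start >/dev/null 2>&1 || return 0
    case "$(lspci | decide "$CTRL_BDF")" in
        start) qvm-start "$QUBE" ;;
        skip)  echo "$QUBE: controller $CTRL_BDF not enumerated (USB-C device must be present at power-on); not starting" >&2 ;;
    esac
}

main "$@"
```

Run `setup_qube` once by hand in dom0, then invoke the script after each boot (or from a dom0 autostart entry) instead of letting the qube autostart.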

ryan...@ryantate.com

Jan 9, 2020, 10:54:49 AM
to qubes-users
On Wednesday, January 8, 2020 at 3:14:03 PM UTC-5, brend...@gmail.com wrote:
> 1. Qubes has pcie hotplug disabled in the dom0 kernel, which TB uses for PCIe-based thunderbolt devices. This is disabled for security reasons.
> 2. The TB alternate mode that supports USBs might not instantiate the PCIe USB controller it connects through *until a USB device is connected to that port*.
> 3. Therefore...depending on BIOS support...you *might* be able to have a USB device seen by qubes if the USB device is plugged in at power-on. Even if that works, it might be on a USB PCIe controller that is not already attached to your sys-usb (if you have one).
> 4. If it does work, you might want to create a sys-usb-c which you run only after connecting a device to the port at boot time, and assign the (usually hidden) PCIe USB controller to that VM only.

Thanks for the reply! I took a break in the middle of typing my own reply, for a meeting, so your message came in as I was completing it.

All of your points seem to line up with what I discovered poking around. Yes, I can get usb-c seen if device connected at power on.

Thanks for the idea of a secondary sys-usb for USB-C! I had not considered that. If I discover I really need something USB-C, which seems likely in time, I will probably do that. For now it's really just my new yubikey, which I am going to give to someone else and replace with a USB-A/NFC.

Amir Omidi

Oct 13, 2020, 12:34:15 AM
to qubes-users
Did any of this ever work? I have a USB C Thunderbolt based hub and I'm unable to get it to output Displayport screens.

All the USB/ethernet/etc on it work fine though.

Matthias Horn

Oct 13, 2020, 3:28:30 AM
to Amir Omidi, qubes-users
I find the Thunderbolt/USB-C hardware compatibility a mess[1].

The USB-C dock I have uses DisplayLink[2] for output; it's a pain to get to work with Linux and ~impossible on Qubes without compromising security of Dom-0[3].

As far as I know Thunderbolt docks use DisplayPort pass-through so should just work assuming the Thunderbolt port you're using supports the feature (it may need to be enabled in the BIOS), though I haven't used any of these so not sure.

[1] USB (various versions), PCIe, DisplayPort and PowerDelivery all can use the same physical plug, and it's very much not obvious which subset happens to work on any given port.
[2] proprietary compressed frame buffer over high bandwidth USB, or apparently also (wireless) network.
[3] you need to attach the port's USB controller directly to Dom-0, and then recompile + install the binary blob DisplayLink driver (see https://github.com/displaylink-rpm/displaylink-rpm), and then significant massaging of the Xorg configuration to get it to play nice.


Sent from my iPad

On 13 Oct 2020, at 05:34, 'Amir Omidi' via qubes-users <qubes...@googlegroups.com> wrote:

> Did any of this ever work? I have a USB C Thunderbolt based hub and I'm unable to get it to output Displayport screens.