USB VM


Drew White

Sep 27, 2016, 10:14:51 PM
to qubes-users
Hi folks,

I want to get the USB VMs to work, but I use keyboard and mouse via USB, not PS/2, so it will not permit me to configure it.

I wish to attach specific USB Ports to Dom0, which is 1 of the buses. And the other USB buses to the USBVM, but I can't find out what device to attach to Dom0 to allow this.

I know what my USB3 is because that's a PCIe card. So that's easy enough to push to a USBVM. But the others, not so easy.

Is it possible to assign specific USB ports instead of whole USB buses?

johny...@sigaint.org

Sep 27, 2016, 10:46:10 PM
to qubes-users
Pretty sure the answer is "no." You can assign a whole USB bus (which is
typically a single PCI device) to a VM, but you can't split it up beyond
that, other than the default of having dom0 relay specific devices to
specific VM's (which isn't dom0 USB isolation at all).

My mobo has 8 USB ports, but they're all on a single bus, so it's all or
nothing.

It's worth looking into whether your keyboard/mouse support PS/2.

It may no longer be the case, but it used to be that most USB keyboards
and mice had controllers that also automatically auto-detected and
supported PS/2, with a simple passive passthrough dongle between the
USB->PS/2 connection.

http://www.ebay.com/itm/Cool-PS2-Female-to-USB-Male-Port-Mouse-Adapter-Converter-Connector-for-Keyboard-/321935935564?hash=item4af4e0884c:g:F98AAOSwgApW-yRg

$0.75 each, including international shipping.

You or someone you know may even have such dongles kicking around; if so,
give them a try. The common Logitech ones seem to work for most every
keyboard/mouse I've tried.

Or, if you're handy with a soldering iron, make your own.

https://imgur.com/a/n3BJ0

I've chopped up an old PS/2 cable and soldered it to a USB keyboard
successfully in the past. (Even just cut and twisted the wires together
in a pinch, lol. Worked great.)

Worst case, splurge the <$10 each on getting a nice PS/2 mouse and
keyboard, and proceed with far greater confidence/security, and more
easily isolate your USB to a VM.

(Heck, I'd send you a free PS/2 mouse/keyboard if it didn't cost more to
ship than it would be for you to purchase new.)

Maybe it's less common these days for keyboards/mice to support that
feature, but it's hardly difficult even today to buy or find a good PS/2
mouse and keyboard for dirt cheap.

JJ

johny...@sigaint.org

Sep 27, 2016, 10:57:07 PM
to qubes...@googlegroups.com
> It may no longer be the case, but it used to be that most USB keyboards
> and mice had controllers that also automatically auto-detected and
> supported PS/2, with a simple passive passthrough dongle between the
> USB->PS/2 connection.
>
> http://www.ebay.com/itm/Cool-PS2-Female-to-USB-Male-Port-Mouse-Adapter-Converter-Connector-for-Keyboard-/321935935564?hash=item4af4e0884c:g:F98AAOSwgApW-yRg
>
> $0.75 each, including international shipping.
>
> You or someone you know may even have such dongles kicking around; if so,
> give them a try. The common Logitech ones seem to work for most every
> keyboard/mouse I've tried.

I should mention that if you're paranoid, are a high-value targeted
individual, or simply have a psycho on your butt, you may want to do a
good check of such a dongle with an ohmmeter or scope.

Or even better, wire your own.

It's a wonderful place to hide a keylogger. :)

http://www.keydemon.com/ps2_hardware_keylogger/
https://www.keelog.com/usb_hardware_keylogger.html
http://www.instructables.com/id/How-to-build-your-own-USB-Keylogger/

I have a couple of these in my "JJ's Museum of Dodgy Devices."

Thankfully I didn't have to pay for them myself, but they were graciously
snuck into my inventory of parts by secret admirers. So very kind of
them, and without even wanting credit. :)

Cheers

JJ


Drew White

Sep 27, 2016, 10:59:55 PM
to qubes-users, johny...@sigaint.org
On Wednesday, 28 September 2016 12:46:10 UTC+10, johny...@sigaint.org wrote:
> Pretty sure the answer is "no." You can assign a whole USB bus (which is
> typically a single PCI device) to a VM, but you can't split it up beyond
> that, other than the default of having dom0 relay specific devices to
> specific VM's (which isn't dom0 USB isolation at all).
>
> My mobo has 8 USB ports, but they're all on a single bus, so it's all or
> nothing.
>

Hi JJ,

My PC has 10 USB buses.
My keyboard and mouse are on bus 10, which is PCI device XXXX.XX.X and I left that one on Dom0.

However I now have another issue...

"Error starting VM 'sys-usb': Requested operation is not valid: PCI device 0000:00:1a.0 is in use by driver xenlight, domain sys-usb"

What does this mean?
It does this for each PCI device. I have removed them 1 by 1 just to verify.

Why won't it just assign the device?

FYI: I have plenty of adapters lying around. But thanks for thinking about that.

johny...@sigaint.org

Sep 27, 2016, 11:27:17 PM
to qubes-users
> Hi JJ,
>
> My PC has 10 USB buses.
> My keyboard and mouse are on bus 10, which is PCI device XXXX.XX.X and I
> left that one on Dom0.

Are they 10 separate PCI devices, 10 separate USB buses?

I'd be very surprised if that were the case. But also very impressed, and
wanting such a motherboard for myself. It'd be awesome for Qubes.

But it's more likely that it's a single USB controller with 10 ports.

If you do a "lspci" do you see 10 different USB PCI devices? (Well, it
would probably be 20, as each USB bus usually shows up with a USB 1.1 and
a USB 2.0 version.)

Or does "lspci" just show two USB PCI devices (one 1.1, and one 2.0)?

The USB PCI device can have 10 *ports*, and still just be one PCI device,
assignable to only a single Qubes VM.

I have 8 ports (well, 6 after blowing 2 of them on some projects, but
that's another story), which are handled by a single USB PCI device (which
has two presences, one for 1.1 (ohci), one for 2.0 (ehci)).

(I'm rather impressed that the single controller let me blow two ports,
while keeping the others alive. Nice isolation, NVIDIA!):

# lspci
00:02.0 USB controller: NVIDIA Corporation MCP61 USB 1.1 Controller (rev a3)
00:02.1 USB controller: NVIDIA Corporation MCP61 USB 2.0 Controller (rev a3)

"lsusb -t" is also telling:

# lsusb -t
/:  Bus 02.Port 1: Dev 1, Class=root_hub, Driver=ohci-pci/8p, 12M
/:  Bus 01.Port 1: Dev 1, Class=root_hub, Driver=ehci-pci/8p, 480M
    |__ Port 4: Dev 2, If 0, Class=Mass Storage, Driver=usb-storage, xxxM
    |__ Port 6: Dev 3, If 0, Class=Mass Storage, Driver=usb-storage, xxxM
    |__ Port 7: Dev 4, If 0, Class=Mass Storage, Driver=usb-storage, xxxM
    |__ Port 8: Dev 5, If 0, Class=Mass Storage, Driver=usb-storage, xxxM

USB ports are not the same as USB PCI devices/busses. And the only reason
you see two buses in both cases above is because it's a USB 1.1 and USB
2.0 presence of the same single USB controller.

It *may* be possible to assign the 2.0 controller instance (fast hard
drives, thumb drives, etc.) to a given VM, while keeping the slower 1.1
HID instance (keyboard, mouse) in dom0, but I wouldn't count on it. (I
might try that when I get a chance.)

We'd possibly need Andrew or Marek or some other Qubes expert to answer that.

Just get your keyboard/mouse onto PS/2, and then things get a lot simpler
to figure out.

> However I now have another issue...
>
> "Error starting VM 'sys-usb': Requested operation is not valid: PCI device
> 0000:00:1a.0 is in use by driver xenlight, domain sys-usb"
>
> What does this mean?
> It does this for each PCI device. I have removed them 1 by 1 just to
> verify.
>
> Why won't it just assign the device?

Perhaps because you really only have one USB PCI device/bus, and because
two of the ports are tied up in dom0 with your USB keyboard/mouse it wants
to (out of necessity) control them all (well, the one USB controller,
really) and won't let you assign individual ports on the common USB PCI
bus to different VM's??

I've never seen that error, so I'm just guessing; that's a question for
the Qubes dev experts.

I'm actually still running my boot/root drive off of USB until an imminent
reinstall (with btrfs root, yay!), so I'm a bit of a hypocrite singing the
praises of USB VM isolation. As long as my boot/root is on USB, I can't
create a USB VM, despite having a PS/2 keyboard/mouse. Soon... Soon...

Cheers

JJ
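
Added example (not part of the original thread, and not Qubes' own tooling): a shell function that does the lspci / lsusb -t cross-referencing described above directly from sysfs, printing which PCI controller owns each USB bus and whether a HID device (keyboard or mouse) sits on it. The function names, the sample tree and the PCI addresses other than 0000:00:1a.0 are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: which PCI controller owns each USB bus, and does that bus
# carry a HID device (keyboard/mouse)? Reads sysfs; no lspci/lsusb needed.

# usb_controller_map [SYSFS_ROOT]  ->  "<pci-address> bus=<n> hid=<yes|no>"
usb_controller_map() {
    local root="${1:-/sys}" hub pci bus hid ifc
    for hub in "$root"/bus/usb/devices/usb*; do
        [ -e "$hub" ] || continue
        # usbN resolves to .../<pci-address>/usbN; the parent is the controller
        pci=$(basename "$(dirname "$(readlink -f "$hub")")")
        bus=${hub##*/usb}
        hid=no
        # Interface nodes are named <bus>-<port path>:<config>.<interface>
        for ifc in "$root"/bus/usb/devices/"$bus"-*:*; do
            [ -r "$ifc/bInterfaceClass" ] || continue
            if [ "$(cat "$ifc/bInterfaceClass")" = "03" ]; then  # 03 = HID
                hid=yes
            fi
        done
        echo "$pci bus=$bus hid=$hid"
    done
}

# Constructed sample tree (not real hardware, layout simplified) so the
# example runs offline: three controllers, one device each, keyboard on bus 2.
make_sample_sysfs() {
    local d="$1" n=1 pci p
    mkdir -p "$d/bus/usb/devices"
    for pci in 0000:00:1a.0 0000:00:1d.0 0000:03:00.0; do
        p="$d/devices/pci0000:00/$pci/usb$n"
        mkdir -p "$p/$n-1/$n-1:1.0"
        echo 08 > "$p/$n-1/$n-1:1.0/bInterfaceClass"   # 08 = mass storage
        ln -s "$p" "$d/bus/usb/devices/usb$n"
        ln -s "$p/$n-1/$n-1:1.0" "$d/bus/usb/devices/$n-1:1.0"
        n=$((n + 1))
    done
    echo 03 > "$d/devices/pci0000:00/0000:00:1d.0/usb2/2-1/2-1:1.0/bInterfaceClass"
}

demo=$(mktemp -d)
make_sample_sysfs "$demo"
usb_controller_map "$demo"
rm -rf "$demo"
```

On a real dom0, call `usb_controller_map` with no argument; a controller reported with hid=yes is one a USB keyboard or mouse depends on, so it is the one to leave out of the USB VM's PCI assignment.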

Drew White

Sep 28, 2016, 12:55:03 AM
to qubes-users, johny...@sigaint.org
On Wednesday, 28 September 2016 13:27:17 UTC+10, johny...@sigaint.org wrote:
> > Hi JJ,
> >
> > My PC has 10 USB buses.
> > My keyboard and mouse are on bus 10, which is PCI device XXXX.XX.X and I
> > left that one on Dom0.
>
> Are they 10 separate PCI devices, 10 separate USB buses?
>
> I'd be very surprised if that were the case. But also very impressed, and
> wanting such a motherboard for myself. It'd be awesome for Qubes.
>
> But it's more likely that it's a single USB controller with 10 ports.
>
> If you do a "lspci" do you see 10 different USB PCI devices? (Well, it
> would probably be 20, as each USB bus usually shows up with a USB 1.1 and
> a USB 2.0 version.)

I have USB1 and USB2 hubs. (according to lsusb)

> Or does "lspci" just show two USB PCI devices (one 1.1, and one 2.0)?

attached, view it for yourself. :}

in that list though, I only have 1 keyboard and 1 mouse plugged in.
I will do some more with more devices plugged in so you can see where the devices attach to.

I have 2 ports on the back on 1 bus, 2 ports on another.
2 ports on the front on another bus.
I have a PCIE card with 4xUSB3 ports.
I also have 1xUSB Internal (can be used as a boot device, as a Qubes boot device even)
My monitor is plugged into the USB3 card, which has 4 USB ports and a Multimedia card reader in it.

My other 2 USB port monitor is NOT plugged in.
I have 2xUSB3 on the front that aren't plugged in.

lspci.txt
lsusb.txt
usbdevices.txt

Drew White

Sep 28, 2016, 1:06:15 AM
to qubes-users, johny...@sigaint.org
Hi JJ,

Did some more testing, you were right, I only have 3.

I have 2 buses on the motherboard...
I plugged a USB drive into each set to find out which were which.

But that doesn't explain why it isn't working when I even just attach my USB3 card to the USBVM.

That alone should work, but it doesn't.

So this means I should be able to attach the USB3 card, and the 4 other USB to the USBVM, leaving 2 attached to Dom0 for my use.

So why does it have the error?

lsusb.txt

johny...@sigaint.org

Sep 28, 2016, 5:35:44 AM
to qubes-users
> Hi JJ,
>
> Did some more testing, you were right, I only have 3.

Hey, that's still pretty handy for separation.

In Qubes VM Manager, for a chosen VM, you *should* be able to pick a given
PCI USB device and assign it.

Only having one USB bus myself, also used for root, I haven't tried this.

I have a USB PCI card I've been tempted to use for similar reasons. But
once again, it was given to me out of the blue, which doesn't put it in my
"trusted hardware" chain.

Not that *any* USB bus or device should ever be trusted, the main
motivation for us stuffing them in a VM. :)

> I have 2 buses on the motherboard...
> I plugged a USB drive into each set to find out which were which.
>
> But that doesn't explain why it isn't working when I even just attach my
> USB3 card to the USBVM.
>
> That alone should work, but it doesn't.

Agreed, it should work, from my understanding. You reboot after assigning
things?

There's some protection about PCI devices not being allowed to go back to
dom0 for reassignment after use, to protect against potentially
compromised devices then touching dom0 (to DMA-attack away):

https://www.qubes-os.org/doc/user-faq/#i-assigned-a-pci-device-to-a-qube-then-unassigned-itshut-down-the-qube-why-isnt-the-device-available-in-dom0

Not sure if that's relevant or not. I'm over my head with this, and just
guessing, so I probably shouldn't be giving advice, lol.

> So this means I should be able to attach the USB3 card, and the 4 other
> USB to the USBVM, leaving 2 attached to Dom0 for my use.

Makes sense to me. (Again, getting those darn keyboard/mice off of USB
and onto PS/2 certainly wouldn't hurt figuring things out.)

> So why does it have the error?

dmesg have any hints? (Or is that where the error messages you are
seeing are coming from in the first place?)

JJ

Marek Marczykowski-Górecki

Sep 28, 2016, 7:07:47 AM
to Drew White, qubes-users, johny...@sigaint.org
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On Tue, Sep 27, 2016 at 07:59:55PM -0700, Drew White wrote:
> On Wednesday, 28 September 2016 12:46:10 UTC+10, johny...@sigaint.org wrote:
> > Pretty sure the answer is "no." You can assign a whole USB bus (which is
> > typically a single PCI device) to a VM, but you can't split it up beyond
> > that, other than the default of having dom0 relay specific devices to
> > specific VM's (which isn't dom0 USB isolation at all).
> >
> > My mobo has 8 USB ports, but they're all on a single bus, so it's all or
> > nothing.
> >
>
> Hi JJ,
>
> My PC has 10 USB buses.
> My keyboard and mouse are on bus 10, which is PCI device XXXX.XX.X and I left that one on Dom0.
>
> However I now have another issue...
>
> "Error starting VM 'sys-usb': Requested operation is not valid: PCI device 0000:00:1a.0 is in use by driver xenlight, domain sys-usb"

I assume this is after a previous failed sys-usb startup, right? There is
a bug in libvirt where the device is not marked as unused when the VM fails
to start. Workaround: restart the libvirtd service. Close Qubes Manager first.

If you still get an error, take a look here:
https://www.qubes-os.org/doc/user-faq/#i-created-a-usbvm-and-assigned-usb-controllers-to-it-now-the-usbvm-wont-boot

- --
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

Drew White

Sep 28, 2016, 9:23:18 PM
to qubes-users, johny...@sigaint.org
On Wednesday, 28 September 2016 19:35:44 UTC+10, johny...@sigaint.org wrote:
> > Hi JJ,
> >
> > Did some more testing, you were right, I only have 3.
>
> Hey, that's still pretty handy for separation.
>
> In Qubes VM Manager, for a chosen VM, you *should* be able to pick a given
> PCI USB device and assign it.

Yup, I did that, and it fails everything. It says the VM is already using it, but the VM isn't even on to start using it, and so the VM it's assigned to can't start because it's using a device it's got assigned to it. Weird.. lol


> Only having one USB bus myself, also used for root, I haven't tried this.
>
> I have a USB PCI card I've been tempted to use for similar reasons. But
> once again, it was given to me out of the blue, which doesn't put it in my
> "trusted hardware" chain.
>
> Not that *any* USB bus or device should ever be trusted, the main
> motivation for us stuffing them in a VM. :)

It is annoying isn't it?


> > I have 2 buses on the motherboard...
> > I plugged a USB drive into each set to find out which were which.
> >
> > But that doesn't explain why it isn't working when I even just attach my
> > USB3 card to the USBVM.
> >
> > That alone should work, but it doesn't.
>
> Agreed, it should work, from my understanding. You reboot after assigning
> things?

rebooted, rebuilt, checked it wasn't on any other guests..

> There's some protection about PCI devices not being allowed to go back to
> dom0 for reassignment after use, to protect against potentially
> compromised devices then touching dom0 (to DMA-attack away):
>
> https://www.qubes-os.org/doc/user-faq/#i-assigned-a-pci-device-to-a-qube-then-unassigned-itshut-down-the-qube-why-isnt-the-device-available-in-dom0
>
> Not sure if that's relevant or not. I'm over my head with this, and just
> guessing, so I probably shouldn't be giving advice, lol.

Nope, that isn't relevant. Interesting, but not relevant. Thanks. :}


> > So this means I should be able to attach the USB3 card, and the 4 other
> > USB to the USBVM, leaving 2 attached to Dom0 for my use.
>
> Makes sense to me. (Again, getting those darn keyboard/mice off of USB
> and onto PS/2 certainly wouldn't hurt figuring things out.)

It wouldn't change anything.
If I can't assign a PCI-e USB3 4 port card to the VM and have it start... Bit of a problem?


> > So why does it have the error?
>
> dmesg have any hints? (Or is that where the error messages you are
> seeing are coming from in the first place?)

No hints, no tips, no help button.

Drew White

Sep 28, 2016, 9:45:19 PM
to qubes-users, drew....@gmail.com, johny...@sigaint.org
On Wednesday, 28 September 2016 21:07:47 UTC+10, Marek Marczykowski-Górecki wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> On Tue, Sep 27, 2016 at 07:59:55PM -0700, Drew White wrote:
> > On Wednesday, 28 September 2016 12:46:10 UTC+10, johny...@sigaint.org wrote:
> > > Pretty sure the answer is "no." You can assign a whole USB bus (which is
> > > typically a single PCI device) to a VM, but you can't split it up beyond
> > > that, other than the default of having dom0 relay specific devices to
> > > specific VM's (which isn't dom0 USB isolation at all).
> > >
> > > My mobo has 8 USB ports, but they're all on a single bus, so it's all or
> > > nothing.
> > >
> >
> > Hi JJ,
> >
> > My PC has 10 USB buses.
> > My keyboard and mouse are on bus 10, which is PCI device XXXX.XX.X and I left that one on Dom0.
> >
> > However I now have another issue...
> >
> > "Error starting VM 'sys-usb': Requested operation is not valid: PCI device 0000:00:1a.0 is in use by driver xenlight, domain sys-usb"
>
> I assume this is after a previous failed sys-usb startup, right? There is
> a bug in libvirt where the device is not marked as unused when the VM fails
> to start. Workaround: restart the libvirtd service. Close Qubes Manager first.
> If you still get an error, take a look here:
> https://www.qubes-os.org/doc/user-faq/#i-created-a-usbvm-and-assigned-usb-controllers-to-it-now-the-usbvm-wont-boot

That appears to have resolved the problem, thanks Marek.

As for doing the pci strict reset to false, they are being assigned to a container, so that's good, they won't be available to dom0.
How do I assign them and deassign them from Dom0 before the system boots?

Drew White

Sep 28, 2016, 9:48:04 PM
to qubes-users, drew....@gmail.com, johny...@sigaint.org
Is there any way to assign just one specific USB port to a specific VM?

Or assign a storage device to a guest AS a USB device not a physical device?
