QubesOS / qubes-issues

The Qubes OS Project issue tracker
https://www.qubes-os.org/doc/issue-tracking/

Got locked out, unable to type boot password etc. because method of finding usb controller address in documentation was wrong (in my case) #7711

Open qubesbugreport opened 2 years ago

qubesbugreport commented 2 years ago

Qubes OS release

4.1.1

Brief summary

I tried to follow the instructions for setting up a sys-usb vm while having one usb controller for dom0 (mouse and keyboard) and another one that sys-usb should use.

The method given at https://www.qubes-os.org/doc/how-to-use-usb-devices/ for finding the address of the dom0 controller to be "whitelisted" using the readlink ... command resulted in a wrong address in my case, leading to the whitelisting not working and getting locked out, also unable to enter the password at boot. I had to boot using a live system and disable the usb related options in the grub config to regain access to the system.

Then I saw that when I open a vm's settings in the qubes manager and go on the devices tab, the address shown there for the controller is different. So I tried using that in the boot options instead and now everything works as it should. Dom0 gets the controller for mouse and keyboard and the other one is available for sys-usb.

I would suggest adding a note to the documentation that the readlink method can (sometimes?) result in a wrong address and the one from qubes manager should be used instead.

unman commented 2 years ago

On Wed, Aug 24, 2022 at 11:50:13PM -0700, qubesbugreport wrote:

> Qubes OS release
>
> 4.1.1
>
> Brief summary
>
> I tried to follow the instructions for setting up a sys-usb vm while having one usb controller for dom0 (mouse and keyboard) and another one that sys-usb should use.
>
> The method given at https://www.qubes-os.org/doc/how-to-use-usb-devices/ for finding the address of the dom0 controller to be "whitelisted" using the readlink ... command resulted in a wrong address in my case, leading to the whitelisting not working and getting locked out, also unable to enter the password at boot. I had to boot using a live system and disable the usb related options in the grub config to regain access to the system.
>
> Then I saw that when I open a vm's settings in the qubes manager and go on the devices tab, the address shown there for the controller is different. So I tried using that in the boot options instead and now everything works as it should. Dom0 gets the controller for mouse and keyboard and the other one is available for sys-usb.
>
> I would suggest adding a note to the documentation that the readlink method can (sometimes?) result in a wrong address and the one from qubes manager should be used instead.

Can you not provide more information? What did readlink output? What was the "correct" address? What was the "incorrect" address? Does the readlink method still give you incorrect information? (Absent that I strongly suspect user error.)

qubesbugreport commented 2 years ago

OK, I will try.

As I have a USB mouse and keyboard and wanted to set up a sys-usb qube, I read the documentation (https://www.qubes-os.org/doc/usb-qubes/) and noticed that I need a second USB controller for dom0. So I ordered a PCIe USB 3.0 card with 2 ports and put it in my PC. I made sure to order one that should work with Linux, and it did without having to install any additional drivers or anything. I plugged my keyboard and mouse into that and everything else remained on the mainboard USB controller.

Then as per doc I ran `lsusb` and it was showing that the devices plugged into the new controller are on bus 3, coincidentally just like the example. So I also ran `readlink /sys/bus/usb/devices/usb3`

Now with the working configuration already set the devices are shown as bus 1 instead, so I can give the output of `readlink /sys/bus/usb/devices/usb1` instead, which is: `../../../devices/pci0000:00/0000:00:1c.0/0000:01:00.0/usb1`

I am 99.99% sure that before it was the same, just of course usb3 at the end instead of usb1.

The instructions say "Now you see the path and the text between /pci0000:00/0000: and /usb3 i.e. 00:1a.0 is the BDF address."

Since my readlink output format is a bit different than the example given in the doc, following that literally would leave me with something (seemingly) obviously not a valid address by itself: 00:1c.0/0000:01:00.0

So I thought that the correct address would be the part in the beginning: "00:1c.0" because it looks similar to the example in the doc: "00:1a.0". Actually since now I already know the correct answer which is "01:00.0" the part at the end would have been correct, if that is the part showing the address and not just equivalent by coincidence. But not knowing that beforehand and trying to just follow the instructions led me to the wrong result. So maybe it could also work to say that the correct address is the part at the end?

So it's not necessarily that readlink gives incorrect information but that the documentation was insufficient for me as the reader to reliably determine which part of it is the address to use.

When looking in the qubes manager in the settings for any vm and then going to devices, the address for the added controller was also shown as "01:00.0" and the address for the internal one is something different. The "00:1c.0" is actually a PCI bridge.

So either saying to look in qubes manager or that the correct address is at the end of the readlink output would have worked for me. Or why not just say that both are possible to find the address...
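Added example, not part of the thread or of the Qubes documentation: the sysfs path that `readlink` prints lists every PCI device between the root and the USB bus, so the host controller is the last PCI component before `/usbN` and anything earlier is a bridge. The function names `usb_controller_bdf` and `usb_path_bridges` are hypothetical; the sample path is the one quoted in the comment above.

```shell
#!/bin/sh
# Added example (hypothetical helper names, not from the Qubes docs).
# Input: a sysfs path as printed by `readlink /sys/bus/usb/devices/usbN`.

# Print the BDF of the USB host controller: the LAST PCI component
# before /usbN. Earlier PCI components are bridges, not the controller.
usb_controller_bdf() {
    path=$1
    case $path in
        */usb[0-9]*) parent=${path%/usb[0-9]*} ;;   # drop trailing /usbN
        *) echo "not a USB bus path: $path" >&2; return 1 ;;
    esac
    last=${parent##*/}
    # Expect domain:bus:device.function, e.g. 0000:01:00.0
    if printf '%s\n' "$last" |
        grep -Eq '^[0-9a-fA-F]{4}:[0-9a-fA-F]{2}:[0-9a-fA-F]{2}\.[0-7]$'
    then
        printf '%s\n' "${last#*:}"                  # strip the 4-digit domain
    else
        # e.g. a platform (non-PCI) controller: nothing usable as a BDF
        echo "no PCI address directly before usbN in: $path" >&2
        return 1
    fi
}

# Print the BDFs of PCI bridges the controller sits behind (may be empty).
# These are the addresses that must NOT be used for the controller.
usb_path_bridges() {
    ctrl=$(usb_controller_bdf "$1") || return 1
    printf '%s\n' "$1" | tr '/' '\n' |
        grep -E '^[0-9a-fA-F]{4}:[0-9a-fA-F]{2}:[0-9a-fA-F]{2}\.[0-7]$' |
        sed 's/^[0-9a-fA-F]*://' | grep -vx "$ctrl" || :
}

# Path quoted in this thread: bridge 00:1c.0, controller 01:00.0.
sample='../../../devices/pci0000:00/0000:00:1c.0/0000:01:00.0/usb1'
echo "controller: $(usb_controller_bdf "$sample")"
echo "bridges:    $(usb_path_bridges "$sample")"
```

On a live system the argument would be `"$(readlink /sys/bus/usb/devices/usb1)"`; comparing the result against the address shown in the Devices tab before editing boot options gives a second check.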

unman commented 2 years ago

Thanks for that very detailed explanation, which makes it very clear what change would be needed in the docs.

The documentation is a community effort, and everyone is welcome to contribute. (That's how things like this get updated!) So, if you'd like to get involved with the project, this is a great way to do it. You can read more about how to submit documentation changes here:

https://www.qubes-os.org/doc/how-to-edit-the-documentation/

You may also be interested in the documentation style guide:

https://www.qubes-os.org/doc/documentation-style-guide/

qubesbugreport commented 2 years ago

Submitted the pull request https://github.com/QubesOS/qubes-doc/pull/1265

If the changes are acceptable for you, the issue can be closed.