Qubes OS is highly regarded for its security because it compartmentalizes your work into isolated virtual machines (qubes), so that a compromise of one qube, whether by malware, ransomware or a malicious peripheral, does not spread to the rest of the system. This page explains how to create a USB qube (conventionally named sys-usb) so that untrusted USB devices are handled away from dom0, and how to attach USB drives and other USB devices to the qubes that need them.
How to create a USB qube and use USB devices safely in Qubes OS
Connecting untrusted USB devices to dom0 poses security risks. Dom0, like most operating systems, automatically reads partition tables, and its USB stack parses whatever data the device presents in order to determine whether it is a USB storage device, read its configuration, and so on. This happens even if the drive is intended to be mounted in a different qube.
To mitigate this risk, you can create a USB qube.
A USB qube acts as a secure handler for potentially malicious USB devices, preventing them from interacting with dom0 (where a compromise would affect the whole system).
With a USB qube, each time you plug an untrusted USB drive into a port managed by the USB controller assigned to it, you must attach that drive to the qube in which you want to use it, using the Qubes VM Manager or the command line. You can create a USB qube automatically with the Salt formula shipped with Qubes by running the following as root in dom0:
1. Enable the sys-usb Salt state:
qubesctl top.enable qvm.sys-usb
2. Apply the configuration:
qubesctl state.highstate
Alternatively, you can create a USB qube manually by following the steps below:
Step 1: List and identify your USB controllers (the Qubes documentation on assigning PCI devices to a VM explains how; in dom0, qvm-pci lists the PCI devices).
Carefully check whether your USB controller is suitable for assignment to a USB qube.
Note that any input device (keyboard, mouse), programmable device or other device connected to that controller will no longer be directly accessible to dom0. If you find a suitable controller, note its name and proceed to step 2.
Step 2: Create a new qube. Give it a name and choose a color (the name sys-usb and the color red are recommended). If you also need to attach a network device to it, create a NetVM; otherwise an AppVM is more practical. (By default, sys-usb is created as a NetVM.)
Step 3: In the qube's settings, go to the Devices tab. Find the USB controller identified in step 1 in the Available list and move it to the Selected list.
Note: Once a USB controller is assigned to a USB qube, it is no longer available to dom0. This can render your system unusable, for example if you have only one USB controller and you are running Qubes from a USB drive, or if your only keyboard hangs off that controller.
Step 4: Click OK and restart the qube.
Step 5 (tip): Tick Start VM automatically on boot on the Basic tab. This narrows the window for an attack in which someone forces the system to reboot and then plugs in a malicious USB device before the USB qube is running.
How to hide all USB controllers from dom0
If you create a USB qube manually, there is a brief period during boot in which dom0 still interacts with the USB controllers (and any devices plugged into them).
This is a security risk, because even a brief exposure to a malicious USB device can compromise dom0. There are two ways to address it:
- Disconnect all USB devices whenever you reboot the machine.
- Hide (i.e., blacklist) all USB controllers from dom0.
Warning: If you use a USB AEM (Anti Evil Maid) device, do not use the second option. A USB AEM device requires dom0 to have access to the USB controller it is attached to; if dom0 cannot read the AEM device, AEM will hang.
Follow the steps below to hide all USB controllers from dom0:
Step 1: Open the file /etc/default/grub in dom0.
Step 2: Find the line starting with GRUB_CMDLINE_LINUX.
Step 3: Add rd.qubes.hide_all_usb to the quoted kernel parameters on that line (leave the existing parameters in place).
Step 4: Save and close the file.
Step 5: Run grub2-mkconfig -o /boot/grub2/grub.cfg in dom0.
Step 6: Reboot.
(Note: Starting with R3.2, rd.qubes.hide_all_usb is set automatically if you choose to create a USB qube during installation, and also when you create one with the qubesctl method above.)
Warning: If USB controllers are hidden from dom0, you will not be able to use a USB keyboard to enter the disk passphrase at boot.
Before hiding USB controllers, make sure your laptop keyboard is not internally wired over USB (check the output of lsusb), or use a PS/2 keyboard on a desktop. Otherwise your system will become unusable.
Removing a USB qube
Warning: After this operation, the USB controllers will be attached directly to dom0 again.
Step 1: Shut down the USB qube.
Step 2: In Qubes Manager, right-click the USB qube and select Remove VM.
Step 3: Open the file /etc/default/grub in dom0.
Step 4: Find the line starting with GRUB_CMDLINE_LINUX.
Step 5: If rd.qubes.hide_all_usb appears on that line, remove that option only (not the whole line: the rest of the kernel command line must stay).
Step 6: Save and close the file.
Step 7: Run grub2-mkconfig -o /boot/grub2/grub.cfg in dom0.
Step 8: Reboot your system.
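Both GRUB procedures above (adding the option to hide USB controllers, and taking it out again when the USB qube is removed) edit the same GRUB_CMDLINE_LINUX line, and the common mistake is to delete the whole line or duplicate the option. The following is an added example, not code from the Qubes project: it toggles rd.qubes.hide_all_usb as one parameter among the others on that line, refuses to add it twice, and includes the lsusb keyboard check from the warning above as a helper that reads lsusb output from stdin. It assumes the double-quoted GRUB_CMDLINE_LINUX="..." form used by the Fedora-based dom0; the file path is a parameter so you can try it on a copy before touching /etc/default/grub, and running grub2-mkconfig afterwards is still up to you.

```shell
#!/bin/sh
# Added example (not the Qubes project's code): toggle rd.qubes.hide_all_usb on
# the GRUB_CMDLINE_LINUX line of a grub defaults file without disturbing the
# other kernel parameters on that line. Assumes the double-quoted
# GRUB_CMDLINE_LINUX="..." form of the dom0 /etc/default/grub. The file path
# is a parameter so the functions can be exercised on a scratch copy first.

OPT='rd.qubes.hide_all_usb'

# _edit_cmdline FILE add|remove: rewrite the GRUB_CMDLINE_LINUX value as a
# list of parameters, adding OPT once or dropping every occurrence of it.
_edit_cmdline() {
    f=$1; mode=$2
    tmp=$(mktemp) || return 1
    awk -v opt="$OPT" -v mode="$mode" '
        /^GRUB_CMDLINE_LINUX=/ {
            val = $0
            sub(/^GRUB_CMDLINE_LINUX="/, "", val)
            sub(/"$/, "", val)
            n = split(val, parts, " ")
            out = ""; found = 0
            for (i = 1; i <= n; i++) {
                if (parts[i] == opt) { found = 1; if (mode == "remove") continue }
                out = (out == "" ? parts[i] : out " " parts[i])
            }
            if (mode == "add" && !found) out = (out == "" ? opt : out " " opt)
            $0 = "GRUB_CMDLINE_LINUX=\"" out "\""
        }
        { print }
    ' "$f" > "$tmp" && cat "$tmp" > "$f"   # cat (not mv) keeps the file's mode/owner
    rc=$?
    rm -f "$tmp"
    return $rc
}

hide_usb_from_dom0()   { _edit_cmdline "$1" add; }     # step 3 of the hide procedure
unhide_usb_from_dom0() { _edit_cmdline "$1" remove; }  # step 5 of the removal procedure

# cmdline_value FILE: print the current GRUB_CMDLINE_LINUX value.
cmdline_value() {
    sed -n 's/^GRUB_CMDLINE_LINUX="\(.*\)"$/\1/p' "$1"
}

# usb_hidden_from_dom0 FILE: succeed if OPT is present as a whole parameter.
usb_hidden_from_dom0() {
    grep -Eq "^GRUB_CMDLINE_LINUX=\"([^\"]* )?$OPT( [^\"]*)?\"" "$1"
}

# usb_keyboard_present: read `lsusb` output on stdin and succeed if a device
# calls itself a keyboard. Heuristic only (the product string is optional);
# for certainty inspect `lsusb -v` for HID interfaces with bInterfaceProtocol 1.
usb_keyboard_present() {
    grep -qi 'keyboard'
}

# Demo on a constructed sample file, never on the real /etc/default/grub.
demo=$(mktemp)
printf 'GRUB_TIMEOUT=5\nGRUB_CMDLINE_LINUX="quiet rhgb"\n' > "$demo"
hide_usb_from_dom0 "$demo"
hide_usb_from_dom0 "$demo"                      # second call is a no-op
echo "hidden:   $(cmdline_value "$demo")"        # quiet rhgb rd.qubes.hide_all_usb
unhide_usb_from_dom0 "$demo"
echo "restored: $(cmdline_value "$demo")"        # quiet rhgb
rm -f "$demo"
```

Run usb_keyboard_present with `lsusb | usb_keyboard_present` before calling hide_usb_from_dom0 on the real file; if it succeeds, your keyboard is on USB and hiding the controllers will lock you out of the passphrase prompt.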
Security warning about USB input devices
If you connect USB input devices (keyboard and mouse) to a VM, that VM gains effective control over your system. Besides controlling it, such a VM can also see everything you type through it (for example passwords entered on a USB keyboard).
There is no way to prevent the VM from seeing the input it forwards, but you can make exploiting that access harder.
If only a USB mouse is connected to the USB qube while the keyboard is connected directly to dom0 (e.g. via a PS/2 connector), simply lock your screen whenever you step away. Locking the screen protects the data on the machine without interrupting your running work.
Do this every time you step away, even if nobody else can physically reach your computer: it protects not only against other users but also against 'actions' a compromised USB qube could perform through the mouse.
If your keyboard is also connected to the USB qube, things are much harder. Locking the screen with an ordinary password does not help, because the USB qube can sniff that password and unlock the screen itself.
The solution is a screen lock that requires an additional factor to unlock (two-factor authentication), for example a YubiKey.
Using a USB keyboard
Note: Read the security warning about USB input devices carefully before proceeding.
To use a USB keyboard, first attach it to the USB qube, then allow the USB qube to pass keyboard input to dom0. Edit the qubes.InputKeyboard policy file in dom0, located at:
/etc/qubes-rpc/policy/qubes.InputKeyboard
Add a line like the following at the top of the file:
sys-usb dom0 allow,user=root
Change sys-usb to the name of your USB qube. (The keyboard rule uses allow rather than ask because a prompt cannot be answered from a keyboard that is not yet forwarded; use ask only if you have another working input device.)
You can now use the USB keyboard.
Using a USB mouse
Note: Read the security warning about USB input devices before proceeding.
To use a USB mouse, first attach it to the USB qube, then allow the USB qube to pass mouse input to dom0. Edit the qubes.InputMouse policy file in dom0, located at:
/etc/qubes-rpc/policy/qubes.InputMouse
Add a line like the following at the top of the file:
sys-usb dom0 ask,user=root
Change sys-usb to the name of your USB qube. With ask, dom0 prompts you before accepting the mouse; replace ask with allow to skip the prompt.
You can now use the USB mouse. If the mouse is not recognized, check that it is attached to the USB qube (qvm-usb in dom0) and that your policy line sits above any deny rule in the file, since the first matching rule wins.
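The keyboard and mouse procedures above both come down to one detail that is easy to get wrong: the policy line must be the first match, i.e. above the catch-all deny that the file usually ends with. The following added example (not the Qubes project's code) edits a policy file in the legacy /etc/qubes-rpc/policy format shown on this page, prepends the grant only if no rule for that source qube already exists, and resolves what action a given qube would get, so you can check the file before rebooting or replugging anything. It assumes a file of whitespace-separated "source target action" lines with # comments; Qubes R4.1 and later use a different policy format under /etc/qubes/policy.d, which this example does not cover.

```shell
#!/bin/sh
# Added example (not the Qubes project's code): edit a legacy-format qrexec
# policy file such as /etc/qubes-rpc/policy/qubes.InputKeyboard. Rules are
# evaluated top to bottom and the first match wins, so the grant has to sit
# above any "$anyvm $anyvm deny" catch-all. The file path is a parameter so
# the functions can be tried on a scratch copy before touching dom0.

# rule_for FILE SRC: print the existing rule whose source is exactly SRC and
# whose target is dom0 (empty if none). Keeps grant_input idempotent.
rule_for() {
    awk -v src="$2" '$1 == src && $2 == "dom0" { print; exit }' "$1"
}

# grant_input FILE SRC allow|ask: prepend "SRC dom0 ACTION,user=root" unless a
# SRC -> dom0 rule already exists. Qube names are taken literally.
grant_input() {
    f=$1; src=$2; action=$3
    case $action in
        allow|ask) ;;
        *) echo "grant_input: action must be allow or ask, got '$action'" >&2; return 2 ;;
    esac
    [ -n "$(rule_for "$f" "$src")" ] && return 0
    tmp=$(mktemp) || return 1
    { printf '%s dom0 %s,user=root\n' "$src" "$action"; cat "$f"; } > "$tmp" \
        && cat "$tmp" > "$f"                 # cat (not mv) keeps the file's mode/owner
    rc=$?
    rm -f "$tmp"
    return $rc
}

# effective_action FILE SRC: print the action (allow/ask/deny) the first
# matching rule gives to SRC -> dom0, as qrexec would resolve it for a literal
# qube name or $anyvm (other $-tags are ignored in this simplified model).
effective_action() {
    awk -v src="$2" '
        /^[ \t]*(#|$)/ { next }                              # skip comments and blanks
        ($1 == src || $1 == "$anyvm") && ($2 == "dom0" || $2 == "$anyvm") {
            split($3, a, ","); print a[1]; exit              # drop ",user=root"
        }
    ' "$1"
}

# Demo on a constructed file resembling the shipped default (deny everything).
demo=$(mktemp)
printf '## qubes.InputKeyboard policy (constructed sample)\n$anyvm $anyvm deny\n' > "$demo"
grant_input "$demo" sys-usb allow
grant_input "$demo" sys-usb ask              # no-op: a sys-usb rule already exists
echo "sys-usb -> $(effective_action "$demo" sys-usb)"   # allow
echo "work    -> $(effective_action "$demo" work)"      # deny
rm -f "$demo"
```

Because grant_input refuses to add a second rule for the same source, changing allow to ask (or back) means editing the existing line rather than calling it again; effective_action is the quick way to confirm which rule actually applies after such an edit.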
How to attach a USB drive
(Note: On this page, 'USB drive' means any USB storage device.)
Qubes OS lets you attach a USB drive (or one or more of its partitions) to any qube, regardless of which qube holds the USB controller. (USB controllers can be assigned on the Devices tab of a qube's settings in Qubes VM Manager, or with the qvm-pci command.)
Attaching a USB drive is integrated into the Qubes VM Manager GUI. Plug in the drive, right-click the desired qube in the Qubes VM Manager list, select Attach/detach block devices, and pick the action and device. This only works for whole devices; to attach individual partitions, use the command-line tool.
The qvm-block command-line tool attaches a USB drive, or one of its partitions, to a qube:
Step 1: Plug in your USB drive.
Step 2: In a dom0 terminal (as a regular user), list all available block devices:
qvm-block -l
This lists every block device connected to any USB controller in your system, whichever qube holds that controller. The name of the qube holding the controller appears before the colon; the string after the colon is the device name inside that qube, for example:
dom0:sdb1 Cruzer () 4GiB
usbVM:sdb1 Disk () 2GiB
Note: If your device is not listed, refresh the list by running the following inside the qube the device is connected to:
sudo udevadm trigger --action=change
Step 3: Assuming the drive is connected to dom0 and named sdb, attach it to a qube (here, personal) by device name:
qvm-block -a personal dom0:sdb
The device appears inside the qube as /dev/xvdi if that name is free, otherwise as /dev/xvdj, and so on.
To attach a single partition instead, append the partition number to the device name (e.g. dom0:sdb1).
Warning: Qubes does not stop you from attaching the same storage to several qubes, e.g. sdb1 to one qube and the whole sdb to another. Two qubes writing to the same filesystem will corrupt it, so avoid overlapping attachments.
Step 4: The USB drive is now attached to the qube. In a default qube, open Nautilus and the device appears in the Devices panel on the left.
Step 5: When you are done with the drive, click the eject button or right-click the device and select Unmount.
Step 6: Detach the drive from the dom0 terminal, either by device name:
qvm-block -d dom0:sdb
or by qube name:
qvm-block -d personal
Step 7: The device is now detached.
Warning: Do not unplug the device before detaching it from the VM.
If the device does not appear in Nautilus, mount it manually.
It appears as /dev/xvdi (or /dev/xvdj if one other device is already attached, /dev/xvdk if two are, and so on).
What happens if you unplug the device before detaching it?
Currently (until Qubes issue #1082 is resolved), if you unplug the device before detaching it from the qube, Qubes (specifically libvirtd) still believes it is attached and will refuse to attach another device under the same name.
The simplest recovery is to restart the qube to which the device was attached. If that is not an option, follow these steps:
Step 1: Reconnect the device. Any device will do, as long as it is detected under the same name (e.g. sdb).
Step 2: Manually attach it to the same VM with xl block-attach. It is important to use the same 'frontend' device name (xvdi by default), which you can read from the qvm-block listing:
[user@dom0 ~]$ qvm-block
sys-usb:sda DataTraveler_2.0 () 246 MiB (attached to 'testvm' as 'xvdi')
[user@dom0 ~]$ xl block-attach testvm phy:/dev/sda backend=sys-usb xvdi
In the example above, the xl block-attach parameters are taken from the qvm-block output, in order:
- testvm: the name of the qube the device was attached to (shown in parentheses in the qvm-block output)
- phy:/dev/sda: the path of the device in the source qube (the part after the source qube's name in the qvm-block output)
- backend=sys-usb: the name of the source qube; can be omitted when the source is dom0
- xvdi: the 'frontend' device name (shown at the end of the qvm-block output)
Step 3: Detach the device properly, using Qubes VM Manager or qvm-block -d.
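The recovery step above is a mechanical translation of one qvm-block line into an xl block-attach command, and getting any of the four fields wrong (especially the frontend name) leaves the stale attachment in place. The following added example, which is not the Qubes project's code, does that translation for every attached device in a listing so the commands can be reviewed before running them in dom0. It assumes only the R3.2-style line format shown on this page ("source:dev label (extra) size (attached to 'vm' as 'frontend')") and does not talk to Xen itself; the listing it runs on is a constructed sample.

```shell
#!/bin/sh
# Added example (not the Qubes project's code): rebuild the xl block-attach
# command from R3.2-style `qvm-block` output lines, for the recovery steps
# above. Only the line format shown on this page is assumed:
#   <source>:<dev> <label> (<extra>) <size> (attached to '<vm>' as '<frontend>')
# Nothing here talks to Xen: the command is printed so it can be reviewed
# before being run in dom0.

# recovery_command "<qvm-block line>": print the xl block-attach command for
# one listing line. backend= is omitted when the source is dom0 (xl's
# default). Fails, printing nothing, if the line has no "attached to" note,
# because then there is no stale attachment to re-create.
recovery_command() {
    line=$1
    case $line in
        *"(attached to '"*"' as '"*"')"*) ;;
        *) return 1 ;;
    esac
    src=${line%%:*}                          # text before the first colon
    rest=${line#*:}
    dev=${rest%% *}                          # first token after the colon
    note=${line##*"(attached to '"}          # testvm' as 'xvdi')
    vm=${note%%"'"*}                         # testvm
    fe=${note##*" as '"}                     # xvdi')
    fe=${fe%%"'"*}                           # xvdi
    if [ "$src" = dom0 ]; then
        printf 'xl block-attach %s phy:/dev/%s %s\n' "$vm" "$dev" "$fe"
    else
        printf 'xl block-attach %s phy:/dev/%s backend=%s %s\n' "$vm" "$dev" "$src" "$fe"
    fi
}

# stale_attachments: read a whole `qvm-block` listing on stdin and print one
# recovery command per attached device, skipping unattached ones.
stale_attachments() {
    while IFS= read -r l; do
        recovery_command "$l" || true
    done
}

# Demo on a constructed listing (not real dom0 output).
printf '%s\n' \
  "sys-usb:sda DataTraveler_2.0 () 246 MiB (attached to 'testvm' as 'xvdi')" \
  "dom0:sdb1 Cruzer () 4 GiB (attached to 'personal' as 'xvdj')" \
  "sys-usb:sdc Disk () 2 GiB" | stale_attachments
# xl block-attach testvm phy:/dev/sda backend=sys-usb xvdi
# xl block-attach personal phy:/dev/sdb1 xvdj
```

In dom0 the real listing would be piped in with `qvm-block | stale_attachments`; each printed command must still be followed by a proper `qvm-block -d` detach, as step 3 says, or the stale entry simply comes back.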
Attaching a USB device to a qube (USB passthrough)
Since Qubes 3.2 you can attach individual USB devices to any qube. This is useful but carries significant risk, because the target qube receives the device's raw USB traffic, so prefer the device-specific methods (e.g. block devices, as above) over generic passthrough wherever one exists.
To use this feature, install the qubes-usb-proxy package in the templates used by both the USB qube and the qube you want to connect the device to.
Note that devices cannot be passed from dom0 (in other words, a USB qube is mandatory).
List the available USB devices:
[user@dom0 ~]$ qvm-usb
sys-usb:2-4 04ca:300d 04ca_300d
sys-usb:2-5 058f:3822 058f_USB_2.0_Camera
sys-usb:2-1 03f0:0641 PixArt_HP_X1200_USB_Optical_Mouse
Attach a specific USB device:
[user@dom0 ~]$ qvm-usb -a conferences sys-usb:2-5
[user@dom0 ~]$ qvm-usb
conferences:2-1 058f:3822 058f_USB_2.0_Camera
sys-usb:2-4 04ca:300d 04ca_300d
sys-usb:2-5 058f:3822 058f_USB_2.0_Camera (attached to conferences)
sys-usb:2-1 03f0:0641 PixArt_HP_X1200_USB_Optical_Mouse
You can now use the USB device (here, the camera) in the conferences qube.
When you are done, detach the device:
[user@dom0 ~]$ qvm-usb -d sys-usb:2-5
[user@dom0 ~]$ qvm-usb
sys-usb:2-4 04ca:300d 04ca_300d
sys-usb:2-5 058f:3822 058f_USB_2.0_Camera
sys-usb:2-1 03f0:0641 PixArt_HP_X1200_USB_Optical_Mouse
This feature is not available in Qubes Manager.
Note that a USB qube has nothing to do with general-purpose bootable-USB creation tools such as Grub4dos or Hiren's BootCD, which are aimed at installing, cloning ('ghosting') or troubleshooting Windows; those tools are outside the scope of this page.