XCP-ng

    USB Passthrough has stopped working after update and updating usb-policy.conf

    • techjeff

      Hello,

      As always, I am grateful for such an awesome open-source solution! Thank you all!

      Asking regarding my home lab -- I have a VM whose disk is located on my master host's local storage and I've been using USB passthrough to pass a Yubikey to the VM.

      I know that in the past, after an update, I often had to update /etc/xensource/usb-policy.conf to allow my YubiKey, reboot the host, then run xe pusb-scan host-uuid=<host-uuid> before I could configure passthrough of my yubikey.

      I installed updates the other day, but as the weather was hot and I wasn't using my homelab, I shut everything down before any of my TLS certificates expired, so I didn't notice that the usb-policy.conf file had been overwritten by the update (I know that this is to be expected).

      Today, I booted up my system and noticed the usb-policy.conf file had been overwritten during the update, so I backed up /etc/xensource/usb-policy.conf, then added the line plus comments that have historically allowed my YubiKey to be passed through.

      Original /etc/xensource/usb-policy.conf:

      # When you change this file, run 'xe pusb-scan' to confirm
      # the file can be parsed correctly.
      #
      # Syntax is an ordered list of case insensitive rules where # is line comment
      #  and each rule is (ALLOW | DENY) : ( match )*
      #  and each match is (class|subclass|prot|vid|pid|rel) = hex-number
      # Maximum hex value for class/subclass/prot is FF, and for vid/pid/rel is FFFF
      #
      # USB Hubs (class 09) are always denied, independently of the rules in this file
      DENY: vid=17e9 # All DisplayLink USB displays
      DENY: class=02 # Communications and CDC-Control
      ALLOW:vid=056a pid=0315 class=03 # Wacom Intuos tablet
      ALLOW:vid=056a pid=0314 class=03 # Wacom Intuos tablet
      ALLOW:vid=056a pid=00fb class=03 # Wacom DTU tablet
      DENY: class=03 subclass=01 prot=01 # HID Boot keyboards
      DENY: class=03 subclass=01 prot=02 # HID Boot mice
      DENY: class=0a # CDC-Data
      DENY: class=0b # Smartcard
      DENY: class=e0 # Wireless controller
      DENY: class=ef subclass=04 # Miscellaneous network devices
      ALLOW: # Otherwise allow everything else
      

      Updated /etc/xensource/usb-policy.conf

      # When you change this file, run 'xe pusb-scan' to confirm
      # the file can be parsed correctly.
      #
      # Syntax is an ordered list of case insensitive rules where # is line comment
      #  and each rule is (ALLOW | DENY) : ( match )*
      #  and each match is (class|subclass|prot|vid|pid|rel) = hex-number
      # Maximum hex value for class/subclass/prot is FF, and for vid/pid/rel is FFFF
      #
      # USB Hubs (class 09) are always denied, independently of the rules in this file
      DENY: vid=17e9 # All DisplayLink USB displays
      DENY: class=02 # Communications and CDC-Control
      ALLOW:vid=056a pid=0315 class=03 # Wacom Intuos tablet
      ALLOW:vid=056a pid=0314 class=03 # Wacom Intuos tablet
      ALLOW:vid=056a pid=00fb class=03 # Wacom DTU tablet
      DENY: class=03 subclass=01 prot=01 # HID Boot keyboards
      DENY: class=03 subclass=01 prot=02 # HID Boot mice
      DENY: class=0a # CDC-Data
      DENY: class=0b # Smartcard
      DENY: class=e0 # Wireless controller
      DENY: class=ef subclass=04 # Miscellaneous network devices
      
      ### Jeff
      # YubiKey 5 FIPS Series PID 0x0407 - YubiKey OTP+FIDO+CCID
      ALLOW: VID=1050 PID=0407
      
      ALLOW: # Otherwise allow everything else
      

      Today, however, the YubiKey won't show up as a PUSB device when viewing the host's advanced tab, nor is it in the list of available devices when I attempt to create a VUSB for my VM.

      I have rebooted the system, I have run xe pusb-scan host-uuid=... for the appropriate host, I have physically disconnected and reconnected the YubiKey, I have powered down the host, then powered back on, but running xe pusb-list doesn't show the yubikey and I can't select it for passthrough.

      When I run lsusb I do see the YubiKey listed (though it detects it as a Yubikey 4 series instead of 5 series. Can't recall whether that's consistent with past behavior).

      [14:03 xcp-ng-4 ~]# lsusb
      Bus 002 Device 004: ID 1050:0407 Yubico.com Yubikey 4 OTP+U2F+CCID
      Bus 002 Device 005: ID 413c:2113 Dell Computer Corp. 
      Bus 002 Device 003: ID 0557:8021 ATEN International Co., Ltd Hub
      Bus 002 Device 002: ID 8087:0024 Intel Corp. Integrated Rate Matching Hub
      Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
      Bus 001 Device 003: ID 0557:2221 ATEN International Co., Ltd Winbond Hermon
      Bus 001 Device 002: ID 8087:0024 Intel Corp. Integrated Rate Matching Hub
      Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
      [14:03 xcp-ng-4 ~]# 
      

      Is there anything I'm missing? Any suggestions for where to look or what to check?

      Thank you!

      • knightjoel

        Hello. I had a similar issue which I solved by adding my ALLOW line to the top of the list in the usb-policy.conf file. I didn't deep dive to find out why this was necessary in my case. Worth a try in your case as well.

        .joel

        • techjeff @knightjoel

          @knightjoel Thanks for the suggestion. Since my original message, I've tried moving my allow rule to the top, before any Deny rules, and after any deny rules. I even tried experimenting with commenting out all of the deny rules to see if any of those would make a difference; unfortunately, none of them made a difference.

          I've tried simply saving the file then initiating an xe pusb-scan on the host. I also tried rebooting to see if that would have an effect, but it doesn't seem to.

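An added example, not part of the thread and not XCP-ng's own code: a small evaluator for the rule syntax described in the header comment of usb-policy.conf, useful for checking offline which rule a given set of attributes hits first when rules are reordered. It assumes first-match-wins over the ordered list and a default of deny when nothing matches; the attribute sets are constructed, and the host's real scanner may treat devices and interfaces differently.

```python
import re

# Limits from the file's header comment: class/subclass/prot <= FF, vid/pid/rel <= FFFF.
MAX = {"class": 0xFF, "subclass": 0xFF, "prot": 0xFF,
       "vid": 0xFFFF, "pid": 0xFFFF, "rel": 0xFFFF}

def parse_policy(text):
    """Return [(line_no, action, {field: value})] in file order."""
    rules = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip().lower()  # strip comment, ignore case
        if not line:
            continue
        action, sep, rest = line.partition(":")
        if not sep or action.strip() not in ("allow", "deny"):
            raise ValueError(f"line {line_no}: expected ALLOW: or DENY:")
        matches = {}
        for token in re.sub(r"\s*=\s*", "=", rest).split():
            m = re.fullmatch(r"(class|subclass|prot|vid|pid|rel)=([0-9a-f]+)", token)
            if not m or int(m.group(2), 16) > MAX[m.group(1)]:
                raise ValueError(f"line {line_no}: bad match {token!r}")
            matches[m.group(1)] = int(m.group(2), 16)
        rules.append((line_no, action.strip(), matches))
    return rules

def decide(rules, attrs):
    """Assumed semantics: the first rule whose matches all equal attrs wins."""
    for line_no, action, matches in rules:
        if all(attrs.get(k) == v for k, v in matches.items()):
            return action, line_no
    return "deny", None  # no rule matched (assumed default)

# Rules excerpted from the updated file in the first post, same relative order.
AS_POSTED = """\
DENY: class=0b # Smartcard
DENY: class=ef subclass=04 # Miscellaneous network devices
ALLOW: VID=1050 PID=0407
ALLOW: # Otherwise allow everything else
"""
# Same rules with the vid/pid ALLOW moved to the top, as the reply suggests.
ALLOW_FIRST = "ALLOW: VID=1050 PID=0407\n" + AS_POSTED

# Constructed attribute sets (not read from real descriptors).
DEVICE = {"vid": 0x1050, "pid": 0x0407}
SMARTCARD_IF = {"vid": 0x1050, "pid": 0x0407, "class": 0x0B}

if __name__ == "__main__":
    for name, text in (("as posted", AS_POSTED), ("allow first", ALLOW_FIRST)):
        rules = parse_policy(text)
        print(name, decide(rules, DEVICE), decide(rules, SMARTCARD_IF))
```

Under these assumptions, an attribute set carrying class=0b is caught by the Smartcard DENY before the vid/pid ALLOW is reached in the posted order, while the same set hits the ALLOW once that rule is first.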