USB Passthrough has stopped working after update and updating usb-policy.conf
-
Hello,
As always, I am grateful for such an awesome open-source solution! Thank you all!
Asking regarding my home lab -- I have a VM whose disk is located on my master host's local storage and I've been using USB passthrough to pass a Yubikey to the VM.
I know that in the past, after an update, I often had to update /etc/xensource/usb-policy.conf to allow my YubiKey, reboot the host, then run xe pusb-scan host-uuid=<host-uuid> before I could configure passthrough of my yubikey.
I installed updates the other day, but as the weather was hot and I wasn't using my homelab, I shut everything down before any of my TLS certificates expired, so I didn't notice that the usb-policy.conf file had been overwritten by the update (I know that this is to be expected).
Today, I booted up my system and noticed the usb-policy.conf file had been overwritten during the update, so I backed up /etc/xensource/usb-policy.conf, then added the line plus comments that has historically allowed my YubiKey to be passed through.
Original /etc/xensource/usb-policy.conf:

    # When you change this file, run 'xe pusb-scan' to confirm
    # the file can be parsed correctly.
    #
    # Syntax is an ordered list of case insensitive rules where # is line comment
    # and each rule is (ALLOW | DENY) : ( match )*
    # and each match is (class|subclass|prot|vid|pid|rel) = hex-number
    # Maximum hex value for class/subclass/prot is FF, and for vid/pid/rel is FFFF
    #
    # USB Hubs (class 09) are always denied, independently of the rules in this file
    DENY: vid=17e9 # All DisplayLink USB displays
    DENY: class=02 # Communications and CDC-Control
    ALLOW:vid=056a pid=0315 class=03 # Wacom Intuos tablet
    ALLOW:vid=056a pid=0314 class=03 # Wacom Intuos tablet
    ALLOW:vid=056a pid=00fb class=03 # Wacom DTU tablet
    DENY: class=03 subclass=01 prot=01 # HID Boot keyboards
    DENY: class=03 subclass=01 prot=02 # HID Boot mice
    DENY: class=0a # CDC-Data
    DENY: class=0b # Smartcard
    DENY: class=e0 # Wireless controller
    DENY: class=ef subclass=04 # Miscellaneous network devices
    ALLOW: # Otherwise allow everything else

Updated /etc/xensource/usb-policy.conf:

    # When you change this file, run 'xe pusb-scan' to confirm
    # the file can be parsed correctly.
    #
    # Syntax is an ordered list of case insensitive rules where # is line comment
    # and each rule is (ALLOW | DENY) : ( match )*
    # and each match is (class|subclass|prot|vid|pid|rel) = hex-number
    # Maximum hex value for class/subclass/prot is FF, and for vid/pid/rel is FFFF
    #
    # USB Hubs (class 09) are always denied, independently of the rules in this file
    DENY: vid=17e9 # All DisplayLink USB displays
    DENY: class=02 # Communications and CDC-Control
    ALLOW:vid=056a pid=0315 class=03 # Wacom Intuos tablet
    ALLOW:vid=056a pid=0314 class=03 # Wacom Intuos tablet
    ALLOW:vid=056a pid=00fb class=03 # Wacom DTU tablet
    DENY: class=03 subclass=01 prot=01 # HID Boot keyboards
    DENY: class=03 subclass=01 prot=02 # HID Boot mice
    DENY: class=0a # CDC-Data
    DENY: class=0b # Smartcard
    DENY: class=e0 # Wireless controller
    DENY: class=ef subclass=04 # Miscellaneous network devices
    ### Jeff
    # YubiKey 5 FIPS Series PID 0x0407 - YubiKey OTP+FIDO+CCID
    ALLOW: VID=1050 PID=0407
    ALLOW: # Otherwise allow everything else

Today, however, the YubiKey won't show up as a PUSB device when viewing the host's advanced tab, nor is it in the list of available devices when I attempt to create a VUSB for my VM.
I have rebooted the system, I have run xe pusb-scan host-uuid=... for the appropriate host, I have physically disconnected and reconnected the YubiKey, I have powered down the host, then powered back on, but running xe pusb-list doesn't show the yubikey and I can't select it for passthrough.
When I run lsusb I do see the YubiKey listed (though it detects it as a Yubikey 4 series instead of 5 series. Can't recall whether that's consistent with past behavior):

    [14:03 xcp-ng-4 ~]# lsusb
    Bus 002 Device 004: ID 1050:0407 Yubico.com Yubikey 4 OTP+U2F+CCID
    Bus 002 Device 005: ID 413c:2113 Dell Computer Corp.
    Bus 002 Device 003: ID 0557:8021 ATEN International Co., Ltd Hub
    Bus 002 Device 002: ID 8087:0024 Intel Corp. Integrated Rate Matching Hub
    Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
    Bus 001 Device 003: ID 0557:2221 ATEN International Co., Ltd Winbond Hermon
    Bus 001 Device 002: ID 8087:0024 Intel Corp. Integrated Rate Matching Hub
    Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
    [14:03 xcp-ng-4 ~]#

Is there anything I'm missing? Any suggestions for where to look or what to check?
Thank you!
-
Hello. I had a similar issue which I solved by adding my ALLOW line to the top of the list in the usb-policy.conf file. I didn't deep dive to find out why this was necessary in my case. Worth a try in your case as well.
joel
-
@knightjoel Thanks for the suggestion. Since my original message, I've tried moving my allow rule to the top, before any Deny rules, after any deny rules, I even tried experimenting with commenting all of the deny rules to see if any of those would make a difference; unfortunately none of them made a difference.
I've tried simply saving the file then initiating a xe pusb-scan on the host, I also tried rebooting to see if that would have an effect, but it doesn't seem to.
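
Added example (not from any poster in this thread and not XCP-ng's own code): a small parser for the usb-policy.conf syntax described in the file header, used to see which rule each USB interface of a 1050:0407 device reaches first. First-match-wins evaluation per interface, the three interface descriptors and the rel value are assumptions; the rules are the tail of the updated file posted above.

```python
import re

LIMITS = {"class": 0xFF, "subclass": 0xFF, "prot": 0xFF,
          "vid": 0xFFFF, "pid": 0xFFFF, "rel": 0xFFFF}

def parse_policy(text):
    """Parse usb-policy.conf text into [(line_no, allow, {field: value})]."""
    rules = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip().lower()  # '#' starts a comment
        if not line:
            continue
        action, colon, rest = line.partition(":")
        if not colon or action.strip() not in ("allow", "deny"):
            raise ValueError(f"line {line_no}: expected ALLOW: or DENY:")
        matches = {}
        for token in re.sub(r"\s*=\s*", "=", rest).split():
            key, eq, value = token.partition("=")
            if not eq or key not in LIMITS or not 0 <= int(value, 16) <= LIMITS[key]:
                raise ValueError(f"line {line_no}: bad match {token!r}")
            matches[key] = int(value, 16)
        rules.append((line_no, action.strip() == "allow", matches))
    return rules

def first_match(rules, iface):
    """Assumed semantics: the first rule whose matches all equal the interface wins."""
    if iface["class"] == 0x09:  # hubs are always denied, per the file header
        return (None, False)
    for line_no, allow, matches in rules:
        if all(iface[k] == v for k, v in matches.items()):
            return (line_no, allow)
    return (None, False)  # nothing matched: treated as denied in this sketch

# Constructed descriptors (assumption): keyboard HID, FIDO HID and CCID interfaces
KEY = {"vid": 0x1050, "pid": 0x0407, "rel": 0x0000}
YUBIKEY = [dict(KEY, **{"class": c, "subclass": s, "prot": p})
           for c, s, p in [(0x03, 0x01, 0x01), (0x03, 0x00, 0x00), (0x0B, 0x00, 0x00)]]

# Tail of the updated file posted in the thread (comments dropped)
POSTED_TAIL = "\n".join([
    "DENY: class=03 subclass=01 prot=01", "DENY: class=03 subclass=01 prot=02",
    "DENY: class=0a", "DENY: class=0b", "DENY: class=e0",
    "DENY: class=ef subclass=04", "ALLOW: VID=1050 PID=0407", "ALLOW:"])

def verdicts(policy_text):
    rules = parse_policy(policy_text)
    return [first_match(rules, iface) for iface in YUBIKEY]

if __name__ == "__main__":
    print(verdicts(POSTED_TAIL))
```

Under these assumptions the keyboard and CCID interfaces reach a DENY rule before the vid/pid ALLOW, while the same ALLOW placed first matches all three; the thread does not confirm that the host evaluates the file this way.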