On Wednesday, March 20, 2019 at 8:33:27 AM UTC-4, [email protected] wrote:
> Hello qubes users!
>
> I currently acquired this dock
> (https://www.dell.com/en-us/shop/dell-business-thunderbolt-dock-tb16-with-240w-adapter/apd/452-bcnu/pc-accessories),
> and tried to connect it with my laptop, but it does not seem to work.
>
> I have found different posts here and there regarding the issue, and I think
> the most common solution is turning on the computer with the cable attached.
> This does NOT work however.
>
> I have not tried to boot up without attaching, and viewing lspci output, and
> then comparing to when I have it connected. Will do that and post back if
> there are no better suggestions for now.
>
> I have also NOT modified my kernel yet or done anything to the start up flags
> (other than enabling USB devices in general, so I can use my keyboard and
> mouse).
>
> I am running Qubes 4.0.
>
> Any help appreciated!
>
> Best regards!

So there are 3 things I needed to do to get Thunderbolt docks to work on a laptop with Qubes:

1) Disable Thunderbolt device authorization in the laptop BIOS since we need the device to be online when Qubes is booting, rather than waiting for the OS to come online enough to authorize the device. If you had a Dell laptop some of them have an option to treat Dell docks differently which you may be able to use instead.

2) Have the dock plugged in and awake when Qubes is booting. Note that when booting from a cold shutdown you may need to connect the dock *after* the motherboard is powered on, but *before* the kernel boots -- one dock I tried needed this to wake up correctly and be awake before the kernel initialized PCI devices.

3) Manually add and remove PCI devices provided by the dock from individual Qubes (e.g. sys-net and sys-usb). The Qubes will no longer boot once the PCI devices are not present after you unplug the dock, but at the same time they can't be connected to the Qubes after boot since they don't have hotplug enabled.

So when you get to your desk you'll need to reboot the laptop, then attach the PCI devices to sys-usb and sys-net, then restart those Qubes. Restarting sys-net and sys-usb often results in broken tray icons, so at that point you may also need to reboot the laptop (you can leave the dock connected during this IME). After you leave your desk you'll need to boot without the dock, remove the now-missing PCI devices from sys-net and sys-usb, and then reboot again to get everything working again.

You're doing all this, BTW, because rather than supporting Thunderbolt and PCIe hotplug (which are usually protected by that device authorization you have to disable), Qubes is trying to protect users with FireWire and ExpressCard that are fundamentally insecure. I hope those extra 4 times a day you enter your dom0 decryption key on boot while using a dock aren't putting that key at extra risk or incentivising you to use a weaker key. :(

More broadly, I think the lack of hotplug support is a misguided trade-off that hampers the usability of Qubes and just creates one more barrier to adoption for users. Folks with firewire ports/expresscard slots and nation-state adversaries with physical access need to disable those ports/slots in BIOS rather than relying on lack of hotplug support to protect them. It's not that hard to hide something in an expresscard slot that will be there on boot, and then it's game over for dom0 even without hotplug.
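
The lspci comparison planned in the first message and the manual attach/detach from step 3, as an added example that is not part of either message: it prints (and does not run) the `qvm-pci` commands for devices that appear only when the dock is connected. The lspci listings are constructed samples, and sending USB controllers to sys-usb and Ethernet controllers to sys-net is an assumption based on the qubes named in the reply.

```shell
#!/bin/sh
# Added example, not code from the thread. Run in dom0; review the printed
# commands before executing any of them.

# Constructed sample `lspci` listings: booted without the dock, then with it.
UNDOCKED='00:14.0 USB controller: Example onboard xHCI controller
00:1f.6 Ethernet controller: Example onboard NIC'
DOCKED="$UNDOCKED
3b:00.0 PCI bridge: Example dock bridge
3c:00.0 USB controller: Example dock xHCI controller
3d:00.0 Ethernet controller: Example dock NIC"

# dock_devices BEFORE AFTER: print the lspci lines present only in AFTER.
dock_devices() {
    printf '%s\n' "$1" '--' "$2" | awk '
        $0 == "--" { after = 1; next }
        !after     { seen[$0] = 1; next }
        !($0 in seen)'
}

# plan ACTION BEFORE AFTER: ACTION is "attach" or "detach".
# Attachments are persistent because the qube must be restarted to see them.
plan() {
    action=$1
    flag=''
    if [ "$action" = attach ]; then flag=' --persistent'; fi
    dock_devices "$2" "$3" | while read -r bdf class; do
        case $class in
            'USB controller:'*)      qube=sys-usb ;;   # assumed routing
            'Ethernet controller:'*) qube=sys-net ;;   # assumed routing
            *) echo "# unassigned: $bdf $class"; continue ;;
        esac
        # lspci prints 3c:00.0; qvm-pci names the same device dom0:3c_00.0
        echo "qvm-pci $action$flag $qube dom0:${bdf%%:*}_${bdf#*:}"
    done
}

echo '# arriving at the desk (after rebooting with the dock connected):'
plan attach "$UNDOCKED" "$DOCKED"
echo '# leaving the desk (after booting without the dock):'
plan detach "$UNDOCKED" "$DOCKED"
```

On a real system, replace the two sample variables with saved output of `lspci` from an undocked and a docked boot.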
