fix(overlay): preload uas + usb-storage so UAS enclosures bind post-modules-lock
Some checks failed
secret-scan / gitleaks (HEAD + history) (push) Has been cancelled
secret-scan / detect-secrets (entropy + cross-tool) (push) Has been cancelled
secret-scan / gitleaks (HEAD + history) (pull_request) Has been cancelled
secret-scan / detect-secrets (entropy + cross-tool) (pull_request) Has been cancelled
secret-scan / summary (push) Has been cancelled
secret-scan / summary (pull_request) Has been cancelled
Some checks failed
secret-scan / gitleaks (HEAD + history) (push) Has been cancelled
secret-scan / detect-secrets (entropy + cross-tool) (push) Has been cancelled
secret-scan / gitleaks (HEAD + history) (pull_request) Has been cancelled
secret-scan / detect-secrets (entropy + cross-tool) (pull_request) Has been cancelled
secret-scan / summary (push) Has been cancelled
secret-scan / summary (pull_request) Has been cancelled
veilor-modules-lock sets kernel.modules_disabled=1 about 30s after graphical.target. Without uas already loaded, hot-plugged USB-SATA bridges (ASMedia / JMicron / Realtek) that advertise both BBB and UAS alt-settings fail to bind — the kernel prefers uas, usb-storage stands down, and modprobe uas is denied by the lock. Add /etc/modules-load.d/veilor-storage.conf via the overlay so systemd-modules-load.service preloads uas + usb-storage at boot, before the lock engages. Document the rationale and a runtime quirks workaround in docs/HARDENING.md. Incident: 2026-05-13, onyx, SK Hynix SC311 in ASMT105x (174c:55aa).
This commit is contained in:
parent
05c041b18f
commit
4f91fbb8f0
2 changed files with 71 additions and 0 deletions
|
|
@ -128,6 +128,42 @@ sudo usbguard list-devices
|
||||||
sudo usbguard allow-device <id>
|
sudo usbguard allow-device <id>
|
||||||
```
|
```
|
||||||
|
|
||||||
|
### Removable storage (UAS preload)
|
||||||
|
|
||||||
|
`veilor-modules-lock.service` flips `kernel.modules_disabled=1` 30s after
|
||||||
|
graphical boot. Any kernel module not loaded by then is permanently blocked
|
||||||
|
for the session. `usb-storage` ships built into the kernel and auto-loads,
|
||||||
|
but `uas` (USB Attached SCSI) is a separate module that the kernel only
|
||||||
|
loads on demand when a UAS-capable USB-SATA bridge appears at boot. If no
|
||||||
|
such device is present at boot, `uas` never loads, the lock engages, and
|
||||||
|
hot-plugging an ASMedia / JMicron / Realtek UAS enclosure later fails — the
|
||||||
|
bridge's interface descriptor advertises both BBB and UAS alt-settings,
|
||||||
|
the kernel prefers UAS, and `usb-storage` stands down expecting `uas` to
|
||||||
|
claim. Result: device authorizes in USBGuard but no `sd*` node appears.
|
||||||
|
|
||||||
|
Fix shipped in overlay: `/etc/modules-load.d/veilor-storage.conf` lists
|
||||||
|
`uas` + `usb-storage` for `systemd-modules-load.service` to preload at
|
||||||
|
boot, before the modules lock engages.
|
||||||
|
|
||||||
|
To verify after install:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
lsmod | grep -E '^uas|^usb_storage' # both should show
|
||||||
|
cat /proc/sys/kernel/modules_disabled # 1 after 30s post-graphical
|
||||||
|
```
|
||||||
|
|
||||||
|
If a future enclosure still fails to bind, the runtime workaround (no
|
||||||
|
reboot) is to force `usb-storage` to claim by quirking UAS off for that
|
||||||
|
vendor:product:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
echo "<vid>:<pid>:u" | sudo tee /sys/module/usb_storage/parameters/quirks
|
||||||
|
sudo bash -c 'echo 0 > /sys/bus/usb/devices/<dev>/authorized; sleep 2; echo 1 > /sys/bus/usb/devices/<dev>/authorized'
|
||||||
|
```
|
||||||
|
|
||||||
|
Persistent quirk for known-bad enclosures: add
|
||||||
|
`usb-storage.quirks=<vid>:<pid>:u` to the kernel cmdline.
|
||||||
|
|
||||||
## Disabled services
|
## Disabled services
|
||||||
|
|
||||||
`abrt*`, `cups`, `cups-browsed`, `geoclue`, `avahi-daemon`,
|
`abrt*`, `cups`, `cups-browsed`, `geoclue`, `avahi-daemon`,
|
||||||
|
|
|
||||||
35
overlay/etc/modules-load.d/veilor-storage.conf
Normal file
35
overlay/etc/modules-load.d/veilor-storage.conf
Normal file
|
|
@ -0,0 +1,35 @@
|
||||||
|
# veilor-os — preload USB mass-storage drivers at boot.
|
||||||
|
#
|
||||||
|
# Why this exists:
|
||||||
|
# veilor-modules-lock.service sets kernel.modules_disabled=1 about 30s
|
||||||
|
# after graphical.target. Any module not loaded by then is permanently
|
||||||
|
# blocked for the rest of the session. usb-storage is built into the
|
||||||
|
# default Fedora kernel image and auto-loads at boot, but uas is a
|
||||||
|
# separate module that the kernel only loads on demand when a UAS-
|
||||||
|
# capable USB-SATA bridge is enumerated. If no such device is present
|
||||||
|
# at boot, uas never loads, the lock engages, and any later hot-plug
|
||||||
|
# of an ASMedia / JMicron / Realtek UAS bridge (e.g. 174c:55aa,
|
||||||
|
# 152d:*, 0bc2:*) fails:
|
||||||
|
#
|
||||||
|
# usb 7-1: Device is not authorized for usage
|
||||||
|
# modprobe: ERROR: could not insert 'uas': Operation not permitted
|
||||||
|
#
|
||||||
|
# The interface descriptor on these enclosures advertises both BBB
|
||||||
|
# (bulk-only, 08:06:50) and UAS (08:06:62) alt-settings. Kernel
|
||||||
|
# prefers UAS, so usb-storage stands down expecting uas to claim.
|
||||||
|
# Without uas loaded, neither driver binds and the block device
|
||||||
|
# never appears.
|
||||||
|
#
|
||||||
|
# Fix:
|
||||||
|
# Preload uas (and usb-storage as belt+braces) via systemd-modules-
|
||||||
|
# load.service at boot, before veilor-modules-lock runs. Both modules
|
||||||
|
# are then resident and can bind hot-plugged devices for the entire
|
||||||
|
# session.
|
||||||
|
#
|
||||||
|
# Incident: 2026-05-13, onyx, SK Hynix SC311 in ASMT105x enclosure.
|
||||||
|
# References:
|
||||||
|
# - usb-storage(4), systemd-modules-load.service(8)
|
||||||
|
# - /etc/systemd/system/veilor-modules-lock.service
|
||||||
|
|
||||||
|
uas
|
||||||
|
usb-storage
|
||||||
Loading…
Reference in a new issue