docs/HARDENING.md

@@ -128,42 +128,6 @@ sudo usbguard list-devices
 sudo usbguard allow-device <id>
 ```
 
-### Removable storage (UAS preload)
-
-`veilor-modules-lock.service` flips `kernel.modules_disabled=1` 30s after
-graphical boot. Any kernel module not loaded by then is permanently blocked
-for the session. `usb-storage` ships built into the kernel and auto-loads,
-but `uas` (USB Attached SCSI) is a separate module that the kernel only
-loads on demand when a UAS-capable USB-SATA bridge appears at boot. If no
-such device is present at boot, `uas` never loads, the lock engages, and
-hot-plugging an ASMedia / JMicron / Realtek UAS enclosure later fails — the
-bridge's interface descriptor advertises both BBB and UAS alt-settings,
-the kernel prefers UAS, and `usb-storage` stands down expecting `uas` to
-claim. Result: device authorizes in USBGuard but no `sd*` node appears.
-
-Fix shipped in overlay: `/etc/modules-load.d/veilor-storage.conf` lists
-`uas` + `usb-storage` for `systemd-modules-load.service` to preload at
-boot, before the modules lock engages.
-
-To verify after install:
-
-```bash
-lsmod | grep -E '^uas|^usb_storage'   # both should show
-cat /proc/sys/kernel/modules_disabled  # 1 after 30s post-graphical
-```
-
-If a future enclosure still fails to bind, the runtime workaround (no
-reboot) is to force `usb-storage` to claim by quirking UAS off for that
-vendor:product:
-
-```bash
-echo "<vid>:<pid>:u" | sudo tee /sys/module/usb_storage/parameters/quirks
-sudo bash -c 'echo 0 > /sys/bus/usb/devices/<dev>/authorized; sleep 2; echo 1 > /sys/bus/usb/devices/<dev>/authorized'
-```
-
-Persistent quirk for known-bad enclosures: add
-`usb-storage.quirks=<vid>:<pid>:u` to the kernel cmdline.
-
 ## Disabled services
 
 `abrt*`, `cups`, `cups-browsed`, `geoclue`, `avahi-daemon`,

overlay/etc/modules-load.d/veilor-storage.conf

@@ -1,35 +0,0 @@
-# veilor-os — preload USB mass-storage drivers at boot.
-#
-# Why this exists:
-#   veilor-modules-lock.service sets kernel.modules_disabled=1 about 30s
-#   after graphical.target. Any module not loaded by then is permanently
-#   blocked for the rest of the session. usb-storage is built into the
-#   default Fedora kernel image and auto-loads at boot, but uas is a
-#   separate module that the kernel only loads on demand when a UAS-
-#   capable USB-SATA bridge is enumerated. If no such device is present
-#   at boot, uas never loads, the lock engages, and any later hot-plug
-#   of an ASMedia / JMicron / Realtek UAS bridge (e.g. 174c:55aa,
-#   152d:*, 0bc2:*) fails:
-#
-#     usb 7-1: Device is not authorized for usage
-#     modprobe: ERROR: could not insert 'uas': Operation not permitted
-#
-#   The interface descriptor on these enclosures advertises both BBB
-#   (bulk-only, 08:06:50) and UAS (08:06:62) alt-settings. Kernel
-#   prefers UAS, so usb-storage stands down expecting uas to claim.
-#   Without uas loaded, neither driver binds and the block device
-#   never appears.
-#
-# Fix:
-#   Preload uas (and usb-storage as belt+braces) via systemd-modules-
-#   load.service at boot, before veilor-modules-lock runs. Both modules
-#   are then resident and can bind hot-plugged devices for the entire
-#   session.
-#
-# Incident: 2026-05-13, onyx, SK Hynix SC311 in ASMT105x enclosure.
-# References:
-#   - usb-storage(4), systemd-modules-load.service(8)
-#   - /etc/systemd/system/veilor-modules-lock.service
-
-uas
-usb-storage