What is Nostr?
smrtak
npub1hwm…msq8
2024-03-02 22:37:28

smrtak on Nostr: # TrezorSuite how to for qubesOS R4.2 (it should work with same instruction on R4.1) ...

# TrezorSuite how to for qubesOS R4.2 (it should work with same instruction on R4.1)

It is not in scope of this text to go too deep into QubesOS rabbit hole...
You should always understand and double check what you type in your terminal, especially in Dom0
Keep in mind and stay vigilant when following any tutorial published online or downloading files from internet, always verify source URL, hashes or signatures)
Use at your own risk!

This setup is using QubesOS R4.2: disposable sys-usb which is based on debian-12-minimal template. Qube TS (AppVM) is using whonix-workstation-17 as template (it's good practice to work with clones, in this case it is ww17-TS).
You may find usefull utilities like qvm-copy or qvm-move when getting files to qubes which does not have networking enabled.

In order to make use of your Trezor HW Wallet follow instruction below:

in dom0:
1. sudo qubes-dom0-update
2. qvm-template install debian-12-minimal
3a. qvm-clone debian-12-minimal d12m-usb
3b. qvm-clone whonix-workstation-17 ww17-TS
4. qvm-run --pass-io -u root d12m-usb "apt update && apt install --no-install-recommends qubes-usb-proxy qubes-input-proxy-sender qubes-core-agent-nautilus zenity policykit-1 libblockdev-crypto2 ntfs-3g socat -y"
5. qvm-shutdown --wait d12m-usb
6. qvm-create --template d12m-usb --label red d12m-usb-dvm
7. qvm-prefs d12m-usb-dvm template_for_dispvms true
8. qvm-features d12m-usb-dvm appmenus-dispvm 1
9. qvm-prefs d12m-usb-dvm netvm none
10. echo "$anyvm $anyvm allow,user=trezord,target=sys-usb" > /etc/qubes-rpc/policy/trezord-service
11. do not forget to shut down your existing sys-usb and replace its template in settings with d12m-usb-dvm

in QubesManager:
1. create new AppVM using template: ww17-TS

in d12m-usb:
1. install trezor-bridge (sudo dpkg -i trezor-bridge_2.0.27_amd64.deb) you may need to transfer it from other qube with network enabled
2. echo -e "systemctl enable trezord.service \nsystemctl start trezord.service" | sudo tee -a /rw/config/rc.local
3. sudo vi /etc/udev/rules.d/51-trezor.rules (you can get udev rules from official source: https://data.trezor.io/udev/51-trezor.rules )
4. sudo chmod +x /etc/udev/rules.d/51-trezor.rules
5. sudo poweroff

in d12m-usb-dvm:
1. sudo mkdir -p /usr/local/etc/qubes-rpc
2. echo "socat - TCP:localhost:21325" | sudo tee /usr/local/etc/qubes-rpc/trezord-service
3. sudo chmod +x /usr/local/etc/qubes-rpc/trezord-service
4. sudo poweroff

in ww17-TS:
1. sudo apt install pip
2. sudo poweroff

in TS:
1. echo 'socat TCP-LISTEN:21325,fork EXEC:"qrexec-client-vm sys-usb trezord-service" &' | sudo tee -a /rw/config/rc.local
2. pip install --user trezor
2a. on qR4.2 you may experience error with above cmd. you can try this workaround: pip install --user trezor --break-system-packages
3. download or copy from other qube Trezor-Suite-24.*.AppImage, verify and give it executable bit ( chmod u+x /path/to/Trezor-Suite-*.AppImage )
4. poweroff

Make sure all templates are shut down, restart sys-usb and TS AppVM and you can start your hardware wallet with Trezor-Suite on QubesOS.
Now you should be ready and profit! ;)

# This guide has been inspired by multiple articles on Qubes Forum. To name few: Ursidae's post that I found here: https://forum.qubes-os.org/t/ultimate-guide-on-using-trezor-on-qubes/18310 and https://forum.qubes-os.org/t/debian-10-minimal-configuration/2603
Author Public Key
npub1hwm25xpesthffefk3nayctcnau0hu6ag2hc8hlp7yp65mlgfhmpq4smsq8