PCI Devices | Qubes OS
Driver on

PCI Devices | Qubes OS

This web page is a part of machine dealing with in qubes.

Warning: Solely dom0 exposes PCI units.
A few of them are strictly required in dom0 (e.g., the host bridge).
It’s possible you’ll find yourself with an unusable system by attaching the incorrect PCI machine to a VM.
PCI passthrough ought to be protected by default, however non-default choices could also be required.
Please be sure to rigorously learn and perceive the safety concerns earlier than deviating from default habits.

Introduction

Not like different units (USB, block, mic), PCI units should be hooked up on VM-bootup.
Just like how one can’t connect a brand new sound-card after your laptop booted (and anticipate it to work correctly), attaching PCI units to already booted VMs isn’t supported.

The Qubes installer attaches all community class controllers to sys-net and all USB controllers to sys-usb by default, should you selected to create the community and USB qube throughout set up.
Whereas this covers most use instances, there are some events when you could need to manually connect one NIC to sys-net and one other to a customized NetVM, or have another sort of PCI controller you need to manually connect.

Some units expose a number of features with distinct BDF-numbers.
Limits imposed by the PC and VT-d architectures could require all features belonging to the identical machine to be hooked up to the identical VM.
This requirement could be dropped with the no-strict-reset possibility throughout attachment, making an allowance for the aforementioned safety concerns.
Within the steps under, you’ll be able to inform if that is wanted should you see the BDF for a similar machine listed a number of occasions with solely the quantity after the “.” altering.

Whereas PCI machine can solely be utilized by one powered on VM at a time, it is attainable to assign the identical machine to a couple of VM at a time.
Because of this you should utilize the machine in a single VM, shut that VM down, begin up a distinct VM (to which the identical machine is now hooked up), then use the machine in that VM.
This may be helpful if, for instance, you’ve gotten just one USB controller, however you’ve gotten a number of safety domains which all require the usage of totally different USB units.

Attaching Gadgets Utilizing the GUI

The qube settings for a VM affords the “Gadgets”-tab.
There you’ll be able to connect PCI-devices to a qube.

  1. To achieve the settings of any qube both

    • Press Alt+F3 to open the appliance finder, sort within the VM title, choose the “appmenu[VM-name]: Qube Settings” menu entry and press enter or click on “Launch”!
    • Choose the VM in Qube Supervisor and click on the settings-button or right-click the VM and choose Qube settings.
    • Click on the Area Supervisor, hover the VM you need to connect a tool to and choose “settings” within the extra menu. (solely operating VMs!)
  2. Choose the “Gadgets” tab on the highest bar.
  3. Choose a tool you need to connect to the qube and click on the one arrow proper! (>)
  4. You’re accomplished.
    If every thing labored out, as soon as the qube boots (or reboots if it’s operating) it should begin with the pci machine hooked up.
  5. In case it doesn’t work out, first attempt disabling memory-balancing within the settings (“Superior” tab).
    If that doesn’t assist, learn on to learn to disable the strict reset requirement!

qvm-pci Utilization

The qvm-pci device permits PCI attachment and detachment.
It’s a shortcut for qvm-device pci.

To determine what machine to connect, first checklist the obtainable PCI units by operating (as consumer) in dom0:

It will present you the backend:BDF (Bus_Device.Perform) tackle of every PCI machine.
It’ll look one thing like dom0:00_1a.0.
When you’ve discovered the tackle of the machine you need to connect, then connect it like this:

qvm-pci connect targetVM sourceVM:[BDF] --persistent

Since PCI units must be hooked up on bootup, attaching has to occur with the --persistant possibility.

For instance, if 00_1a.0 is the BDF of the machine you need to connect to the “work” area, you’ll do that:

qvm-pci connect work dom0:00_1a.0 --persistent

Doable Points

Go to the PCI Troubleshooting information to see points that will come up attributable to PCI units and the way to troubleshoot them.

Further Connect Choices

Attaching a PCI machine by means of the commandline affords extra choices, specifiable by way of the --option/-o possibility.
(Sure, complicated wording, there’s a difficulty for that.)

qvm-pci exposes two extra choices.
Each are supposed to repair machine or driver particular points, however each include heavy safety implications! Be sure you perceive them earlier than persevering with!

no-strict-reset

Don’t require PCI machine to be reset earlier than attaching it to a different VM.
This may occasionally leak utilization knowledge even with out malicious intent!

utilization instance:

qvm-pci a piece dom0:00_1a.0 --persistent -o no-strict-reset=true

permissive

Enable write entry to full PCI config area as a substitute of whitelisted registers.
This will increase assault floor and chance of aspect channel assaults.

utilization instance:

qvm-pci a piece dom0:00_1a.0 --persistent -o permissive=true

Bringing PCI Gadgets Again to dom0

By default, when a tool is indifferent from a VM (or when a VM with an hooked up PCI machine is shut down), the machine is not mechanically hooked up again to dom0.

That is an supposed function.

A tool which was beforehand hooked up to a VM much less trusted than dom0 (which, in Qubes, is all of them) may assault dom0 if it have been mechanically reattached there.

With the intention to re-enable the machine in dom0, both:

  • Reboot the bodily machine. (Greatest follow)

or

  • Go to the sysfs (/sys/bus/pci), discover the fitting machine, detach it from the pciback driver, and connect it again to the unique driver.
    Exchange together with your full machine, for instance 0000:00:1c.2:

    echo  > /sys/bus/pci/drivers/pciback/unbind
    MODALIAS=`cat /sys/bus/pci/units//modalias`
    MOD=`modprobe -R $MODALIAS | head -n 1`
    echo  > /sys/bus/pci/drivers/$MOD/bind
    

    It’s strongly discouraged to reattach PCI units to dom0, particularly in the event that they don’t assist resetting!

Leave a Reply

Your email address will not be published. Required fields are marked *