On 2016-07-13 15:03, Cannon wrote:
> On 07/12/2016 11:16 PM, Andrew David Wong wrote:
>> Please see this FAQ entry:
>>
>> https://www.qubes-os.org/doc/user-faq/#i-created-a-usbvm-and-assigned-usb-controllers-to-it-now-the-usbvm-wont-boot
>>
>
> Thanks for the link. Yes it is a USB 3.0 device, I wonder why it is not
> working with sys-usb after restore from backup, although it did before I
> deleted sys-usb?
>

Even after setting pci_strictreset to false? Please clarify what you mean by
"not working."

> I am trying to understand the pci_strict reset cons/pros of disabling it?
> When it states "because there will be no way to reset device state after VM
> shutdown, so the device could attack next VM to which it will be assigned."
> What does this mean?

The idea is that a compromised VM might compromise the device. You then detach
the compromised device from that VM and attach it to a different VM. The device
compromises the second VM. If the device could be reset in between detaching it
from the first VM and attaching it to the second VM, there would be a
significantly lower probability that the second VM would be compromised.

> Does this mean even if untrusted device is unplugged, then trusted device
> plugged in the untrusted device could still affect the VM?

Yes, but for a different reason. A compromised device could compromise the VM
to which it is attached. The compromised VM could then compromise any other
devices subsequently attached to that VM.

> If I disable pci_strict reset does this make dom0 vulnerable?
>

No, because by default USB controllers are not automatically returned to dom0
after being assigned to a domU. You'd have to do that manually (in which case
you would indeed be putting dom0 at risk).
See the FAQ entry immediately after the previous one:

https://www.qubes-os.org/doc/user-faq/#i-assigned-a-pci-device-to-a-qube-then-unassigned-itshut-down-the-qube`-why-isnt-the-device-available-in-dom0

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
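
The strict-reset question in the thread above turns on whether a USB controller can be reset between VMs. As an added example (not part of the original thread and not Qubes code), this shell check lists PCI USB controllers and reports whether Linux exposes a reset method for each. It assumes the sysfs `reset` attribute is the indicator; the thread does not say which criterion Qubes itself uses, and the function names and sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumption: the Linux sysfs "reset" attribute is present only
# when the kernel has a reset method for that PCI function.

# Print "<BDF> resettable" or "<BDF> no-reset" for each PCI USB controller
# (class 0x0c03xx) under SYSFS_ROOT (first argument, default /sys).
usb_controller_reset_report() {
    root="${1:-/sys}"
    for dev in "$root"/bus/pci/devices/*; do
        [ -r "$dev/class" ] || continue
        case "$(cat "$dev/class")" in
            0x0c03*) ;;          # USB controller (UHCI/OHCI/EHCI/xHCI)
            *) continue ;;       # any other device class is skipped
        esac
        if [ -e "$dev/reset" ]; then
            echo "${dev##*/} resettable"
        else
            echo "${dev##*/} no-reset"
        fi
    done
}

# Count the USB controllers that offer no reset method.
count_unresettable() {
    usb_controller_reset_report "$1" | grep -c ' no-reset$' || true
}

# Build a constructed (fake) sysfs tree for offline runs; prints its path.
make_sample_tree() {
    t=$(mktemp -d)
    d="$t/bus/pci/devices"
    mkdir -p "$d/0000:00:14.0" "$d/0000:00:1a.0" "$d/0000:02:00.0"
    echo 0x0c0330 > "$d/0000:00:14.0/class"   # xHCI (USB 3.0), no reset file
    echo 0x0c0320 > "$d/0000:00:1a.0/class"   # EHCI, reset file present
    : > "$d/0000:00:1a.0/reset"
    echo 0x020000 > "$d/0000:02:00.0/class"   # Ethernet, not a USB controller
    : > "$d/0000:02:00.0/reset"
    echo "$t"
}

# Demo on the constructed tree.
sample=$(make_sample_tree)
usb_controller_reset_report "$sample"
echo "controllers without reset: $(count_unresettable "$sample")"
rm -rf "$sample"
```

On a real system, call `usb_controller_reset_report` with no argument to read `/sys`.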