On Wednesday, March 20, 2019 at 10:08:36 AM UTC-4, Matthew Roy wrote:
> So there are 3 things I needed to do to get Thunderbolt docks to work on a 
> laptop with Qubes:
> 3) Manually add and remove PCI devices provided by the dock from individual 
> Qubes (e.g. sys-net and sys-usb). The Qubes will no longer boot once the PCI 
> devices are not present after you unplug the dock, but at the same time they 
> can't be connected to the Qubes after boot since they don't have hotplug 
> enabled. So when you get to your desk you'll need to reboot the laptop, then 
> attach the PCI devices to sys-usb and sys-net, then restart those Qubes. 

For this particular solution/complaint, I reiterate my recommendation of always 
turning off auto-start of sys-firewall and sys-net. A side-effect is that 
you'll get to the desktop sooner which might be nice for non-networked 
workflows. Optionally, to avoid manual reconfiguration every boot, write and 
deploy a script that, based on the available PCI devices seen in dom0 at 
startup, sets the correct PCI associations to sys-net for dom0 startup, but 
before the desktop appears and the user can invoke another VM startup that 
could start those two before sys-net is configured.

Can't fix the general hotplug issues and I think that, for now, Qubes Devs have 
made the correct decision on this.

If this is extremely important to a user... perhaps consider building and 
packaging your own Qubes kernel variants with modified PCI hotplug options and 
live with the security vulnerabilities that the Qubes Dev team believes is not 
a safe default. You would also set up those as default/non-default kernels in 
GRUB depending on use case. Perhaps utilize these custom kernels as default 
kernels specifically for a subset of physically secure workstations that need 
to dock. Lastly, combine with scripts to manage sys-net PCI options, triggered 
via startup and/or hotplug events. 

-B
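
A sketch of the kind of dom0 startup script described above, added here as an example and not code from this thread or from the Qubes project. It only prints the `qvm-pci` commands it would run. The PCI addresses and the `WANTED` mapping are placeholders, the list of current assignments is supplied by the caller, and it assumes `qvm-pci detach` is what drops a persistent assignment for a device that is no longer plugged in.

```shell
#!/bin/sh
# Constructed mapping "<qube> <PCI address>"; the addresses are placeholders,
# replace them with what lspci shows in dom0 with and without the dock.
WANTED='sys-net 00:1f.6
sys-net 3c:00.0
sys-usb 00:14.0
sys-usb 3d:00.0'

# present_bdfs [SYSFS_DIR]: PCI addresses dom0 currently sees, one per line,
# with the leading "0000:" domain stripped.
present_bdfs() {
    for d in "${1:-/sys/bus/pci/devices}"/*; do
        if [ -e "$d" ]; then
            basename "$d" | sed 's/^0000://'
        fi
    done
}

# plan_pci WANTED PRESENT ASSIGNED: print the qvm-pci commands that bring the
# persistent assignments in line with the hardware that is plugged in.
# ASSIGNED holds "<qube> <PCI address>" lines for the current assignments.
plan_pci() {
    printf '%s\n' "$1" | while read -r qube bdf; do
        [ -n "$qube" ] || continue
        # Qubes names PCI devices dom0:BB_DD.F (colon replaced by underscore).
        dev="dom0:$(printf '%s' "$bdf" | tr ':' '_')"
        is_present=no
        is_assigned=no
        printf '%s\n' "$2" | grep -qxF "$bdf" && is_present=yes
        printf '%s\n' "$3" | grep -qxF "$qube $bdf" && is_assigned=yes
        case "$is_present$is_assigned" in
            yesno) echo "qvm-pci attach --persistent $qube $dev" ;;  # plugged in, not yet assigned
            noyes) echo "qvm-pci detach $qube $dev" ;;               # assigned, but hardware is gone
        esac
    done
}
```

Because sys-net and sys-firewall have auto-start turned off, the printed commands can be reviewed and applied from dom0 before either qube is started.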
