'npdflr' via qubes-users:
Hello all,
As stated in the link: 
https://wiki.xen.org/wiki/Xen_PCI_Passthrough#How_can_I_check_if_PCI_device_supports_FLR_.28Function_Level_Reset.29_.3F
"For checking if PCI device supports FLR (Function Level Reset) one has to Run "lspci -vv" (in dom0) and check if the device has "FLReset+" in the DevCap field"

Does one have to attach a PCI device to dom0 to run the command "lspci -vv"? If yes, then would there be any security issues, because PCI devices are to be attached to domU (guests)? [except some of them which are strictly required in dom0 (e.g., the host bridge) as stated in: https://www.qubes-os.org/doc/pci-devices/ ]

Please correct me if I have understood this incorrectly.

Thank you.

PCI devices are connected enough to dom0 that "sudo lspci -vv" will work. If they are "hidden", they get claimed by the pciback Xen driver so dom0 drivers don't try to initialize them. They don't actually disappear from lspci. The hardware sits there inert, and only gets initialized once the VM they are assigned to loads drivers for them. When the VM shuts down, dom0 again won't recognize it.

If you want to make sure dom0 won't load drivers for a newly added PCI device, add pciback.hide=(BDF) to your kernel options line, where BDF is the format 01:00.0. It will be difficult to predict this in advance, so use some type of live boot and lspci to see where the device gets assigned.

FLR is nice because it resets the hardware device before and after it gets handed back to dom0. However, not having FLR is somewhat of a theoretical vulnerability because a malicious device can't do much to dom0 without a driver it can interact with. Am leaving hardware level attacks out of scope of this, as FLR capability wouldn't matter as much as IOMMU containment. Hope that helps more than it confuses. I welcome corrections to any of my misunderstandings as well.

To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/f843bcc7-3bfa-69cc-9644-2909d5dfb7c3%40danwin1210.me.
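The check the thread describes (run "lspci -vv" in dom0 and look for "FLReset+" in DevCap) is easy to misread by eye because the flag sits on the continuation line after "DevCap:", and an unprivileged lspci hides capabilities entirely. The following script is an added example, not code from the thread or from Qubes/Xen; it parses lspci -vv text and reports FLR support per BDF, run here against a constructed sample whose device names are made up.

```sh
#!/bin/sh
# Added example (not from the thread): summarise FLR support per PCI device
# by parsing `lspci -vv` text. In dom0 run:  sudo lspci -vv | flr_report
# Without root, lspci prints "Capabilities: <access denied>" and every device
# comes out as FLR=unknown, so the report must come from a privileged run.

# Reads lspci -vv output on stdin; prints "<BDF>  FLR=yes|no|unknown  <description>".
# The FLReset+/- flag is on the continuation line after "DevCap:", so we look
# for it anywhere in a device's block rather than on the DevCap line itself.
# "unknown" means no PCIe DevCap was visible (legacy PCI device, or access denied).
flr_report() {
    awk '
    function flush() { if (bdf != "") printf "%s  FLR=%s  %s\n", bdf, status, desc }
    # Device header lines start in column 0 with a BDF ("01:00.0" or "0000:01:00.0");
    # all other lines of lspci -vv are indented.
    /^[0-9a-f][0-9a-f:]*\.[0-9a-f] / {
        flush()
        bdf = $1
        desc = substr($0, length($1) + 2)
        status = "unknown"
        next
    }
    /FLReset\+/ { status = "yes" }
    /FLReset-/  { status = "no" }
    END { flush() }
    '
}

# Constructed sample of lspci -vv output (real output indents with tabs; the
# parser only relies on header lines being unindented). Device names are made up.
sample_lspci() {
    cat <<'EOF'
00:00.0 Host bridge: Example Vendor Host Bridge (rev 01)
    Control: I/O- Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr-
    Capabilities: [e0] Vendor Specific Information: Len=10 <?>
01:00.0 VGA compatible controller: Example Vendor GPU (rev a1)
    Capabilities: [78] Express (v2) Legacy Endpoint, MSI 00
        DevCap: MaxPayload 256 bytes, PhantFunc 0, Latency L0s unlimited, L1 <64us
            ExtTag+ AttnBtn- AttnInd- PwrInd- RBE+ FLReset- SlotPowerLimit 75.000W
02:00.0 Network controller: Example Vendor Wireless NIC (rev 78)
    Capabilities: [40] Express (v2) Endpoint, MSI 00
        DevCap: MaxPayload 128 bytes, PhantFunc 0, Latency L0s <512ns, L1 <64us
            ExtTag- AttnBtn- AttnInd- PwrInd- RBE+ FLReset+ SlotPowerLimit 10.000W
EOF
}

sample_lspci | flr_report
```

A device reported as FLR=no can still be passed through, but as the reply notes it will not be reset by FLR on the way into and out of the VM, so that is the case where pciback.hide and IOMMU containment carry the weight.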