Re: [qubes-users] AppVMs not starting whenever USB channels are assigned
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 On 2016-07-13 15:03, Cannon wrote: > On 07/12/2016 11:16 PM, Andrew David Wong wrote: >> Please see this FAQ entry: >> >> https://www.qubes-os.org/doc/user-faq/#i-created-a-usbvm-and-assigned- >> usb-controllers-to-it-now-the-usbvm-wont-boot >> > > > > Thanks for the link. Yes it is a USB 3.0 device, I wonder why it is not > working with sys-usb after restore from backup, although it did before I > deleted sys-usb? > Even after settings pci_strictreset to false? Please clarify what you mean by "not working." > I am trying to understand the pci_strict reset cons/pros of disabling it? > When it states "because there will be no way to reset device state after VM > shutdown, so the device could attack next VM to which it will be assigned." > What does this mean? The idea is that a compromised VM might compromise the device. You then detach the compromised device from that VM and attach it to a different VM. The device compromises the second VM. If the device could be reset in between detaching it from the first VM and attaching it to the second VM, there would be a significantly lower probability that the second VM would be compromised. > Does this mean even if untrusted device is unplugged, then trusted device > plugged in the untrusted device could still affect the VM? Yes, but for a different reason. A compromised device could compromise the VM to which it is attached. The compromised VM could then compromise any other devices subsequently attached to that VM. > If I disable pci_strict reset does this make dom0 vulnerable? > No, because by default USB controllers are not automatically returned to dom0 after being assigned to a domU. You'd have to do that manually (in which case you would indeed be putting dom0 at risk). See the FAQ entry immediately after the previous one: https://www.qubes-os.org/doc/user-faq/#i-assigned-a-pci-device-to-a-qube- then-unassigned-itshut-down-the-qube`-why-isnt-the-device-available-in-dom0 - -- Andrew David Wong (Axon) Community Manager, Qubes OS https://www.qubes-os.org -BEGIN PGP SIGNATURE- iQIcBAEBCgAGBQJXh0wQAAoJENtN07w5UDAwEq0P/0nEBLvXofflEDBm1257Qw9U kf+yvhQQ03pziEN+1E/JX43FwWoiphGlmz/Ksn5wouHSYTca7bFiLV8Ia0PaOYca BRZ7Qrb5vJKoyr5HjWB/7y/jp7zrqFFRPSi7gw5iUk6nZ0hQiuM+zdMah5DYbv7t 4AXugJvxuHuce9ZwiOBdKqiP/ds9GbhLLVhLSG4SDGvsy/UmcF0HRwmY5awv2jaz QgVexNVgdQMFKm9x6cMQMCfixNpidgHwHg/hWIDmw/W+wPS8xU8fq8jOR/dKY28c teUCRkE7IHfn0LmQgrRonVt3BBJWLKcsnGNUNmgjVyOEVzIHfTfsx0jjGKwYDSFp isrnkht67/zTXh3fUvD88g+snl7DTgzyE/CS7ideONQynjl0Ec8bLiW9rynpiTRt t4192hYwnQHzPxEMn4p4ujbCZ3uSHCcRN8fpjVi1cu9/I309ZlhJEgCPLnAriheM EJAfSOwsMzCwe1t/zG6z/mhCqcaynm2DUCa8eU2juV0N7fXe59VsHKchnZSToI8A 2Xu+secZYDO1su+x4BGBOhri7j3baax2cm5sOtRuRBreCpTgGS7QU+uVtELN9YOr h6rHTNE2ANxp7Vfxe1+AslTJo9PpUu21svkzSn/iwQ0cbBtg9X+Y/mIM3GT6DQPE qvx4dWFaj/BnuD808emz =octU -END PGP SIGNATURE- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/975800e7-f8fb-5809-6db9-aeed5b6e29ed%40qubes-os.org. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] AppVMs not starting whenever USB channels are assigned
On Wednesday, July 13, 2016 at 6:03:25 PM UTC-4, Cannon wrote: > On 07/12/2016 11:16 PM, Andrew David Wong wrote: > > Please see this FAQ entry: > > > > https://www.qubes-os.org/doc/user-faq/#i-created-a-usbvm-and-assigned- > > usb-controllers-to-it-now-the-usbvm-wont-boot > > > > > > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA512 > > Thanks for the link. > Yes it is a USB 3.0 device, I wonder why it is not working with sys-usb > after restore from backup, although it did before I deleted sys-usb? > > I am trying to understand the pci_strict reset cons/pros of disabling it? > When it states "because there will be no way to reset device state after > VM shutdown, so the device could attack next VM to which it will be > assigned." What does this mean? Does this mean even if untrusted device > is unplugged, then trusted device plugged in the untrusted device could > still affect the VM? If I disable pci_strict reset does this make dom0 > vulnerable? > > Thanks > > -BEGIN PGP SIGNATURE- > > iQIcBAEBCgAGBQJXhrmFAAoJEAYDai9lH2mwAL0P/iPRd8dOWejYz0WQcOo6RTRT > XWRiyY44lR1yBl7aVrRjxX1iJ9pltD3mZw/9y1WfOTDSdzF1taDqsU7dCmw5er2A > 2B9WqbLMdjfFY8iI47Pa+8iVbBrTOSOgQU8QuqTLEdQ8A8f9n7ekvSJn+vfoY/G8 > 3VIDOBFrFhAPgwaKG+Mvc4FwAmQ1I8zSr3K95EjC/IbldDCsmkdCZqnqoXbA0ihx > /5wX02yEeT6n4fnPnr+Ux5WsaMrx9xFNmqx5l02UPM6To2DCbxIJiJBHVS/6y4JV > iKBvaUUQ1NzNlVBfKq5IECy4+p0ofp48U2vWvkerv5K3EA2MEzjJ/TV9LjhUPyHF > q6ncSWPw0HHL+9A2QGsY0KlG9AGdcz42iODsLHcoJt3T39VpQngFaQ4KuD3GodGw > 5d9M2Nrg0lNjvahAjyY7T2spgyub7VKZ/PX1IH4daJJoYlNmPAatw9c+g9Zm3BDo > yOQapN4aL/BaLpgiy0E9tZhmaAkYMER5v8czvAwS0l+6IaeuMGKLRPpO0D1iUSMH > T2y0ILLNNr08DwnBzzOeunlBwJathV0PZ1guzx8gLuFDEOc43c0kFQedPuN6SDkQ > h8IOkXj77K854jbtaDxhMai9D80tB4GVweIQr0BiTmUf51YUyZFj3DLxdMoDj5oC > WQn4TdA3VluZ6Zfy/crH > =kKQ7 > -END PGP SIGNATURE- what if you delete it again, and then use the automatic management stack per directions on that page. qubesctl top.enable qvm.sys-usb qubesctl state.highstate I had a similar issue when trying to create a second usbvm. It wouldn't let me assign device cause of xen error. So then I just deleted both usbvms and then tried to recreate one manually,but i could never start it cause of the reset error. So I used the above commands to recreate it again with the same name and then it worked again. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/0ceed317-de0f-45f7-8c49-df1d0769eb50%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] AppVMs not starting whenever USB channels are assigned
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 On 2016-07-12 15:43, Cannon wrote: > My sys-usb was working fine. However I had to restore it. I tried to > recreate it by assigning USB devices to it, that did not work so I > restored the sys-usb from backup. > > I cannot start any system VM that has USB attache dot it because I get > following error: > > Error starting VM 'sys-usb': internal error: Unable to reset PCI device > :00:10:0: no FLR, PM reset or bus available > > Any ideas? > > Thanks > Please see this FAQ entry: https://www.qubes-os.org/doc/user-faq/#i-created-a-usbvm-and-assigned- usb-controllers-to-it-now-the-usbvm-wont-boot - -- Andrew David Wong (Axon) Community Manager, Qubes OS https://www.qubes-os.org -BEGIN PGP SIGNATURE- iQIcBAEBCgAGBQJXhXoxAAoJENtN07w5UDAwmbMP/2H1msmyy0pXbMP7OZPkz0eq TekFEy3py2MW0XTK4JoR/JUI3PlQxNJIalWotSbP5iHdlZGbyP5YsSUGKp+6EHdW +BUjhsTH3zuxjN6v3J/F9r5JI/CJ/SB4ap/cQFc5mYj1c50rOy4GCEdwT1xI00vT gQYmGzG5hOyJ+MsCOb0HIjOebHNRy2JVzBV8D0n4pbw2e0TcITuo7YpvhQ8FBkQI EgT+dZt+HFg5dfwiDu5KGpqNlyn040dTdPQrjQj0z4SVk3Frgmswx4z8iYKvzuP2 wl6iyWFT0UPEShh4JhfFxPoS4eR5nnqMdTcVs97F5fCUaIai7NtVIsbQdwXRbOh8 vpJc5bA1EqAdaG1qiCzDMaLyYXtznAre78FWIYLQfqBvL6G50T770RmaOxC6VTUJ GEQK24wRsCvRjuuhlLOciHsgcUhyDdchrw80szTOyJShhJh/BuFp+WZZbo3j7iKp o2I8UdZfG/cofeHYEPoCp++cH9Fc+6TGe9bMLAlyGLYljjwcPPOeU5Cttae40dwm eXs7zUk9aAoYx+eMpzv65H8B4H6brOhm/xg/IJFzr2bTw5IHBGTro2+6WYI5HrSA dab149YGmnU5MSe/myPeSBFucEJ/zRnypYmSveMiwiVbm1ECRp+ORyPO4JyrA0ay KAL4Nhb+R54OTO/K1bg6 =2/Td -END PGP SIGNATURE- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/4eec66e2-12c5-30dd-d2d7-11c54a04875b%40qubes-os.org. For more options, visit https://groups.google.com/d/optout.
[qubes-users] AppVMs not starting whenever USB channels are assigned
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 My sys-usb was working fine. However I had to restore it. I tried to recreate it by assigning USB devices to it, that did not work so I restored the sys-usb from backup. I cannot start any system VM that has USB attache dot it because I get following error: Error starting VM 'sys-usb': internal error: Unable to reset PCI device :00:10:0: no FLR, PM reset or bus available Any ideas? Thanks -BEGIN PGP SIGNATURE- iQIcBAEBCgAGBQJXhXHZAAoJEAYDai9lH2mwExQQAJE6ySTjXXx/rR0yl60Y3IIe RJiBf9t+DHW9DIaayz3GS7k15Ez6JLio5Ci9WqW+WaENgJV+TWEu84uN/8gvL/xM fm9OKAJyAWJkJLVdgWE8mqHRNfQeN4HtxX07l6+cdvo9m7gL1f7D3r3gRuGUX85l dI/WV7Jx/L+A3WuKbNz46ysyp+KkawHDBqyFT5OOwI4/2SJnV4ALOtKaq7tY4gaH siThcYwgOQLKF2h+CBizg+ov8CD+4JvfplX2DEnrvkMRCLok9LZJ7cGpYgrK0HwR f/S9HY9ITUXjkOMFw9d8R72Px6PzgrkAvAFvjBzqGxz+Dqem8sWVgmpXVAnCtwpv lY/dwel0gB0lGIMmaGSsYVyue05My6pG4JSJEFCwMs5bSWgKRmZCmBHYsxF39YGb B21aT/bcGFy16g6ekwqka1AxPDC46v89Edd+Hx/tyBmZHncuW0rVwd5XWzBjX83w /liop23rfUoAapowcapI4GzydIyu0mdRAGECJ1AAVbXEK4V5kOh0eOCDz1MNihgV HhXWZnAzxj3FetboLKiQJ6KWB+59ZS1bsJXzzPlInkAazUazYCoNWHHsrKDei4L+ uXwWGMRiQpeYQDW3Kszj7PCV/oJeUc6bt0uBLaJnR/15IimNzRlA1g8rHzwwZYyF NxR8JKhemElrUHzMB8Zl =otd0 -END PGP SIGNATURE- -- Cannon PGP Fingerprint: 2BB5 15CD 66E7 4E28 45DC 6494 A5A2 2879 3F06 E832 Email: can...@cannon-ciota.info Bitmessage Address: BM-2cVaTbC8fJ5UDDaBBs4jPQoFNp1PfNhxqU Ricochet-IM: ricochet:hfddt2csxnsb2mdq NOTICE: ALL EMAIL CORRESPONDENCE NOT ENCRYPTED/SIGNED WITH PGP SHOULD BE CONSIDERED INSECURE AND NOT PRIVATE. If this matters to you, use PGP or bitmessage. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/f779f7d8-e2b5-1e56-7f69-432836624880%40cannon-ciota.info. For more options, visit https://groups.google.com/d/optout.
