mirror of
https://github.com/QubesOS/qubes-doc.git
synced 2025-10-09 09:08:28 -04:00
Removed documentation from deprecated pages
parent
30e58b17b5
commit
706498d976
2 changed files with 26 additions and 476 deletions
|
@ -1,6 +1,6 @@
|
|||
---
|
||||
layout: doc
|
||||
title: Assigning Devices
|
||||
title: Assigning Devices in R3.2
|
||||
permalink: /doc/assigning-devices/
|
||||
redirect_from:
|
||||
- /en/doc/assigning-devices/
|
||||
|
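Review bot: The front matter retitles the page to `Assigning Devices in R3.2` but leaves `permalink: /doc/assigning-devices/` and the `redirect_from` entries unversioned, so existing links for device assignment keep landing on the R3.2 text. Consider giving this page a versioned permalink and redirecting the unversioned one to the current PCI devices page, or state in the commit message why the old permalink is kept.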
@ -8,8 +8,9 @@ redirect_from:
|
|||
- /wiki/AssigningDevices/
|
||||
---
|
||||
|
||||
Assigning Devices to VMs
|
||||
========================
|
||||
Assigning Devices to VMs in R3.2
|
||||
================================
|
||||
(In case you were looking for the [R4.0 documentation](/doc/pci-devices/).)
|
||||
|
||||
Sometimes you may need to assign an entire PCI or PCI Express device directly to a qube.
|
||||
This is also known as PCI pass-through.
|
||||
|
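Review bot: The only pointer to the current documentation is the parenthetical `(In case you were looking for the [R4.0 documentation](/doc/pci-devices/).)` under the heading, which is easy to skip and does not say that this page is deprecated. A plain sentence stating that the page applies to R3.2 only and that R4.0 users should follow `/doc/pci-devices/` would match the commit message and keep readers from applying R3.2 commands on a newer release.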
@ -25,31 +26,7 @@ While PCI device can only be used by one powered on VM at a time, it *is* possib
|
|||
This means that you can use the device in one VM, shut that VM down, start up a different VM (to which the same device is also assigned), then use the device in that VM.
|
||||
This can be useful if, for example, you have only one USB controller, but you have multiple security domains which all require the use of different USB devices.
|
||||
|
||||
R4.0
|
||||
------------------------
|
||||
|
||||
In order to assign a whole PCI(e) device to a VM, one should use the `qvm-pci` tool.
|
||||
First, list the available PCI devices:
|
||||
|
||||
~~~
|
||||
qvm-pci
|
||||
~~~
|
||||
|
||||
This will show you the `backend:BDF` address of each PCI device.
|
||||
It will look something like `dom0:00_1a.0`.
|
||||
Once you've found the address of the device you want to assign, then attach it like so:
|
||||
|
||||
~~~
|
||||
qvm-pci attach --persistent <vmname> <backend>:<bdf>
|
||||
~~~
|
||||
|
||||
For example, if `00_1a.0` is the BDF of the device you want to assign to the "personal" domain, you would do this:
|
||||
|
||||
~~~
|
||||
qvm-pci attach --persistent personal dom0:00_1a.0
|
||||
~~~
|
||||
|
||||
R3.2
|
||||
Using the Commandline
|
||||
------------------------
|
||||
|
||||
In order to assign a whole PCI(e) device to a VM, one should use the `qvm-pci` tool.
|
||||
|
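Review bot: Style point on the renamed heading in this hunk: `Using the Commandline` should read `Using the Command Line`. With the R4.0 `qvm-pci attach --persistent` block gone from this section, it is also worth confirming before merge that `/doc/pci-devices/` carries the same commands, since nothing in this section links there.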
@ -83,103 +60,14 @@ This will show you a list of available devices, which you can select to be assig
|
|||
|
||||
Finding the right USB controller
|
||||
--------------------------------
|
||||
|
||||
Some USB devices are not compatible with the USB pass-through method Qubes employs.
|
||||
In situations like this, you can still often get the USB device to work by passing through the entire USB controller to a qube.
|
||||
However, with this approach one cannot assign single USB devices, only the whole USB controller with whatever USB devices are connected to it.
|
||||
More information on using and managing USB devices with qubes is available on the [USB] page.
|
||||
If you want assign a certain USB device to a VM by attaching the whole USB controller, you need to figure out which PCI device is the right controller.
|
||||
First, check to which USB bus the device is connected (note that these steps need to be run from a terminal inside `dom0`):
|
||||
|
||||
~~~
|
||||
lsusb
|
||||
~~~
|
||||
|
||||
For example, I want assign a broadband modem to the NetVM.
|
||||
In the output of `lsusb` it can be listed as something like this.
|
||||
(In this case, the device isn't fully identified):
|
||||
|
||||
~~~
|
||||
Bus 003 Device 003: ID 413c:818d Dell Computer Corp.
|
||||
~~~
|
||||
|
||||
The device is connected to USB bus \#3.
|
||||
Then check which other devices are connected to the same bus, since *all* of them will be assigned to the same VM.
|
||||
Now is the time to find the right USB controller:
|
||||
|
||||
~~~
|
||||
readlink /sys/bus/usb/devices/usb3
|
||||
~~~
|
||||
|
||||
This should output something like:
|
||||
|
||||
~~~
|
||||
../../../devices/pci-0/pci0000:00/0000:00:1a.0/usb3
|
||||
~~~
|
||||
|
||||
Now you see the BDF address in the path (right before final `usb3`).
|
||||
Strip the leading `0000:` and pass the rest to the `qvm-pci` tool to attach the controller with the version specific steps above.
|
||||
This was moved to the [current documentation][finding controller].
|
||||
|
||||
Possible issues
|
||||
---------------
|
||||
Please refere to the [current documentation][possible issues] for an issue description and carefully read the [security implications]!
|
||||
Return here for a guide on how to enable permissive mode and disable strict reset!
|
||||
|
||||
### DMA buffer size
|
||||
|
||||
VMs with assigned PCI devices in Qubes have allocated a small buffer for DMA operations (called swiotlb).
|
||||
By default it is 2MB, but some devices need a larger buffer.
|
||||
To change this allocation, edit VM's kernel parameters (this is expressed in 512B chunks):
|
||||
|
||||
~~~
|
||||
# qvm-prefs netvm |grep kernelopts
|
||||
kernelopts : iommu=soft swiotlb=2048 (default)
|
||||
# qvm-prefs -s netvm kernelopts "iommu=soft swiotlb=8192"
|
||||
~~~
|
||||
|
||||
This is [known to be needed][ml1] for the Realtek RTL8111DL Gigabit Ethernet Controller.
|
||||
|
||||
### PCI passthrough issues
|
||||
|
||||
Sometimes the PCI arbitrator is too strict.
|
||||
There is a way to enable permissive mode for it.
|
||||
See also: [this thread][ml2] and the Xen wiki's [PCI passthrough] page.
|
||||
|
||||
**NOTE:** By setting the permissive flag for the PCI device, you're potentially weakening the device isolation, especially if your system is not equipped with a VT-d Interrupt Remapping unit.
|
||||
See [Software Attacks on Intel VT-d] (page 7)
|
||||
for more details.
|
||||
|
||||
At other times, you may instead need to disable the FLR requirement on a device.
|
||||
This will also weaken device isolation; see the "I created a usbVM..." entry in the [FAQ](/doc/user-faq/) for more details.
|
||||
|
||||
R4.0
|
||||
------------------------
|
||||
|
||||
Permissive mode and strict reset are options set as part of PCI device attachment.
|
||||
If you've already attached the PCI device to a VM, detach it first either with Qube Manager or `qvm-pci`, then list the available PCI devices:
|
||||
|
||||
~~~
|
||||
qvm-pci
|
||||
~~~
|
||||
|
||||
This will show you the `backend:BDF` address of each PCI device.
|
||||
It will look something like `dom0:00_1a.0`.
|
||||
Once you've found the address of the device you want to assign, then attach it like so:
|
||||
|
||||
~~~
|
||||
qvm-pci attach --persistent --option <option1> [--option <option2>] <vmname> <backend>:<bdf>
|
||||
~~~
|
||||
|
||||
For example, if `00_1a.0` is the BDF of the device you want to assign to the "personal" domain, and it is particularly difficult to pass through you would do this:
|
||||
|
||||
~~~
|
||||
qvm-pci attach --persistent --option permissive=true --option no-strict-reset=true personal dom0:00_1a.0
|
||||
~~~
|
||||
|
||||
Running `qvm-pci` again should then show your PCI device attached with both the `permissive` and `no-strict-reset` options set.
|
||||
|
||||
**Note** again that in most cases you should not need either of these options set.
|
||||
Only set one or more of them as required to get your device to function, or replace the device with one that functions properly with Qubes.
|
||||
|
||||
R3.2
|
||||
Enabling permissive mode
|
||||
------------------------
|
||||
|
||||
Permissive mode is enabled system wide per device.
|
||||
|
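Review bot: In the `Possible issues` region, the inline **NOTE** that the permissive flag potentially weakens device isolation, and the sentence that disabling the FLR requirement does the same, no longer sit beside `Enabling permissive mode`; the warning is now reachable only through the `[security implications]` link. Since the page still walks the reader through enabling permissive mode, keep a one-sentence warning directly above that heading in addition to the link. Also fix the typo in the new text: `Please refere to` should be `Please refer to`.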
@ -213,31 +101,12 @@ Only set one or more of them as required to get your device to function, or repl
|
|||
|
||||
Bringing PCI device back to dom0
|
||||
--------------------------------
|
||||
This was moved to the [current documentation][bring back devices].
|
||||
|
||||
By default, when a device is detached from a VM (or when a VM with an attached PCI device is shut down), the device is *not* automatically attached back to dom0.
|
||||
This is an intended feature.
|
||||
A device which was previously assigned to a VM less trusted than dom0 (which, in Qubes, is *all* of them) could attack dom0 if it were automatically reassigned there.
|
||||
|
||||
In order to re-enable the device in dom0, either:
|
||||
|
||||
* Reboot the physical machine.
|
||||
|
||||
or
|
||||
|
||||
* Go to the sysfs (`/sys/bus/pci`), find the right device, detach it from the pciback driver, and attach it back to the original driver.
|
||||
Replace `<BDF>` with your full device, for example `0000:00:1c.2`:
|
||||
|
||||
~~~
|
||||
echo <BDF> > /sys/bus/pci/drivers/pciback/unbind
|
||||
MODALIAS=`cat /sys/bus/pci/devices/<BDF>/modalias`
|
||||
MOD=`modprobe -R $MODALIAS | head -n 1`
|
||||
echo <BDF> > /sys/bus/pci/drivers/$MOD/bind
|
||||
~~~
|
||||
|
||||
|
||||
[usb]: /doc/usb/
|
||||
[ml1]: https://groups.google.com/group/qubes-devel/browse_thread/thread/631c4a3a9d1186e3
|
||||
[ml2]: https://groups.google.com/forum/#!topic/qubes-users/Fs94QAc3vQI
|
||||
[PCI passthrough]: https://wiki.xen.org/wiki/Xen_PCI_Passthrough
|
||||
[Software Attacks on Intel VT-d]: https://invisiblethingslab.com/resources/2011/Software%20Attacks%20on%20Intel%20VT-d.pdf
|
||||
|
||||
[finding controller]: /doc/usb-devices/#finding-the-right-usb-controller
|
||||
[possible issues]: /doc/pci-devices/#possible-issues
|
||||
[security implications]: /doc/device-considerations/#pci-security
|
||||
[bring back devices]: /doc/pci-devices/#bringing-pci-devices-back-to-dom0
|
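Review bot: Check for dangling references after the change to the link definitions at the end of the file: `[finding controller]`, `[possible issues]`, `[security implications]` and `[bring back devices]` come in, while `[usb]`, `[ml1]`, `[ml2]`, `[PCI passthrough]` and `[Software Attacks on Intel VT-d]` go out. Any retained R3.2 section outside this diff's context that still uses one of the removed labels will render as literal bracketed text. The replacement sentence `This was moved to the [current documentation][bring back devices].` also reads like a changelog entry; `See the [current documentation][bring back devices].` tells the reader what to do.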