Lot of small fixes/rewordings

media-removable.png icon points to personal repository, needs fixing once qubes-attachment PR went through!

common-tasks/device-handling.md

@@ -114,6 +114,6 @@ If no specific `sourceVM:deviceID` combination is given, *all devices of that DE
 [PCI]:/doc/pci-devices-in-qubes-R4.0/
 
 [security considerations]: /doc/device-considerations/
-[device manager icon]: https://raw.githubusercontent.com/hrdwrrsk/adwaita-xfce-icon-theme/master/Adwaita-Xfce/22x22/devices/media-removable.png <!--TODO: find actual icon used in qubes!-->
+[device manager icon]: https://raw.githubusercontent.com/GammaSQ/qubes-attachment/doc-device-rework/wiki/Devices/media-removable.png
 [eject icon]: https://raw.githubusercontent.com/hrdwrrsk/adwaita-xfce-icon-theme/master/Adwaita-Xfce/22x22/actions/media-eject.png
 [i4692]: https://github.com/QubesOS/qubes-issues/issues/4692

common-tasks/pci-devices.md

@@ -14,16 +14,14 @@ PCI Devices in Qubes R4.0
 **Warning:** Only dom0 exposes PCI devices. Some of them are strictly required in dom0! (e.g. host bridge)
 You may end up with an unusable system by attaching the wrong PCI device to a VM.
 
-**Security warning:** PCI passthrough should be safe by default, but none-default options may be required. Please make sure you carefully read and understood the **[security considerations]** before deviating from default behavior!
+**Security warning:** PCI passthrough should be safe by default, but non-default options may be required. Please make sure you carefully read and understood the **[security considerations]** before deviating from default behavior!
 
-Unlike other devices ([USB], [block], mic), PCI devices need to be attached on VM-bootup. Similar to how you can't attach a new sound-card after your computer booted (and expect it to work properly), attaching PCI devices to already booted VMs isn't possible in any meaningful way.
+Unlike other devices ([USB], [block], mic), PCI devices need to be attached on VM-bootup. Similar to how you can't attach a new sound-card after your computer booted (and expect it to work properly), attaching PCI devices to already booted VMs isn't supported.
 
 The Qubes installer attaches all network class controllers to `sys-net` and all USB controllers to `sys-usb` by default, if you chose to create the network and USB qube during install.
 While this covers most use cases, there are some occasions when you may want to manually attach one NIC to `sys-net` and another to a custom NetVM, or have some other type of PCI controller you want to manually attach.
 
-Note that one can only attach full PCI or PCI Express devices by default.
-This limit is imposed by the PC and VT-d architectures.
-This means if a PCI device has multiple functions, all instances of it need to be attached to the same qube unless you have disabled the strict requirement with the `no-strict-reset` option during attachment.
+Some devices expose multiple functions with distinct BDF-numbers. Limits imposed by the PC and VT-d architectures may require all functions belonging to the same device to be attached to the same VM. This requirement can be dropped with the `no-strict-reset` option during attachment, bearing in mind the aformentioned [security considerations].
 In the steps below, you can tell if this is needed if you see the BDF for the same device listed multiple times with only the number after the "." changing.
 
 While PCI device can only be used by one powered on VM at a time, it *is* possible to *assign* the same device to more than one VM at a time. 

common-tasks/usb-devices.md

@@ -138,7 +138,7 @@ Strip the leading `0000:` and pass the rest to the [`qvm-pci` tool][qvm-pci] to
 [optical drives]: /doc/recording-optical-discs/
 [qubes u2f proxy]: /doc/u2f-proxy/
 [4661]: https://github.com/QubesOS/qubes-issues/issues/4661
-[device manager icon]:https://raw.githubusercontent.com/hrdwrrsk/adwaita-xfce-icon-theme/master/Adwaita-Xfce/22x22/devices/media-removable.png <!--TODO: find actual icon used in qubes!-->
+[device manager icon]:https://raw.githubusercontent.com/GammaSQ/qubes-attachment/doc-device-rework/wiki/Devices/media-removable.png
 [eject icon]:https://raw.githubusercontent.com/hrdwrrsk/adwaita-xfce-icon-theme/master/Adwaita-Xfce/22x22/actions/media-eject.png
 [Installation Section]:#installation-of-qubes-usb-proxy
 [USB-qube howto]: /doc/usb-qube-howto/

security/device-considerations.md

@@ -24,8 +24,10 @@ By default, Qubes requires any PCI device to be resettable from the outside (i.e
 
 Some devices do not implement a reset option. In these cases, Qubes by default does not allow attaching the device to any VM. If you decide to override this precaution, beware that the device may only be trusted when attached to the first VM. Afterwards, it should be **considered tainted** until the whole system is shut down. Even without malicious intent, usage data may be leaked.
 
+In case device reset is disabled for any reason, detaching the device should be considered a risk. Ideally, devices for which the `no-strict-reset` option is set are attached once to a VM which isn't shut down until the system is shut down.
+
 Additionally, Qubes restricts the config-space a VM may use to communicate with a PCI device. Only whitelisted registers are accessible. However, some devices or applications require full PCI access. In these cases, the whole config-space may be allowed. you're potentially weakening the device isolation, especially if your system is not equipped with a VT-d Interrupt Remapping unit.  This increases the VM's ability to run a [side channel attack] and vulnerability to the same. <!--TODO: really? It seems obvious, but I'm missing citation.-->
-See [Software Attacks on Intel VT-d] (page 7) for more details.
+See [Software Attacks on Intel VT-d] \(page 7) for more details.
 
 USB Security
 ------------