Best way to pass qvm-run output to dom0?

I’m trying to assign the qvm-run command output to a variable that dom0 will use in a script.

Short of writing the output to a file in the qube, and then copying the file to dom0, is there any other more direct ways?

One way is to use the --pass-io option, as described in the intro of the qvm-run documentation:

Note that by doing that you’ll be essentially copying data from a less trusted qube to dom0, which is generally discouraged. Please make sure that fits within your threat model.

Example (from the docs):

qvm-run --pass-io personal -- ls -a
  • --pass-io is a qvm-run option
  • personal is the name of the less trusted qube
  • -- indicates that no more qvm-run options will be provided, so options after that are part of the command to run
  • ls is an example command that prints a list of files within a directory
  • -a is an ls option that allows to include hidden files in the list (by default they’re not shown)

The result would print in dom0 a list of all files within the home directory of the personal qube. Again, that’s assuming that the ls command in the personal qube does what it says it does, see security warnings associated with copying less trusted data to dom0.

Edit: There is a real world example of that in the SecureDrop Developer docs:

1 Like