Configure Strict reset for PCI devices

Toughbookqube · September 6, 2022, 3:13pm

During a install of Qubes 4.1 I received the error: Domain […] has failed to start: internal error: Unable to reset PCI device […]: no FLR, PM reset or bus reset available

Then when booting in, and trying to manually start it, I also get the this error: Start failed: internal error: libxenlight failed to create new domain ‘sys-net’ see /var/log/libvirt/libx/libxl-driver.log. Okay, so I looked into the advanced tab within the settings for sys-net, and I pressed the configure strict reset for PCI devices, which solved the issue.

Are there any security implications that I should be aware of by doing it this way?

tripleh · September 6, 2022, 7:31pm

This is a pretty old known bug. Search on qubes-issues for the details.

Toughbookqube · September 7, 2022, 9:57am

Yeah, there’s a wiki page about it, but it suggests the configure strict reset causes additional attack vectors, however I don’t know how or what.

Toughbookqube · September 7, 2022, 12:33pm

I believe I may have found the solution to my problem. The device causing the issue was the Ethernet. Disabling that in the BIOS, has fixed the problem. Since I’m not planning on using ethernet this solution works for me.

I’d much rather use Qubes OS in it’s default configuration (therefore more secure) than allowing no strict reset on a device, that I’m not even going to be using.

tripleh · September 7, 2022, 3:47pm

Sorry, I had misread your question and was referring to an isse where setting strict-reset=False would still not make it work.

I think Strict-Reset=False will allow PCI devices being attached to a VM without any prior PCI reset.

What a PCI reset does depends on the device. Usually I’d imagine it to clear any state from it.
So a somewhat compromised PCI device should ideally become “clean” again.

That way, the security implications are rather straightforward:
A compromised PCI device without reset could attack whatever other VM it is being attached to.
Also, let’s say one VM stored some data on that device (image inside a GPU cache for example), you attach it to another VM without reset, then that other VM might be able to read that data = data leakage.

Cold boots should however reset most PCI devices, i.e. users with just one VM to attach a device to during a boot session should probably be fine.

Of course you might still have some super crappy PCI devices that don’t follow any of the above standards, ignore resets etc. But there’s little Qubes OS can do about bad hardware.