How does Qubes handle malicious PCI devices?

I’m curious as to how Qubes handles potentially-malicious PCI devices, or more specifically, storage-related devices that are internally PCI devices(e.g. an SD card reader on a computer).
The qubes docs don’t offer much clarification on this matter. They do go over what precautions are taken to protect a PCI device from being compromised by a malicious VM, but it doesn’t go the other way around to explain the risks and dangers that the system or dom0 itself faces from a malicious PCI device. The most they say is that “Only dom0 exposes PCI devices.” Does that mean that all PCI devices are in direct contact with dom0? If so, that sounds like a major security concern. What if I were to plug in an infected SD card into an SD card reader?
I’d rather not try it out and find out myself. Any insight here would be appreciated.

1 Like

You are right - by default PCI devices are linked to dom0.
I would not describe this as a “major security concern” - it’s part of
the trade off between security and usability that you will find all
across Qubes.

If you insert an SD card, by default it will be attached to dom0.

You can override this for any PCI device:

  1. Identify the ID of the device - lspci will do.
  2. Edit the relevant grub entry adding rd.qubes.hide_PCI=DEVICE_ID to
    the vmlinuz boot line.
  3. Reboot

Now the device will be hidden from dom0 and can be allocated in any other

The potential for disaster is high, of course - but for most SD card
readers (beside better option of disabling in the BIOS settings), this works.
After testing you’ll want to make this a default boot setting.
You still run the risk of the PCI bus being infected.

I never presume to speak for the Qubes team. When I comment in the Forum or in the mailing lists I speak for myself.
1 Like

Thanks for some clarification and the suggested workaround.

However, I still don’t get why you wouldn’t consider this a “major security concern” if Qubes, by default, automatically attaches potentially-compromised storage devices to dom0, the most trusted and crucial part of the OS.

Why wasn’t an approach taken where any PCI devices that handle block storage devices are automatically attached to a dedicated qube, similar to the way that usb devices are handled by sys-usb?