Lspci in dom0 shows network and USB controllers

ryrona · February 23, 2025, 7:57am

When I run lspci inside dom0 terminal, it shows all network and USB controller PCI devices as well, even if they are supposed to not be assigned to dom0, but sys-net and sys-usb instead.

Is this expected, and why?

How can I list what PCI devices are actually assigned to and accessible by dom0?

How does QubesOS handle making sure (possibly compromised) network and USB hardware never touches dom0 at any point during boot?

Zrubi · February 23, 2025, 9:42am

qvm-pci

ryrona · February 24, 2025, 11:54am

From that page:

By default, when a device is detached from a VM (or when a VM with an attached PCI device is shut down), the device is not automatically attached back to dom0.

This is an intended feature.

A device which was previously attached to a VM less trusted than dom0 (which, in Qubes, is all of them) could attack dom0 if it were automatically reattached there.

In order to re-enable the device in dom0, either:

Reboot the physical machine. (Best practice)

So, do I understand it correctly that, briefly during the startup of the computer, network and USB controller devices will be attached to dom0?

How is dom0 protected from compromise in this situation, in case the firmware itself on the network device is compromised?

Or if a malicious USB device is plugged in already during boot?

If sys-net isn’t auto-started, would there now suddenly be internet connectivity in dom0? Or how is this prevented?

ryrona · February 24, 2025, 8:29pm

Apparently, someone was thinking along exactly the same lines, and asked pretty much these exact same questions 10 days ago.

There is apparently a script called qubes-pciback.sh which runs really early during startup, before devices are initialized, and assigns the network and USB controllers into a dummy “pciback” driver that does nothing, so that the devices cannot be claimed by the real drivers. The network PCI devices are always assigned to pciback, USB controllers if the “rd.qubes.hide_all_usb” grub option is supplied, which it is for me.

So, a compromised network or USB controller device should not be able to do any harm to dom0 at all. They are attached to dom0 though, there just won’t be any driver talking to them, so it is more or less like if they weren’t assigned to dom0 at all.

github.com/QubesOS/qubes-core-admin-linux

dracut/modules.d/90qubes-pciback/qubes-pciback.sh

main

#!/bin/bash --

type getarg >/dev/null 2>&1 || . /lib/dracut-lib.sh
unset re HIDE_PCI usb_in_dom0 dev skip exposed

usb_in_dom0=false

if getargbool 0 rd.qubes.hide_all_usb; then
    # Select all networking and USB devices
    re='0(2|c03)'
elif ! getargbool 1 usbcore.authorized_default; then
    # Select only networking devices, but enable USBguard
    re='02'
    usb_in_dom0=true
else
    re='02'
    warn 'USB in dom0 is not restricted. Consider rd.qubes.hide_all_usb or usbcore.authorized_default=0.'
fi

HIDE_PCI=$(set -o pipefail; { lspci -mm -n | awk "/^[^ ]* \"$re/ {print \$1}";}) ||

This file has been truncated. show original

Zrubi · March 12, 2025, 4:59pm