Lspci in dom0 shows network and USB controllers

Apparently, someone was thinking along exactly the same lines, and asked pretty much these exact same questions 10 days ago.

There is apparently a script called qubes-pciback.sh which runs really early during startup, before devices are initialized, and assigns the network and USB controllers to a dummy “pciback” driver that does nothing, so that the devices cannot be claimed by the real drivers. The network PCI devices are always assigned to pciback; USB controllers are too if the “rd.qubes.hide_all_usb” GRUB option is supplied, which it is for me.

So, a compromised network or USB controller device should not be able to do any harm to dom0 at all. They are attached to dom0, though; there just won’t be any driver talking to them, so it is more or less as if they weren’t assigned to dom0 at all.

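A check for the state described in this thread, as an added example that is not part of the original post or of Qubes itself: it walks the PCI sysfs tree and reports whether each network and USB controller is bound to pciback rather than to a real driver. The function name `check_pciback` and its optional directory argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example: confirm that network and USB controllers visible in dom0
# are held by the dummy "pciback" driver instead of a real driver.
# Usage in dom0: check_pciback
# The optional argument (hypothetical, for testing) points at a directory
# laid out like /sys/bus/pci/devices.

check_pciback() {
    root="${1:-/sys/bus/pci/devices}"
    rc=0
    for dev in "$root"/*; do
        [ -r "$dev/class" ] || continue
        class=$(cat "$dev/class")
        # PCI class codes: 0x02xxxx = network controller,
        # 0x0c03xx = USB controller (serial bus, subclass USB).
        case "$class" in
            0x02*)   kind=network ;;
            0x0c03*) kind=usb ;;
            *)       continue ;;
        esac
        # The "driver" symlink names the kernel driver bound to the device;
        # it is absent when nothing has claimed the device.
        if [ -L "$dev/driver" ]; then
            drv=$(basename "$(readlink "$dev/driver")")
        else
            drv=none
        fi
        if [ "$drv" = pciback ]; then
            state=hidden
        else
            state=NOT-HIDDEN
            rc=1
        fi
        printf '%s %s driver=%s %s\n' "${dev##*/}" "$kind" "$drv" "$state"
    done
    # Non-zero when any network or USB controller is not held by pciback.
    return $rc
}
```

A USB controller reported as NOT-HIDDEN is the expected result when the “rd.qubes.hide_all_usb” option is not on the kernel command line.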