There’s the same problem and the same solution too: dom0 must be prevented from loading drivers for a PCI device (here, it’s the USB controller) during early boot, so as not to expose itself to malicious data before the VM that the PCI device is assigned to (here, sys-usb) is started. The qubes-pciback dracut module takes care of that, if a certain kernel command line parameter is passed (here, rd.qubes.hide_all_usb).
The only difference with USB is that there is such a convenient rd.qubes.hide_all_usb syntax (instead of having to figure out the appropriate rd.qubes.hide_pci=Bus:Device.Function parameter for other types of PCI devices), and that rd.qubes.hide_all_usb is even added automatically by the installer during the creation of sys-usb.
Yes, USB devices are hidden by default from dom0. So if you use a USB adapter for the SD card, then the SD card is hidden from dom0 because it gets handled as a USB device because of the adapter.
And that has the same result as if you don’t use any adapter, and just insert the SD card into the PCI SD card reader with an appropriate rd.qubes.hide_pci=Bus:Device.Function.
Both these solutions accomplish the same thing from a security perspective.
Fixing this at its root is very difficult, and requires changes to system firmware and to Xen. I presented about this at a Dasharo user group and the conclusion was that it was possible, but no work has happened since.
I would love for this to happen, but I suspect it would require significant funding for both changes.
I bought an internal SSD which is PCIe. It shows up as a block device. I haven’t done anything with it yet.
I want to create 2 standard partitions (not LVM) and have some spare memory unallocated which I can use to resize the other 2 partitions in the future. I created another topic about it: Standard partioning secondary block devices with LUKS encryption
But that topic is more about how to create the partitions and encryption. I realized that since the internal SSD is a PCI device, I’m not sure how to properly do the appropriate rd.qubes.hide_pci=Bus:Device.Function
So I should hide_pci the BDF of the SSD device, then attach it to a disposable and create partitions with parted.
After that I detach and power cycle by restarting the computer. Or do I maybe need to do any new hide_pci after creating the partitions? …Before restarting the computer (power cycling)?
Or do I need to add the partitions to hide_pci after restarting the computer?
Or maybe I don’t need to do any more hide_pci at all, just the first time before creating the partitions?
Or maybe not even the first time?
I thought I had a good understanding of PCI device security but now that it’s about an internal SSD I’m uncertain again.
I also guess I can only attach 1 partition at a time since SSDs are PCIe. So I can’t have partition1 in qube1 and partition2 in qube2 at the same time; I would have to power cycle (restart the computer) every time I switch between those two qubes, or more specifically each time I want to use one of those partitions in one of those qubes.
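How the rd.qubes.hide_pci=Bus:Device.Function value discussed in this thread can be derived from `lspci -Dn` output for a given PCI class, as an added example that is not part of any post above. The function name, the constructed device list, and the comma-joined form for several matching devices are assumptions of this example.

```shell
#!/bin/sh
# Constructed sample of `lspci -Dn` output (domain:bus:dev.fn, class, vendor:device).
# Classes used here: 0c03 = USB controller, 0108 = NVMe controller, 0805 = SD host controller.
SAMPLE_LSPCI='0000:00:14.0 0c03: 8086:a36d (rev 10)
0000:00:1f.3 0403: 8086:a348 (rev 10)
0000:02:00.0 0280: 8086:2723 (rev 1a)
0000:03:00.0 0108: 144d:a808
0000:04:00.0 0805: 1217:8621 (rev 01)'

# hide_pci_param CLASS  (hypothetical helper; reads `lspci -Dn` text on stdin)
# Prints rd.qubes.hide_pci=<BDF>[,<BDF>...] for every device of that class.
# Exit status: 0 = printed, 1 = no device of that class, 2 = bad class argument.
hide_pci_param() {
    class=$1
    case $class in
        [0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F]) ;;
        *) echo "bad class code: $class" >&2; return 2 ;;
    esac
    awk -v want="$(printf %s "$class" | tr 'A-F' 'a-f'):" '
        $2 == want {
            bdf = $1
            # Drop the leading PCI domain so the value is Bus:Device.Function.
            sub(/^[0-9a-f][0-9a-f][0-9a-f][0-9a-f]:/, "", bdf)
            # Skip anything that is not a well-formed BDF rather than emit it.
            if (bdf !~ /^[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]\.[0-7]$/) next
            # Assumption: several devices are joined with commas.
            list = list (list == "" ? "" : ",") bdf
        }
        END { if (list == "") exit 1; print "rd.qubes.hide_pci=" list }
    '
}

# Stand-alone run on the constructed sample: the NVMe controller.
printf '%s\n' "$SAMPLE_LSPCI" | hide_pci_param 0108
```

On a real system the input would be `lspci -Dn` run in dom0 instead of the sample variable, and the printed value is what gets appended to the kernel command line.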