PCMCIA card - how prevent to assigning to dom0 and start direct with sys-net?


niepo...@gmail.com

Oct 25, 2015, 5:18:17 AM
to qubes-users
Hello,

I have a PCMCIA wifi card and I want to start it with sys-net (the device is assigned to sys-net).
When I put the card into the PCMCIA slot, it is first assigned to dom0, and only then can I start sys-net. Without first assigning this card to dom0 I can't start sys-net, as a message shows "there is no device" or something similar.
How do I prevent assigning this card to dom0 and start this device only in sys-net?

niepo...@gmail.com

Oct 31, 2015, 7:00:01 AM
to qubes-users, niepo...@gmail.com
Nobody?

Marek Marczykowski-Górecki

Oct 31, 2015, 9:34:37 AM
to niepo...@gmail.com, qubes-users, Joanna Rutkowska
If you plug the card before starting the system, it will be assigned to
xen-pciback driver (which among other things, prevents dom0 driver
touching the device). But this is done automatically only at system
startup. If you plug the device later, there is no such mechanism
currently.

Anyway there is nothing in dom0 which would configure the device, so if
the device itself isn't malicious, dom0 would not be exposed for network
access.

@Joanna: should we add some udev rule to automatically attach such
devices to xen-pciback driver? Allowing hotplug of DMA capable devices
to dom0 isn't a good idea, but at least we could have some
mitigation factor.

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

Joanna Rutkowska

Nov 1, 2015, 4:24:25 AM
to Marek Marczykowski-Górecki, niepo...@gmail.com, qubes-users

On Sat, Oct 31, 2015 at 02:34:30PM +0100, Marek Marczykowski wrote:
> On Sun, Oct 25, 2015 at 02:18:17AM -0700, niepo...@gmail.com wrote:
> > Hello,
> >
> > I have a PCMCIA wifi card and I want to start it with sys-net (the device is assigned to sys-net).
> > When I put the card into the PCMCIA slot, it is first assigned to dom0, and only then can I start sys-net. Without first assigning this card to dom0 I can't start sys-net, as a message shows "there is no device" or something similar.
> > How do I prevent assigning this card to dom0 and start this device only in sys-net?
>
> If you plug the card before starting the system, it will be assigned to
> xen-pciback driver (which among other things, prevents dom0 driver
> touching the device). But this is done automatically only at system
> startup. If you plug the device later, there is no such mechanism
> currently.
>
> Anyway there is nothing in dom0 which would configure the device, so if
> the device itself isn't malicious, dom0 would not be exposed for network
> access.
>
> @Joanna: should we add some udev rule to automatically attach such
> devices to xen-pciback driver? Allowing hotplug of DMA capable devices
> to dom0 isn't a good idea, but at least we could have some
> mitigation factor.
>
How would you like to define "such devices"?

joanna.

Marek Marczykowski-Górecki

Nov 1, 2015, 1:45:52 PM
to Joanna Rutkowska, niepo...@gmail.com, qubes-users

On Sun, Nov 01, 2015 at 10:22:57AM +0100, Joanna Rutkowska wrote:
> On Sat, Oct 31, 2015 at 02:34:30PM +0100, Marek Marczykowski wrote:
> > On Sun, Oct 25, 2015 at 02:18:17AM -0700, niepo...@gmail.com wrote:
> > > Hello,
> > >
> > > I have a PCMCIA wifi card and I want to start it with sys-net (the device is assigned to sys-net).
> > > When I put the card into the PCMCIA slot, it is first assigned to dom0, and only then can I start sys-net. Without first assigning this card to dom0 I can't start sys-net, as a message shows "there is no device" or something similar.
> > > How do I prevent assigning this card to dom0 and start this device only in sys-net?
> >
> > If you plug the card before starting the system, it will be assigned to
> > xen-pciback driver (which among other things, prevents dom0 driver
> > touching the device). But this is done automatically only at system
> > startup. If you plug the device later, there is no such mechanism
> > currently.
> >
> > Anyway there is nothing in dom0 which would configure the device, so if
> > the device itself isn't malicious, dom0 would not be exposed for network
> > access.
> >
> > @Joanna: should we add some udev rule to automatically attach such
> > devices to xen-pciback driver? Allowing hotplug of DMA capable devices
> > to dom0 isn't a good idea, but at least we could have some
> > mitigation factor.
> >
> How would you like to define "such devices"?

Devices plugged into an external slot. For example:

[marmarek@dom0 ~]$ cat /sys/bus/pci/slots/1/address
0000:03:00

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
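
An added example, not code from the thread or from Qubes, of the hotplug handler Marek proposes: a device counts as "external" when its address appears under /sys/bus/pci/slots/*/address (the file shown above), and such a device is handed to the pciback driver through its new_slot and bind sysfs attributes so no dom0 driver keeps it. The udev rule in the comment, the script path and the SYSFS_ROOT parameter (which lets the logic run against a constructed tree) are assumptions.

```shell
#!/bin/sh
# Added example: bind hot-plugged PCI devices in external slots to pciback.
# SYSFS_ROOT is an assumption so the functions can be exercised against a
# constructed sysfs tree; on a real dom0 it is /sys.
SYSFS_ROOT="${SYSFS_ROOT:-/sys}"

# Return 0 if the BDF (e.g. 0000:03:00.0) matches a slot address.
# /sys/bus/pci/slots/*/address lists domain:bus:device without the function.
is_external_slot() {
    bdf="$1"
    busdev="${bdf%.*}"
    for f in "$SYSFS_ROOT"/bus/pci/slots/*/address; do
        [ -r "$f" ] || continue
        [ "$(cat "$f")" = "$busdev" ] && return 0
    done
    return 1
}

# Detach the device from whatever dom0 driver claimed it, register it with
# pciback (new_slot) and bind it there, so dom0 never drives the device.
bind_to_pciback() {
    bdf="$1"
    dev="$SYSFS_ROOT/bus/pci/devices/$bdf"
    pciback="$SYSFS_ROOT/bus/pci/drivers/pciback"
    [ -d "$dev" ] || return 2
    if [ -L "$dev/driver" ]; then
        echo "$bdf" > "$dev/driver/unbind"
    fi
    echo "$bdf" > "$pciback/new_slot"
    echo "$bdf" > "$pciback/bind"
}

# Hotplug entry point: act only on devices sitting in an external slot.
# Assumed udev rule (hypothetical path) that would call it on every PCI add:
#   ACTION=="add", SUBSYSTEM=="pci", RUN+="/usr/local/bin/pciback-hotplug.sh %k"
handle_hotplug() {
    bdf="$1"
    if is_external_slot "$bdf"; then
        bind_to_pciback "$bdf"
        return $?
    fi
    return 1
}
```

After the device is bound to pciback it still has to be attached to the VM explicitly, as Marek notes later in the thread.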

niepo...@gmail.com

Nov 2, 2015, 12:44:02 PM
to qubes-users, joa...@invisiblethingslab.com, niepo...@gmail.com
Could I get an explanation: once I physically disconnect the PCMCIA card from a working VM and re-insert it, the VM cannot recognise it and does not show it as an attached device. Even making a new VM and trying to connect it to this device does nothing.
It's a bit tiring, as once the device becomes disconnected, getting it back to proper work requires restarting the entire system, starting the needed VMs, etc.

Marek Marczykowski-Górecki

Nov 4, 2015, 1:23:12 PM
to niepo...@gmail.com, qubes-users, joa...@invisiblethingslab.com

On Mon, Nov 02, 2015 at 09:44:02AM -0800, niepo...@gmail.com wrote:
> Could I get an explanation: once I physically disconnect the PCMCIA card from a working VM and re-insert it, the VM cannot recognise it and does not show it as an attached device. Even making a new VM and trying to connect it to this device does nothing.
> It's a bit tiring, as once the device becomes disconnected, getting it back to proper work requires restarting the entire system, starting the needed VMs, etc.

To have a device accessible in some VM, it must be attached there (an
action). This is normally done at VM startup (or by using qvm-pci while
the VM is already running). If you remove the device and insert it
again, there is nothing that would attach that device to the VM again.

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?