From qubes-users Sun Nov 01 09:22:57 2015
From: Joanna Rutkowska
Date: Sun, 01 Nov 2015 09:22:57 +0000
To: qubes-users
Subject: Re: [qubes-users] PCMCIA card - how prevent to assigning to dom0 and start direct with sys-net?
Message-Id: <20151101092256.GA1404 () work-mutt>
X-MARC-Message: https://marc.info/?l=qubes-users&m=144636986625073

On Sat, Oct 31, 2015 at 02:34:30PM +0100, Marek Marczykowski wrote:
> On Sun, Oct 25, 2015 at 02:18:17AM -0700, niepowiem48@gmail.com wrote:
> > Hello,
> >
> > I have a pcmcia wifi card and I want to start it with sys-net (the device is assigned to sys-net).
> > When I put the card into the pcmcia slot, the card is first assigned to dom0 and next I can start sys-net. Without assigning this card first to dom0 I can't start sys-net, as a message is shown saying "there is no device" or something similar.
> > How to prevent assigning this card to dom0 and start this device only in sys-net?
>
> If you plug the card before starting the system, it will be assigned to
> xen-pciback driver (which among other things, prevents dom0 driver
> touching the device). But this is done automatically only at system
> startup. If you plug the device later, there is no such mechanism
> currently.
>
> Anyway there is nothing in dom0 which would configure the device, so if
> the device itself isn't malicious, dom0 would not be exposed for network
> access.
>
> @Joanna: should we add some udev rule to automatically attach such
> devices to xen-pciback driver? Allowing hotplug of DMA capable devices
> to dom0 isn't a good idea, but at least we could have some
> mitigation factor.
>

How would you like to define "such devices"?

joanna.
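The startup-time isolation described in the quoted reply can be applied to a device plugged in later by rebinding it to pciback through sysfs. This is an added example, not part of the original thread and not Qubes code; the driver directory name `pciback` and the overridable `SYSFS` root are assumptions, and the script takes the device address as given rather than deciding which devices should qualify.

```shell
#!/bin/sh
# Rebind one PCI device to xen-pciback through sysfs so no dom0 driver owns it.
# SYSFS is overridable (assumption) so the logic can run on a constructed tree.
SYSFS="${SYSFS:-/sys}"
# Driver directory name is an assumption; adjust if your kernel names it differently.
PCIBACK="${PCIBACK:-pciback}"

current_driver() {
    # Print the name of the driver bound to device $1 (empty if unbound).
    link="$SYSFS/bus/pci/devices/$1/driver"
    [ -L "$link" ] && basename "$(readlink "$link")"
    return 0
}

rebind_to_pciback() {
    bdf="$1"
    drv_dir="$SYSFS/bus/pci/drivers/$PCIBACK"
    # Accept only the dddd:bb:dd.f form before using it in any path.
    case "$bdf" in
        [0-9a-f][0-9a-f][0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f].[0-7]) ;;
        *) echo "bad PCI address: $bdf" >&2; return 2 ;;
    esac
    [ -d "$SYSFS/bus/pci/devices/$bdf" ] || { echo "no such device: $bdf" >&2; return 3; }
    [ -d "$drv_dir" ] || { echo "$PCIBACK driver not present" >&2; return 4; }

    cur="$(current_driver "$bdf")"
    if [ "$cur" = "$PCIBACK" ]; then
        return 0                                  # already held by pciback
    fi
    if [ -n "$cur" ]; then
        # Detach whichever dom0 driver claimed the device on hotplug.
        echo "$bdf" > "$SYSFS/bus/pci/devices/$bdf/driver/unbind"
    fi
    echo "$bdf" > "$drv_dir/new_slot"             # let pciback accept this slot
    echo "$bdf" > "$drv_dir/bind"                 # attach pciback to the device
}
```

A dom0 driver that binds on hotplug has already touched the device before this runs, so the rebind limits exposure afterwards rather than preventing the initial probe.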