
List:       qubes-users
Subject:    Re: [qubes-users] PCMCIA card - how prevent to assigning to dom0 and start direct with sys-net?
From:       Joanna Rutkowska <joanna () invisiblethingslab ! com>
Date:       2015-11-01 9:22:57
Message-ID: 20151101092256.GA1404 () work-mutt


On Sat, Oct 31, 2015 at 02:34:30PM +0100, Marek Marczykowski wrote:
> On Sun, Oct 25, 2015 at 02:18:17AM -0700, niepowiem48@gmail.com wrote:
> > Hello,
> > 
> > I have a PCMCIA wifi card and I want to start it with sys-net (the device is
> > assigned to sys-net). When I put the card into the PCMCIA slot, it is first
> > assigned to dom0 and then I can start sys-net. Without assigning this card
> > to dom0 first, I can't start sys-net, as a message is shown saying
> > "there is no device" or something similar. How can I prevent this card from
> > being assigned to dom0 and start this device only in sys-net?
> 
> If you plug the card before starting the system, it will be assigned to
> xen-pciback driver (which among other things, prevents dom0 driver
> touching the device). But this is done automatically only at system
> startup. If you plug the device later, there is no such mechanism
> currently.
> 
> Anyway there is nothing in dom0 which would configure the device, so if
> the device itself isn't malicious, dom0 would not be exposed for network
> access.
> 
> @Joanna: should we add some udev rule to automatically attach such
> devices to xen-pciback driver? Allowing hotplug of DMA capable devices
> to dom0 isn't a good idea, but at least we could have some
> mitigation factor.
> 
How would you like to define "such devices"?

joanna.
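An added example, not part of the original message and not Qubes code: a dom0-side audit that lists PCI devices of one class which are not bound to pciback, the gap the thread describes for devices plugged in after startup. Assumptions: the function names are hypothetical, the driver appears in sysfs as "pciback", and the class prefix 0x02 (network controller) is only one possible selection criterion, not one proposed in the thread; the sample tree is constructed.

```shell
#!/bin/sh
# Added example (not Qubes code): report PCI devices of one class that are not
# bound to pciback, i.e. devices a dom0 driver could still touch.

# list_unprotected CLASS_PREFIX [DEVICES_DIR]
# Prints "<BDF> <driver>" per matching device; "none" means no driver is bound.
list_unprotected() {
    prefix=$1
    root=${2:-/sys/bus/pci/devices}
    for dev in "$root"/*; do
        [ -r "$dev/class" ] || continue
        case $(cat "$dev/class") in
            "$prefix"*) ;;          # class matches, keep going
            *) continue ;;
        esac
        drv=none
        if [ -L "$dev/driver" ]; then
            drv=$(basename "$(readlink "$dev/driver")")
        fi
        if [ "$drv" != pciback ]; then
            printf '%s %s\n' "$(basename "$dev")" "$drv"
        fi
    done
}

# Constructed sample tree mimicking the sysfs layout, so the check runs offline.
# make_sample_tree DIR
make_sample_tree() {
    add_dev() {  # add_dev DIR BDF CLASS [DRIVER]
        mkdir -p "$1/devices/$2"
        echo "$3" > "$1/devices/$2/class"
        if [ -n "$4" ]; then
            mkdir -p "$1/drivers/$4"
            ln -s "../../drivers/$4" "$1/devices/$2/driver"
        fi
    }
    add_dev "$1" 0000:00:19.0 0x020000 pciback   # NIC held by pciback
    add_dev "$1" 0000:03:00.0 0x028000 iwlwifi   # wifi card claimed by a dom0 driver
    add_dev "$1" 0000:04:00.0 0x028000           # hotplugged, no driver bound yet
    add_dev "$1" 0000:00:02.0 0x030000 i915      # display controller, other class
}

tmp=$(mktemp -d)
make_sample_tree "$tmp"
list_unprotected 0x02 "$tmp/devices"
rm -rf "$tmp"
```

In dom0, calling list_unprotected with only the class prefix reads the real /sys/bus/pci/devices tree.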
