From 77e84b9ce415017755a24727788e5b43ebf2c155 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?=
 <marmarek@invisiblethingslab.com>
Date: Mon, 3 Jul 2017 23:07:25 +0200
Subject: [PATCH 1/6] Add qvm-block symlink

---
 Makefile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/Makefile b/Makefile
index eaf706b2..1a6d32ac 100644
--- a/Makefile
+++ b/Makefile
@@ -140,6 +140,7 @@ ifeq ($(OS),Linux)
 	$(MAKE) install -C linux/system-config
 endif
 	$(PYTHON) setup.py install -O1 --skip-build --root $(DESTDIR)
+	ln -s qvm-device $(DESTDIR)/usr/bin/qvm-block
 	ln -s qvm-device $(DESTDIR)/usr/bin/qvm-pci
 	ln -s qvm-device $(DESTDIR)/usr/bin/qvm-usb
 #	$(MAKE) install -C tests

From e5de8f4115d5edc76179282d1a03c7a8706f412e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?=
 <marmarek@invisiblethingslab.com>
Date: Mon, 3 Jul 2017 23:08:04 +0200
Subject: [PATCH 2/6] devices: better handle exceptions in device extension

Do not fail app.save() just because listing devices failed, for any
reason.
---
 qubes/devices.py | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/qubes/devices.py b/qubes/devices.py
index b4d166d2..a3f9783e 100644
--- a/qubes/devices.py
+++ b/qubes/devices.py
@@ -241,8 +241,17 @@ class DeviceCollection(object):
         attached persistently.
         '''
 
-        devices = self._vm.fire_event('device-list-attached:' + self._bus,
-            persistent=persistent)
+        try:
+            devices = self._vm.fire_event('device-list-attached:' + self._bus,
+                persistent=persistent)
+        except Exception as e:  # pylint: disable=broad-except
+            self._vm.log.exception(e, 'Failed to list {} devices'.format(
+                self._bus))
+            if persistent is True:
+                # don't break app.save()
+                return self._set
+            else:
+                raise
         result = set()
         for dev, options in devices:
             if dev in self._set and not persistent:

From 3721ae3e8ba81582d7c206947386a584064ba516 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?=
 <marmarek@invisiblethingslab.com>
Date: Mon, 3 Jul 2017 23:13:23 +0200
Subject: [PATCH 3/6] vm/adminvm: setup libvirt_domain property

Since libvirt do provide object for dom0 too, return it here.
It's much easier than special-casing AdminVM everywhere. And in fact
sometimes it is actually useful (for example attaching devices from/to
dom0, adjusting memory).
---
 qubes/vm/adminvm.py | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/qubes/vm/adminvm.py b/qubes/vm/adminvm.py
index a3246d09..82a9b975 100644
--- a/qubes/vm/adminvm.py
+++ b/qubes/vm/adminvm.py
@@ -49,6 +49,11 @@ class AdminVM(qubes.vm.BaseVM):
         default='00000000-0000-0000-0000-000000000000',
         setter=qubes.property.forbidden)
 
+    def __init__(self, *args, **kwargs):
+        super().__init__(*args, **kwargs)
+
+        self._libvirt_domain = None
+
     def __str__(self):
         return self.name
 
@@ -71,12 +76,14 @@ class AdminVM(qubes.vm.BaseVM):
 
     @property
     def libvirt_domain(self):
-        '''Always :py:obj:`None`.
+        '''Libvirt object for dom0.
 
         .. seealso:
            :py:attr:`qubes.vm.qubesvm.QubesVM.libvirt_domain`
         '''
-        return None
+        if self._libvirt_domain is None:
+            self._libvirt_domain = self.app.vmm.libvirt_conn.lookupByID(0)
+        return self._libvirt_domain
 
     @staticmethod
     def is_running():

From 75608795b0036708a949328f442cb8150a53f17c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?=
 <marmarek@invisiblethingslab.com>
Date: Mon, 3 Jul 2017 23:25:43 +0200
Subject: [PATCH 4/6] Disable SMAP in VMs

Linux kernel bug cause hypercall fails from HVM userspace (see
referenced issue). As a simple workaround, do not advertise SMAP to VMs
- but still use it as hypervisor level.

Fixes QubesOS/qubes-issues#2881
---
 templates/libvirt/xen.xml | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/templates/libvirt/xen.xml b/templates/libvirt/xen.xml
index 393f670d..e3ff31ac 100644
--- a/templates/libvirt/xen.xml
+++ b/templates/libvirt/xen.xml
@@ -10,6 +10,15 @@
         <currentMemory unit="MiB">{{ vm.memory }}</currentMemory>
         <vcpu placement="static">{{ vm.vcpus }}</vcpu>
     {% endblock %}
+    {% block cpu %}
+        <cpu mode='host-passthrough'>
+            <!-- disable nested HVM -->
+            <feature name='vmx' policy='disable'/>
+            <feature name='svm' policy='disable'/>
+            <!-- disable SMAP inside VM, because of Linux bug -->
+            <feature name='smap' policy='disable'/>
+        </cpu>
+    {% endblock %}
     <os>
         {% block os %}
             {% if vm.hvm %}

From 2dbb51a38d0991120bf3d472c897fa9623ba9e48 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?=
 <marmarek@invisiblethingslab.com>
Date: Mon, 3 Jul 2017 23:42:39 +0200
Subject: [PATCH 5/6] exc/block: fix attaching block device exposed by dom0

Don't set <backenddomain> element in libvirt XML when device is provided
by dom0.
---
 qubes/tests/devices_block.py        | 8 +++-----
 templates/libvirt/devices/block.xml | 2 ++
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/qubes/tests/devices_block.py b/qubes/tests/devices_block.py
index 820753ec..33620060 100644
--- a/qubes/tests/devices_block.py
+++ b/qubes/tests/devices_block.py
@@ -345,7 +345,6 @@ class TC_00_Block(qubes.tests.QubesTestCase):
             '    <driver name="phy" />\n'
             '    <source dev="/dev/sda" />\n'
             '        <target dev="xvdi" />\n'
-            '\n'
             '    <backenddomain name="sys-usb" />\n'
             '</disk>')
         vm.libvirt_domain.attachDevice.assert_called_once_with(device_xml)
@@ -366,7 +365,6 @@ class TC_00_Block(qubes.tests.QubesTestCase):
             '    <driver name="phy" />\n'
             '    <source dev="/dev/sda" />\n'
             '        <target dev="xvdj" />\n'
-            '\n'
             '    <backenddomain name="sys-usb" />\n'
             '</disk>')
         vm.libvirt_domain.attachDevice.assert_called_once_with(device_xml)
@@ -387,7 +385,7 @@ class TC_00_Block(qubes.tests.QubesTestCase):
             '    <driver name="phy" />\n'
             '    <source dev="/dev/sda" />\n'
             '        <target dev="xvdi" />\n'
-            '        <readonly />\n\n'
+            '        <readonly />\n'
             '    <backenddomain name="sys-usb" />\n'
             '</disk>')
         vm.libvirt_domain.attachDevice.assert_called_once_with(device_xml)
@@ -462,7 +460,7 @@ class TC_00_Block(qubes.tests.QubesTestCase):
             '    <driver name="phy" />\n'
             '    <source dev="/dev/sda" />\n'
             '        <target dev="xvdi" />\n'
-            '        <readonly />\n\n'
+            '        <readonly />\n'
             '    <backenddomain name="sys-usb" />\n'
             '</disk>')
         vm.libvirt_domain.attachDevice.assert_called_once_with(device_xml)
@@ -479,7 +477,7 @@ class TC_00_Block(qubes.tests.QubesTestCase):
             '    <driver name="phy" />\n'
             '    <source dev="/dev/sda" />\n'
             '        <target dev="xvdi" />\n'
-            '        <readonly />\n\n'
+            '        <readonly />\n'
             '    <backenddomain name="sys-usb" />\n'
             '</disk>')
         vm = TestVM({}, domain_xml=domain_xml_template.format(device_xml))
diff --git a/templates/libvirt/devices/block.xml b/templates/libvirt/devices/block.xml
index 41327f36..a78dca34 100644
--- a/templates/libvirt/devices/block.xml
+++ b/templates/libvirt/devices/block.xml
@@ -12,5 +12,7 @@
         <readonly />
     {%- endif %}
 
+    {%- if device.backend_domain.name != 'dom0' %}
     <backenddomain name="{{ device.backend_domain.name }}" />
+    {%- endif %}
 </disk>

From 9d17c52a8d9785f3ca982150521f913a5df851c2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?=
 <marmarek@invisiblethingslab.com>
Date: Tue, 4 Jul 2017 05:22:39 +0200
Subject: [PATCH 6/6] tests: add missing import

---
 qubes/tests/__init__.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/qubes/tests/__init__.py b/qubes/tests/__init__.py
index 3d19249e..07d3e787 100644
--- a/qubes/tests/__init__.py
+++ b/qubes/tests/__init__.py
@@ -53,6 +53,7 @@ import pkg_resources
 
 import qubes.api
 import qubes.api.admin
+import qubes.api.internal
 import qubes.backup
 import qubes.config
 import qubes.devices