diff --git a/core-modules/000QubesVm.py b/core-modules/000QubesVm.py index 5f637b43..81bb6f10 100644 --- a/core-modules/000QubesVm.py +++ b/core-modules/000QubesVm.py @@ -128,6 +128,7 @@ class QubesVm(object): "func": lambda value: [] if value in ["none", None] else eval(value) if value.find("[") >= 0 else eval("[" + value + "]") }, + "pci_strictreset": {"default": True}, # Internal VM (not shown in qubes-manager, doesn't create appmenus entries "internal": { "default": False, 'attr': '_internal' }, "vcpus": { "default": None }, @@ -188,7 +189,7 @@ class QubesVm(object): ### Mark attrs for XML inclusion # Simple string attrs for prop in ['qid', 'uuid', 'name', 'dir_path', 'memory', 'maxmem', - 'pcidevs', 'vcpus', 'internal',\ + 'pcidevs', 'pci_strictreset', 'vcpus', 'internal',\ 'uses_default_kernel', 'kernel', 'uses_default_kernelopts',\ 'kernelopts', 'services', 'installed_by_rpm',\ 'uses_default_netvm', 'include_in_backups', 'debug',\ @@ -1056,7 +1057,7 @@ class QubesVm(object): return template.format(ip=ip, mac=mac, backend=backend) def _format_pci_dev(self, address): - template = " \n" \ + template = " \n" \ " \n" \ "
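Review bot: The new `"pci_strictreset": {"default": True}` entry has no `func` converter, unlike the `pcidevs` entry just above it, yet the following hunk adds the property to the "Simple string attrs" list that is marked for XML inclusion. The loading code is outside this diff, so this needs confirming: if the saved value comes back as the string `'False'`, the truthiness test `"" if self.pci_strictreset else ...` in the `_format_pci_dev` hunk would treat it as enabled, and the opt-out would silently not survive a reload. That errs on the safe side (strict reset stays enforced), but a converter such as `"func": lambda value: value if isinstance(value, bool) else str(value).lower() == "true"` would make the stored setting unambiguous.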
\n" \ " \n" \ @@ -1067,7 +1068,10 @@ class QubesVm(object): return template.format( bus=dev_match.group(1), slot=dev_match.group(2), - fun=dev_match.group(3)) + fun=dev_match.group(3), + strictreset=("" if self.pci_strictreset else + " nostrictreset='yes'"), + ) def get_config_params(self): args = {} diff --git a/doc/qvm-tools/qvm-prefs.rst b/doc/qvm-tools/qvm-prefs.rst index ef1c6878..197ef6eb 100644 --- a/doc/qvm-tools/qvm-prefs.rst +++ b/doc/qvm-tools/qvm-prefs.rst @@ -37,6 +37,16 @@ include_in_backups pcidevs PCI devices assigned to the VM. Should be edited using qvm-pci tool. +pci_strictreset + Accepted values: ``True``, ``False`` + + Control whether prevent assigning to VM a device which does not support any + reset method. Generally such devices should not be assigned to any VM, + because there will be no way to reset device state after VM shutdown, so + the device could attack next VM to which it will be assigned. But in some + cases it could make sense - for example when the VM to which it is assigned + is trusted one, or is running all the time. + label Accepted values: ``red``, ``orange``, ``yellow``, ``green``, ``gray``, ``blue``, ``purple``, ``black`` diff --git a/qvm-tools/qvm-prefs b/qvm-tools/qvm-prefs index 36b57f76..8eac355d 100755 --- a/qvm-tools/qvm-prefs +++ b/qvm-tools/qvm-prefs @@ -55,6 +55,7 @@ def do_list(vm): print fmt.format ("dir", vm.dir_path) print fmt.format ("config", vm.conf_file) print fmt.format ("pcidevs", vm.pcidevs) + print fmt.format ("pci_strictreset", vm.pci_strictreset) if vm.template is None: print fmt.format ("root_img", vm.root_img) if hasattr(vm, "rootcow_img") and vm.rootcow_img is not None: 
@@ -217,6 +218,14 @@ def set_pcidevs(vms, vm, args):
 vm.pcidevs = list(eval(args[0]))
 return True
+def set_pci_strictreset(vms, vm, args):
+ if len (args) != 1:
+ print >> sys.stderr, "Missing value (True/False)!"
+ return False
+
+ vm.pci_strictreset = bool(eval(args[0].capitalize()))
+ return True
+
 def set_netvm(vms, vm, args):
 if len (args) != 1:
 print >> sys.stderr, "Missing netvm name argument!"
@@ -475,6 +484,7 @@ def set_timezone(vms, vm, args):
 properties = {
 "include_in_backups": set_include_in_backups,
 "pcidevs": set_pcidevs,
+ "pci_strictreset": set_pci_strictreset,
 "label" : set_label,
 "netvm" : set_netvm,
 "dispvm_netvm" : set_dispvm_netvm,
diff --git a/rpm_spec/core-dom0.spec b/rpm_spec/core-dom0.spec
index c9612885..86612c48 100644
--- a/rpm_spec/core-dom0.spec
+++ b/rpm_spec/core-dom0.spec
@@ -57,7 +57,7 @@ Requires: libvirt-python
 %if x%{?backend_vmm} == xxen
 Requires: xen-runtime
 Requires: xen-hvm
-Requires: libvirt-daemon-xen
+Requires: libvirt-daemon-xen >= 1.2.12-3
 %endif
 Requires: createrepo
 Requires: gnome-packagekit
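Review bot: `set_pci_strictreset` passes the command-line argument through `eval()` (`bool(eval(args[0].capitalize()))`), so a security-relevant flag is set by evaluating arbitrary text rather than by matching the two documented values. A typo such as `no` raises an uncaught NameError, while inputs like `0` or `[]` quietly evaluate to False and switch the reset requirement off. The context lines show `set_pcidevs` using the same `eval` pattern, which this function appears to copy. An explicit comparison against `true`/`false`, with an error message for anything else, avoids both problems and matches the style of the `len (args)` check above it.

```python
def set_pci_strictreset(vms, vm, args):
    # … unchanged: argument-count check …

    value = args[0].strip().lower()
    if value not in ("true", "false"):
        print >> sys.stderr, "Invalid value (expected True/False)!"
        return False

    vm.pci_strictreset = (value == "true")
    return True
```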