Dear Qubes community,
after using 3.1 and 3.2 in production on my primary laptop
(Lenovo X220), and having used that machine to test Qubes since R2,
I now have the need to make my built-in camera available in an App VM (I chose
untrusted, but may use a dedicated one later on).
However, I am failing to pass through the
USB controller to the App VM. This
may never have worked with Qubes 3.x (didn't need it so far), but I definitely
tested this in the 2.x days.
Since it was experimental(?) at the time, I chose not to install
a dedicated USB VM, so by default both USB controllers are
assigned to Dom0. This is what my system/hardware looks like.
Please note that this is Qubes R3.2!!
lspci (in Dom0):
00:1a.0 USB controller: Intel Corporation 6 Series/C200 Series Chipset Family USB Enhanced Host Controller #2 (rev 04)
00:1d.0 USB controller: Intel Corporation 6 Series/C200 Series Chipset Family USB Enhanced Host Controller #1 (rev 04)
lsusb (in Dom0):
Bus 002 Device 003: ID 0bdb:1911 Ericsson Business Mobile Networks BV
Bus 002 Device 002: ID 8087:0024 Intel Corp. Integrated Rate Matching Hub
Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 003: ID 04f2:b217 Chicony Electronics Co., Ltd Lenovo Integrated
Bus 001 Device 002: ID 8087:0024 Intel Corp. Integrated Rate Matching Hub
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Output of 'readlink /sys/bus/usb/devices/usb1'
I assumed that the path of least resistance would be to attach
the USB controller with pci ID 00:1a.0 to my AppVM (untrusted).
qvm-pci -a untrusted 00:1a.0
qvm-pci -l untrusted
However, as apparently often seen (mailing list, FAQ), at that
point I fail to start the AppVM:
[user@dom0 ~]$ qvm-start untrusted
--> Creating volatile image: /var/lib/qubes/appvms/untrusted/volatile.img...
--> Loading the VM (type = AppVM)...
Traceback (most recent call last):
File "/usr/bin/qvm-start", line 136, in <module>
File "/usr/bin/qvm-start", line 120, in main
xid = vm.start(verbose=options.verbose,
preparing_dvm=options.preparing_dvm, start_guid=not options.noguid,
notify_function=tray_notify_generic if options.tray else None)
File "/usr/lib64/python2.7/site-packages/qubes/modules/000QubesVm.py", line
1979, in start
File "/usr/lib64/python2.7/site-packages/libvirt.py", line 1059, in
if ret == -1: raise libvirtError ('virDomainCreateWithFlags() failed',
libvirt.libvirtError: internal error: libxenlight failed to create new domain
And xl dmesg shows:
(XEN) [VT-D] It's disallowed to assign 0000:00:1a.0 with shared RMRR at da8d5000
(XEN) XEN_DOMCTL_assign_device: assign 0000:00:1a.0 to dom5 failed (-1)
Further, pci ID 00:1a.0 still shows up in dom0.
In the context of dedicated USB VMs there is a FAQ pertaining to this,
and clearly there are several github issues related to this. However,
qvm-prefs untrusted -s pci_strictreset false
I get exactly the same error (AppVM untrusted fails to start). I tried
the trick resetting USB to 2.0 (though given the age of the machine
I am not even sure that this is a 3.0 hub/device); again no effect --
as far as I can tell identical error.
Yesterday too late I found some discussions from 2015 in a Xen mailing list,
where someone eventually succeeded using several options, but
I don't know how to set these in Qubes (via qvm-prefs??).
I should add that I tried again after rebooting as well, but no
change. So, I am puzzled as I know that this worked in Qubes 2.x.
Am I missing some small print in my attempts and/or in what order
should I try the tricks that might remedy this?
I guess I could try setting up a USB VM, but I assume I would run
into exactly the same issue. And aside from the need to assign the
camera, I don't exactly have a use scenario for a dedicated USB VM
on that machine.
Help appreciated, thanks in advance!
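
Added example (not part of the original post and not Qubes or Xen project code): a small dom0 shell helper that reads `xl dmesg` text and reports which PCI devices Xen refused to assign, with the shared RMRR address and target domain taken from the two kinds of log line quoted above. The function names rmrr_refusals and sample_log are made up for this illustration.

```bash
#!/usr/bin/env bash
# Added example: summarise PCI passthrough refusals found in `xl dmesg` text.
# Usage in dom0: xl dmesg | rmrr_refusals
# Prints one line per refused device: <BDF> rmrr=<addr> domain=<domN>

rmrr_refusals() {
  awk '
    # VT-d refusal line: record the RMRR address reported for the device.
    /\[VT-D\].*disallowed to assign .* with shared RMRR at/ {
      for (i = 1; i < NF; i++) {
        if ($i == "assign") bdf = $(i + 1)
        if ($i == "at") addr = $(i + 1)
      }
      if (!(bdf in seen)) { seen[bdf] = 1; order[++n] = bdf }
      rmrr[bdf] = addr
    }
    # domctl failure line: record the domain the assignment was meant for.
    /XEN_DOMCTL_assign_device: assign .* failed/ {
      for (i = 1; i < NF; i++) {
        if ($i == "assign") bdf = $(i + 1)
        if ($i == "to") dom = $(i + 1)
      }
      if (!(bdf in seen)) { seen[bdf] = 1; order[++n] = bdf }
      target[bdf] = dom
    }
    END {
      for (k = 1; k <= n; k++) {
        b = order[k]
        printf "%s rmrr=%s domain=%s\n", b,
          ((b in rmrr) ? rmrr[b] : "unknown"),
          ((b in target) ? target[b] : "unknown")
      }
    }
  '
}

# The two Xen log lines quoted in the post, used as sample input.
sample_log() {
  cat <<'EOF'
(XEN) [VT-D] It's disallowed to assign 0000:00:1a.0 with shared RMRR at da8d5000
(XEN) XEN_DOMCTL_assign_device: assign 0000:00:1a.0 to dom5 failed (-1)
EOF
}

sample_log | rmrr_refusals
```

A device that appears with an rmrr= address was rejected by the VT-d check itself, while rmrr=unknown means only the domctl failure was logged for it.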