I seem to have it working; I'll outline the steps in case others
run into this. Nevertheless, I'd appreciate an 'authoritative answer'
since I was 'fishing blindly'. [More see inline]

Am Freitag, 2. März 2018 09:34:18 UTC+1 schrieb sbor...@gmail.com:
> Dear Qubes community,
> after using 3.1 and 3.2 in production on my primary laptop 
> (Lenovo X220), and having used that machine to test Qubes since R2,
> I now have the need to make my built in camera available in an App VM (I 
> choose untrusted, but may a dedicated one later on).
> However, I am failing to pass through the
> USB controller to the App VM.


I reread


and tried enabling 'permissive' mode as described for R3.2 in the above
documentation. However, this per se doesn't work, as the target file
is not writeable, even for root and even when triggered through systemd.

However, I then compared the 'kernelopts' of 'sys-net' to those of 'untrusted',
and noted that 'iommu=soft swiotlb=8192' where missing in the latter. So
I added those, together with forcing 'pci_strictreset False'.

After rebooting the whole machine, untrusted has grabbed the usb hub and sees
the camera. The expected loss of a USB port due to the strange 'wiring' of the 
Lenovo X220 is acceptable to me; furthermore, I do plan to attach the pci 
device only when I know that I'll need the camera. 


> And xl dmesg shows:
> XEN) [VT-D] It's disallowed to assign 0000:00:1a.0 with shared RMRR at 
> da8d5000 for Dom5.
> (XEN) XEN_DOMCTL_assign_device: assign 0000:00:1a.0 to dom5 failed (-1)

For the record, xl dmesg is now telling me that 
[VT-D] It's risky to assign .. with shared RMRR at .. for Dom4

what ever that means.

I don't know which of the options / changes did the trick, but one or more
of the above seems to enable the camera in 'untrusted'.

Best regards,


You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
For more options, visit https://groups.google.com/d/optout.

Reply via email to