I seem to have it working; I'll outline the steps in case others run into this. Nevertheless, I'd appreciate an 'authoritative answer' since I was 'fishing blindly'. [More see inline]
Am Freitag, 2. März 2018 09:34:18 UTC+1 schrieb sbor...@gmail.com: > Dear Qubes community, > > after using 3.1 and 3.2 in production on my primary laptop > (Lenovo X220), and having used that machine to test Qubes since R2, > I now have the need to make my built in camera available in an App VM (I > choose untrusted, but may a dedicated one later on). > > However, I am failing to pass through the > USB controller to the App VM. [snip] I reread https://www.qubes-os.org/doc/assigning-devices/ and tried enabling 'permissive' mode as described for R3.2 in the above documentation. However, this per se doesn't work, as the target file (/sys/bus/pci/drivers/pciback/permissive) is not writeable, even for root and even when triggered through systemd. However, I then compared the 'kernelopts' of 'sys-net' to those of 'untrusted', and noted that 'iommu=soft swiotlb=8192' where missing in the latter. So I added those, together with forcing 'pci_strictreset False'. After rebooting the whole machine, untrusted has grabbed the usb hub and sees the camera. The expected loss of a USB port due to the strange 'wiring' of the Lenovo X220 is acceptable to me; furthermore, I do plan to attach the pci device only when I know that I'll need the camera. [snip] > > And xl dmesg shows: > > XEN) [VT-D] It's disallowed to assign 0000:00:1a.0 with shared RMRR at > da8d5000 for Dom5. > (XEN) XEN_DOMCTL_assign_device: assign 0000:00:1a.0 to dom5 failed (-1) > For the record, xl dmesg is now telling me that [VT-D] It's risky to assign .. with shared RMRR at .. for Dom4 what ever that means. I don't know which of the options / changes did the trick, but one or more of the above seems to enable the camera in 'untrusted'. Best regards, Stefan -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/4d5f0ff0-e25a-4cdd-81f3-d8e98db7525a%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
