Dear Qubes community, after using 3.1 and 3.2 in production on my primary laptop (Lenovo X220), and having used that machine to test Qubes since R2, I now have the need to make my built in camera available in an App VM (I choose untrusted, but may a dedicated one later on).
However, I am failing to pass through the USB controller to the App VM. This may never have worked with Qubes 3.x (didn't need it so far), but I definitely tested this in the 2.x days. Since it was experimental(?) at the time, I chose not to install a dedicated USB VM, so by default both USB controllers are assigned to Dom0. This is what my system/hardware looks like Please note that this is Qubes R3.2!! lspci (in Dom0): 00:1a.0 USB controller: Intel Corporation 6 Series/C200 Series Chipset Family USB Enhanced Host Controller #2 (rev 04) 00:1d.0 USB controller: Intel Corporation 6 Series/C200 Series Chipset Family USB Enhanced Host Controller #1 (rev 04) lsusb (in Dom0): Bus 002 Device 003: ID 0bdb:1911 Ericsson Business Mobile Networks BV Bus 002 Device 002: ID 8087:0024 Intel Corp. Integrated Rate Matching Hub Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub Bus 001 Device 003: ID 04f2:b217 Chicony Electronics Co., Ltd Lenovo Integrated Camera (0.3MP) Bus 001 Device 002: ID 8087:0024 Intel Corp. Integrated Rate Matching Hub Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub Output of 'readlink /sys/bus/usb/devices/usb1' ../../../devices/pci0000:00/0000:00:1a.0/usb1 I assumed that the path of least resistance would be to attach the USB controller with pci ID 00:1a.0 to my AppVM (untrusted). So, qvm-pci -a untrusted 00:1a.0 qvm-pci -l untrusted ['00:1a.0'] However, as apparently often seen (mailing list, FAQ), at that point I fail to start the AppVM: [user@dom0 ~]$ qvm-start untrusted --> Creating volatile image: /var/lib/qubes/appvms/untrusted/volatile.img... --> Loading the VM (type = AppVM)... Traceback (most recent call last): File "/usr/bin/qvm-start", line 136, in <module> main() File "/usr/bin/qvm-start", line 120, in main xid = vm.start(verbose=options.verbose, preparing_dvm=options.preparing_dvm, start_guid=not options.noguid, notify_function=tray_notify_generic if options.tray else None) File "/usr/lib64/python2.7/site-packages/qubes/modules/000QubesVm.py", line 1979, in start self.libvirt_domain.createWithFlags(libvirt.VIR_DOMAIN_START_PAUSED) File "/usr/lib64/python2.7/site-packages/libvirt.py", line 1059, in createWithFlags if ret == -1: raise libvirtError ('virDomainCreateWithFlags() failed', dom=self) libvirt.libvirtError: internal error: libxenlight failed to create new domain 'untrusted' And xl dmesg shows: XEN) [VT-D] It's disallowed to assign 0000:00:1a.0 with shared RMRR at da8d5000 for Dom5. (XEN) XEN_DOMCTL_assign_device: assign 0000:00:1a.0 to dom5 failed (-1) Further, pci ID 00:1a.0 still shows up in dom0. In the context of dedicated USB VMs there is a FAQ pertaining to this, and clearly there are several github issues related to this. However, e.g., after qvm-prefs untrusted -s pci_strictreset false I get exactly the same error (AppVM untrusted fails to start). I tried the trick resetting USB to 2.0 (though given the age of the machine I am not even sure that this is a 3.0 hub/device); again no effect -- as far as I can tell identical error. Yesterday too late I found some discussions from 2015 in a Xen mailing list, where someone eventually succeeded using several options, but I don't know how to set these in Qubes (via qvm-prefs??). I should add that i tried again after rebooting as well, but no change. So, I am puzzled as I know that this worked in Qubes 2.x. Am I missing some small print in my attempts and/or in what order should I try the tricks that might remedy this? I guess I could try setting up a USB VM, but I assume I would run into exactly the same issue. And aside from the need to assign the camera, I don't exactly have a use scenario for a dedicated USB VM on that machine. Help appreciated, thanks in advance! Stefan -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/5bdaaeb8-4de3-4895-8a37-3027d1ba418b%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.