I'm running Qubes-OS 4.1.0. While looking through /var/log/xen/console/hypervisor.log, I stumbled over the following messages:

...
(XEN) [VT-D] It's risky to assign 0000:00:14.0 with shared RMRR at c9f42000 for Dom40.
(XEN) [VT-D] It's risky to assign 0000:00:1d.0 with shared RMRR at c9f42000 for Dom40.

In my case those PCI devices in question are USB controllers. They are handled by a VM called sys-usb in order to protect the bare metal carrier system from the risks of any malicious USB device being plugged in.

My questions are: What is the meaning of the acronym RMRR in this context? And what are the risks involved with this so-called "shared RMRR"?

pefu
  • "Reserved Memory Region Reporting". https://groups.google.com/g/qubes-users/c/gS1XTal8XYs/m/6ACnyN7WCAAJ is probably relevant, even though old and the settings are a bit different. (I think it basically comes down to Xen warning as soon as you start assigning devices that are grouped in a single RMRR, because you could assign them in some impossible way that will break things) – Håkan Lindqvist Mar 02 '22 at 12:02
  • Hi Håkan, thank you for this hint and link. I will now try to learn about this "Reserved Memory Region Reporting". However, I fear I have to live with the risks involved anyway because I use a USB keyboard, since this machine is lacking the good old PS2 keyboard socket from the past. :-) – pefu Mar 02 '22 at 12:08
  • No problem, I feel that I don't know the details enough myself to write a proper answer. But to my knowledge, if you are assigning all those devices to the same domain, that is a non-issue. – Håkan Lindqvist Mar 02 '22 at 12:10
  • In my case I've three USB host controllers. One of these three controllers is assigned to my administrative domain dom0 because the keyboard is connected to this controller. The other two USB host controllers are assigned to the before-mentioned less privileged special domain `sys-usb`. This domain is considered less trustworthy in Qubes-OS because a malicious USB device might sometime somehow intrude and conquer this particular domain. More info: https://www.cvedetails.com/cve/CVE-2021-28702/ and ... – pefu Mar 02 '22 at 15:01
  • ... continued: http://www.intel.com/content/dam/www/public/us/en/documents/product-specifications/vt-directed-io-spec.pdf This nearly 300 page document contains a section 8.4 explaining the term Reserved Memory Region Reporting and the data structure used. – pefu Mar 02 '22 at 15:04
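
Added example (not part of the original thread): a Python script that parses the warning format quoted in the question, groups devices by RMRR address, and lists any region whose devices were last assigned to different domains, which is the case the comment above singles out. The last two sample lines, the address `d0000000` and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Warning format as quoted in the question (any timestamp prefix is ignored).
WARNING = re.compile(
    r"\(XEN\) \[VT-D\] It's risky to assign "
    r"(?P<bdf>[0-9a-f]{4}:[0-9a-f]{2}:[0-9a-f]{2}\.[0-7]) "
    r"with shared RMRR at (?P<rmrr>[0-9a-f]+) for Dom(?P<dom>\d+)\."
)

# Constructed sample: the first two lines come from the question, the last
# two are made up to show one RMRR split across two domains.
SAMPLE_LOG = """\
(XEN) [VT-D] It's risky to assign 0000:00:14.0 with shared RMRR at c9f42000 for Dom40.
(XEN) [VT-D] It's risky to assign 0000:00:1d.0 with shared RMRR at c9f42000 for Dom40.
(XEN) [VT-D] It's risky to assign 0000:00:1a.0 with shared RMRR at d0000000 for Dom40.
(XEN) [VT-D] It's risky to assign 0000:00:1b.0 with shared RMRR at d0000000 for Dom41.
"""


def group_by_rmrr(log_text):
    """Return {rmrr_address: {device_bdf: latest_domain_id}}."""
    groups = defaultdict(dict)
    for line in log_text.splitlines():
        m = WARNING.search(line)
        if m:
            # Later lines overwrite earlier ones: a restarted VM gets a new
            # domain ID, so only the most recent assignment per device counts.
            groups[m["rmrr"]][m["bdf"]] = int(m["dom"])
    return dict(groups)


def split_regions(groups):
    """RMRRs whose devices are currently spread over more than one domain."""
    return sorted(r for r, devs in groups.items() if len(set(devs.values())) > 1)


if __name__ == "__main__":
    groups = group_by_rmrr(SAMPLE_LOG)
    for rmrr, devs in sorted(groups.items()):
        state = "SPLIT" if rmrr in split_regions(groups) else "same domain"
        print(f"RMRR {rmrr}: {state}")
        for bdf, dom in sorted(devs.items()):
            print(f"  {bdf} -> Dom{dom}")
```

To run it against a real log, pass the contents of /var/log/xen/console/hypervisor.log to `group_by_rmrr` instead of `SAMPLE_LOG`.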

0 Answers