qubes-pciback: add optional support for PCI device whitelisting

This feature can be used by advanced users to assign devices to pciback in a policy-like manner based on various PCI device attributes. References QubesOS/qubes-issues#7886 QubesOS/qubes-issues#7792
QubesOS · Nov 22, 2022 · b5b80a6 · b5b80a6
1 parent 7aba186
commit b5b80a6
Show file tree

Hide file tree

Showing 2 changed files with 37 additions and 3 deletions.
diff --git a/dracut/modules.d/90qubes-pciback/module-setup.sh b/dracut/modules.d/90qubes-pciback/module-setup.sh
@@ -10,6 +10,7 @@ install () {
     inst_multiple /etc/nsswitch.conf
     inst_multiple /etc/usbguard/{qubes-usbguard.conf,rules.d,IPCAccessControl.d}
     inst_multiple /etc/usbguard/rules.d/*
+    inst_multiple -o /etc/qubes-pci-whitelist.txt
     inst -l /usr/bin/usbguard
     inst -l /usr/sbin/usbguard-daemon
     inst /usr/lib/systemd/system/usbguard.service.d/30_qubes.conf

diff --git a/dracut/modules.d/90qubes-pciback/qubes-pciback.sh b/dracut/modules.d/90qubes-pciback/qubes-pciback.sh
@@ -1,10 +1,19 @@
 #!/bin/bash --
 
 type getarg >/dev/null 2>&1 || . /lib/dracut-lib.sh
-unset re HIDE_PCI usb_in_dom0 dev skip exposed
+unset re HIDE_PCI usb_in_dom0 dev skip exposed PCI_WHITELIST_FILE PCI_WHITELIST_RE ignore_re devs invert
 
 usb_in_dom0=false
 
+# PCI_WHITELIST_FILE syntax:
+# - one POSIX regex on `lspci -mm -n` per line (match = whitelisted)
+# - empty lines & lines starting with # are ignored
+# - lines starting with ! will cause a blacklisting
+# - processing stops as soon as a match is found
+# - WARNING: If you block devices required by dom0, Qubes may not boot anymore.
+#            You'll have to chroot and re-create the initramfs.
+PCI_WHITELIST_FILE="/etc/qubes-pci-whitelist.txt"
+
 if getargbool 0 rd.qubes.hide_all_usb; then
     # Select all networking and USB devices
     re='0(2|c03)'
@@ -17,8 +26,32 @@ else
     warn 'USB in dom0 is not restricted. Consider rd.qubes.hide_all_usb or usbcore.authorized_default=0.'
 fi
 
-HIDE_PCI=$(set -o pipefail; { lspci -mm -n | awk "/^[^ ]* \"$re/ {print \$1}";}) ||
-    die 'Cannot obtain list of PCI devices to unbind.'
+if [ -f "$PCI_WHITELIST_FILE" ] ; then
+    PCI_WHITELIST_RE="$(cat "$PCI_WHITELIST_FILE")" || die "Failed to read ${PCI_WHITELIST_FILE}."
+fi
+if [ -n "$PCI_WHITELIST_RE" ] ; then
+    info "Manual PCI whitelisting mode based on ${PCI_WHITELIST_FILE} in initramfs."
+    getargbool 0 "rd.qubes.hide_all_usb" && warn "rd.qubes.hide_all_usb has no effect with manual PCI whitelisting."
+    ignore_re='^[[:blank:]]*(#.*)?$'
+    devs="$(lspci -mm -n)" || die "Cannot obtain the list of PCI devices."
+
+    while IFS= read -r dev ; do
+        skip=1
+        while IFS= read -r re ; do
+            invert=1
+            [[ "$re" =~ $ignore_re ]] && continue
+            [[ "$re" == '!'* ]] && invert=0 && re="${re:1}"
+            if [[ "$dev" =~ $re ]] ; then
+                [ $invert -eq 0 ] && skip=1 || skip=0
+                break
+            fi
+        done <<< "$PCI_WHITELIST_RE"
+        [ $skip -eq 0 ] && info "Whitelisting: $dev" || HIDE_PCI="$HIDE_PCI ${dev%% *}"
+    done <<< "$devs"
+else
+    HIDE_PCI=$(set -o pipefail; { lspci -mm -n | awk "/^[^ ]* \"$re/ {print \$1}";}) ||
+        die 'Cannot obtain the list of PCI devices to unbind.'
+fi
 
 manual_pcidevs=$(getarg rd.qubes.hide_pci)
 case $manual_pcidevs in