XCP-ng

    Can one fully disable PCI and USB Passthrough?

      reiichi001

      Hello,
      This is as the title states.

      I'm looking into using XCP-ng in a production environment that needs to have restricted access for PCI DSS compliance. Previously, the servers were built on Citrix Hypervisor with a XenServer Express license, so they didn't have the ability to connect anything regardless of whether the hypervisor supported it or not.

      As we're moving these servers to XCP-ng 8.3, I've seen that our XO now shows support for PCI Passthrough and USB Passthrough.

      Will commenting out all entries in /etc/xensource/usb-policy.conf and adding a line for DENY # block all USB be sufficient for preventing USB passthrough through XCP-Center (I'm aware it's legacy / no longer supported) and Xen Orchestra?

      Is there another config file I can use to disable PCI passthrough? Or does this mean I will need to check with my coworkers who manage the hardware to see if we can disable it in BIOS/EFI via turning the IOMMU features off? Does XCP-ng support disabling it from the bootloader, and is there a preferred method of doing that?

        TeddyAstie Vates 🪐 XCP-ng Team Xen Guru

        Hello @reiichi001

        Not sure about USB passthrough, but regarding PCI passthrough, I am not aware of a way to specifically disable PCI passthrough, but there is a way to disable the use of IOMMU (which in fact disables the ability to do PCI Passthrough but may not be possible in combination with future features like PVH Dom0, Host Secure Boot, ...) by adding iommu=no to the Xen cmdline in the bootloader.

          olivierlambert Vates 🪐 Co-Founder CEO

          Also, we might have better roles in the future to be sure other people without the right role couldn't use it.

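A check for the `iommu=no` setting suggested in the reply above, written as an added example that is not part of the thread or XCP-ng's own tooling: it classifies the IOMMU setting on each host's Xen command line so hosts booted without it stand out in a compliance review. The function names, host names and command lines are constructed, and the boolean spellings other than `iommu=no` are an assumption about how Xen parses the option.

```shell
#!/bin/sh
# Added example: audit Xen command lines for the iommu=no setting.
# Assumptions (not from the thread): off/false/disable/0 disable the IOMMU like
# "no", yes/on/true/enable/1 enable it, and a later setting overrides an earlier one.
# On a live host the running command line is the xen_commandline field of
# `xl info`; a bootloader edit only shows up there after a reboot.

# iommu_state "<xen command line>" -> prints disabled | enabled | unset
iommu_state() {
    state=unset
    set -f                                  # no filename expansion while splitting
    for tok in $1; do                       # split the command line on whitespace
        case $tok in
            iommu=*) ;;
            *) continue ;;
        esac
        old_ifs=$IFS; IFS=,
        for item in ${tok#iommu=}; do       # the value is a comma-separated list
            case $item in
                no|off|false|disable|0) state=disabled ;;
                yes|on|true|enable|1)   state=enabled ;;
            esac                            # other items (e.g. verbose) change nothing
        done
        IFS=$old_ifs
    done
    set +f
    printf '%s\n' "$state"
}

# audit_hosts: reads "host<TAB>cmdline" lines on stdin, prints every host whose
# hypervisor was not booted with the IOMMU disabled, and returns 1 if any exist.
audit_hosts() {
    rc=0
    tab=$(printf '\t')
    while IFS=$tab read -r host cmdline; do
        s=$(iommu_state "$cmdline")
        [ "$s" = disabled ] || { printf '%s: iommu %s\n' "$host" "$s"; rc=1; }
    done
    return $rc
}

# Constructed sample inventory (hypothetical hosts and command lines).
sample_hosts() {
    printf 'xcp-a\tdom0_mem=7584M,max:7584M watchdog iommu=no crashkernel=256M,below=4G\n'
    printf 'xcp-b\tdom0_mem=7584M,max:7584M watchdog crashkernel=256M,below=4G\n'
    printf 'xcp-c\tiommu=no console=vga iommu=verbose,on\n'
}

sample_hosts | audit_hosts || echo "hosts listed above still have the IOMMU available"
```

An `unset` result means the option is absent, which this audit treats the same as enabled because the thread only establishes that `iommu=no` removes the ability to do PCI passthrough.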