Possible to completely remove USB hub?

[rephlex]

Hello,

I am looking for a way to completely prevent any kind of USB controller from getting added to a VM I create.

qm showcmd 100 says:

root@pve:/# qm showcmd 100
/usr/bin/kvm -id 100 -chardev 'socket,id=qmp,path=/var/run/qemu-server/100.qmp,server,nowait' -mon 'chardev=qmp,mode=control' -pidfile /var/run/qemu-server/100.pid -daemonize -smbios 'type=1,uuid=311206b1-4244-4359-ba48-6ec5fd0dd3f4' -name tornode -smp '1,sockets=1,cores=1,maxcpus=1' -nodefaults -boot 'menu=on,strict=on,reboot-timeout=1000,splash=/usr/share/qemu-server/bootsplash.jpg' -vga cirrus -vnc unix:/var/run/qemu-server/100.vnc,x509,password -cpu kvm64,+lahf_lm,+sep,+kvm_pv_unhalt,+kvm_pv_eoi,enforce -m 512 -k de -no-hpet -device 'pci-bridge,id=pci.1,chassis_nr=1,bus=pci.0,addr=0x1e' -device 'pci-bridge,id=pci.2,chassis_nr=2,bus=pci.0,addr=0x1f' -device 'piix3-usb-uhci,id=uhci,bus=pci.0,addr=0x1.0x2' -iscsi 'initiator-name=iqn.1993-08.org.debian:01:55afc150b065' -device 'ahci,id=ahci0,multifunction=on,bus=pci.0,addr=0x7' -drive 'file=/dev/pve/vm-100-disk-1,if=none,id=drive-sata0,format=raw,cache=none,aio=native,detect-zeroes=on' -device 'ide-drive,bus=ahci0.0,drive=drive-sata0,id=sata0,bootindex=100' -netdev 'type=tap,id=net0,ifname=tap100i0,script=/var/lib/qemu-server/pve-bridge,downscript=/var/lib/qemu-server/pve-bridgedown' -device 'e1000,mac=A2:38:79:76:20:12,netdev=net0,bus=pci.0,addr=0x12,id=net0'

the problem here is:

-device 'piix3-usb-uhci,id=uhci,bus=pci.0,addr=0x1.0x2'

Can I influence this behavior and prevent it from passing this argument?? or completely remove USB support for a VM another way?

any help is much appreciated,

best regards
william

 

[rephlex]

found a hacky solution:

1.) back up /usr/share/perl5/PVE/QemuServer.pm
2.) comment these two lines out:

push @$devices, @usbcontrollers if @usbcontrollers;
push @$devices, @usbdevices if @usbdevices;

3.) restart the vm in question

just what I wanted..

would be nice to see a more official solution (added into the web panel?!) but for now I will go with this.

best regards
william

 

[dcsapak]

hmm maybe we can do something, but what exactly is the use case?

 

[rephlex]

adding as little overhead to a vm as possible, if theres no usb tablet or other devices assigned you should have the option to completely prevent qemu from emulating a usb controller.

one of the CVEs i read exploited said USB controller if im not mistaken, guess im just paranoid but theres no need to emulate one if its not used anyway.

nothing high priority (especially since you can fix it on your own if you so desire) but something i'd like to see anyway..

 

[pieteras.meyer]

I would also like to see this option, in some cases like router for example you want to remove all unused devices to free up IRQ's resources