Replace crosvm xhci-based USB passthrough with usbip-rs over vsock,
enabling USB passthrough for both crosvm and cloud-hypervisor VMs.
Guest runs a persistent usbip-rs client listener on vsock port 5002.
Host runs one sandboxed usbip-rs host connect process per attached
device as a systemd template service (vmsilo-<vm>-usb@<devpath>).
Eliminates the JSON state file, file locking, and crosvm-specific
shell helper library in favor of systemd as the source of truth.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Now that git.dsg.is/dsg/cloud-hypervisor.git has a flake.nix,
use it as a proper flake input with inputs.nixpkgs.follows.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Add buildVmsiloWaylandSeccontext build function and expose vmsilo-wayland-seccontext
and cloud-hypervisor (from nixpkgs) as package outputs. Inject both into
_internal module options. Remove nvidiaWeakenSandbox-conditional crosvm selection.
Note: git.dsg.is/dsg/cloud-hypervisor.git has no flake.nix, so cloud-hypervisor
is sourced from nixpkgs instead of a dedicated flake input.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Replace the local package derivation with the one now provided by the
vhost-device flake, removing packages/vhost-device-sound.nix.
Also bump wayland-proxy-virtwl.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Move Qt platform theme setup (plasma-integration, breeze, breeze-gtk,
breeze-icons) into the base VM configuration so all guests get consistent
theming out of the box. Previously qt.platformTheme was set in
optionalGuestSettings but qt.enable was never set, so it had no effect.
optionalGuestSettings now only configures dark theme (BreezeDark color
scheme, Breeze-Dark GTK theme, breeze-dark icons) on top of the base.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
xdg-desktop-portal-kde reports color-scheme via org.freedesktop.appearance
by reading QApplication palette colors. Without a KDE dark color scheme in
kdeglobals, the portal reported "prefer-light", overriding the GTK dark
theme settings for Firefox and other apps.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Nvidia GPU drivers require RWX memory pages, which crosvm's seccomp
sandbox blocks. This option switches to a crosvm-nvidia build with
a relaxed W+X memory policy, keeping the default secure.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
crosvm changes for realtime audio, plus some minor log message improvements.
Also stop pinning nixpkgs as the upstream build failure has been resolved.
The vm-switch experiment for VM-to-VM networking via vhost-user-net
didn't work out — it performs poorly under load, with busy connections
saturating the buffer and causing high latency for others.
Removes the vm-switch Rust crate, bufferbloat-test suite, all NixOS
module integration (options, services, networking, assertions, scripts),
and documentation.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Proxy guest StatusNotifierItems to the host system tray over vsock:5001.
Guest-side watches SNI registrations on D-Bus, collects snapshots
(properties + DBusMenu tree), and streams them to the host. Host-side
creates synthetic SNI items with sanitized data and forwards user
interactions (clicks, scrolls, menu events) back to the guest. Includes
icon theme forwarding, VM color tinting on icon borders, CSS named color
resolution, and automatic service startup with the VM.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Implements a host-side daemon that equalizes free memory headroom between
host and guests via virtio-balloon, using ChromeOS's BalanceAvailablePolicy.
Includes VM discovery via inotify, crosvm control socket client, stall
detection, NixOS module integration, and CLI argument parsing.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
guestConfig now accepts a single module or a list of modules via
coercedTo. Single modules are auto-wrapped in a list for backwards
compatibility.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Allows each VM to choose its Wayland proxy. Defaults to wayland-proxy-virtwl
(existing behavior). Setting waylandProxy = "sommelier" uses the ChromeOS
sommelier compositor instead.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Nine minimal Wayland client programs to exercise decoration bypass
vectors identified in the security audit. Tests 1-6 cover CSD request,
no-protocol, mode-none, server-decoration-none, fullscreen, and layer
shell. Tests 7-9 add large popup, subsurface overflow, and SSD request
(control). Includes Nix package and dev shell in flake.nix.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Two bugs were causing virtio_net TX timeouts in guest VMs:
1. inject_rx_frame used the source VM's memory mapping to access the
destination VM's vring descriptors. Fixed by making inject_rx_frame
a static method that uses the vring's own internal memory via a new
memory() accessor in VringState.
2. handle_event called read_kick() redundantly after the event loop
already consumed the eventfd, potentially blocking on a drained fd.
We temporarily use a local vnet library for debugging.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add VIRTIO_NET_F_STATUS feature flag to advertise link status support
- Set config status byte to VIRTIO_NET_S_LINK_UP (1) so guests see the
link as up instead of down
- Set max_virtqueue_pairs to 1 (was 0, which could confuse guests)
- Update vhost crate hash (upstream change)
This prevents potential issues where guest drivers might see the
interface as disconnected because the status field was returning 0.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Implements a vhost-user network switch daemon that enables L2 networking
between VMs in the same vmNetwork. The switch uses a router/client
topology where:
- Each network has exactly one router VM
- Client VMs can only communicate through the router
- MAC addresses are discovered via inotify-watched config directory
The daemon implements the vhost-user protocol to provide virtio-net
backends that crosvm connects to via --vhost-user sockets.
Key components:
- vm-switch Rust crate with MAC parsing, frame routing, and vhost-user backend
- NixOS module integration with per-network systemd services
- Automatic daemon startup when VMs are added to a network
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Rename `disks` to `additionalDisks` with structured format
(path, readOnly, enableDiscard, blockSize, devIdentifier, useDirect)
- Add custom boot options: rootDisk, kernel, initramfs, rootDiskReadonly
- Add kernelParams for extra kernel command line options
- Add gpu option (default: "context-types=cross-domain:virgl2")
- Add sharedDirectories for crosvm --shared-dir
- Add global crosvmLogLevel option (default: "info")
- Add --name argument to crosvm set to VM name
- Migrate deprecated --disk/--rwdisk to --block format
- Switch flake to nixos-unstable channel
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add treefmt-nix with nixfmt for code formatting (nix fmt)
- Extract cidrToNetworkBase and mkVmCase helper functions
- Use lib.nameValuePair for cleaner listToAttrs patterns
- Consolidate assertions with single let block
- Remove duplicate util-linux package
- Document formatting requirement in CLAUDE.md
- Apply nixfmt to all Nix files
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Use my wayland-proxy-virtwl fork. Unconditionally requests server-side
decorations even if the client doesn't want them.
Tested with firefox, works there.
Remove the old s6/execline-based rootfs in favor of the NixOS module approach:
- Delete rootfs/ directory (s6-based rootfs builder)
- Delete mktuntap/ directory (TAP utility, now using --tap-name)
- Delete default.nix (legacy package with vs*/tt*/ff* scripts)
- Update flake.nix to point packages.default to rootfs-nixos
- Update documentation to reflect NixOS-only architecture
The NixOS module (modules/) with socket-activated VMs is now the only
supported approach. VMs are configured declaratively via
programs.qubes-lite.nixosVms.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Replace the simple guestPrograms-only module with a full declarative
module that allows configuring VMs from configuration.nix:
- programs.qubes-lite.enable, user, vmNetwork, natEnable, natInterface
- programs.qubes-lite.nixosVms list with per-VM config (id, name,
memory, cpus, network, disks, guestPrograms, guestConfig)
- Automatic TAP interface creation via networking.interfaces
- NAT configuration for VM internet access
- Per-VM NixOS rootfs builds with combined packages
- Generated launcher scripts (qubes-lite-start-<name>)
- run-in-vm helper for executing commands via vsock
- Systemd user services for each VM
- Validation: odd IDs 3-255, unique IDs/names
Changes needed:
- Some minor renaming for nixpkgs changes.
- Kernel modules now come from a separate output.
- dash over vsock seems to be broken; switched to bash.
(it seems to be trying to use the console instead of the vsock)
Had to enable dbus as xfce4-terminal no longer works without a dbus
configuration service (it defaults to an unusable font and you can't
change it).
`chmod a+rw /dev/vsock` avoids a warning from socat, although it seems
to work OK without it.
`/run/current-system/sw/bin` is used by dbus-launch.
