feat(ghaf-killswitch): Shell application to list, block and unblock #1340

Merged
brianmcgillion merged 3 commits into tiiuae:main from vunnyso:vs-killSwitch
Sep 3, 2025
Collaborator

@vunnyso vunnyso commented Aug 27, 2025

Description of Changes

  • This PR introduces a new ghaf-killswitch shell application that provides a unified interface for managing PCI device blocking and unblocking operations. The tool allows users to list supported devices, block/unblock microphones and network devices, and includes help functionality.
  • Refactor: Modify pci-hotplug package to hotplug
  • device-passthrough/usb: add id to usb-host devices

The current ghaf-killswitch shell script is available in ghaf-host and supports block/unblock of the devices below.

  1. mic - This blocks/suspends all audio PCI devices from the audio-vm.
  2. net - This blocks/suspends the WLAN PCI device from the net-vm.
  3. cam - This removes the internal camera device from the business-vm.

Note:
There is a hardware kill switch for the internal camera specific to system76.
Combination Fn+F10 to toggle enabling/disabling the camera. When disabled, it does not appear on the USB bus, so this probably disconnects it, logically. The state (on or off) is preserved across reboots and power cycles.
https://support.system76.com/articles/webcam/

Test Steps added below.

Improvements

1. Internal camera needs to be added for kill-switch.
2. Kill-switch state is not yet persistent across system reboots. --> Can be taken up in a later PR
3. Audio widget flickering seen in the menu bar of gui-vm when mic is blocked. --> Can be taken up in a later PR

Type of Change

  • New Feature
  • Bug Fix
  • Improvement / Refactor

Related Issues / Tickets

Checklist

  • Clear summary in PR description
  • Detailed and meaningful commit message(s)
  • Commits are logically organized and squashed if appropriate
  • Contribution guidelines followed
  • Ghaf documentation updated with the commit - https://tiiuae.github.io/ghaf/
  • Author has run make-checks and it passes
  • All automatic GitHub Action checks pass - see actions
  • Author has added reviewers and removed PR draft status

Testing Instructions

Applicable Targets

  • Orin AGX aarch64
  • Orin NX aarch64
  • Lenovo X1 x86_64
  • Dell Latitude x86_64
  • System 76 x86_64

Installation Method

  • Requires full re-installation
  • Can be updated with nixos-rebuild ... switch
  • Other:

Test Steps To Verify:

Please test suspend/resume test cases thoroughly; the steps to test the shell app are below:

  1. Login to ghaf-host

    ssh ghaf@ghaf-host
    
  2. Run ghaf-killswitch with sudo rights to check supported devices for kill-switch

    [ghaf@ghaf-host:~]$ sudo ghaf-killswitch list
    
  3. To block Microphone run

    [ghaf@ghaf-host:~]$ sudo ghaf-killswitch block mic
    

    After which all microphone devices will be removed, and it can be verified by logging in to audio-vm

    [ghaf@gui-vm:~]$ nix-shell -p pulseaudio --run "pactl list sources short"
    
  4. To block WLAN run

    [ghaf@ghaf-host:~]$ sudo ghaf-killswitch block net
    

    After which the WiFi connection will be terminated, and it can be verified by logging in to net-vm or from the GUI

    [ghaf@net-vm:~]$ nmcli device status
    
  5. To block Internal camera run

    [ghaf@ghaf-host:~]$ sudo ghaf-killswitch block cam
    

    After which the internal camera will be removed from business-vm, and it can be verified by logging in to business-vm

    [ghaf@business-vm:~]$ lsusb 
    
  6. To start using the devices again, run

    [ghaf@ghaf-host:~]$ sudo ghaf-killswitch unblock mic
    
    [ghaf@ghaf-host:~]$ sudo ghaf-killswitch unblock net
    
    [ghaf@ghaf-host:~]$ sudo ghaf-killswitch unblock cam
    

@brianmcgillion brianmcgillion requested a review from Copilot August 27, 2025 12:44

This comment was marked as outdated.

Contributor

Copilot AI left a comment


Pull Request Overview

This PR introduces a new ghaf-killswitch shell application that provides a unified interface for managing PCI device blocking and unblocking operations in the Ghaf system. The tool allows users to list supported devices (mic and net), block/unblock microphones and network devices, and includes help functionality.

Key changes:

  • Adds a new shell script package for managing PCI device suspension/resumption
  • Integrates the killswitch tool into the microvm host environment for x86_64 systems
  • Provides commands to block/unblock microphone and network devices via PCI hotplug operations

Reviewed Changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.

File: Description

  • packages/pkgs-by-name/ghaf-killswitch/package.nix: New shell application package implementing the killswitch functionality
  • packages/own-pkgs-overlay.nix: Adds ghaf-killswitch to the package overlay and reorganizes ghaf-installer entry
  • modules/microvm/host/microvm-host.nix: Integrates the killswitch tool into the host environment for x86_64 systems

Comments suppressed due to low confidence (1)

packages/pkgs-by-name/ghaf-killswitch/package.nix:1

  • The array expansion ${devices[*]} creates a space-separated string which could lead to false matches if device names contain substrings of other device names. Use a proper array iteration instead: for device in \"${devices[@]}\"; do [[ \"$device\" == \"$2\" ]] && found=true; done
# Copyright 2025 TII (SSRC) and the Ghaf contributors
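
The false-match risk raised in the review comment above, shown as an added example that is not code from the PR or from the ghaf-killswitch package. The device names come from the PR description; the function names and the exact form of the substring check are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example; not code from the ghaf-killswitch package.
# Device names are taken from the PR description; function names are hypothetical.
devices=(mic net cam)

# Pattern the review comment warns about (assumed form): the array is
# flattened to the string "mic net cam" and the argument is matched
# anywhere inside it.
is_supported_substring() {
  [[ "${devices[*]}" == *"$1"* ]]
}

# Exact match: compare the argument against each array element in turn.
is_supported_exact() {
  local candidate="$1" device
  for device in "${devices[@]}"; do
    [[ "$device" == "$candidate" ]] && return 0
  done
  return 1
}

# Constructed inputs: one valid name, then strings that only match because
# they are substrings of the flattened list (including the empty string).
check_inputs() {
  local arg
  for arg in mic ic "c n" "" "mic net"; do
    printf 'arg=[%s] substring=%s exact=%s\n' "$arg" \
      "$(is_supported_substring "$arg" && echo accept || echo reject)" \
      "$(is_supported_exact "$arg" && echo accept || echo reject)"
  done
}

check_inputs
```

Because the tool runs under sudo, the device argument is worth validating with the exact-match form before it reaches any hotplug operation.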


Collaborator Author

vunnyso commented Sep 2, 2025

PR ready for review.

hotplug package can support PCI and USB devices
attach and detach functionality.

Signed-off-by: Vunny Sodhi <vunny.sodhi@unikie.com>

* Assign a unique `id` based on `dev.name` for each `usb-host` device.
  This allows the devices to be referenced in QEMU (e.g. for hotplug,
  unplug or QMP operations)
* Blacklist system76 Integrated camera for chrome-vm

Signed-off-by: Vunny Sodhi <vunny.sodhi@unikie.com>

This PR introduces a new ghaf-killswitch shell
application that provides a unified interface
for managing PCI device blocking and unblocking
operations. The tool allows users to list supported
devices, block/unblock microphones and network devices
and includes help functionality.

Signed-off-by: Vunny Sodhi <vunny.sodhi@unikie.com>

@milva-unikie

Tested on Lenovo-X1 (nixos-rebuild switch)

  • All supported devices (mic, net and cam) can be blocked
  • No issues after unblocking devices
  • No issues with suspension
  • Ethernet connection works while Wi-Fi is blocked

@milva-unikie milva-unikie added Tested on Lenovo X1 Carbon This PR has been tested on Lenovo X1 Carbon and removed Needs Testing CI Team to pre-verify labels Sep 3, 2025
@brianmcgillion brianmcgillion merged commit 1687e55 into tiiuae:main Sep 3, 2025
28 checks passed