Add the feature to prohibit starting of a qube

qubes/tests/integ/basic.py

@@ -466,6 +466,22 @@ def test_206_shutdown_paused(self):
         self.loop.run_until_complete(self.vm.start())
         self.shutdown_paused(self.vm)
 
+    def test_207_domain_start_prohibition(self):
+        vmname = self.make_vm_name("compromised_vm")
+        self.vm = self.app.add_new_vm(
+            qubes.vm.appvm.AppVM,
+            name=vmname,
+            template=self.app.default_template,
+            label="red",
+        )
+        self.loop.run_until_complete(self.vm.create_on_disk())
+        with self.assertRaises(qubes.exc.QubesException):
+            self.vm.features["prohibit-start"] = (
+                "The qube is compromised and awaits forensic analysis"
+            )
+            self.loop.run_until_complete(self.vm.start())
+        self.assertFalse(self.vm.is_running())
+
 
 class TC_01_Properties(qubes.tests.SystemTestCase):
     # pylint: disable=attribute-defined-outside-init

qubes/vm/qubesvm.py

@@ -369,6 +369,7 @@
         .. event:: domain-start-failed (subject, event, reason)
 
             Fired when :py:meth:`start` method fails.
+            or if domain has a `prohibit-start` feature.
             *reason* argument is a textual error message.
 
             Handler for this event may be asynchronous.
@@ -1302,6 +1303,17 @@
 
             await self._ensure_shutdown_handled()
 
+            prohibit_rationale: str = self.features.get("prohibit-start", False)
+            if prohibit_rationale:
+                await self.fire_event_async(
+                    "domain-start-failed",
+                    reason="Qube start is prohibited. "
+                    f"Rationale: {prohibit_rationale}",
+                )
+                raise qubes.exc.QubesException(
+                    f"Qube start is prohibited. Rationale: {prohibit_rationale}"
+                )
+
             self.log.info("Starting {}".format(self.name))
 
             try: