
[Xen-devel] Lenovo X200 IOMMU support through Xen 4.6 iommu=no-igfx switch



Hi all,

iommu=no-igfx is a gamechanger for Qubes support through 3.1 RC1 release, thanks to Xen 4.6 :)

The Lenovo X200 supports vt-x, vt-d and TPM as reported and required by Qubes in the HCL attached to this e-mail. The problem is that when Qubes launches its netvm, which uses IOMMU to talk to its network card, it freezes the whole system up. Even when specifying sync_console, I don't get much more verbosity. I ordered a PCMCIA to serial adapter which will be shipped to my door late January... Meanwhile, booting with iommu=0 makes things work, but a potential hardware component being compromised has chances to compromise the whole system since compartmentalization is not guaranteed without IOMMU (vt-d).

A little more love is needed from Xen to make that laptop line supported by Qubes and a nice alternative to the costly Librem currently promoted by the Qubes-Purism partnership, which suggests that the laptop will be Respect Your Freedom compliant in the future with Intel participation in removing ME and AMT, which is not guaranteed at all. If Xen 4.6 can cooperate with the Penryn GM45 chipset, it's all MiniFree laptops (and Libreboot support of those) that will be potential candidates!
Please share the love so that the community has a cheap alternative.

Requirements to replicate bug:
Model: X200 745434U with p8700 CPU running 1067a microcode (important), upgradable to 8 GB
BIOS: Lenovo 3.22/1.07 (latest from 2013)
Network card supports FLReset+ as requested here.
BIOS settings: vt-d and vt-x need to be enforced.
Xen command line option required to boot: iommu=no-igfx

Here is the current debug trace/status on Qubes side of things.
If you have any hint, please contribute :)

Help me say Happy New Year to all security conscious people out there :)

Merry Christmas all,
Thierry Laurion





--
Thierry Laurion

Attachment: Qubes-HCL-LENOVO-745434U-20151212-193925.yml
Description: application/yaml

Attachment: x200_vtd_works_on_latest_bios_with_no-igfx
Description: Binary data
