HCL - Lenovo T400 (Coreboot without ME, with IOMMU*)


Aphid Farmer

Dec 25, 2016, 3:53:29 AM
to qubes...@googlegroups.com
Says IOMMU is active. However, this Intel generation lacks interrupt
remapping. There are some attacks[1] and also some Xen-specific
mitigations[2].


Install notes
-------------

Coreboot IOMMU changes are not in downstream Libreboot yet.

To compile Coreboot, I followed these[3][4] instructions for ME-less
Coreboot. Alternatively, you can wait until Libreboot updates their builds.

For step-by-step instructions to flash a Lenovo T400 with an external
programmer (replacing the factory BIOS), see the Libreboot website. The
Lenovo T400 requires a complete disassembly; the procedure is much
easier on the Lenovo X200.

After Coreboot + Grub2 payload is flashed, to boot an already-installed
Qubes:

at grub prompt:
configfile (ahci0,msdos1)/grub2/grub.cfg
or similar.

If boot hangs on "Loading initial ramdisk":
'e' to edit the entry "Qubes, with Xen hypervisor"
append to Xen command line after ${xen_rm_opts}: iommu=no-igfx


Thanks for reading.


[1] http://theinvisiblethings.blogspot.com/2011/05/following-white-rabbit-software-attacks.html
[2] page 24 of same paper
[3] https://www.coreboot.org/Board:lenovo/x200
[4] https://www.coreboot.org/Build_HOWTO


Qubes-HCL-LENOVO-6473PVU-20161225-025159.yml
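
Added example, not part of the original post: a dom0 check that separates "IOMMU active" from "interrupt remapping enabled" by reading Xen's boot messages, and flags when `iommu=no-igfx` has excluded the integrated GPU from VT-d. The sample log is constructed for illustration (it is not taken from the attached HCL report), and the function names are hypothetical.

```shell
#!/bin/sh
# Summarise VT-d state from Xen boot messages (output of `xl dmesg` in dom0).

# Constructed sample modelled on Xen's VT-d boot lines; not from the HCL report.
SAMPLE_LOG='(XEN) Command line: placeholder console=none iommu=no-igfx
(XEN) Intel VT-d Snoop Control not enabled.
(XEN) Intel VT-d Dom0 DMA Passthrough not enabled.
(XEN) Intel VT-d Queued Invalidation not enabled.
(XEN) Intel VT-d Interrupt Remapping not enabled.
(XEN) I/O virtualisation enabled'

# vtd_feature LOG NAME -> "enabled" | "not enabled" | "unknown"
vtd_feature() {
    line=$(printf '%s\n' "$1" | grep -F "Intel VT-d $2 " | tail -n 1)
    case "$line" in
        *"not enabled"*) echo "not enabled" ;;   # must be tested before "enabled"
        *"enabled"*)     echo "enabled" ;;
        *)               echo "unknown" ;;       # line absent from the log
    esac
}

# iommu_state LOG -> "enabled" | "disabled" | "unknown" (DMA remapping only)
iommu_state() {
    case "$1" in
        *"I/O virtualisation enabled"*)  echo "enabled" ;;
        *"I/O virtualisation disabled"*) echo "disabled" ;;
        *)                               echo "unknown" ;;
    esac
}

# igfx_excluded LOG -> "yes" if the Xen command line carries iommu=...no-igfx,
# i.e. VT-d is turned off for the integrated graphics device.
igfx_excluded() {
    if printf '%s\n' "$1" | grep -F 'Command line:' \
        | grep -Eq 'iommu=[^ ]*no-igfx'; then echo yes; else echo no; fi
}

summarise() {
    printf 'IOMMU (DMA remapping): %s\n' "$(iommu_state "$1")"
    printf 'Interrupt remapping:   %s\n' "$(vtd_feature "$1" 'Interrupt Remapping')"
    printf 'Queued invalidation:   %s\n' "$(vtd_feature "$1" 'Queued Invalidation')"
    printf 'IGD excluded (no-igfx): %s\n' "$(igfx_excluded "$1")"
}

# Real use in dom0: summarise "$(xl dmesg)"
summarise "$SAMPLE_LOG"
```
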