HCL - LENOVO ThinkStation S30 4352G1G - R2-rc1


Hans Walter

May 7, 2014, 2:37:32 PM
to qubes...@googlegroups.com
Hello,

this is my workstation machine and here are some random notes:

- Updated BIOS to the latest
- Sound appears not to be working, but I have not spent enough time
debugging it. Perhaps I am doing it wrong.
- Sometimes after cold boot(?) the Intel 82579LM NIC seems not to work.
It's assigned correctly to the netvm and is also listed by lspci, but
ifconfig -a does not show it. Further digging revealed that dmesg is
getting an -3 error. It seems like the NVU(?) has to be updated and
this is a known error. Needs further investigation. Next time I will save
the error message ;).
- Having 8GB RAM with Qubes is no fun. You have to upgrade.
- Onboard SATA Marvell RAID "controller" does not work in Linux. The
devices are always shown split and not as RAID. Best not to use the
"raid" logic.
- You can disable each USB port specifically in BIOS
- BIOS passwords are [a-z0-9]
- VT-x/VT-d + TXT + TPM Support


The machine supports Intel ME and APM. As far as I understand, the
purpose of these abbreviations is to do remote management with
Intel ME and APM. Can anything of it be used to "get" more security
locally, or should they better be deactivated? Information on both
topics is pretty rare.


Hans
Qubes-HCL-LENOVO-4352G1G-20140507-194437.txt

cprise

May 7, 2014, 11:30:57 PM
to Hans Walter, qubes...@googlegroups.com

On 05/07/14 14:37, Hans Walter wrote:
> - Sound appears not to be working, but I have not spent enough time
> debugging it. Perhaps I am doing it wrong.

Try unplugging your audio cable from the sound card, wait a few seconds,
then plug it back in. This is how I get audio working on my system since
Qubes got FC20.

Hakisho Nukama

May 9, 2014, 9:12:08 AM
to cprise, Hans Walter, qubes...@googlegroups.com

Hey,

added to the HCL: https://www.qubes-os.org/trac/wiki/HCL?action=diff&version=166

Did you install and test AEM?

Best Regards,
Hakisho Nukama

Hans Walter

May 9, 2014, 12:25:48 PM
to qubes...@googlegroups.com
Good Evening,
Tried that, no luck with YouTube, and also tried playing an ogg file. So
what's next?

Hans


Hans Walter

May 9, 2014, 1:13:09 PM
to Hakisho Nukama, cprise, qubes...@googlegroups.com
Good Evening,

On 05/09/14 09:12, Hakisho Nukama wrote:


> added to the HCL: https://www.qubes-os.org/trac/wiki/HCL?action=diff&version=166

I'm glad to be helpful :). The issues you are mentioning in the wiki
are a little bit overrated, at least the network and RAID issue.

I could not reproduce the network issue anymore, across a few cold
starts. I will observe the issue further.

The RAID is not worth mentioning, because it appears to be a software
RAID. I had occasionally used Marvell onboard hardware RAIDs, they worked
with Qubes.

> Did you install and test AEM?

Installed. I am working on it.

Notes till now:

- There are 3 states in BIOS -> Security -> TGC Settings for the TGC:
  - Enabled <= The one you want
  - Inactive <= It's visible to the OS, but you can't take ownership of it
    or do anything(?) with it. (Default)
  - Disabled

- To clear the TPM chip you have to execute tpm_clear and reboot to
Bios. In the TGC Settings choose the Clear TGC Option, set to Yes, save
and reboot.

Hans

Hans Walter

May 9, 2014, 1:50:34 PM
to qubes...@googlegroups.com
Good Evening,

On 05/09/14 13:13, Hans Walter wrote:

> I could not reproduce the Network issue anymore, across a few cold
> starts. I will observe the issue further.

It's back. But it appears randomly. Here is the dmesg error msg:


[ +0.004350] e1000e: Intel(R) PRO/1000 Network Driver - 2.3.2-k
[ +0.000007] e1000e: Copyright(c) 1999 - 2013 Intel Corporation.
[ +0.000050] e1000e 0000:00:00.0: enabling device (0000 -> 0002)
[ +0.000227] e1000e 0000:00:00.0: Xen PCI mapped GSI20 to IRQ79
[ +0.000059] e1000e 0000:00:00.0: setting latency timer to 64
[ +0.000269] e1000e 0000:00:00.0: Interrupt Throttling Rate (ints/sec) set to dynamic conservative mode
[ +0.454075] e1000e: probe of 0000:00:00.0 failed with error -2

I'm pretty sure I have seen the issue already somewhere.

Hans

Hans Walter

May 9, 2014, 2:11:44 PM
to qubes...@googlegroups.com
Good Evening,

On 05/09/14 09:12, Hakisho Nukama wrote:

> Did you install and test AEM?

Taking ownership of the TPM chip worked flawlessly.


- I assume I do not need a SINIT module? At least for E5-2650 on C600
you do not need one.
https://software.intel.com/en-us/articles/intel-trusted-execution-technology#comment-1787459
So I can skip this part?

- I do not want to use a USB stick, so I just replace the
appropriate device with my current one, right?

- I already have a lot of boot options like AEM and tboot, which do not
work at the moment. Is it because I installed anti-evil-maid or is it
because I ran grub2-mkconfig yesterday to get discard working? Should I
just ignore them and follow the README?



Hans

Marek Marczykowski-Górecki

May 9, 2014, 7:02:27 PM
to Hans Walter, qubes...@googlegroups.com
On 09.05.2014 20:11, Hans Walter wrote:
> Good Evening,
>
> On 05/09/14 09:12, Hakisho Nukama wrote:
>
>> Did you install and test AEM?
>
> Taking ownership of the TPM chip worked flawlessly.
>
>
> - I assume I do not need a SINIT module? At least for E5-2650 on C600
> you do not need one.
> https://software.intel.com/en-us/articles/intel-trusted-execution-technology#comment-1787459
> So I can skip this part?

Most likely, but to be sure check if PCR 17+ are extended with anything (so no
FF...):
    PCR17  DRTM and launch control policy
    PCR18  Trusted OS start-up code (MLE)
    PCR19  Trusted OS (for example OS configuration)
    PCR20  Trusted OS (for example OS Kernel and other code)

> - I do not want to use a USB stick, so I just replace the
> appropriate device with my current one, right?

Right, but instead of antievilmaid_install you can use already existing device
by changing its label and executing part of that script manually:
    e2label <DEVICE> "antievilmaid"
    mkdir /boot/antievilmaid
    cp /var/lib/tpm/system.data /boot/antievilmaid
    chmod -x /etc/grub.d/20_linux_tboot
    chmod -x /etc/grub.d/20_linux_xen_tboot
    dracut -f
    grub2-mkconfig -o /boot/grub2/grub.cfg

When using on-disk /boot, you most likely want to set SRK key.

> - I already have a lot of boot options like AEM and tboot, which do not
> work at the moment. Is it because I installed anti-evil-maid or is it
> because I ran grub2-mkconfig yesterday to get discard working? Should I
> just ignore them and follow the README?

Yes. Note that above chmod -x calls will remove some unneeded entries.

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
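
The PCR 17-20 check suggested in the reply above, as an added example that is not part of the original thread. It assumes the TPM 1.2 sysfs "pcrs" listing format ("PCR-17: XX XX ..."), takes the file path as an argument, and runs on constructed sample values.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the TPM 1.2 sysfs "pcrs"
# listing, one register per line: "PCR-17: 9A 3C ..." (20 hex bytes).
# Locate the real file with: find /sys -name pcrs   (path varies by kernel)

# Report PCR 17-20; return 0 only if none of them is missing or all FF.
check_drtm_pcrs() {
    pcrs_file=$1
    rc=0
    for n in 17 18 19 20; do
        # Keep the hex bytes after "PCR-NN:" and strip whitespace.
        value=$(sed -n "s/^PCR-$n:[[:space:]]*//p" "$pcrs_file" | tr -d ' \t\r\n')
        if [ -z "$value" ]; then
            echo "PCR$n: not listed in $pcrs_file"
            rc=1
        elif [ -z "$(printf '%s' "$value" | tr -d 'Ff')" ]; then
            echo "PCR$n: all FF, not extended; no measured launch recorded"
            rc=1
        else
            echo "PCR$n: extended ($value)"
        fi
    done
    return "$rc"
}

# Constructed sample: boot without a TXT launch, PCR 17-20 left at FF.
sample_without_drtm() {
    ff="FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF"
    echo "PCR-16: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
    for n in 17 18 19 20; do echo "PCR-$n: $ff"; done
}

# Constructed sample: made-up digests standing in for a measured launch.
sample_with_drtm() {
    echo "PCR-17: 8F 1C 02 D4 77 A9 3E 50 B6 19 C8 2A 6D F3 04 9B E1 55 7C 30"
    echo "PCR-18: 41 D0 9E 23 F8 6B 15 AC 70 3F 92 E4 0D B7 58 C1 2E 86 FA 19"
    echo "PCR-19: C3 5A 17 E9 40 8D F2 6E 0B 94 D1 3C A8 75 2F B0 69 1E 47 DC"
    echo "PCR-20: 0E B4 63 9A F1 28 CD 57 12 80 3B E6 A5 4F D9 71 C6 08 9D 34"
}

# Demo on the constructed data (pass the real pcrs file on a host instead).
tmp=$(mktemp)
sample_without_drtm > "$tmp"
check_drtm_pcrs "$tmp" || echo "=> no DRTM measurements in PCR 17-20"
sample_with_drtm > "$tmp"
check_drtm_pcrs "$tmp" && echo "=> PCR 17-20 were extended"
rm -f "$tmp"
```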
