HCL: asus n56vz is not best idea for Qubes with BIOS version N56VZ.216


Oleg Artemiev

Sep 3, 2014, 2:20:07 PM
to qubes...@googlegroups.com
Hello, list.

Found time to publish hcl info for my ASUS:

Asus n56vz with BIOS version N56VZ.216 (bought with it) does NOT support vt-d activation: the only possible BIOS option is "enable intel virtualization technology", but qubes-hcl-report shows VT-D "Not Active", though VT-x "Active". :F

There're BIOS updates, but some people report their ordinary update broke (bricked) the device. I'm planning BIOS updates, but there's a lot of information to read on how to avoid bricking it, or at least make the situation recoverable without much pain. Until then I have to use my NetVM as USB VM. Thanks for the advice in reply to my other messages!
I'll report VT-d availability in upgrades later.

--
Bye.

Hakisho Nukama

Sep 3, 2014, 7:59:18 PM
to Oleg Artemiev, qubes...@googlegroups.com
Hi Oleg,

the chipset, if my information is correct (BTW: could you run the
'qubes-hcl-script'?)
is an "Intel HM67 Express Chipset", that does not support VT-d.
The Asus website lists CPUs for the N56VZ that *do not* support VT-d.

On the other hand, a network isolated USBVM could help a little bit (not byte),
as an attacker has to mount a DMA attack against your USBVM first.

Best Regards
Hakisho Nukama

Oleg Artemiev

Sep 4, 2014, 6:24:17 AM
to Hakisho Nukama, qubes...@googlegroups.com
On Thu, Sep 4, 2014 at 3:59 AM, Hakisho Nukama <nuk...@gmail.com> wrote:
> On Wed, Sep 3, 2014 at 6:20 PM, Oleg Artemiev <grey...@gmail.com> wrote:
>> Hello, list.
>>
>> Found time to publish hcl info for my ASUS:
>>
>> Asus n56vz with BIOS version N56VZ.216 (bought with it) does NOT support
>> vt-d activation: only possible BIOS option is "enable intel virtualization
>> technology",
>> but qubes-hcl-report shows VT-D "Not Active", though VT-x "Active". :F
>>
>> There're BIOS updates, but some people report their ordinary update broke
>> (bricked) the device. I'm planning BIOS updates, but there's a lot of
>> information to read on how to avoid bricking it, or
>> at least make the situation recoverable without much pain. Until then I have
>> to use my NetVM as USB VM. Thanks for the advice in reply to my other messages!
>> I'll report VT-d availability in upgrades later.
>>
>> --
>> Bye.
>>
>
> Hi Oleg,
>
> the chipset, if my information is correct (BTW: could you run the
> 'qubes-hcl-script'?)
There's no qubes-hcl-script in my or root $PATH in dom0. I guess
'qubes-hcl-report dom0'
does the required things now - it has generated output for STDOUT (showing
VT-d, VT-x state)
and also made a cpio archive and a text file with a detailed report.

I'm not planning to publish the full hcl report, since it may contain
device IDs that may be used to identify my
hardware. Simply, since I do not understand everything and how it
could be used in identification,
there is no reason to show the entire report.

Though, if anyone here is interested - I'm OK to publish anything that
doesn't contain numbers, i.e. device,
chipset names and anything that is common for notebooks.

> is an "Intel HM67 Express Chipset", that does not support VT-d.
> The Asus website lists CPUs for the N56VZ that *do not* support VT-d.
I have Core-i7, and assume it should support both - vt-d and vt-x. Am I wrong?

> On the other hand, a network isolated USBVM could help a little bit (not byte),
> as an attacker has to mount a DMA attack against your USBVM first.
Thanks, I understand now.


--
Bye.Olli.
gpg --search-keys grey_olli
Key fingerprint = 9901 6808 768C 8B89 544C 9BE0 49F9 5A46 2B98 147E
Blog keys (mostly in russian): http://grey-olli.livejournal.com/tag/

Gorka Alonso

Sep 4, 2014, 7:03:56 AM
to qubes...@googlegroups.com, nuk...@gmail.com

On Thursday, September 4, 2014 12:24:17 UTC+2, Oleg Artemiev wrote:

> I'm not planning to publish full hcl report, since it may contain
> device IDs that may be used to identify my
> hardware. Simply, since I do not understand everything and how it
> could be used in identification,
> then no reason to show entire report.


HCL script does *not* include anything that could be used to identify you.

You can check mine, posted a long time ago, before my GPU broke and got replaced, at this link: https://groups.google.com/d/msg/qubes-users/lycnE-LcJBo/Vn7b5AiAffgJ

It says I got an Asrock Z77 motherboard, an NVIDIA GTX 680 and other hardware info.
It does *not* reveal hard disk ID, network MAC address or other info that could be used to identify you.

Marek Marczykowski-Górecki

Sep 4, 2014, 7:08:28 AM
to Gorka Alonso, qubes...@googlegroups.com, nuk...@gmail.com
Of course send only that txt file. The other (cpio.gz) can contain device IDs
and is meant only for debugging qubes-hcl-report tool.

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?


Zrubi

Sep 4, 2014, 7:16:39 AM
to qubes...@googlegroups.com
On 09/04/14 13:03, Gorka Alonso wrote:
> On Thursday, September 4, 2014 12:24:17 UTC+2, Oleg Artemiev wrote:
>
>
> I'm not planning to publish full hcl report, since it may contain
> device IDs that may be used to identify my
> hardware. Simply, since I do not understand everything and how it
> could be used in identification,
> then no reason to show entire report.

The standard output (and the .txt file) is safe from any unique IDs.
And actually it helps us to fill the HCL page with CORRECT information.


> HCL script does *not* include anything that could be used to identify you,

The HCL page clearly states that the .cpio.gz file may contain
numerous hardware details (the output of dmidecode).

As I wrote the script - I will modify it to make the detailed
information optional.


For now: If you do not wish to make this information public, please do
not send the .cpio.gz file to the public mailing list - but the .txt
would be really useful.



--
Zrubi


Oleg Artemiev

Sep 4, 2014, 9:50:23 AM
to Zrubi, qubes...@googlegroups.com
On Thu, Sep 4, 2014 at 3:16 PM, Zrubi <ma...@zrubi.hu> wrote:
> On 09/04/14 13:03, Gorka Alonso wrote:
>> On Thursday, September 4, 2014 12:24:17 UTC+2, Oleg Artemiev wrote:
>>
>>
>> I'm not planning to publish full hcl report, since it may contain
>> device IDs that may be used to identify my
>> hardware. Simply, since I do not understand everything and how it
>> could be used in identification,
>> then no reason to show entire report.
>
> The standard output (and the .txt file) is safe from any unique IDs.
> And actually it helps us to fill the HCL page with CORRECT information.
>
>
>> HCL script does *not* include anything that could be used to identify you,
>
> The HCL page clearly states that the .cpio.gz file may contain
> numerous hardware details (the output of dmidecode)
Yes, I extracted the files from this archive and it looks like the
information should be forensically sensitive,
though I have never had a forensic expert job.

>
> As I wrote the script - I will modify it to make the detailed
> information optional.
That should be cool. :)

> For now: If you do not wish to make this information public, please do
> not send the .cpio.gz file to the public mailing list - but the .txt
> would be really useful.
Well, I see some numbers (in format xx:xx.x) in the chipset and vga
information there.
Are these numbers required and not unique to my device?

Also I see HDD information with revision IDs. HDD revision IDs should
be unique, shouldn't they?

Do you really need HDD info?

The RAM amount and HDD amount are not the same as when I bought the laptop; do
you really need the amount of RAM if it is non-default?

Here is my info from the TXT file generated by qubes-hcl-report, where
the potentially identifiable part is replaced with 'x':
---------------------------------------------------------------------------------------------------
Qubes release 2 (R2)
Model Name: ASUSTeK_COMPUTER_INC. N56VZ
Kernel: 3.12.23-1
Xen: 4.1.6.1

RAM: XXXX Mb

CPU: Intel(R) Core(TM) i7-3610QM CPU @ 2.30GHz
Chipset: xx:xx.x Host bridge [xxxx]: Intel Corporation 3rd Gen Core processor DRAM Controller [xxxx:xxxx] (rev [xx])
VGA: xx:xx.x VGA compatible controller [xxxx]: Intel Corporation 3rd Gen Core processor Graphics Controller [xxxx:xxxx] (rev xx)
xx:xx.x VGA compatible controller [xxxx]: NVIDIA Corporation GK107M [GeForce GT 650M] [xxxx:xxxx] (rev xx)

HDD: Samsung SSD xxx Rev: xxxx
STxxxxLMxxx xx-xx Rev: xxxx

BIOS: N56VZ.216
VT-x: Active
VT-d: Not Active
---------------------------------------------------------------------------------------------------

After the changes above, does the HCL information still make sense or does it become useless?

The info from the html part of the HCL text file report doesn't contain identifiers:
---------------------------------------------------------------------------------------------------
<tr align='center'>
<td rowspan='1'>
ASUSTeK_COMPUTER_INC. N56VZ<br>
(CPU, Chipset, embedded VGA)
</td>
<td rowspan='1'>N56VZ.216</td> <!-- BIOS version # reported BIOS version -->
<td rowspan='1' class='hcl-good'></td> <!-- HVM # HVM can be created? -->
<td rowspan='1' class='hcl-bad'></td> <!-- IOMMU # PCI-Devices can be assigned to a HVM? -->
<td rowspan='1' class='hcl-unknown'></td> <!-- TPM # Anti Evil Made works? -->
<td rowspan='1'></td> <!-- spacing (QSL) --> # best achievable QSL - (Qubes Security Level) -->

<td rowspan='1' class='hcl-FIXME'>R2</td> <!-- Qubes version # first reported Qubes version -->
<td rowspan='1' class='hcl-FIXME'>3.12.23-1</td> <!-- dom0 kernel # Boots with this kernel version (refer to exact kernel version). -->
<td rowspan='1' class='hcl-FIXME'>

</td> <!-- Remarks -->
<td rowspan='1' class='hcl-reportedby'>
<a class='ext-link' href='FIXLINK'><span class='icon'></span>insert name</a>
</td> <!-- Reported by -->
</tr>
---------------------------------------------------------------------------------------------------

Gorka Alonso

Sep 4, 2014, 10:25:10 AM
to qubes...@googlegroups.com, ma...@zrubi.hu


On Thursday, September 4, 2014 15:50:23 UTC+2, Oleg Artemiev wrote:

> Well, I see some numbers (in format xx:xx.x) in chipset and vga
> information there.
> These numbers are required and not unique for my device?
>
> Also I see HDD information with revision IDs. HDD revision IDs should
> be unique, aren't they?
>
> Do you really need HDD info?
>
> RAM amount and HDD amount is not the same as I bought the laptop, do
> you really need amount of RAM since if it is non-default?

It could help other users to know if some problems could be caused by not enough free memory, or poor memory allocation. The same happens with HDD/SSD.

> Here is my info from the TXT file generated by qubes-hcl-report, where
> potentially identifiable part is replaced with 'x':

The hardware vendors sell different revisions of the hardware and those revisions usually behave slightly differently. Providing as much info as possible, including what you replaced, could help to identify the hardware it runs on with no problems, with slight problems, or doesn't run on at all.

The information you replaced with 'X's does *not* identify the computer. It only provides information on what slot the devices are plugged into and what model (and revision) they are.
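
An added illustration, not part of the thread and not code from qubes-hcl-report: a sketch that splits a device line of the `xx:xx.x ... [xxxx:xxxx] (rev xx)` shape quoted above into slot, class code, vendor:device ID and revision (values shared by every unit of the same model), and separately flags per-unit identifiers such as serial numbers, UUIDs and MAC addresses. All sample values are constructed, and the `Serial Number:` / `UUID:` labels assume dmidecode-style output.

```python
import re

# lspci-style device line: slot, class name [class], device name [vendor:device] (rev NN)
PCI_LINE = re.compile(
    r"(?P<slot>[0-9a-f]{2}:[0-9a-f]{2}\.[0-7])\s+"
    r"(?P<class_name>[^\[]+?)\s+\[(?P<class_code>[0-9a-f]{4})\]:\s+"
    r"(?P<name>.+?)\s+\[(?P<vendor>[0-9a-f]{4}):(?P<device>[0-9a-f]{4})\]"
    r"(?:\s+\(rev\s+(?P<rev>[0-9a-f]{2})\))?",
    re.IGNORECASE,
)

# Identifiers that differ between two units of the same model.
UNIQUE_PATTERNS = {
    "mac_address": re.compile(r"\b(?:[0-9a-f]{2}:){5}[0-9a-f]{2}\b", re.I),
    "uuid": re.compile(r"\b[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}\b", re.I),
    "serial_number": re.compile(r"\bSerial Number:\s*\S+", re.I),
}

def parse_pci_fields(text):
    """Return the model-level fields of every PCI device line in text."""
    found = []
    for line in text.splitlines():
        m = PCI_LINE.search(line)
        if m:
            found.append(m.groupdict())
    return found

def find_unique_ids(text):
    """Return (kind, line_number) for each per-unit identifier in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pattern in UNIQUE_PATTERNS.items():
            if pattern.search(line):
                hits.append((kind, lineno))
    return hits

# Constructed sample in the shape of the .txt summary (values are made up).
SAMPLE_TXT = """\
Chipset: 00:00.0 Host bridge [0600]: Example Corp DRAM Controller [1234:0154] (rev 09)
VGA: 00:02.0 VGA compatible controller [0300]: Example Corp Graphics [1234:0166] (rev 09)
VT-d: Not Active
"""
# Constructed sample assuming dmidecode-style "Serial Number:" / "UUID:" labels.
SAMPLE_DMI = """\
System Information
    Serial Number: CONSTRUCTED123
    UUID: 01234567-89ab-cdef-0123-456789abcdef
"""

if __name__ == "__main__":
    for dev in parse_pci_fields(SAMPLE_TXT):
        print(dev["slot"], dev["vendor"] + ":" + dev["device"], "rev", dev["rev"])
    print("summary:", find_unique_ids(SAMPLE_TXT), "dmi:", find_unique_ids(SAMPLE_DMI))
```
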


 

Hakisho Nukama

Sep 4, 2014, 11:32:52 AM
to Oleg Artemiev, qubes...@googlegroups.com
> On Wed, Sep 3, 2014 at 6:20 PM, Oleg Artemiev <grey...@gmail.com> wrote:
> There's no qubes-hcl-script in my or root $PATH in dom0. I guess
> 'qubes-hcl-report dom0'

Yes, you are right.

>> is an "Intel HM67 Express Chipset", that does not support VT-d.
>> The Asus website lists CPUs for the N56VZ that *do not* support VT-d.
> I have Core-i7, and assume it should support both - vt-d and vt-x. Am I wrong?

Yes, you are wrong:
http://ark.intel.com/products/64899/Intel-Core-i7-3610QM-Processor-6M-Cache-up-to-3_30-GHz
http://ark.intel.com/products/52809/Intel-BD82HM67-PCH

Best Regards,
Hakisho Nukama

Oleg Artemiev

Sep 10, 2014, 8:39:10 PM
to qubes...@googlegroups.com, grey...@gmail.com
Thank you very much. According to Asus http://www.asus.com/ru/Notebooks_Ultrabooks/N56VZ/specifications/ I have a Core-i7-3610QM, and I see the same in /proc/cpuinfo in Dom0.
From the URLs you gave I see my Asus has no VT-D, only VT-X. :| This saves me from upgrading the BIOS - this will not enable VT-D for me. Asus N56vz is crap.

 

kra...@gmail.com

Feb 8, 2018, 8:52:59 PM
to qubes-users
So, is it possible anyway to get internet on qubesos on N56VZ?
Thanks.