Fwd: AMD Ryzen working with IOMMU, HCL results attached


Bjoern Christoph

May 15, 2017, 3:29:29 PM
to qubes...@googlegroups.com
Posted by me on the qubes-user list, could also have gone to this one I guess...

On Monday, May 15, 2017 at 21:24:30 UTC+2, Bjoern Christoph wrote:
> Hi all,
>
> Attached are the HCL results of my Ryzen system.
>
> It did NOT work out of the box on Qubes - IOMMU was not available. However, Ubuntu stated it's working (BIOS IOMMU looks great) so I played around a bit.
>
> Basically, two things are needed for working IOMMU in Xen used by Qubes:
> 1) Update Xen with an IOMMU patch from AMD
> 2) Update Xen with family 17h == Ryzen
>
> For step 1): Apply this patch (part of Xen 4.8.0): https://patchwork.kernel.org/patch/9145119/
>
> For step 2): xen/arch/x86/oprofile/nmi_int.c - Create a "case 0x17:" entry which is the same as "case 0x15:"
>
> I installed Qubes, then proceeded as described to compile Qubes from scratch. Before I did "make vmm-xen" I changed the above files within the xen*.gz file. After that, I moved the files to dom0 and forced a reinstall of the RPM files.
>
> Rebooted and voila, you can see the result in the files :) Now I can get a TPM I guess ;)
>
> I posted this nmi_int.c patch also on the xen-devel mailing list, let's see if it's enough for them.
>
> Maybe these two patches can be added to Qubes 3.2 (if they work properly). Not sure if there is anything else I can do to test if IOMMU is working properly, if something is there to test that please let me know!
>
> Cheers,
> Bjoern

Qubes-HCL-ASRock-X370_Gaming_K4-20170515-204244.cpio.gz
Qubes-HCL-ASRock-X370_Gaming_K4-20170515-204244.yml

Bjoern Christoph

May 16, 2017, 1:35:42 AM
to qubes-devel
Ok, it's NOT working after all. Trying to install a HVM causes a reboot... so I guess there is more work left there after all.

You can ignore the HCL report then as well.

Chris Laprise

May 16, 2017, 10:24:53 AM
to Bjoern Christoph, qubes-devel
I'm curious: Does the MMU work with PVMs like sys-net? Does the NIC work
correctly in the VM?

--

Chris Laprise, tas...@openmailbox.org
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886

Marek Marczykowski-Górecki

May 16, 2017, 2:29:18 PM
to Chris Laprise, Bjoern Christoph, qubes-devel
On Tue, May 16, 2017 at 10:24:47AM -0400, Chris Laprise wrote:
> I'm curious: Does the MMU work with PVMs like sys-net? Does the NIC work
> correctly in the VM?

PV do not need IOMMU for working PCI passthrough, only use it for
protection. So it isn't exactly easy to check if IOMMU really works
using only PV...

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

Chris Laprise

May 16, 2017, 4:39:23 PM
to Marek Marczykowski-Górecki, Bjoern Christoph, qubes-devel
On 05/16/2017 02:29 PM, Marek Marczykowski-Górecki wrote:
> On Tue, May 16, 2017 at 10:24:47AM -0400, Chris Laprise wrote:
>> I'm curious: Does the MMU work with PVMs like sys-net? Does the NIC work
>> correctly in the VM?
>
> PV do not need IOMMU for working PCI passthrough, only use it for
> protection. So it isn't exactly easy to check if IOMMU really works
> using only PV...
>

So I guess there is no software path to test this unless you can easily
tell a NIC to "change address X, regardless of network buffers etc.".
Maybe a PCI card made for that purpose...

blacklight

May 18, 2017, 3:13:20 AM
to qubes-devel, tas...@openmailbox.org, bchr...@googlemail.com
What would be a good way to test the functionality of IOMMU?
I mean I know you can see if it's available via the HCL, but how can you see if it's actually working?

Andrew David Wong

May 20, 2017, 7:59:33 PM
to blacklight, qubes-devel, tas...@openmailbox.org, bchr...@googlemail.com, Marek Marczykowski-Górecki
On 2017-05-18 02:13, blacklight wrote:
>
> On Tuesday, 16 May 2017 20:29:18 UTC+2, Marek Marczykowski-Górecki
> wrote:
>>
> On Tue, May 16, 2017 at 10:24:47AM -0400, Chris Laprise wrote:
>>>> I'm curious: Does the MMU work with PVMs like sys-net? Does
>>>> the NIC work correctly in the VM?
>
> PV do not need IOMMU for working PCI passthrough, only use it for
> protection. So it isn't exactly easy to check if IOMMU really works
> using only PV...
>
>
> What would be a good way to test the functionality of IOMMU? I mean
> I know you can see if it's available via the HCL, but how can you
> see if it's actually working?
>

That's a good question. Typically we just say to run qubes-hcl-report,
then use the output to determine whether IOMMU/VT-d is supported. If
the HCL report says yes, we assume it's working.

I'm not aware of a surefire way to test that it's actually working in
practice, though (short of trying to perform a DMA attack against
yourself).

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
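
What a report-based check amounts to, as an added example that is not part of the thread and is not the qubes-hcl-report code: it classifies what Xen itself states in `xl info` (`virt_caps` containing `hvm_directio`) and `xl dmesg` (the `I/O virtualisation enabled` boot line). The sample text and the function names are constructed for illustration; the result is Xen's own claim and does not exercise DMA.

```shell
#!/bin/sh
# Added example: summarise what Xen reports about the IOMMU.
# "enabled" here means "Xen says so"; no DMA is attempted.

# Constructed sample inputs (not taken from the thread's HCL attachment).
SAMPLE_INFO='virt_caps              : hvm hvm_directio'
SAMPLE_DMESG='(XEN) AMD-Vi: IOMMU 0 Enabled.
(XEN) I/O virtualisation enabled'
SAMPLE_DMESG_OFF='(XEN) I/O virtualisation disabled'

# iommu_status INFO_TEXT DMESG_TEXT -> prints one of:
#   enabled      hvm_directio advertised and Xen logged "enabled"
#   disabled     Xen logged "I/O virtualisation disabled"
#   unsupported  no hvm_directio capability in virt_caps
#   unknown      capability advertised, boot line missing
#                (e.g. the dmesg ring buffer has wrapped)
iommu_status() {
    info=$1
    dmesg=$2
    if printf '%s\n' "$dmesg" | grep -q 'I/O virtualisation disabled'; then
        echo disabled; return
    fi
    if ! printf '%s\n' "$info" | grep -E '^virt_caps[[:space:]]*:' \
            | grep -qw hvm_directio; then
        echo unsupported; return
    fi
    if printf '%s\n' "$dmesg" | grep -q 'I/O virtualisation enabled'; then
        echo enabled
    else
        echo unknown
    fi
}

# amd_iommu_count DMESG_TEXT -> number of "AMD-Vi: IOMMU n Enabled." lines
amd_iommu_count() {
    printf '%s\n' "$1" | grep -c 'AMD-Vi: IOMMU [0-9][0-9]* Enabled' || true
}

# In dom0 read the live hypervisor state; elsewhere fall back to the sample.
if command -v xl >/dev/null 2>&1; then
    echo "live:   $(iommu_status "$(xl info 2>/dev/null)" "$(xl dmesg 2>/dev/null)")"
else
    echo "sample: $(iommu_status "$SAMPLE_INFO" "$SAMPLE_DMESG")"
fi
```
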

blacklight

May 21, 2017, 1:59:01 PM
to qubes-devel
I see, maybe @Marek knows a way to test it?
Since performing a DMA attack is not in the abilities of the average user, it might be beneficial for a user's security to be able to check it.

Marek Marczykowski-Górecki

May 21, 2017, 4:53:41 PM
to blacklight, qubes-devel
On Sun, May 21, 2017 at 10:59:00AM -0700, blacklight wrote:
> I see, maybe @Marek knows a way to test it?
> Since performing a DMA attack is not in the abilities of the average user, it might be beneficial for a user's security to be able to check it.

I don't know any generic method.
I have tried in the past a simple modification to a driver (AFAIR
e1000e) to command the device to send received data (DMA) to a completely
different address. Then, with IOMMU disabled, it crashed the whole host,
but with IOMMU enabled, it crashed only that VM or even just the device
didn't work.

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

blacklight

May 21, 2017, 5:04:11 PM
to qubes-devel
I understand. I guess we have to rely on the HCL reports for now, thanks for the heads up!

Alex Floyd

Jul 19, 2017, 10:10:13 PM
to qubes...@googlegroups.com
> On Sun, May 21, 2017 at 10:59:00AM -0700, blacklight wrote:
>> I see, maybe @Marek knows a way to test it? Since performing
>> a DMA attack is not in the abilities of the average user, it
>> might be beneficial for a user's security to be able to check it.
>
> I don't know any generic method. I have tried in the past a simple
> modification to a driver (AFAIR e1000e) to command the device to
> send received data (DMA) to a completely different address. Then,
> with IOMMU disabled, it crashed the whole host, but with IOMMU
> enabled, it crashed only that VM or even just the device didn't
> work.

For Intel systems there is an application called Chipsec that runs all
sorts of UEFI tests, including DMA. The only downside to Chipsec is
that it must be run in dom0, making it potentially extremely
vulnerable. Read the warning.txt for more info. It is better for
running in a live distro, unless it is made into a package that scrubs
everything from the warning.txt after the report is output. Chipsec
currently does not help out any of the AMD users, but I am working on
porting it to AMD systems.


Here is a link directly to the Chipsec module that tests the DMA
protection:
https://github.com/chipsec/chipsec/blob/master/chipsec/modules/smm_dma.py

>> On 05/15/2017 10:35 PM, 'Bjoern Christoph' via qubes-devel
>> wrote:
>>> Ok, it's NOT working after all. Trying to install a HVM causes
>>> a reboot... so I guess there is more work left there after
>>> all.
>>>
>>> You can ignore the HCL report then as well.
>>>

Bjoern,
Have you made any progress on this, and are you still looking for help
with this? I would love to help get Qubes up and running on Ryzen.
