My Intel system doesn't have Vt-x and Vt-d, please help me understand the implications.
50 views
Skip to first unread message
5vo30m+lpi66...@guerrillamail.com
Jan 6, 2017, 3:04:13 PM1/6/17
to qubes...@googlegroups.com
Hi everyone!
First off happy new year! :)
To get into the subject, I'm trying to get as many Qubes users around me as possible to convert my family and friends from Windowsism to Qubism. However in some cases I see that the Intel®™ (backdoor℠ inside®) hardware that they have does not support VT-x and VT-d.
So I would like to better understand the implications of this. From the User FAQ:
https://www.qubes-os.org/doc/user-faq/#can-i-install-qubes-on-a-system-without-vt-x
I understand that this means that:
o Not being able to use fully virtualized VMs (e.g., Windows-based qubes)
o No security benefit in having a separate NetVM
But the points I wont to understand are:
~ Does this mean that one wont be able to install Windows in a VM in such system (that's it?)? What does fully virtualized VM really mean?
~ How is this relevant practically speaking? In other words, could an attacker deploy malware to NetVM (from an AppVM that is connected to the NetVM)? If not, in which situations can attacker get to the NetVM and therefore to dom0?
Thanks for all the help!
----
Sent using Guerrillamail.com
Block or report abuse: https://www.guerrillamail.com//abuse/?a=UFR2AB5NVqcQmh2U93EQdRjCStifx8dDiadNcQ%3D%3D
Marek Marczykowski-Górecki
Jan 6, 2017, 8:37:50 PM1/6/17
to 5vo30m+lpi66...@guerrillamail.com, qubes...@googlegroups.com
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
On Fri, Jan 06, 2017 at 08:04:08PM +0000, 5vo30m+lpi66xm176ugr7ruk via qubes-users wrote:
> Hi everyone!
>
> First off happy new year! :)
>
> To get into the subject, I'm trying to get as many Qubes users around me as possible to convert my family and friends from Windowsism to Qubism. However in some cases I see that the Intel®™ (backdoor℠ inside®) hardware that they have does not support VT-x and VT-d.
>
> So I would like to better understand the implications of this. From the User FAQ:
>
> https://www.qubes-os.org/doc/user-faq/#can-i-install-qubes-on-a-system-without-vt-x
>
> I understand that this means that:
>
> o Not being able to use fully virtualized VMs (e.g., Windows-based qubes)
>
> o No security benefit in having a separate NetVM
>
> But the points I wont to understand are:
>
> ~ Does this mean that one wont be able to install Windows in a VM in such system (that's it?)?
Yes.
> What does fully virtualized VM really mean?
https://www.qubes-os.org/doc/glossary/#hvm
In short: a VM running OS not necessary modified to be running in a VM.
> ~ How is this relevant practically speaking? In other words, could an attacker deploy malware to NetVM (from an AppVM that is connected to the NetVM)? If not, in which situations can attacker get to the NetVM and therefore to dom0?
The way you've descried, or using some remote attack directly on NetVM -
because NetVM is what is facing external network directly.
- --
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQEcBAEBCAAGBQJYcEZoAAoJENuP0xzK19cs10AIAJJTAtko8yOjdDXcWOaq7lRB
2fKeGJDIG5x9ZILWfJbDrqaAgd14NuQyCU4UAMokk3dkgo6u6/0gjr55tshp5pyx
Ah6i253s+16MRatC+vBYohD+NJWE3tZG1vsr6IiDQxuqb/pykrqywbDcKUMIEtgs
xrlorH5liM5LuWxiKPJSqtV9LtQb4Y3EILXBSeJuiDPeqbcaYu1lniSQMsoUUR7J
HES0ygE552wH4HhMiqE3f3FOy7yQSF8lmjSRnl50X7Pzw0y1Ojs5CUgV/oYPh/XP
vye8F6PGDxQpAx6HHCsuUSQgAoIUhWDrZJcXKHHvIoMKkgDPahP1IDt8eRa5m38=
=qXgS
-----END PGP SIGNATURE-----
Hash: SHA256
On Fri, Jan 06, 2017 at 08:04:08PM +0000, 5vo30m+lpi66xm176ugr7ruk via qubes-users wrote:
> Hi everyone!
>
> First off happy new year! :)
>
> To get into the subject, I'm trying to get as many Qubes users around me as possible to convert my family and friends from Windowsism to Qubism. However in some cases I see that the Intel®™ (backdoor℠ inside®) hardware that they have does not support VT-x and VT-d.
>
> So I would like to better understand the implications of this. From the User FAQ:
>
> https://www.qubes-os.org/doc/user-faq/#can-i-install-qubes-on-a-system-without-vt-x
>
> I understand that this means that:
>
> o Not being able to use fully virtualized VMs (e.g., Windows-based qubes)
>
> o No security benefit in having a separate NetVM
>
> But the points I wont to understand are:
>
> ~ Does this mean that one wont be able to install Windows in a VM in such system (that's it?)?
> What does fully virtualized VM really mean?
In short: a VM running OS not necessary modified to be running in a VM.
> ~ How is this relevant practically speaking? In other words, could an attacker deploy malware to NetVM (from an AppVM that is connected to the NetVM)? If not, in which situations can attacker get to the NetVM and therefore to dom0?
because NetVM is what is facing external network directly.
- --
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQEcBAEBCAAGBQJYcEZoAAoJENuP0xzK19cs10AIAJJTAtko8yOjdDXcWOaq7lRB
2fKeGJDIG5x9ZILWfJbDrqaAgd14NuQyCU4UAMokk3dkgo6u6/0gjr55tshp5pyx
Ah6i253s+16MRatC+vBYohD+NJWE3tZG1vsr6IiDQxuqb/pykrqywbDcKUMIEtgs
xrlorH5liM5LuWxiKPJSqtV9LtQb4Y3EILXBSeJuiDPeqbcaYu1lniSQMsoUUR7J
HES0ygE552wH4HhMiqE3f3FOy7yQSF8lmjSRnl50X7Pzw0y1Ojs5CUgV/oYPh/XP
vye8F6PGDxQpAx6HHCsuUSQgAoIUhWDrZJcXKHHvIoMKkgDPahP1IDt8eRa5m38=
=qXgS
-----END PGP SIGNATURE-----
Andrew David Wong
Jan 7, 2017, 3:29:56 AM1/7/17
to Marek Marczykowski-Górecki, 5vo30m+lpi66...@guerrillamail.com, qubes...@googlegroups.com
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
On 2017-01-06 17:37, Marek Marczykowski-Górecki wrote:
> On Fri, Jan 06, 2017 at 08:04:08PM +0000, 5vo30m+lpi66xm176ugr7ruk via qubes-users wrote:
>> Hi everyone!
>
>> First off happy new year! :)
>
>> To get into the subject, I'm trying to get as many Qubes users around me as possible to convert my family and friends from Windowsism to Qubism. However in some cases I see that the Intel®™ (backdoor℠ inside®) hardware that they have does not support VT-x and VT-d.
>
>> So I would like to better understand the implications of this. From the User FAQ:
>
>> https://www.qubes-os.org/doc/user-faq/#can-i-install-qubes-on-a-system-without-vt-x
>
>> I understand that this means that:
>
>> o Not being able to use fully virtualized VMs (e.g., Windows-based qubes)
>
>> o No security benefit in having a separate NetVM
>
>> But the points I wont to understand are:
>
>> ~ Does this mean that one wont be able to install Windows in a VM in such system (that's it?)?
> Yes.
>
>> What does fully virtualized VM really mean?
>
> https://www.qubes-os.org/doc/glossary/#hvm
>
> In short: a VM running OS not necessary modified to be running in a VM.
>
>> ~ How is this relevant practically speaking? In other words, could an attacker deploy malware to NetVM (from an AppVM that is connected to the NetVM)? If not, in which situations can attacker get to the NetVM and therefore to dom0?
>
> The way you've descried, or using some remote attack directly on NetVM -
> because NetVM is what is facing external network directly.
>
Another, additional way of answering this question:
"On a system without VT-d, everything should work in the same way,
except there will be no real security benefit to having a separate
NetVM, as an attacker could always use a simple DMA attack to go from
the NetVM to Dom0."
Then read this:
https://www.qubes-os.org/doc/user-faq/#what-is-a-dma-attack
Basically, read the next two FAQ entries after the one you linked. :)
- --
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
-----BEGIN PGP SIGNATURE-----
iQIcBAEBCgAGBQJYcKbyAAoJENtN07w5UDAw380P/3vH/GlHBGsYV5qmU1fDdRu8
JHz9ZG5tWVIba219sYMNCHa4F+Wc907prEyooG0XRBwtIKoZ/qXP5bMKX6WBuXSw
8wQfEewrWvSU7vCGW67DEc4OYcwKNwiV8mX6ebFSt/dtKHshLmyCylnaJ0Sg59Kn
PwIdkG1E7Gzt7pt0Ti2WUzjKeWMY0GWZm9kuYG5DL1iRguanGrmVyn+RRAZMn5af
WRrP7GBFAK7ykOWP4zTpZ8onlL7En9s+MNp7Mn6hyDyIYKvwQ2LcE63p2H8dozku
5cDGkxWJIB/dqhd9URnVhq/cVKdXvHXGztGBR62tSpq2neuYhi8FyTpdKqxuspvV
1zMsBGp8DP8Q03Mf8AeJ7DLfrHfZYi1HmwhYa3uOZnntAHd3x93QRXOyiWiLr88e
aBiYHCQMdy+o8FMrikvPfQi8Wd7JGSqmzOzw8TMhnuQ8QlZCa6GdYfQa23oBi4El
t12M2RBykur2grLfRf/wUcMiTRxZ1WTVXrY4YPDoH+79QzEV5xhJrrlWKFYEYySG
SsnOpToBa/iHwWtrVKqDfubca1umDnSRjYJuKjWourzO5LEpG9hkjFdUg0olTMet
C05tE/Hlg8+PeLg2y06PCavQZK7nRkN7L3U0SEYck8RVovslKmbUeKFWtMM+rqQi
ZPisdXAjwa+YtnEsdwbz
=EXu4
-----END PGP SIGNATURE-----
Hash: SHA512
On 2017-01-06 17:37, Marek Marczykowski-Górecki wrote:
> On Fri, Jan 06, 2017 at 08:04:08PM +0000, 5vo30m+lpi66xm176ugr7ruk via qubes-users wrote:
>> Hi everyone!
>
>> First off happy new year! :)
>
>> To get into the subject, I'm trying to get as many Qubes users around me as possible to convert my family and friends from Windowsism to Qubism. However in some cases I see that the Intel®™ (backdoor℠ inside®) hardware that they have does not support VT-x and VT-d.
>
>> So I would like to better understand the implications of this. From the User FAQ:
>
>> https://www.qubes-os.org/doc/user-faq/#can-i-install-qubes-on-a-system-without-vt-x
>
>> I understand that this means that:
>
>> o Not being able to use fully virtualized VMs (e.g., Windows-based qubes)
>
>> o No security benefit in having a separate NetVM
>
>> But the points I wont to understand are:
>
>> ~ Does this mean that one wont be able to install Windows in a VM in such system (that's it?)?
> Yes.
>
>> What does fully virtualized VM really mean?
>
> https://www.qubes-os.org/doc/glossary/#hvm
>
> In short: a VM running OS not necessary modified to be running in a VM.
>
>> ~ How is this relevant practically speaking? In other words, could an attacker deploy malware to NetVM (from an AppVM that is connected to the NetVM)? If not, in which situations can attacker get to the NetVM and therefore to dom0?
>
> The way you've descried, or using some remote attack directly on NetVM -
> because NetVM is what is facing external network directly.
>
"On a system without VT-d, everything should work in the same way,
except there will be no real security benefit to having a separate
NetVM, as an attacker could always use a simple DMA attack to go from
the NetVM to Dom0."
Then read this:
https://www.qubes-os.org/doc/user-faq/#what-is-a-dma-attack
Basically, read the next two FAQ entries after the one you linked. :)
- --
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
-----BEGIN PGP SIGNATURE-----
iQIcBAEBCgAGBQJYcKbyAAoJENtN07w5UDAw380P/3vH/GlHBGsYV5qmU1fDdRu8
JHz9ZG5tWVIba219sYMNCHa4F+Wc907prEyooG0XRBwtIKoZ/qXP5bMKX6WBuXSw
8wQfEewrWvSU7vCGW67DEc4OYcwKNwiV8mX6ebFSt/dtKHshLmyCylnaJ0Sg59Kn
PwIdkG1E7Gzt7pt0Ti2WUzjKeWMY0GWZm9kuYG5DL1iRguanGrmVyn+RRAZMn5af
WRrP7GBFAK7ykOWP4zTpZ8onlL7En9s+MNp7Mn6hyDyIYKvwQ2LcE63p2H8dozku
5cDGkxWJIB/dqhd9URnVhq/cVKdXvHXGztGBR62tSpq2neuYhi8FyTpdKqxuspvV
1zMsBGp8DP8Q03Mf8AeJ7DLfrHfZYi1HmwhYa3uOZnntAHd3x93QRXOyiWiLr88e
aBiYHCQMdy+o8FMrikvPfQi8Wd7JGSqmzOzw8TMhnuQ8QlZCa6GdYfQa23oBi4El
t12M2RBykur2grLfRf/wUcMiTRxZ1WTVXrY4YPDoH+79QzEV5xhJrrlWKFYEYySG
SsnOpToBa/iHwWtrVKqDfubca1umDnSRjYJuKjWourzO5LEpG9hkjFdUg0olTMet
C05tE/Hlg8+PeLg2y06PCavQZK7nRkN7L3U0SEYck8RVovslKmbUeKFWtMM+rqQi
ZPisdXAjwa+YtnEsdwbz
=EXu4
-----END PGP SIGNATURE-----
Reply all
Reply to author
Forward
0 new messages