What are the disadvantages of NOT having vt-d?


Chris

Dec 13, 2017, 7:27:23 PM
to qubes...@googlegroups.com
Hi,

I am an avid user of Qubes OS and I love what you have done. Finally I have a feeling of security and peace of mind... I am not a security person, but I kinda do care about it, have some basic understanding, and am slightly paranoid.

I am currently running a DELL Precision 5520, which has vt-d. But it is owned by my company, which I am leaving soon, and then I will have to switch back to my desktop, an old Intel 3700K without vt-d.

I am wondering, compared to my Precision laptop with vt-d, what attack vectors will open up? The desktop will be connected to a Ubiquiti router via Ethernet cable (no WLAN), which is in turn connected to a normal cable modem. Is this reasonably safe? Is the NetVM mostly useful for WLAN or also for Ethernet?

I am a normal person, soon working as a developer at Amazon (so I would say that while I am not high-profile, people might have an interest in attacking me to gain access to AWS or any other Amazon service)...

Cheers
Mara

charly LEMMINKÄINEN

Dec 13, 2017, 7:40:15 PM
to qubes-users
Well, from what I remember, you may not have any choice, since for R4.0 you won't be able to install without vt-d activated. I have kinda the same problem. I will have to change the CPU in the laptop where Qubes is installed to make it compatible.

Chris

Dec 13, 2017, 7:43:04 PM
to charly LEMMINKÄINEN, qubes-users
I see... But currently I am using Qubes 3.2, and 4.0, the last time I tried it, was VERY unpolished; I am not sure I am going to look at it before support for 3.2 expires...

It's not like I would not have the money to buy a 7700K, but I want to avoid spending money if not necessary; that is why I want to get a clear picture...


charly LEMMINKÄINEN

Dec 13, 2017, 7:49:36 PM
to qubes-users
About vt-d, the problem is more about USB controllers and the fact that without vt-d you don't have good control over how they behave and are assigned, but I could be wrong.

awokd

Dec 13, 2017, 8:09:21 PM
to "charly LEMMINKÄINEN", qubes-users
There's a longer summary in
https://www.qubes-os.org/news/2017/07/31/qubes-40-rc1/ of some of the
changes between 3.2 and 4.0. Look in the "Fully virtualized VMs" section
and links.

Tai...@gmx.com

Dec 13, 2017, 9:15:41 PM
to Chris, qubes...@googlegroups.com
Please note that VT-d is Intel's marketing term for an IOMMU - AMD's
marketing term is AMD-Vi.

You can buy a system with a quality, functional IOMMU that can play
modern games and doesn't have ME/PSP, with the board + CPU only $100 total.

Used SuperMicro H8SCM for $30 + used Opteron 4386 for $70 - I have this
board and it works well - it also supports SR-IOV.
If you want libre firmware (coreboot with open source init) you can get
a KCMA-D8 board for around $300 - it also has libre OpenBMC firmware for
the BMC chip, so you can have secure remote BMC access. It is Socket C32, so get
the same CPU; it is the best available, and its AM3+ equivalent is an FX-8310.

No need to buy one of Intel's overpriced products.

Tai...@gmx.com

Dec 13, 2017, 9:36:36 PM
to Chris, qubes...@googlegroups.com
In terms of security, not having an IOMMU means you can be attacked via
DMA if someone has an exploit for one of your DMA-capable peripherals,
such as a network interface, USB controller, etc. Those two are the most
popular.

Of course, an x86-64 platform with Intel ME or AMD PSP is still
vulnerable to DMA exploits due to the ME IOMMU bypass and various
"debugging" mode features such as the recent USB Skylake hack.

ME/PSP can't be truly disabled; me_cleaner simply "cleans" it and sets
the HAP bit. All the companies that purport to offer a "disabled" ME
are simply using me_cleaner and not actually disabling the ME, simply nerfing
it. Due to its tight integration with the CPU (it brings up the CPU and
provides power management), on a modern x86-64 device it can't be
disabled. There isn't even any proof that using me_cleaner truly improves
security, or that there isn't another super secret hidden backdoor in the
kernel, mask ROM etc. which me_cleaner can't clean/nerf.

If Google can't get Intel to open source the ME then no one can, certainly
not Purism riding on the coat-tails of real security researchers; a
modern x86-64 system will never be free without intervention from the OEMs.

If you want a computer that lacks this hardware backdoor, your choices
are either POWER9 (an owner-controlled performance CPU arch from IBM, of
all companies), select ARM systems, or of course the slightly older
pre-PSP AMD stuff such as AM3+, C32, G34, FT3.

Feel free to email me any questions.

Andrew David Wong

Dec 13, 2017, 11:25:04 PM
to Chris, qubes...@googlegroups.com
We have an FAQ entry about this. Please take a look if you haven't already:

https://www.qubes-os.org/faq/#can-i-install-qubes-on-a-system-without-vt-d

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org


Matteo

Dec 14, 2017, 12:48:38 PM
to qubes...@googlegroups.com
> I see... But currently I am using Qubes 3.2, and 4.0, the last time I tried it, was
> VERY unpolished; I am not sure I am going to look at it before support
> for 3.2 expires...

Same here, and my PC doesn't have vt-d nor SLAT (second level address
translation); both are required for Qubes 4.

> It's not like I would not have the money to buy a 7700K, but I want to
> avoid spending money if not necessary; that is why I want to get a clear
> picture...

As far as I know, you can't just replace the CPU to get vt-d (IOMMU);
the chipset and the BIOS must also have proper support, so changing the
CPU only might be a waste of money.
There was a discussion about finding a notebook with proper support:
https://groups.google.com/forum/#!topic/qubes-users/Sz0Nuhi4N0o

VT-d protects from DMA (direct memory access) attacks.
For a demo, take a look at "Inception", which works via the firmware interface.
I have personally tested it against a Windows XP machine and it worked (from what I
have read, newer OSes are protected against this *specific* attack).
It protects you from bad/exploited DMA devices like a network card.
The NetVM is used for both Ethernet and WiFi.

For your use case (almost anyone's use case) you don't need vt-d, but we
are starting to see successful attacks against network interfaces, and
thanks to the hard work of the Qubes OS team and that genius person Joanna
Rutkowska we have that extra protection for free.
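The two posts above (Tai's note that a missing IOMMU leaves you open to DMA from a compromised NIC or USB controller, and Matteo's point that Qubes 4 needs both VT-d/IOMMU and SLAT, and that the chipset and BIOS must support it, not just the CPU) both come down to "does this particular machine actually have the hardware protection?". The following script is an added example, not code from this thread or from the Qubes project. It inspects what a running Linux kernel reports: whether an IOMMU is active (IOMMU groups in sysfs), whether the firmware even publishes one (the ACPI DMAR table for Intel VT-d or IVRS for AMD-Vi, which distinguishes "absent from the platform" from "present but switched off in the BIOS/UEFI setup"), and whether the CPU advertises hardware virtualisation (vmx/svm) and SLAT (ept/npt). The optional root-prefix argument and the `IOMMU_CHECK_ROOT` variable are inventions of this example so the checks can be exercised against a constructed fake sysfs/procfs tree; on a real host just run it with no argument.

```shell
#!/bin/sh
# Added example (not from the thread or the Qubes project): report the
# hardware facts the thread turns on, as seen from a running Linux kernel.
# The optional root prefix ($1 / IOMMU_CHECK_ROOT) is hypothetical and exists
# only so the functions can be pointed at a constructed sysfs/procfs tree.

# Number of IOMMU groups the kernel exposes; 0 means no active IOMMU, so a
# peripheral's DMA is not confined to that device's own mappings.
iommu_group_count() {
    dir="${1:-}/sys/kernel/iommu_groups"
    n=0
    if [ -d "$dir" ]; then
        for g in "$dir"/*; do
            if [ -e "$g" ]; then
                n=$((n + 1))
            fi
        done
    fi
    echo "$n"
}

# "enabled" if the kernel has at least one IOMMU group, else "missing".
iommu_status() {
    if [ "$(iommu_group_count "${1:-}")" -gt 0 ]; then
        echo enabled
    else
        echo missing
    fi
}

# Which IOMMU ACPI table the firmware publishes: intel-vt-d, amd-vi or none.
# A table with zero kernel groups usually means the IOMMU is disabled in the
# BIOS/UEFI setup or by a kernel/hypervisor option, not missing from the chip.
iommu_acpi_table() {
    tables="${1:-}/sys/firmware/acpi/tables"
    if [ -e "$tables/DMAR" ]; then
        echo intel-vt-d
    elif [ -e "$tables/IVRS" ]; then
        echo amd-vi
    else
        echo none
    fi
}

# CPU virtualisation support from the /proc/cpuinfo flag lines:
#   none       - no vmx/svm, so no hardware virtualisation at all
#   virt-only  - vmx/svm present but no SLAT (ept/npt)
#   virt+slat  - both present (what Qubes 4.0 requires alongside the IOMMU)
cpu_virt_features() {
    cpuinfo="${1:-}/proc/cpuinfo"
    [ -r "$cpuinfo" ] || { echo unknown; return; }
    virt=no
    slat=no
    for f in $(grep -E '^(flags|vmx flags)' "$cpuinfo" | cut -d: -f2); do
        case "$f" in
            vmx|svm) virt=yes ;;
            ept|npt) slat=yes ;;
        esac
    done
    if [ "$virt" = yes ] && [ "$slat" = yes ]; then
        echo "virt+slat"
    elif [ "$virt" = yes ]; then
        echo "virt-only"
    else
        echo none
    fi
}

# Human-readable summary for the host (or for the fake tree given as $1).
report() {
    echo "IOMMU active in kernel : $(iommu_status "${1:-}") ($(iommu_group_count "${1:-}") groups)"
    echo "IOMMU in firmware/ACPI : $(iommu_acpi_table "${1:-}")"
    echo "CPU virtualisation     : $(cpu_virt_features "${1:-}")"
}

report "${IOMMU_CHECK_ROOT:-}"
```

Two caveats when reading the output. First, inside Qubes dom0 the IOMMU belongs to Xen, not to the dom0 kernel, so the sysfs group count stays at zero even on a working VT-d system; there, use the project's own `qubes-hcl-report`, which prints the HVM, IOMMU and SLAT status directly. Second, a published DMAR/IVRS table with no kernel groups is the "chipset and BIOS support it, but it is switched off" case Matteo describes, which is worth checking in firmware setup before spending money on a new CPU.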