Benefits of running Qubes on server-grade hardware?


grzegorz....@gmail.com

Sep 3, 2016, 5:32:54 AM
to qubes-users
I know that QubesOS is developed mostly with notebook use in mind, however some users, me included, opt to run it on desktop computers. The question is, is there any advantage of building a Qubes-dedicated machine on workstation/server components?
Will Qubes be able to take advantage of higher core count in Xeon processors?
Or two processors if a user decides to build a dual-CPU rig?
Does the system performance scale with the number of available cores/ clock speed?
Can it take advantage of ECC RAM?
Server hardware that is few years old can be bought for dirt cheap (Xeon E5-2670 has 8 cores and costs about 75$).

I'll be upgrading from my current PC and I'm seriously considering building a rig around a Xeon processor and a motherboard with ECC RAM but if there is no real benefit then what's the point?

pixel fairy

Sep 3, 2016, 7:37:27 AM
to qubes-users, grzegorz....@gmail.com
On Saturday, September 3, 2016 at 2:32:54 AM UTC-7, grzegorz....@gmail.com wrote:
> I know that QubesOS is developed mostly with notebook use in mind, however some users, me included, opt to run it on desktop computers. The question is, is there any advantage of building a Qubes-dedicated machine on workstation/server components?

Mostly ECC RAM. It's a shame non-ECC is so prevalent. In practice, I don't think the difference is worth it. There are many more important variables.

> Will Qubes be able to take advantage of higher core count in Xeon processors?
> Or two processors if a user decides to build a dual-CPU rig?
> Does the system performance scale with the number of available cores/ clock speed?

Yes.

> Can it take advantage of ECC RAM?
> Server hardware that is few years old can be bought for dirt cheap (Xeon E5-2670 has 8 cores and costs about 75$).

It will benefit from ECC RAM the same as any other machine.

> I'll be upgrading from my current PC and I'm seriously considering building a rig around a Xeon processor and a motherboard with ECC RAM but if there is no real benefit then what's the point?

Apparently price is the advantage, but think of your ears! Server hardware is loud.

If you're willing to spend more on good hardware, go for a good SSD and good DDR4 RAM (G.Skill or Geil) in case bit-flipping attacks start showing up.

http://news.softpedia.com/news/rowhammer-attack-now-works-on-ddr4-memory-501898.shtml

grzegorz....@gmail.com

Sep 3, 2016, 7:58:52 AM
to qubes-users, grzegorz....@gmail.com
Xeon it is then. As for the rowhammering attack, as far as I know ECC RAM is not vulnerable to that. It's a shame that the more powerful Xeon CPUs don't come with a built-in GPU; I'll have to make do with a current one. An added benefit here is that pretty much all Xeons support the technologies necessary for Qubes 4.0 compliance. I wonder why they aren't more popular among desktop users.

Andrew David Wong

Sep 3, 2016, 8:11:04 AM
to grzegorz....@gmail.com, qubes-users
Unfortunately, that's not true:

"Tests show that simple ECC solutions, providing single-error
correction and double-error detection (SECDED) capabilities, are not
able to correct or detect all observed disturbance errors because some
of them include more than two flipped bits per memory word."

https://en.wikipedia.org/wiki/Row_hammer#Mitigation

> It's a shame that the more powerful Xeon CPUs don't come with a
> built-in GPU; I'll have to make do with a current one. An added
> benefit here is that pretty much all Xeons support the technologies
> necessary for Qubes 4.0 compliance. I wonder why they aren't more
> popular among desktop users.
>

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
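The SECDED limitation quoted above, as an added worked example that is not part of the original post and is neither Qubes code nor any memory controller's real ECC: a toy extended Hamming (13,8) code (8 data bits, 4 Hamming parity bits, 1 overall parity bit) with the same single-error-correct / double-error-detect behaviour as the (72,64) codes on ECC DIMMs. The flip positions in `main` are chosen by hand to show each outcome, and `secded_survey` enumerates every k-bit flip pattern in the word, so the generalisation (three flips are silently "corrected" into garbage, some four-flip patterns read as clean) is exhaustive for this code size.

```c
/*
 * Added example: toy SECDED (extended Hamming) code packed in a uint16_t,
 * bit i = codeword position i, position 0 = overall parity. Written for this
 * page; not Qubes code and not a real DDR4 (72,64) ECC, but the failure mode
 * is identical: >2 flips in one word are miscorrected or missed entirely.
 */
#include <stdint.h>
#include <stdio.h>

#define CODE_LEN 12   /* Hamming positions 1..12; parity bits sit at 1, 2, 4, 8 */

typedef enum { ECC_OK = 0, ECC_CORRECTED = 1, ECC_UNCORRECTABLE = 2 } ecc_status;

/* Data bit k lives at codeword position DATA_POS[k] (the non-power-of-two positions). */
static const int DATA_POS[8] = { 3, 5, 6, 7, 9, 10, 11, 12 };

uint16_t secded_encode(uint8_t data)
{
    uint16_t cw = 0;
    for (int k = 0; k < 8; k++)
        if ((data >> k) & 1) cw |= (uint16_t)(1u << DATA_POS[k]);
    /* Hamming parity bit p covers every position whose index has bit p set. */
    for (int p = 1; p <= 8; p <<= 1) {
        int par = 0;
        for (int i = p + 1; i <= CODE_LEN; i++)
            if ((i & p) && ((cw >> i) & 1)) par ^= 1;
        if (par) cw |= (uint16_t)(1u << p);
    }
    /* Overall parity bit (position 0) makes the whole 13-bit word even. */
    if (__builtin_parity(cw)) cw |= 1;
    return cw;
}

ecc_status secded_decode(uint16_t cw, uint8_t *data_out)
{
    int syndrome = 0;                     /* XOR of the indices of all set positions */
    for (int i = 1; i <= CODE_LEN; i++)
        if ((cw >> i) & 1) syndrome ^= i;
    int odd = __builtin_parity(cw);       /* 1 => an odd number of bits were flipped */
    ecc_status st;
    if (syndrome == 0 && !odd)    st = ECC_OK;
    else if (!odd)                st = ECC_UNCORRECTABLE;   /* 2 (or 4, 6, ...) flips: detect only */
    else if (syndrome > CODE_LEN) st = ECC_UNCORRECTABLE;   /* syndrome names no position: >= 3 flips */
    else { cw ^= (uint16_t)(1u << syndrome); st = ECC_CORRECTED; } /* syndrome 0: blame bit 0 */
    uint8_t d = 0;
    for (int k = 0; k < 8; k++)
        if ((cw >> DATA_POS[k]) & 1) d |= (uint8_t)(1u << k);
    *data_out = d;
    return st;
}

/* Encode, apply simulated disturbance flips (bit i of flip_mask = position i), decode. */
ecc_status secded_simulate(uint8_t data, uint16_t flip_mask, uint8_t *out)
{
    return secded_decode(secded_encode(data) ^ flip_mask, out);
}

/* Packed form for scripting and tests: (status << 8) | decoded byte. */
int secded_run(uint8_t data, uint16_t flip_mask)
{
    uint8_t d = 0;
    ecc_status s = secded_simulate(data, flip_mask, &d);
    return ((int)s << 8) | d;
}

/* How many of the C(13,k) k-flip patterns end in `outcome`? The code is linear, so data is irrelevant. */
int secded_survey(int k, ecc_status outcome)
{
    int n = 0;
    for (unsigned m = 0; m < (1u << (CODE_LEN + 1)); m++)
        if (__builtin_popcount(m) == k && (secded_run(0, (uint16_t)m) >> 8) == (int)outcome) n++;
    return n;
}

int main(void)
{
    static const char *name[] = { "ok", "corrected", "UNCORRECTABLE" };
    struct { const char *what; uint16_t mask; } cases[] = {
        { "no flips",          0 },
        { "1 flip (5)",        1u << 5 },
        { "2 flips (5,6)",     (1u << 5) | (1u << 6) },
        { "3 flips (3,5,6)",   (1u << 3) | (1u << 5) | (1u << 6) },   /* syndrome 0: blamed on parity bit */
        { "3 flips (3,5,10)",  (1u << 3) | (1u << 5) | (1u << 10) },  /* syndrome 12: a 4th bit gets "fixed" */
        { "4 flips (1,2,4,7)", (1u << 1) | (1u << 2) | (1u << 4) | (1u << 7) }, /* passes as clean */
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        int r = secded_run(0xA5, cases[i].mask);
        printf("%-20s -> %-13s data=0x%02X%s\n", cases[i].what, name[r >> 8], r & 0xFF,
               (r & 0xFF) == 0xA5 ? "" : "  (WRONG)");
    }
    for (int k = 1; k <= 4; k++)
        printf("%d-flip patterns: ok=%d corrected=%d uncorrectable=%d\n", k,
               secded_survey(k, ECC_OK), secded_survey(k, ECC_CORRECTED),
               secded_survey(k, ECC_UNCORRECTABLE));
    return 0;
}
```

The practical reading: an ECC DIMM turns a two-bit disturbance into a logged uncorrectable error (which on most platforms means a machine-check and a crash rather than silent corruption), but a three-bit flip inside one word is "corrected" to a fourth wrong value with no error reported at all, and certain four-bit patterns are indistinguishable from a clean word. ECC raises the bar for an attacker; it does not remove rowhammer from the threat model.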

grzegorz....@gmail.com

Sep 3, 2016, 8:15:28 AM
to qubes-users, grzegorz....@gmail.com
Back to the drawing board it is then. What other precautions can we take to mitigate this?

Andrew David Wong

Sep 3, 2016, 8:19:52 AM
to grzegorz....@gmail.com, qubes-users

On 2016-09-03 05:15, grzegorz....@gmail.com wrote:
> On Saturday, 3 September 2016 at 14:11:04 UTC+2, Andrew
> David Wong wrote:
>>
>>> Xeon it is then. As for the rowhammering attack, as far as I
>>> know ECC RAM is not vulnerable to that.
>>
>> Unfortunately, that's not true:
>>
>> "Tests show that simple ECC solutions, providing single-error
>> correction and double-error detection (SECDED) capabilities, are
>> not able to correct or detect all observed disturbance errors
>> because some of them include more than two flipped bits per
>> memory word."
>>
>> https://en.wikipedia.org/wiki/Row_hammer#Mitigation
>>
> Back to the drawing board it is then. What other precautions can
> we take to mitigate this?
>

You may want to test memory (by hammering it and checking for bit
flips) or rely on the test results others have reported:

<https://groups.google.com/d/topic/rowhammer-discuss/i1zya99LC1U/discussion>

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
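The "hammer it and check for bit flips" test suggested above, as an added example that is not part of the original post, not Qubes code, and not the tool discussed in the linked rowhammer-discuss thread. It is a minimal single-pass probe in the spirit of the public rowhammer testers: fill a large buffer with a known pattern, repeatedly read two addresses while flushing them from cache so every access reaches DRAM, then scan for words that no longer match. Assumptions: an x86-64 Linux host (the `clflush` instruction; elsewhere the loop only hammers the cache), and no knowledge of physical addresses, so the random address pairs are a probabilistic search that needs many rounds on the actual machine. Finding flips proves the DIMMs are susceptible; finding none proves nothing.

```c
/*
 * Added example: minimal rowhammer probe (fill, hammer random pairs with
 * uncached reads, scan for flips). Written for this page; not Qubes code.
 * Assumes x86-64 Linux. Without physical-address information, row adjacency
 * is luck, so run many rounds; absence of flips is not evidence of immunity.
 */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/mman.h>

#ifndef MAP_POPULATE
#define MAP_POPULATE 0            /* non-Linux: pages fault in lazily instead */
#endif

/* Evict one cache line so the next read goes to DRAM (assumption: x86 target). */
static inline void evict(const volatile void *p)
{
#if defined(__x86_64__) || defined(__i386__)
    __asm__ volatile("clflush (%0)" : : "r"(p) : "memory");
#else
    (void)p;                      /* no clflush: the loop hammers the cache, not the DIMM */
#endif
}

/* Alternate uncached reads of two addresses `iters` times. Returns a checksum
 * of what was read so the compiler cannot drop the accesses. */
uint64_t hammer_pair(volatile uint64_t *a, volatile uint64_t *b, uint64_t iters)
{
    uint64_t sink = 0;
    for (uint64_t i = 0; i < iters; i++) {
        sink += *a;
        sink += *b;
        evict(a);
        evict(b);
    }
    return sink;
}

/* Compare every word with the fill pattern. Returns the total number of flipped
 * bits; *worst_in_word gets the most flips seen in a single 64-bit word
 * (3 or more in one word is what SECDED ECC can neither correct nor reliably detect). */
size_t scan_for_flips(const uint64_t *buf, size_t words, uint64_t pattern, int *worst_in_word)
{
    size_t flips = 0;
    int worst = 0;
    for (size_t i = 0; i < words; i++) {
        uint64_t diff = buf[i] ^ pattern;
        if (diff) {
            int n = __builtin_popcountll(diff);
            flips += (size_t)n;
            if (n > worst) worst = n;
        }
    }
    if (worst_in_word) *worst_in_word = worst;
    return flips;
}

/* Self-check on a constructed buffer: inject 1 + 3 flips, expect 4 total, worst word 3. */
int probe_selftest(void)
{
    uint64_t buf[4] = { ~0ull, ~0ull, ~0ull, ~0ull };
    buf[1] ^= 1ull << 17;         /* one flip */
    buf[3] ^= 0x7ull;             /* three flips in one word */
    int worst = 0;
    size_t flips = scan_for_flips(buf, 4, ~0ull, &worst);
    return flips == 4 && worst == 3;
}

int main(int argc, char **argv)
{
    size_t mib    = argc > 1 ? (size_t)atoi(argv[1]) : 256;   /* buffer size in MiB */
    int    rounds = argc > 2 ? atoi(argv[2]) : 100;           /* random pairs to try */
    const uint64_t iters   = 1000000;                         /* toggles per pair */
    const uint64_t pattern = ~0ull;   /* hammer all-ones (1->0 flips); rerun with 0 for 0->1 */
    size_t bytes = mib << 20, words = bytes / sizeof(uint64_t);

    uint64_t *buf = mmap(NULL, bytes, PROT_READ | PROT_WRITE,
                         MAP_PRIVATE | MAP_ANONYMOUS | MAP_POPULATE, -1, 0);
    if (buf == MAP_FAILED) { perror("mmap"); return 1; }
    for (size_t i = 0; i < words; i++) buf[i] = pattern;

    srand(12345);
    for (int r = 0; r < rounds; r++) {
        /* Two words at least 8 KiB apart: same-page pairs cannot be row neighbours. */
        size_t ia = (size_t)rand() % words, ib;
        do { ib = (size_t)rand() % words; } while ((ia > ib ? ia - ib : ib - ia) < 1024);
        hammer_pair(&buf[ia], &buf[ib], iters);
        int worst = 0;
        size_t flips = scan_for_flips(buf, words, pattern, &worst);
        if (flips) {
            printf("round %d: %zu flipped bit(s); worst word has %d\n", r, flips, worst);
            for (size_t i = 0; i < words; i++) buf[i] = pattern;   /* reset, keep looking */
        }
    }
    puts("done (no flips reported this run; that is not proof of immunity)");
    return 0;
}
```

Run it as `./probe 1024 1000` on an otherwise idle box with as much RAM as you can spare (a bigger buffer means more chance a random pair lands on neighbouring rows), and repeat with the inverse pattern. On a machine where you do have root, mapping the buffer's virtual pages to physical frames via `/proc/self/pagemap` and choosing addresses on either side of a target row (the double-sided variant the public testers implement) finds flips far faster than random pairs.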

grzegorz....@gmail.com

Sep 3, 2016, 9:04:17 AM
to qubes-users, grzegorz....@gmail.com
What about Xeon processors? Any other caveats I should know about before I buy one of these?

Ilpo Järvinen

Sep 3, 2016, 4:10:47 PM
to Andrew David Wong, grzegorz....@gmail.com, qubes-users
On Sat, 3 Sep 2016, Andrew David Wong wrote:

> On 2016-09-03 04:58, grzegorz....@gmail.com wrote:
> > On Saturday, 3 September 2016 at 13:37:27 UTC+2, pixel
> > fairy wrote:
> >> On Saturday, September 3, 2016 at 2:32:54 AM UTC-7,
> >> grzegorz....@gmail.com wrote:
> >>
> >>> Can it take advantage of ECC RAM? Server hardware that is few
> >>> years old can be bought for dirt cheap (Xeon E5-2670 has 8
> >>> cores and costs about 75$).
> >>>
> >>> I'll be upgrading from my current PC and I'm seriously
> >>> considering building a rig around a Xeon processor and a
> >>> motherboard with ECC RAM but if there is no real benefit then
> >>> what's the point?
> >>
> >> apparently price is the advantage, but think of your ears!
> >> server hardware is loud.
> >>
> >> If you're willing to spend more on good hardware, go for a good
> >> SSD and good DDR4 RAM (G.Skill or Geil) in case bit-flipping
> >> attacks start showing up.
> >>
> >> http://news.softpedia.com/news/rowhammer-attack-now-works-on-ddr4-memory-501898.shtml
> >
> > Xeon it is then. As for the rowhammering attack, as far as I know
> > ECC RAM is not vulnerable to that.

Sandy Bridge (E5-2670) does not support DDR4. All DDR3 designs probably
predate the rowhammer discovery, so I wouldn't really trust them to properly
mitigate rowhammer attacks, as it was not a factor when the chips were
designed. Obviously, reworking old products is even less likely to happen,
due to cost and because they are soon-to-be-obsolete products.

When considering rowhammer, TRR (targeted row refresh) is actually a much more
important feature than ECC, and Xeons at least should support TRR
(probably since Ivy Bridge, although that bit of information is based
on sources I wouldn't fully trust, i.e., some random vendor marketing
material, IIRC). AFAIK, there is no publicly available official
confirmation from Intel that Xeons really do support TRR; however, there
are some errata entries indicating that TRR with LRDIMMs won't work,
which suggests that it likely works with RDIMMs at least. Thus, it
seems to be mainly a problem of finding an RDIMM that actually implements
TRR properly, and likely also a motherboard that enables the CPU's TRR
functionality.

AFAIK, there is no information whether non-E5/E7 CPUs would support
TRR or not.

> Unfortunately, that's not true:
>
> "Tests show that simple ECC solutions, providing single-error
> correction and double-error detection (SECDED) capabilities, are not
> able to correct or detect all observed disturbance errors because some
> of them include more than two flipped bits per memory word."
>
> https://en.wikipedia.org/wiki/Row_hammer#Mitigation

While I don't doubt a second that there are vulnerable ECC memories
too (especially DDR3 ones), I noticed one interesting oddity in the
recent DRAMA attack paper:

The paper first mentions that their dual E5-2630 v3 system is fitted
with Samsung DDR4 ECC RDIMMs when they did the address-bit reverse
engineering part. However, later in the paper, when they actually
exploited rowhammer bugs, the dual E5-2630 v3 system is, for some
reason, reconfigured to use Crucial DDR4s. Could it perhaps indicate
that they (while not reporting it) didn't succeed in rowhammer
against the Samsung ones, so they tried other ones just to prove
a point? It would make things very interesting if that were
true.

In the last spring rowhammer paper, Micron-based DIMMs seemed
to be particularly bad (close to an order of magnitude worse than the other
brands mostly, IIRC), so the ability to trigger rowhammer issues
with Micron-based DDR4 ECCs in particular doesn't surprise me that
much. I know that Micron memory chip specs indicate that they
have some non-TRR-based solution built in, but that doesn't
seem to help (or work).

Other vendors information I've come across:
* Samsung: DDR4 specs mention TRR support and have timing diagrams on
how that is performed. One presentation with a high-ranking Samsung
person as the author claims that rowhammer is mitigated in their
DDR4s (or it might have mentioned TRR directly; I don't remember
the wording anymore).
* IIRC, both Hynix and Intel have a patent related to rowhammer, but
that won't prove anything about real products.

> > It's a shame that the more powerful Xeon CPUs don't come with a
> > built-in GPU; I'll have to make do with a current one. An added
> > benefit here is that pretty much all Xeons support the technologies
> > necessary for Qubes 4.0 compliance. I wonder why they aren't more
> > popular among desktop users.

Indeed. Given how much effort Intel has put into GPU virtualization,
it's a real shame that there aren't any CPUs with more than 4 cores and an iGPU
in the first place, and as far as the leaks about upcoming ones can be
trusted, there won't be any in the near future either (but take this
with a grain of salt, obviously). It would be quite an interesting product,
especially as Intel seems to be putting really significant effort into getting
iGVT to work in Xen, and Intel GPU virtualization support might
eventually make its way into Qubes too.


--
i.

pixel fairy

Sep 3, 2016, 7:42:05 PM
to qubes-users, a...@qubes-os.org, grzegorz....@gmail.com, ilpo.j...@helsinki.fi
does qubes do any rowhammer mitigation?