Qubes 4.0 without IOMMU/VT-d/AMD-Vi or Interrupt Remapping
Utility Panel
IOMMU/VT-d/AMD-Vi
Interrupt Remapping
The installation went fine. I simply continued installing after the error message appeared just after the installation ISO completed its hardware check.
After installation, I was able to boot up to the desktop without any errors. I didn't do much additional testing because I thought that there might be a way to configure the BIOS on my machine to support the missing features; but alas, there is no such way.
Consequently, if I ever want to run 4.0, I am left with the following two choices:
A) Install 4.0 on this machine and live without the missing features.
B) Get a new computer that supports the missing features.
I prefer option A. Can anyone tell me what I might expect without IOMMU/VT-d/AMD-Vi and Interrupt Remapping?
I've heard that PCI passthrough won't work, but I could live without it.
What other problems might I encounter? Will 4.0 work without those features, or must I get a new machine to run 4.0?
Rusty Bird
Hash: SHA512
Utility Panel:
> Interrupt Remapping?
Rusty
-----BEGIN PGP SIGNATURE-----
iQJ8BAEBCgBmBQJaeMi+XxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ4NEI1OUJDRkM2MkIxMjlGRTFCMDZEMDQ0
NjlENzhGNDdBQUYyQURGAAoJEEadePR6ryrfeb4P/R7K8LDbdSkKYs+B1uLbNTyz
2YwohgIu89FSCM/wq8yamJ9OnQFLRlhM7yGhcjsqMaPiBCS0BOdlR463kTn6tWHy
893xxeor7h96XymKsrFr/7OP61zDsnO/4wp7LE7bynDxBgRc1RjR3KjZ48a1HOz5
TxWDliJlxHq+5Bk9XwOCDO1eTFUyfuZ5opWGqL3+4c9ZV52nk4aEYkizHxFFiWA5
WZlZN/O6HHepNkqtH+nNYV8BjRsueBzI8WaqO/R3adfppufrCaQHIndqeQYl06JL
KPZ87ANXHLoojNG4vomxRrAnSVB9Ho0yj4EWTU7UMzX/0UCfJrZp7wssIGDGjKbm
una0PQbOJckOcwGQoq9YClVgSQPCFADgnuj9fn9nwmJKLJZvL+dczGjPDw15vXDQ
NzjVLcwo+755tLC+zJ6bXoPS4O4yDEAcmj+EolnGGxHidOSXZoRBvWQT0OH4/0ku
wLSnEIZDg4PEmcsgwfxwtF90inlA/n2tJwQkL839nWAJvTnrza3rBAwn7hCIAwjq
qpLewtLTH87/d0GErjtRTmMLOw4vCmlh/bsDGLKtdrT2R0hD6jhem5wt+dSvrjaV
jWXfB64Jz/0IuWjoEOez2yW8z4ALfv4856dvAXXBjaXS6IBK7cf2Rr8Reu76MmOs
zkUB451uJxd4oUQntu2P
=/p4t
-----END PGP SIGNATURE-----
Utility Panel
Oh, darn. Worst case scenario.
Anyone interested in a pair of lightly used HP Z800 server work stations? Great machines. Cannot run Qubes 4.0 correctly.
-sigh-
Thanks for the link, Rusty.
awokd
> On Monday, February 5, 2018 at 4:12:50 PM UTC-5, Rusty Bird wrote:
>>> Can anyone tell me what I might expect without IOMMU/VT-d/AMD-Vi and
>>> Interrupt Remapping?
>
>
> Great machines. Cannot run Qubes 4.0 correctly.
If the latter, you might check to see if you can Coreboot it. Sometimes
that can fix these issues too.
Utility Panel
Ah. I hadn't considered the Coreboot option. My understanding is that the chipset is at fault.
The only documentation I've found was forwarded to me from another user on this list. It explains a solution that Zen recommended for this particular hardware problem; but as far as I can tell, the best-available fix is still not capable of resolving the issue sufficiently for Qubes 4.0:
awokd
> Ah. I hadn't considered the Coreboot option. My understanding is that the
> chipset is at fault.
>
> The only documentation I've found was forwarded to me from another user
> on this list. It explains a solution that Zen recommended for this
> particular hardware problem; but as far as I can tell, the best-available
> fix is still not capable of resolving the issue sufficiently for Qubes
> 4.0:
>
>
> https://support.citrix.com/article/CTX136517
workaround of Intel for the errata is to disable the Interrupt remapping
feature itself". Good work, Intel! Don't think Coreboot would help there.
brenda...@gmail.com
> On Monday, February 5, 2018 at 4:33:57 PM UTC-5, awokd wrote:
> > On Mon, February 5, 2018 9:20 pm, Utility Panel wrote:
> > > Anyone interested in a pair of lightly used HP Z800 server work stations?
> > > Great machines. Cannot run Qubes 4.0 correctly.
> >
> > Is the CPU in those not capable of it, or is it a manufacturer BIOS issue?
> > If the latter, you might check to see if you can Coreboot it. Sometimes
> > that can fix these issues too.
>
> Ah. I hadn't considered the Coreboot option. My understanding is that the
> chipset is at fault.
Recommendation, if you'd like, for a budget/beater VT-d:
I've picked up a couple of Lenovo Thinkpad W520 laptops off of Ebay recently. They were top of the line in 2011 (if you limited your choices to mobile CPUs only). They can be found around the $200-$300 mark (depending on luck, configuration and accessories).
Additional things to look out for:
Some units are dual core, but I'd look for the quad core ones: they have an i7-xxxxQM or XM processor which, unlike the duals, are built with with four working RAM slots giving a max of 32GB DDR3. Those without i7-xxxxQM or XM CPUs only have four slots but only two are working slots. 16GB can be a bit tight, esp. if you run any Win HVMs.
Machine also supports up to four native SATA devices, two 6Gbps (internal HD, hotswap ultrabay HD with optional carrier), two 3Gbps (mSATA and hotswap external eSATA with optional cable).
Always update the BIOS, most used w520 units come with the original 2011 BIOS but there is a 2015 or 2016 revision available that fixes some security issues (and may stop some linux kernel configs from having problems with the machine setup).
Lastly: set BIOS to integrated graphics (not NVidia nor Optimus, just Integrated). Occasionally the Nvidia GPUs go bad but if it isn't enabled in BIOS, it won't prevent you from posting. I learned the hard way with the W520 I bought back in 2011...they won't post into BIOS if you enable a bad Nvidia GPU and now you have a brick.
Brendan
PS - The W520 also is the last W5xx to support a nice Thinkpad keyboard. :)
Tai...@gmx.com
> PS - The W520 also is the last W5xx to support a nice Thinkpad keyboard. :)
>
with coreboot you can also buy and install a quad core ivy bridge CPU.
The G505S however is more secure due to not having ME/PSP, but the build
quality isn't as good and there is no dock/2nd battery option.
Utility Panel
Thank you for the confirmation, @awokd!
Thanks also to @Brendan & @Taiidan for the laptop recommendations as well. I've known about the G505S for a while now, but the W520 is a new option for me to consider.
Meanwhile, the machines I'm currently replacing are both server workstations with 96 gigs of EEC RAM. I'm looking to upgrade to something comparable, and I'm pretty certain at this point that I'll start building with either the KCMA-D8 or KGPE-D16. I've got one year after the release of 4.0 to make the transition, so I've got time to collect all the bits before 3.2 reaches end-of-life.
It's just too bad that the Z800 turns out to have a manufacturing defect. I bought them last year because they meet the minimum requirements for Qubes 4.0; or, they would have if they hadn't been borked at the chip factory.
Tim W
My 440p has been great running qubes and fully supports 4.0 as well. 16g ram has been plenty for a laptop (not workstation replacement).
For a workstation I would rather build one so I could have as close to an ideal config as possible but certainly not cheap $ option.
Tai...@gmx.com
It is a shame that qubes doesn't support POWER.
Due to the ceasing of manufacturing of the KGPE-D16 and D8 boards the
OpenPOWER9 TALOS 2 is soon the only reasonable brand new option for a
performance board with libre firmware/hardware.
It is of course possible to make a virtualization setup on POWER with
different security zones but it wouldn't be as slick as qubes and you
would lack xen's security features like stubdoms although arguably it
would still be more secure than a modern intel/amd system that has
ME/PSP and a litany of other anti-features and security holes.
Info:
* In terms of speed even the base 4 core CPU is faster than a fully
loaded dual 6386SE KGPE-D16 system, and much faster than an intel/amd
system one would buy for the $2.5K price of the TALOS 2 board/4 core cpu
combo.
* OpenPOWER sforza has SMT4 with 4 threads per core so even the base 4
core CPU is very fast, the system maxes out at 96 threads with dual 24
core CPU's.
* It has a nice open source secure IBM OpenBMC firmware for remote
management, PCI-e 4.0 with CAPI, POWER IOMMU and POWER-KVM (virtualization)
* There is absolutely no hardware code signing enforcement, you can even
load your own microcode (and if you are an EE/CS masters, learn how to
make modifications via the IBM provided documentation!)
* When they first were released a brand new KGPE-D16 and a 6386SE would
cost more than the TALOS 2 board/cpu, so it is a reasonable price (it
came down a lot from the previous POWER generation)
* IBM immediately released complete spectre fixes.
awokd
> Forgot to add:
>
>
> It is a shame that qubes doesn't support POWER.
What would need to happen for Qubes to run on POWER? Does Xen support it?
Zbigniew Łukasiak
<utility....@gmail.com> wrote:
> Meanwhile, the machines I'm currently replacing are both server workstations with 96 gigs of EEC RAM. I'm looking to upgrade to something comparable, and I'm pretty certain at this point that I'll start building with either the KCMA-D8 or KGPE-D16. I've got one year after the release of 4.0 to make the transition, so I've got time to collect all the bits before 3.2 reaches end-of-life.
>
high-end workstation and I was considering HP Z8 - thanks for the
warning!
So maybe Dell T7820? The plus is that you can request them with Linux
- so at least some of the compatibility problems go away.
I am not so eager to build something - as you can get into the same
compatibility issues with any part be it mother board, video etc. -
and then the issue just gets more complex (and also the recommended
KGPE-D16 looks old).
--
Zbigniew Lukasiak
https://medium.com/@zby
http://brudnopis.blogspot.com/
Utility Panel
Now, it actually seems easier to find data sheets on individual components (motherboards, CPUs, GPUs, and the like) than on the total builds offered by Dell, HP, Lenovo, and the like. The problem with the large assemblers is that their supply chains vary enough from run to run that the fine details about individual components are often not readily available, at least not on the used market. Sellers typically don't know how (or don't want) to give me the identifying information on their machines before purchasing, so all I could do is cross my fingers and roll the dice, which I'd rather avoid as much as possible from now on. But all of this may only apply to the used market. I can't speak to buying new, as I've only done it once or twice, decades ago.
Meanwhile, my interest in hardware has been rekindled, now that I better understand some of the privacy and security implications, and I've been inspired by the open-source hardware community to learn more by doing.
So, I've decided to build with the KGPE-D16. Thus far, I've got the motherboard and two 6386SE CPUs with air coolers. I buy the other components when the pricing is favorable.
Later, when I've got the machine built, I'll figure out how to flash the BIOS. I know it isn't difficult, and I think I've got some good instructions bookmarked. I just haven't done that before, so it will be a learning experience.
Like you, I am a tad concerned about how old the KGPE-D16 is, but it and the 6386SE are both a bit spiffier than the kit in my Z800s, and I was planning on riding them into obsolescence. So, my "new" build should have a bit more life in it than the Z800s, it will support Qubes 4.0, and I will gain the privacy and security benefits from using coreboot.
Zbigniew Łukasiak
<utility....@gmail.com> wrote:
...
>
> Later, when I've got the machine built, I'll figure out how to flash the BIOS. I know it isn't difficult, and I think I've got some good instructions bookmarked. I just haven't done that before, so it will be a learning experience.
>
> Like you, I am a tad concerned about how old the KGPE-D16 is, but it and the 6386SE are both a bit spiffier than the kit in my Z800s, and I was planning on riding them into obsolescence. So, my "new" build should have a bit more life in it than the Z800s, it will support Qubes 4.0, and I will gain the privacy and security benefits from using coreboot.
coreboot: https://www.coreboot.org/Board:asus/kgpe-d16#CPUs_recommended_by_users
I was also thinking about using a PCIe drive - but it looks like that
would not work on KGPE-D16 (or maybe require another adapter +
complications).
Z.
Tai...@gmx.com
> On Tue, Feb 6, 2018 at 2:01 PM, Utility Panel
> <utility....@gmail.com> wrote:
>
>> Meanwhile, the machines I'm currently replacing are both server workstations with 96 gigs of EEC RAM. I'm looking to upgrade to something comparable, and I'm pretty certain at this point that I'll start building with either the KCMA-D8 or KGPE-D16. I've got one year after the release of 4.0 to make the transition, so I've got time to collect all the bits before 3.2 reaches end-of-life.
>>
> Did you consider Dell workstations? I am also looking for some
> high-end workstation and I was considering HP Z8 - thanks for the
> warning!
both the board and the BMC, they are owner controlled as there is no
hardware code signing enforcement or ME/PSP and thus are a much better
choice for security.
Another excellent choice is the OpenPOWER9 libre firmware/hardware TALOS
2, while xen doesn't support POWER so you wouldn't be able to use qubes
it is a significantly faster and more secure choice than x86_64 even vs
the non ME/PSP stuff like the D8/D16.
It supports IOMMU-GFX so you can attach a video card to a VM, installing
some video cards and having a secure KVM switch would result in a high
level of security.
> - so at least some of the compatibility problems go away.
or drivers which will stop working once they are out of support.
> compatibility issues with any part be it mother board, video etc.
4.0 features (obviously besides intel's dynamic measured launch features
but that is a gimmick, you receive better security by signing your
kernels/initramfs and using a grub that supports the signing as your
coreboot/libreboot payload while disabling internal firmware flash)
I recommend an AMD video card as nvidia adds bugs to their drivers and
does many other things to make virtualization and linux more difficult.
> KGPE-D16 looks old).
new video games at max settings with a decent video card (it and the D8
also supports Crossfire XDMA for dual graphics) I recommend either the
6328 (equiv FX-8320) or the 6386SE (equiv dual FX-8300) or with the
KCMA-D8 the 4386
For the KGPE-D16 if you are on a budget the 6282SE is a decent 16 core
deal for around $100 on fleabay.
Newer x86-64 stuff is not and will never will be owner controlled and it
has either Intel ME or AMD PSP which is why for real security either you
need to get POWER (such as the libre firmware/hardware TALOS 2) or
settle for older x86-64 stuff.
A KGPE-D16 with dual 16 core opterons and 128GB RAM will be just as fast
as an equivalently priced brand new non-free dell.
MSRP:
KGPE-D16 $415
KCMA-D8 $315
Used opterons:
(buying a new cpu is pointless)
6386 - $200
6328 - $100
4386 - $80
I highly recommend obtaining a KGPE-D16 while you still can as they no
longer make them and supplies will soon run out, they are the last and
best owner controlled x86-64 devices if you still need to run x86-64
applications (otherwise a TALOS 2 is a much faster and better choice
with a higher freedom level)
https://www.coreboot.org/board_freedom_index
6282SE - $100 (not as fast, but affordable 16 cores)
Tai...@gmx.com
https://www.coreboot.org/Board_freedom_levels
Utility Panel
> coreboot: https://www.coreboot.org/Board:asus/kgpe-d16#CPUs_recommended_by_users
I saw that, but the same page mentions Taiidan's solution for providing the needed microcode updates. Luckily, Taiidan seems to like Qubes, so he's an easy guy to find. :)
Tai...@gmx.com
>> Apparently there are some problems with the 63xx series Opterons and
>> coreboot: https://www.coreboot.org/Board:asus/kgpe-d16#CPUs_recommended_by_users
> I saw that, but the same page mentions Taiidan's solution for providing the needed microcode updates. Luckily, Taiidan seems to like Qubes, so he's an easy guy to find. :)
>
games smoothly in a VM at max settings and not playing games smoothly in
a VM at max settings, get one.
I added a philosophical section at the bottom about microcode updates.
You gotta get a KGPE-D16 and one or two G34 CPU while you still can as
they have stopped making them.
Also when I get a better job and have money to spend I am going to get
and use for my primary computer a TALOS 2 even though it doesn't support
qubes as it is much faster and has a higher level of firmware/hardware
security.
As always people can bug me for libre hardware/firmware help off list if
they want, but then it isn't on the record and can't help others :D so I
recommend posting on a list either here or the coreboot list.