Qubes HCL Diagnostic


Don Hemminger

Feb 27, 2018, 9:08:53 AM
to qubes...@googlegroups.com
Would it be possible to create a simple diagnostic that could be run on a PC to summarize the Qubes Hardware Compatibility of that machine? It could quickly diagnose and report on the compatibility level of each major requirement (e.g. HVM, IOMMU, TPM 1.2 or 2.0), and indicate possible issues or conflicts. It would take a lot of the guesswork out of the HCL process. I'd love to run it on my new Dell Optiplex 3050.

awokd

Feb 27, 2018, 9:19:11 AM
to Don Hemminger, qubes...@googlegroups.com
qubes-hcl-report. Or are you suggesting something that could be run
outside of Qubes?


Yuraeitha

Feb 27, 2018, 9:30:45 AM
to qubes-users

Hmm, maybe something that could be run in Windows or other Linux OSes that most people have running before going Qubes? I wonder, it might not have to be Qubes specific, right? As long as it looks for those VM related hardware support features.

The question then would be, what programs are available that can do this? I can't think of any off the top of my head atm at least.

Don Hemminger

Feb 27, 2018, 9:40:53 AM
to aw...@danwin1210.me, qubes...@googlegroups.com
The boot up report is very helpful, but if it could be run outside of Qubes, it would be quicker, and could provide comprehensive specific details (e.g. TPM 1.2 or 2.0) on specific platforms.  I'm not sure how feasible that would be.  It's just a suggestion.

Yuraeitha

Feb 27, 2018, 9:49:27 AM
to qubes-users
Definitely, but I don't think it's something they'd work on right now. They have limited resources and a lot planned to do atm. It could be something for the future perhaps? If it's not on the issue tracker on Github already, then you could add it there so that it maybe one day gets picked up and solved.

But I don't think the HCL report is much different from other tools, this report won't tell you if you will run into UEFI issues and bugs, poor kernel drivers for your hardware, or other hiccups that can happen. Even the Qubes HCL report can't tell you so much about that.

So if your goal is just to verify the different features, you can get far on Windows/Mac/Linux by running other diagnostic tools to tell what kind of virtualisation your hardware supports. This can also be found in the specs, though, if people are unsure, having a program that can run in Windows/Mac/Linux is definitely a good idea, I agree. Even more so if drivers can be tested, but that'd require much more work I imagine.

UEFI/BIOS issues are more of a poor motherboard lottery risk, I'm not sure if this can be tested from another system.

But if you have the essential features, which is easy to find with other tools and hardware specs, then at least you got one major hurdle out of the way, with remaining potential issues in bad drivers and firmware support.

Yuraeitha

Feb 27, 2018, 9:57:46 AM
to qubes-users
On Tuesday, February 27, 2018 at 3:40:53 PM UTC+1, Don Hemminger wrote:
So for example if you look up the laptop's compatibility with other Linux systems, or you know from experience that it runs other Linux distributions well, then you know the kernel will likely run somewhat fine on Qubes.

If you use other diagnostic tools or look up the hardware specs, then you can narrow down which features your system supports. Though if using diagnostic tools, it must first be enabled in UEFI/BIOS too, even the HCL report requires this though, so it's all the same there anyway.

Poor UEFI/BIOS you can do research on too, for example do other people have issues with that particular motherboard? Especially with these virtualisation features and/or Linux in general?

It isn't all easy to do, but you can get a lot more information this way. The HCL report is actually quite limited in contrast to what you can quickly gather with research on a search engine. You would need something akin to an A.I. if you want it to be able to outsmart a person researching, the modern programs can't do it that well.

Unman

Feb 27, 2018, 10:25:01 AM
to Don Hemminger, aw...@danwin1210.me, qubes...@googlegroups.com
For 3.2 I have a Qubes Live that can be run from DVD/USB and generate HCL from
that.
http://www.qubes-3isec.org

A major issue is that programs like HCL will report on the current capabilities,
not necessarily what the machine is capable of. For that you really need
to look in BIOS (to see what can be enabled) and check the documentation
for your mb/processor combo.
To work efficiently, a program as you envisage it would need to hold a
database of board/processors to provide accurate report, I think.

unman

awokd

Feb 27, 2018, 10:45:26 AM
to Unman, Don Hemminger, aw...@danwin1210.me, qubes...@googlegroups.com
On Tue, February 27, 2018 3:24 pm, Unman wrote:

> To work efficiently, a program as
> you envisage it would need to hold a database of board/processors to
> provide accurate report, I think.

That's true but it would be next to impossible to keep that database up to
date with errata about broken chipsets/processor opcodes, various EFI
firmware revisions (some functional, some not) etc. etc. etc.

Seems best to report on currently enabled processor & IOMMU capabilities-
which your live image approach allows!
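
The checks named in this thread (HVM, IOMMU, TPM 1.2 or 2.0), written as a shell script for an ordinary Linux system; this is an added example, not part of the thread and not Qubes or qubes-hcl-report code. The function names and the optional root argument are assumptions, and the script only reports what the running kernel currently exposes.

```shell
#!/bin/sh
# Added example, not Qubes code. Reports what the running Linux kernel
# currently exposes; "no" can also mean "disabled in firmware" or "not
# activated by this kernel", so it is a pre-check, not a verdict.
# The optional root argument (hypothetical) lets the checks read a copied
# or constructed /proc and /sys tree instead of the live one.

check_hvm() {
    cpuinfo="${1%/}/proc/cpuinfo"
    [ -r "$cpuinfo" ] || { echo "unknown"; return 0; }
    # Pad with spaces so "vmx" cannot match inside a longer flag name.
    flags=" $(sed -n 's/^flags[[:space:]]*:[[:space:]]*//p' "$cpuinfo" | head -n 1) "
    case "$flags" in
        *" vmx "*) echo "yes (Intel VT-x)" ;;
        *" svm "*) echo "yes (AMD-V)" ;;
        *)         echo "no" ;;
    esac
}

check_iommu() {
    gdir="${1%/}/sys/kernel/iommu_groups"
    # The kernel populates this directory with numbered groups only when
    # an IOMMU is actually in use.
    if [ -d "$gdir" ] && [ -n "$(ls -A "$gdir" 2>/dev/null)" ]; then
        echo "yes"
    else
        echo "no"
    fi
}

check_tpm() {
    dev="${1%/}/sys/class/tpm/tpm0"
    [ -e "$dev" ] || { echo "none"; return 0; }
    # tpm_version_major is only exposed by newer kernels.
    if [ -r "$dev/tpm_version_major" ]; then
        case "$(cat "$dev/tpm_version_major")" in
            1) echo "1.2" ;;
            2) echo "2.0" ;;
            *) echo "present (version unknown)" ;;
        esac
    else
        echo "present (version unknown)"
    fi
}

hcl_precheck() {
    root="${1:-/}"
    printf 'HVM:   %s\nIOMMU: %s\nTPM:   %s\n' \
        "$(check_hvm "$root")" "$(check_iommu "$root")" "$(check_tpm "$root")"
}

hcl_precheck "${1:-/}"
```

On many distributions the IOMMU line stays "no" until the kernel is booted with the IOMMU turned on, which is the "current capabilities" limitation raised above.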


Yuraeitha

Feb 27, 2018, 11:18:21 AM
to qubes-users

It could be interesting if a small simple A.I. was made to look into the HCL thread though, maybe it won't need to be so sophisticated to pull off a feat like that. I.e. run down the list online when HCL report is being processed. Maybe this won't even need to be an A.I. but an automated search engine that quotes from the HCL report list if one is available? It won't be perfect, but it'd be an improvement for people that don't check the HCL list themselves. But it's kind of a luxury problem right now though.

Don Hemminger

Feb 27, 2018, 11:31:21 AM
to qubes-users
Thanks for all the comments and suggestions. I just thought it might be something to consider if someone could re-purpose some of the code from Qubes for a diagnostic that could help individuals (like myself) to quickly determine and document (in the HCL) systems that are or are not compatible.

Steve Coleman

Feb 27, 2018, 6:59:34 PM
to Unman, qubes...@googlegroups.com
On 02/27/18 10:24, Unman wrote:

>
> For 3.2 I have a Qubes Live that can be run from DVD/USB and generate HCL from
> that.
> http://www.qubes-3isec.org

Is that perhaps:

http://qubes.3isec.org/Live/
http://qubes.3isec.org/Live/Qubes.iso
http://qubes.3isec.org/Live/QubesTor.iso

With a '.' rather than a '-' in the name? I'm just mentioning the
correction in case others may try to find it. I know it took a lot of
work to make that ISO so it's a good resource.

It's a shame the 4.x was not cooperating. Was it a matter of time or a
specific technical issue? In any case thanks for working on it as long
as you did. One day I hope to figure out how to make one, with specific
options compiled in.

Unman

Feb 27, 2018, 7:54:06 PM
to Steve Coleman, qubes...@googlegroups.com
Yes, it is Steve.
Thanks.

I actually do have a bare rc4 iso, which needs some more testing before I
post it. But it isn't a priority for me right now.

cheers

unman