Qubes 4.0, CPU Ryzen 5 2400G, MB ASRock B450 Pro4, GPU Radeon R7 370, 32 GB RAM
I can update templates and install appvms without issues. Everything works.
My question is now: On the boot screen I get some error messages (see following screen). Possibly there is a lack of safety I cannot estimate. Everything works, but under the surface I do not know if it is as safe as it should be. Are there some basic tests which should be made? Or is it enough when the system works?
How about giving us keywords to help us search this and have it at the first search result?
As for stefanne's inquiry, here are my thoughts:
It's usually normal to see error messages on start of a Linux system because consumer motherboard production processes still have no proper arrangement to fully support Linux operating systems, much to our dismay.
To check the level of your safety, I recommend you produce one of these and see the results:
https://www.qubes-os.org/doc/hcl/#generating-and-submitting-new-reports
If it's a yes on HVM, IOMMU, and SLAT, then that means your hardware works very well on Qubes. To further increase security, I recommend you turn off SMT (Simultaneous Multi-Threading), as recently there has been a high surge of vulnerabilities involving multi-threading/hyperthreading that will probably haunt us for years to come.
Additionally, if you have an entry of IOMMU=no, go search around your BIOS setup for an option like AMD-Vi or IOMMU and set that to enabled. Produce another report to check and see if the entry changes to IOMMU=yes.
IOMMU is essential because it protects you from a lot of complex attacks like Direct Memory Access (DMA) attacks.
Lastly, check for updates every day and never neglect them for maximum security!
After all this, you may want to configure a VPN.
As for the Platform Security Processor, well it's an option for people whether or not they would go with it.
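The check described in the post above, as an added example that is not part of the original thread: a shell script that reads an HCL report file and fails if hvm, iommu or slat is not 'yes'. The function names and the two-line key/value layout are assumptions; the one-line form is the one quoted in the reply in this thread.

```shell
#!/bin/sh
# Added example: audit the security-relevant fields of a Qubes HCL report.
# Assumption: a field is either "key:'value'" on one line (as quoted in this
# thread) or "key:" followed by the value on the next, indented line.

# hcl_field FILE KEY -> prints the value of KEY with quotes/whitespace removed
hcl_field() {
    awk -v key="$2" '
        want { print; exit }                     # value line after a bare key
        index($0, key ":") == 1 {
            v = substr($0, length(key) + 2)
            if (v ~ /[^ \t\r]/) { print v; exit } # value on the same line
            want = 1
        }
    ' "$1" | tr -d "'\" \t\r"
}

# hcl_audit FILE -> one status line per field; returns 1 if any of the
# fields named in the post (hvm, iommu, slat) is not "yes"
hcl_audit() {
    rc=0
    for f in hvm iommu slat; do
        v=$(hcl_field "$1" "$f")
        if [ "$v" = "yes" ]; then
            echo "OK    $f=$v"
        else
            echo "FAIL  $f=${v:-missing}"
            rc=1
        fi
    done
    # tpm and remap are printed for information only
    for f in tpm remap; do
        echo "INFO  $f=$(hcl_field "$1" "$f")"
    done
    return $rc
}

# Constructed sample report (not from the thread): IOMMU disabled in firmware
sample=$(mktemp)
printf "hvm:'yes'\niommu:'no'\nslat:'yes'\ntpm:'unknown'\nremap:'yes'\n" > "$sample"
hcl_audit "$sample" || echo "Enable AMD-Vi/IOMMU in BIOS setup, then generate a new report"
rm -f "$sample"
```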
@ Sphere
result
hvm:'yes'
iommu:'yes'
slat:'yes'
tpm:'unknown'
remap:'yes'
It seems everything works fine. Thank you very much for the link. I will report the results to the qubes-users email list.
@ Tseng Wynn
After updating kernel-latest it didn't boot correctly. I tried it already a few weeks ago and had to install Qubes from scratch.
@ Taiidan
Thx. Interesting. Do you have some keywords for the search to get more info?
--
PS: I have an ASRock TPM module (TPM2-S). Would it be a good idea to install it on the mainboard? I am a little cautious as it's running now.
TPM is only used for the Anti-Evil Maid feature. You can read up on it and decide whether your threat model includes such an attack or not. Tip, the deal-breaker decision: you lose sys-usb, USB isolation, if you enable AEM because it has to be attached to dom0. (Well, last I used it with R3.2 that was). My personal threat model is random USB sticks I use in various work a double client computers. So I'd rather have the USB isolation than AEM, IMO. But each person should review their own threat models. That's why we love Qubes.
Tai's valid concern is that AMD has implemented a remote system monitoring and maintenance utility that remote sys admins use to manage the system, same as Intel ME (now called vPro I think that had wider and wireless adoption). Intel's ME can be neutered to still pass TLS validation given the right hardware (or like me, disable the NIC port and change the vPro wireless device from 9265 to a non-vPro 9260). However, there is no such disabling for AMD - mostly because no one has tried. And no, disabling it in your BIOS does not turn it off.
> Nice setup. I have a 2950X under the tree waiting for Qubes for my kiddo.
:-) Next year I will give it a try and update my CPU and BIOS with the AMD Ryzen 3000 series and many more cores.
I checked KGPE-D16 KCMA-D8 g505s coreboot and it seems good so long as you have enough budget. Say I would make a KVM server or ESXi server out of this for the purpose of gaming VMs running AAA games, which CPU and RAM models would you suggest?