VT-d support in hcl report


te...@outoftheblue.pl
Nov 17, 2016, 2:05:10 PM
to qubes...@googlegroups.com
Hi everyone,

I was about to add my hcl report to the wiki when I noticed that for some
reason it reports IOMMU as enabled, while to my best knowledge it should
not be supported on my system. As googling didn't help me understand
what's going on, I hope someone here can shed some light on this.

I have an Intel i5-2540M (Sandy Bridge, with VT-d):
http://ark.intel.com/products/50072/Intel-Core-i5-2540M-Processor-3M-Cache-up-to-3_30-GHz
and an Intel HM65 chipset:
http://ark.intel.com/products/52808/Intel-BD82HM65-PCH
which does not support VT-d.
According to every resource I was able to find, both (and the BIOS) shall
support it in order for VT-d to be enabled, but my hcl report (attached)
states:
IOMMU: "yes",
which is confirmed (somehow) by:
xl info | grep virt_caps
virt_caps: hvm hvm_directio
as well as:
xl dmesg reporting:
(XEN) Intel VT-d iommu 0 supported page sizes: 4kB.
(XEN) Intel VT-d iommu 1 supported page sizes: 4kB.
(XEN) Intel VT-d Snoop Control not enabled.
(XEN) Intel VT-d Dom0 DMA Passthrough not enabled.
(XEN) Intel VT-d Queued Invaldiation enabled
(XEN) Intel VT-d Interrupt Remapping enabled.
(XEN) Intel VT-d Shared EPT tables not enabled.
(XEN) I/O virtualisation enabled
...
(XEN) VMX: Supported advanced features:
(XEN) - APIC MMIO access virtualisation
(XEN) - APIC TPR shadow
(XEN) - Extended Page Tables (EPT)
(XEN) - Virtual-Processor Identifiers (VPID)
(XEN) - Virtual NMI
(XEN) - MSR direct-access bitmap
(XEN) - Unrestricted Guest
(XEN) HVM: VMX enabled

It seems as if at least part of VT-d is enabled, so shall I trust the Intel
specs or the log outputs? Is the hcl tool working correctly? Are the enabled
VT-d features enough for running Qubes 4.x?

Best Regards,
tezeb
Qubes-HCL-SAMSUNG_ELECTRONICS_CO___LTD_-400B4B_400B5B_200B4B_200B5B-20161117-162307.yml

Zrubi
Nov 24, 2016, 3:33:39 AM
to te...@outoftheblue.pl, qubes...@googlegroups.com, Marek Marczykowski-Górecki
Well, as you noted, the qubes-hcl-report tool relies on xl info and xl
dmesg output.
If both state that IOMMU is enabled:

> virt_caps: hvm hvm_directio
> (XEN) I/O virtualisation enabled

what else can it say?

If you are 100% sure that this is a false positive, then we should address
this issue for sure.
However, I can't see how we can check whether the IOMMU is really working. Maybe
we can try a DMA attack PoC script and try to break out from a netvm, for
example?
(of course not as part of the hcl report :)


--
Zrubi


te...@outoftheblue.pl
Nov 26, 2016, 7:18:31 PM
to Zrubi, qubes...@googlegroups.com, Marek Marczykowski-Górecki
On Thu, 24 Nov 2016 09:33:23 +0100
Zrubi <ma...@zrubi.hu> wrote:

>
> Well, as you noted, the qubes-hcl-report tool relies on xl info and xl
> dmesg output.
> If both state that IOMMU is enabled:
>
> > virt_caps: hvm hvm_directio
> > (XEN) I/O virtualisation enabled
>
> what else can it say?
>
> If you are 100% sure that this is a false positive, then we should address
> this issue for sure.
> However, I can't see how we can check whether the IOMMU is really working. Maybe
> we can try a DMA attack PoC script and try to break out from a netvm, for
> example?
> (of course not as part of the hcl report :)

Thanks for your reply. After reading it I realized that I should
probably ask on the Xen devel mailing list. I am not 100% sure, but the
specs about my HW say so (and I am 100% sure about what HW I have).

Anyway, I like the idea of a DMA PoC attack. It sounds like a definitive
measure of VT-d separation. Are there any PoCs publicly available?

Regards,
tezeb

Tai...@gmx.com
Dec 6, 2016, 5:03:56 AM
to qubes...@googlegroups.com
On 11/26/2016 07:14 PM, te...@outoftheblue.pl wrote:
One of the side problems is that interrupt remapping support (or the
lack of it) is not mentioned at all in HCL reports/tests and not
mentioned to the average user, who doesn't understand Intel's weird
marketing speak [1]; even some newer devices where the chipset
theoretically supports it do not have it activated, for whatever reason.

[1] Intel says "VT-d" instead of IOMMU, to make it seem like they are
the only ones with the technology, and they fail to mention what version
of it the chips feature (newer versions have better performance, and the
first few versions lack interrupt remapping, which sucks and entirely
breaks their shitty TXT/TPM technologies; Intel's reply to a support
message: "buy a new computer")
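The checks discussed in this thread, as an added example that is not part of any of the posts and not the code of qubes-hcl-report itself: it reproduces the two signals the report is said to rely on (`hvm_directio` in `xl info` virt_caps and the `I/O virtualisation enabled` line in `xl dmesg`), and adds the interrupt-remapping line that the report does not surface. The sample inputs are constructed from the log lines quoted in the first post; the function names and the summary format are this example's own. What this shows is only that Xen initialised its VT-d driver from the DMAR table the firmware published and turned on interrupt remapping; it does not prove that DMA from a given device is actually blocked, which is what a DMA PoC as proposed above would test.

```shell
#!/bin/sh
# Added example (not qubes-hcl-report code): derive the hcl "IOMMU" verdict
# from xl info / xl dmesg text, and also report interrupt remapping.

# Constructed sample inputs, copied from the log lines quoted in this thread.
SAMPLE_VIRT_CAPS='virt_caps              : hvm hvm_directio'
SAMPLE_DMESG='(XEN) Intel VT-d iommu 0 supported page sizes: 4kB.
(XEN) Intel VT-d iommu 1 supported page sizes: 4kB.
(XEN) Intel VT-d Interrupt Remapping enabled.
(XEN) I/O virtualisation enabled
(XEN) HVM: VMX enabled'

# iommu_from_virt_caps VIRT_CAPS_LINE -> "yes"/"no"
# Xen advertises hvm_directio only when its IOMMU driver initialised.
iommu_from_virt_caps() {
    case " $1 " in
        *" hvm_directio "*) echo yes ;;
        *)                  echo no ;;
    esac
}

# iommu_from_dmesg DMESG_TEXT -> "yes"/"no"
# Xen prints this line only after IOMMU setup succeeded.
iommu_from_dmesg() {
    if printf '%s\n' "$1" | grep -q 'I/O virtualisation enabled'; then
        echo yes
    else
        echo no
    fi
}

# intremap_from_dmesg DMESG_TEXT -> "yes"/"no"
# Interrupt remapping stops a passed-through device from injecting arbitrary
# MSIs; the hcl report does not show it, so it is checked separately here.
intremap_from_dmesg() {
    if printf '%s\n' "$1" | grep -q 'Interrupt Remapping enabled'; then
        echo yes
    else
        echo no
    fi
}

# count_iommu_units DMESG_TEXT -> number of VT-d remapping units Xen found
count_iommu_units() {
    printf '%s\n' "$1" | grep -c 'Intel VT-d iommu [0-9]* supported page sizes' || true
}

# summarise VIRT_CAPS_LINE DMESG_TEXT -> one line; "IOMMO: yes" requires both
# signals, mirroring what the report is said to do, plus the extra flag.
summarise() {
    vc=$(iommu_from_virt_caps "$1")
    dm=$(iommu_from_dmesg "$2")
    if [ "$vc" = yes ] && [ "$dm" = yes ]; then both=yes; else both=no; fi
    printf 'IOMMU: %s (virt_caps: %s, dmesg: %s, units: %s), IntRemap: %s\n' \
        "$both" "$vc" "$dm" "$(count_iommu_units "$2")" "$(intremap_from_dmesg "$2")"
}

# live_check: run the same logic on a real Xen dom0 (xl dmesg needs root).
live_check() {
    command -v xl >/dev/null 2>&1 || { echo "xl not found; not in Xen dom0?" >&2; return 1; }
    summarise "$(xl info | grep '^virt_caps')" "$(xl dmesg)"
    # Firmware-level corroboration: dom0 exposes the ACPI DMAR table when the
    # BIOS published one; with no DMAR, Xen would have had nothing to initialise.
    if [ -r /sys/firmware/acpi/tables/DMAR ]; then
        echo "ACPI DMAR table: present"
    else
        echo "ACPI DMAR table: absent"
    fi
}

# Demonstration on the constructed sample.
summarise "$SAMPLE_VIRT_CAPS" "$SAMPLE_DMESG"
```

Run `live_check` in dom0 to apply the same parsing to the real output. A "yes" on all three lines means the hypervisor believes VT-d (including interrupt remapping) is active on this firmware; it is not evidence that a specific device cannot DMA where it should not.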