
Re: work on vt-d support in libreboot for Intel GM45/Penryn yet?


Thierry Laurion 10 Dec. 2015 08:48
Sent to group: qubes-users
Hey. I'm still on that case, since I want low budget people to still have access to security and privacy if needed.

There are 5 distinct problems to separate here (maybe more, I'm trying to figure out the chain myself)

Bottom-up possible problems:
-Latest CPU microcode version present in the CPU. (No need for a microcode update in that case. 1067a seems to be the latest version available. I have some models to test with.)
-Corrupted DMAR tables in GM45 (For graphic card initialisation only on latest BIOS. There seems to be a workaround to test: "intel_iommu=igfx_off" I stumbled upon. Will test it ASAP. Here is what was outputted without it.)
-BIOS initialisation of it.
-Libreboot/Coreboot initialisation of it.
-XEN usage of it (Qubes released 3.1 rc1 yesterday with newer xen 4.6)


Until proven otherwise, it seems that this hardware is supposed to support vt-d.
If it is the case, I can confirm that with 8GB of RAM, this laptop doesn't show its age and will provide needed security for most use cases.

I continue to think that this laptop requires a little more love from XEN/Libreboot guys.

Regards,
Thierry



On Sunday, 6 December 2015 05:58:47 UTC-5, Pudding4Brains wrote:
Howdy,

As I'm looking to get a ThinkPad T400 (or some such) and flash it with libreboot (out of technical curiosity and also principle to have at least one unblobbed system available), I was wondering if anyone knows if there is any work being done on vt-d support for this architecture yet?

Two fairly recent posts by Thierry Laurion suggest it wasn't/isn't available on the libreboot for his x200 (similar arch.):
https://groups.google.com/d/msg/qubes-users/ty7EsA5xBb4/B5PbNg7QDgAJ
https://groups.google.com/d/msg/qubes-devel/044FDrqJDPc/ooFd1g-uBAAJ

Searching the coreboot site only rendered one message, mentioning some support of IOMMU tables for ACPI for the newer Sandy Bridge and Ivy Bridge architectures.
http://blogs.coreboot.org/blog/2015/11/10/coreboot-changelog-5/

My understanding of what is needed for full vt-d support (for OSes such as Qubes) is rudimentary to non-existent (sorry :-/ )

Is there any hope at all of getting this done at all, especially with the ME cut out of the loop the way it is done for libreboot?

Historically I have worked quite a bit with low level firmware/software (PC-BIOS, chip level / device driver assembly programming) but that is all some time ago (8088-486 era). From what I've read so far, the whole setup as run on "modern" Intel platforms seems quite complex/daunting - but hey: never stop learning :o)

Is there any point at all in setting myself up with some stuff (laptop, current ISP SOIC-programmer etc.) and any chance at all of getting my hands on some useful documentation to maybe help with some work (programming/testing?) in this direction?

Or is it a total nonstarter to begin with?

I realize, there would still be the microcode in the CPU as a "kinda blob" to keep some sort of uncomfortability going, that won't easily go away, so maybe efforts would be put to better use in the ARM camp, but I'm way more familiar with x86 stuff than all that, so this seemed to be a nice hook to start some tinkering with low level stuff again :o)

So, in short:
- Could it theoretically be done, or is true vt-d support for libreboot a nonstarter due to issues with the architecture (ME etc.)?
- Anyone working on this yet?

Cheers!