I have read that to use Qubes I have to have a processor with Intel
VT-d. I have also read some time before (at tomshardware I think) the
interview with you. You have also mentioned only Intel VT. What
about competing implementations? Is there any specific reason that
AMD V is not supported? Is it about a lack of some instructions or
because of security reasons?
Also, can I use Qubes on an AMD processor and (if yes) how will that affect Qubes?
Best Regards,
Michał Janowski
AMD-v seems to be functionally identical to VT-x (or perhaps even better
in some aspects, e.g. due to tagged TLB, that VT-x still doesn't have).
Also, AMD has its own implementation of IOMMU, that is just called...
IOMMU, that should be functionally identical to VT-d (or perhaps even
better because they might have interrupt remapping support).
The only issue with AMD-v/IOMMU is... that it is so difficult to buy a
laptop with an AMD processor, and AFAIK, most of them would not have AMD
IOMMU, which apparently is only used on server platforms (Opterons,
something else?). So, because Qubes targets desktop market, and this
market is dominated by laptops running Intel processors (and chipsets),
we focus on VT-x/VT-d technologies.
>
> Also, can I use Qubes on an AMD processor and (if yes) how will that affect Qubes?
>
Yes. Please note that Xen doesn't require AMD-v/VT-x for running PV VMs,
and Qubes AppVMs are nothing else than Xen PV domains. So, you can run
Qubes on any IA32 64-bit processor, regardless of whether it has any
virtualization extensions or not (AMD-v, VT-x).
But, you need VT-d to run netvm (actually you can also run it without
VT-d, but then there is DMA protection, so it doesn't make any sense). I
think that Xen also has support for AMD IOMMU, but I've never got such a
system to test, so I don't know for sure.
Perhaps AMD would be willing to donate some hardware for testing? :)
joanna.
APU A10 supports VT-d as far as I know. Athlon X4 also. You just need to enable it in BIOS.
[...]
you need VT-d to run netvm (actually you can also run it without
VT-d, but then there is DMA protection, so it doesn't make any sense).
Can I install Qubes on a system without VT-d?
Yes. You can even run a NetVM, but you will not benefit from DMA protection for driver domains. On a system without VT-d, everything should work in the same way, except there will be no real security benefit to having a separate NetVM, as an attacker could always use a simple DMA attack to go from the NetVM to Dom0. Nonetheless, all of Qubes’ other security mechanisms, such as AppVM separation, work without VT-d. Therefore, a system running Qubes will still be significantly more secure than one running Windows, Mac, or Linux, even if it lacks VT-d.
A DMA attack is a type of side channel attack in computer security, in which an attacker can penetrate a computer or other device, by exploiting the presence of high-speed expansion ports that permit Direct Memory Access ("DMA").
[...]
Mitigations:
DMA attacks can be prevented by physical security against potentially malicious devices.
--
You received this message because you are subscribed to a topic in the Google Groups "qubes-devel" group.
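The distinction drawn in this thread (PV AppVMs need no VT-x/AMD-V, while a NetVM only gains DMA protection when an IOMMU such as VT-d is active) can be checked from Dom0. The following is an added example, not part of the original thread and not Qubes project code; it assumes Xen's `xl info` lists `hvm` and `hvm_directio` on its `virt_caps` line, and the sample outputs are constructed.

```python
import shutil
import subprocess

def sample(caps):
    """Build a constructed `xl info` excerpt (not captured from a real host)."""
    return f"host                   : dom0\nvirt_caps              : {caps}\n"

def parse_virt_caps(xl_info_text):
    """Return the set of tokens on the virt_caps line, or None if absent."""
    for line in xl_info_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "virt_caps":
            return set(value.split())
    return None

def assess(xl_info_text):
    """Classify a host by what the thread says matters for NetVM isolation."""
    caps = parse_virt_caps(xl_info_text)
    if caps is None:
        raise ValueError("no virt_caps line; is this `xl info` output from Dom0?")
    # Assumption: Xen lists `hvm` when VT-x/AMD-V is usable and a
    # `*_directio` token (e.g. hvm_directio) when the IOMMU is in use.
    hw_virt = "hvm" in caps
    iommu = any(tok.endswith("_directio") for tok in caps)
    if iommu:
        netvm = "isolated: device DMA is confined by the IOMMU"
    else:
        netvm = "runs, but device DMA from the NetVM can reach Dom0 memory"
    return {"hw_virt": hw_virt, "iommu_active": iommu, "netvm": netvm}

def main():
    if shutil.which("xl"):  # real Dom0: query the hypervisor
        text = subprocess.run(["xl", "info"], capture_output=True,
                              text=True, check=True).stdout
        reports = {"this host": text}
    else:  # elsewhere: fall back to constructed samples
        reports = {"no extensions": sample(""), "VT-x/AMD-V only": sample("hvm"),
                   "with IOMMU": sample("hvm hvm_directio")}
    for name, text in reports.items():
        result = assess(text)
        # PV AppVMs start in every case; only NetVM isolation depends on the IOMMU.
        print(f"{name}: hw_virt={result['hw_virt']} "
              f"iommu={result['iommu_active']} NetVM {result['netvm']}")

if __name__ == "__main__":
    main()
```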