HVM create fails with: cannot make domain: -3


Sebastian Hültenschmidt

Dec 26, 2012, 9:23:54 PM12/26/12
to qubes...@googlegroups.com
Hello @all,

Merry Xmas to everyone.

I am currently trying to create an HVM domain exactly as described in the HVMCreate wiki page.

Unfortunately it fails upon qvm-create invocation with:

libxl: error: libxl_create.c:319:libxl__domain_make domain creation fail
cannot make domain: -3
libxl: error: libxl.c:713:libxl_domain_destroy non-existant domain -1

I did not find any useful logs.
My CPU is a Core i7 820QM, 8 GB of memory, 64 GB SSD.

Any suggestions?

Joanna Rutkowska

Dec 27, 2012, 6:38:21 AM12/27/12
to qubes...@googlegroups.com, Sebastian Hültenschmidt
Can you send some more log info (xl dmesg, dmesg, /var/log/xen/xl-xxx)?

And, are you 100% sure VT-x has been enabled in your BIOS? HVMs do
require VT-x, in contrast to standard AppVMs, which do not.

joanna.


shueltenschmidt

Dec 27, 2012, 2:38:08 PM12/27/12
to qubes...@googlegroups.com, Sebastian Hültenschmidt
Hi Joanna,


xl dmesg and your comment put me on the right track. I verified that VT-x and VT-d were enabled before I posted the first message, of course. But today I learned that enabling Intel TXT without actually using it will disable VT-x and VT-d. Disabling Intel TXT did the trick. It is working now. Would you have known that?
So you might add the Lenovo ThinkPad W510 with Intel Core i7 820QM to the HCL.

thx a bunch,
best wishes and happy new year,

Sebastian

Joanna Rutkowska

Dec 27, 2012, 4:26:41 PM12/27/12
to qubes...@googlegroups.com, shueltenschmidt
On 12/27/12 20:38, shueltenschmidt wrote:
>> And, are you 100% sure VT-x has been enabled in your BIOS? HVM do
>> require VT-x in contrast to standard AppVMs, which do not.
>>
>> joanna.
> Hi Joanna,
>
>
> xl dmesg and your comment put me on the right track. I verified that
> vt-x and vt-d are enabled before i posted the first message of
> course. But today i learned that enabling intel txt without actually
> using it will disable vt-x and vt-d. Disabling intel txt did the
> trick. It is working now. Would you have known that? So you might add
> lenovo thinkpad w510 with intel core i7 820qm to the hcl.
>
> thx a bunch, best wishes and happy new year,
>
> Sebastian

Yes, this behavior (allowing VT-x when in or out of TXT) is controlled
by the IA32_FEATURE_CONTROL MSR. This allows the BIOS to lock down VMXON
(so enabling VT-x mode) to be available only when inside SMX operation.
There is also a bit that allows VT-x outside of SMX, which, when set,
doesn't require TXT launch to be performed to use VT-x. I suspect that
your BIOS cleared this very bit when you enabled TXT, forcing you this
way to perform proper TXT launch before you start using VT-x (Note, how
BIOS people always know better what's good for you!).

The idea behind this VT-x locking mechanism is to provide some
meaningful "carrot and stick" for the attacker to execute SENTER... Wait
a sec, you might say, isn't the best "carrot and stick" for launching
TXT the unsealed secret from the TPM or the correct TPM Quote packet
used in Remote Attestation? Well, yes, I also think so, but apparently
the sealing/unsealing mechanism and TPM Quote turned out way too
difficult to comprehend for most people, at least according to Intel
engineers, and this is why they decided to introduce also TXT Launch
Control Policies (LCP) which try to turn TXT into an explicit
white-listing mechanism, something that IMHO would never work. And hence
such superficial "carrots and sticks" had to be brought up to the
delight of BIOS people :)

joanna.

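The IA32_FEATURE_CONTROL bits Joanna describes, decoded in code. This is an added example, not something from the thread or from Qubes/Xen; it assumes a Linux host with the msr driver loaded and root for the /dev/cpu/N/msr read (under Xen, dom0 MSR reads are mediated by the hypervisor, so on a Qubes box xl dmesg remains the authoritative source), and the classifier is a plain function that can also be applied to a value obtained any other way.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <unistd.h>

#define IA32_FEATURE_CONTROL 0x3AU          /* MSR index (Intel SDM) */
#define FC_LOCK              (1ULL << 0)    /* BIOS locked the register until the next reset */
#define FC_VMXON_INSIDE_SMX  (1ULL << 1)    /* VMXON allowed after a TXT (SENTER) launch */
#define FC_VMXON_OUTSIDE_SMX (1ULL << 2)    /* VMXON allowed in a normal, non-SMX boot */

enum vmx_state { VMX_UNLOCKED, VMX_OK, VMX_TXT_ONLY, VMX_DISABLED };
static const char *vmx_state_name[] = {
    "unlocked: BIOS never set it, the hypervisor may set the bits itself",
    "VMXON allowed outside SMX: VT-x usable from a normal boot",
    "VMXON only inside SMX: a TXT launch is required first (the case in this thread)",
    "VMXON disabled and locked",
};

/* What a hypervisor booted the normal way (no SENTER) can expect from VMXON. */
enum vmx_state classify_feature_control(uint64_t msr)
{
    if (!(msr & FC_LOCK))             return VMX_UNLOCKED;
    if (msr & FC_VMXON_OUTSIDE_SMX)   return VMX_OK;
    if (msr & FC_VMXON_INSIDE_SMX)    return VMX_TXT_ONLY;
    return VMX_DISABLED;
}

/* Read one MSR via the Linux msr driver (modprobe msr; needs root). Returns 0 on success. */
int read_msr(int cpu, uint32_t reg, uint64_t *out)
{
    char path[64];
    snprintf(path, sizeof path, "/dev/cpu/%d/msr", cpu);
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    ssize_t n = pread(fd, out, sizeof *out, reg);   /* the MSR index is the file offset */
    close(fd);
    return n == (ssize_t)sizeof *out ? 0 : -1;
}

int main(void)
{
    uint64_t v;
    if (read_msr(0, IA32_FEATURE_CONTROL, &v) != 0) {
        perror("reading /dev/cpu/0/msr");
        return 1;
    }
    printf("IA32_FEATURE_CONTROL = 0x%llx -> %s\n", (unsigned long long)v,
           vmx_state_name[classify_feature_control(v)]);
    return 0;
}
```

A locked value of 0x3 is the state this thread ran into: VT-x "enabled" in the BIOS menu, but only reachable through a TXT launch, so Xen's VMXON is refused and the HVM create fails.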