How to find a notebook with VT-d (IOMMU) support

knock...@gmail.com

Aug 20, 2013, 2:12:12 PM
to qubes...@googlegroups.com
VT-d, which provides IOMMU services, is a very important feature for realizing the security promises of Qubes OS.  Without it, although the CPU isolates VMs, their memory lies open to relatively easy DMA-based attacks, with network devices and GPUs being some of the more well-known pieces of hardware for executing such attacks.

Finding a system - especially a notebook system - that supports VT-d is a serious challenge.  Unfortunately, a great majority of laptop/notebook systems do not even have the hardware necessary to use VT-d, and the presence or absence of this feature is not well documented by vendors.  Although the Hardware Compatibility List (https://wiki.qubes-os.org/trac/wiki/HCL) is a helpful resource, it only lists a handful of models, many of which have been discontinued.  It is helpful to have a more systematic way of identifying systems that at least have the necessary hardware to support VT-d (BIOS support, discussed below, presents a secondary issue).


What to look for:

For Ivy Bridge, BOTH the CPU and chipset must support VT-d, which compounds the problem of finding a VT-d capable system.  The most common issue is that although the CPU will support VT-d, the chipset does not.  However, there are systems where not even the CPU has the needed support (such as all of the mobile i3 models?).

To save you some hassle: only 2 (out of 7!) Ivy Bridge chipsets will work: QM77 and QS77.  Unfortunately, most systems use the HM7x chipsets...

For Haswell, the issue is simpler, because the CPU and chipset are in a single package, which eliminates mixing & matching.  Nevertheless, only some Haswell chips have VT-d support, with most Haswell laptops/notebooks I have seen listed not having VT-d.

On Sandy Bridge, there is VT-d support to be found, although probably with the same chipset issues as Ivy Bridge.


Where to look:

I have found the following two websites very helpful in identifying notebooks with supporting hardware:

1) CPU and chipset specifications available at http://ark.intel.com/ (for example, http://ark.intel.com/products/75033/Intel-Core-i5-4350U-Processor-3M-Cache-up-to-2_90-GHz for the Haswell i5-4350U)

Typically, I just drop the CPU or chipset identifier into Google, and the corresponding ark.intel.com page will show up towards the top of the results.

For VT-d, the feature you are looking for is labeled "Intel® Virtualization Technology for Directed I/O (VT-d)", and you want the table to say "Yes" for this item.

Examples:

2) Chipset- and CPU-specific pages at http://www.notebookcheck.com/

The Intel pages are the authoritative reference for what CPUs and chipsets support VT-d, but how do you determine (a) what CPU+chipset is in a given notebook model, or (b) what notebook models make use of given CPUs+chipsets?  With Ivy Bridge, vendors will almost never indicate the chipset model.  For one system, I ended up starting from chip markings shown in an iFixIt teardown, and web searching back from that to determine the chipset model.

Luckily, there is at least one website providing a better way to go about this: http://www.notebookcheck.com/, which has taken the time & effort to document which CPUs & chipsets are present in various models.

For Ivy Bridge chipsets, http://www.notebookcheck.com/Intel-Ivy-Bridge-Chipsaetze-7-Series-Chipsets.88194.0.html gives links to pages for each chipset, such as QM77 and HM77.  Then, on each chipset-specific page is a list of notebooks identified as using that chipset.  As I mentioned above, the chipset is usually the weak link, so working back from the supporting chipsets, and then confirming there is also a supporting CPU, seems the way to go.

Here are links to the only two supporting chipsets I mentioned above:

The page provided for Haswell, http://www.notebookcheck.com/Intel-Dual-Core-Ableger-der-Haswell-Generation-vorgestellt.93523.0.html, is extremely helpful, because the tables on that page directly indicate which models support various Intel technologies, including VT-d.

As can be seen on the charts, only the least expensive models in each lineup lack VT-d support.  Unfortunately, those are also the models I have most frequently seen included in the announced or released Haswell notebooks.  Once you start digging around, you will see most Haswell notebooks include the i7-4500U or the i5-4200M.  However, there are Haswell notebooks out there with the right chips.  I do not know if this is a result of the lower-end chips getting rolled out in higher volumes at first, but if Ivy Bridge is any indication, most Haswell notebooks will not have VT-d support.


The above info will help you get past the first, but most prevalent, issue of hardware support.  If you home in on a few notebook models of interest, I suggest digging a little deeper to find another source that confirms the right chips or VT-d support is in place.  I would not expect a salesperson or a level 1 or 2 tech to give you reliable info.


The other piece - BIOS support:

Even if the hardware supports VT-d, it will not work if not properly enabled by the system BIOS.  Issues include:
- No VT-d support in BIOS.  The BIOS does not configure VT-d at all.  This seems to be rare, at least for Intel systems.
- incorrect ACPI tables.  The BIOS configures VT-d correctly, but incorrectly reports information via ACPI (usually in the DMAR table), which Xen uses to determine what is going on with VT-d.  This seems a little more common than there being no BIOS support.
- VT-d/IOMMU feature must be enabled in BIOS.  Trivial to fix, but overlooked many times.  Go into BIOS config, find the item, and enable it.

Do not expect a vendor to ever respond to the first 2 issues - just move on.  If you already own a laptop, and it's just an ACPI issue, it may be possible to hack around it (which is what I did on my MacBook Air 2012), but just avoid it if you are buying something new.

Once you have identified a model, you can often find a manual covering the BIOS config screens.  This can provide a quick way to confirm there is BIOS support, by finding documentation for a config screen allowing you to toggle VT-d/IOMMU.


Test the actual system:

A final step, or perhaps a shortcut around the above steps, would be to actually run Xen or Qubes OS on the machine you intend to use.  For example, you could put the Qubes OS installer on a USB drive, boot the system off of it, and run the qubes-hcl-report script.  Alternatively, in dom0 (under Qubes OS or Xen more generally) you could grep for "virtualisation" or "VT-d".  You should either see "I/O virtualisation enabled" or "I/O virtualisation disabled", or some items about VT-d.

If you cannot physically access a sample of the system (for example, ordering a system online), you might try to persuade the vendor to do the above USB boot, if they will download and run an unfamiliar 1.2GB installer...  A smaller image providing a dedicated IOMMU Xen-based tester might be better for this, but does not currently exist.  There might be "off the shelf" Linux boot discs with IOMMU-enabled kernels where you could grep through dmesg for the appropriate boot message, although Xen and Linux may have a different take on things.


Other issues:

- Get a system with 6+ GB of RAM.  You can run with 4 GB, but it will likely become an issue if you want to run a non-Linux VM like Windows - particularly if more than one concurrent Windows VM.  Most "ultrabooks" have 4 GB of RAM and are not upgradeable.
- Get a system with a TPM.  Allows use of Anti Evil Maid.  Many consumer laptops do not have a TPM.  Note that even when there is a TPM, it often is not listed in the product specifications.
- Probably also make sure the system offers Intel TXT support, using the above techniques for VT-d.  Although Joanna et al have exposed multiple issues with TXT as a standalone solution, it appears it will be relevant if you want to run Anti Evil Maid. See https://groups.google.com/forum/#!topic/qubes-devel/c_S06lNpiso  There are a number of CPUs that support VT-d, but not also TXT.  
- Possible UEFI Secure Boot problems?  I am unfamiliar with this, and it sounds like today this generally can be disabled in BIOS, but there also seems to be concern about future machines only doing Secure Boot.  However, Redhat seems to have worked out some kind of a shim boot solution for the time being.
- AMD motherboard vendors made a big mess of things.  AMD did a great job pitching IOMMUs some time ago, hardware support is just a matter of the right chipset, and AMD provided BIOS vendors with the code for proper configuration.  However, most of the vendors still fail to enable the hardware correctly and/or have bad ACPI tables (which generally causes Xen to disable the IOMMU).  I have not seen any instance where a vendor has resolved such issues, even for simple and clearly identified ACPI issues.  This issue was prevalent enough to help give rise to Xen Security Advisory 36.  If you still want to use AMD for IOMMU, you have been warned...
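
The dom0 check described under "Test the actual system" above, as an added example that is not part of the original post: a small shell filter that classifies the "I/O virtualisation enabled/disabled" message and counts VT-d lines. It assumes the hypervisor log is read with `xl dmesg`; the function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): classify IOMMU state from
# Xen boot messages. Real use in dom0:  xl dmesg | iommu_summary

# Reads a boot log on stdin and prints
#   state=<enabled|disabled|unknown> vtd_lines=<n>
iommu_summary() {
    awk '
        {
            l = tolower($0)
            if (index(l, "i/o virtualisation enabled"))  en = 1
            if (index(l, "i/o virtualisation disabled")) dis = 1
            if (index(l, "vt-d")) vtd++
        }
        END {
            # An explicit "disabled" wins: VT-d feature lines alone do not
            # mean the hypervisor is actually enforcing DMA isolation.
            state = dis ? "disabled" : (en ? "enabled" : "unknown")
            printf "state=%s vtd_lines=%d\n", state, vtd
        }'
}

# Exit status 0 only when the log says I/O virtualisation is enabled,
# so it can gate a script step such as assigning PCI devices to a VM.
iommu_ok() {
    case "$(iommu_summary)" in
        state=enabled\ *) return 0 ;;
        *)                return 1 ;;
    esac
}

# Constructed sample logs (illustrative, not captured from a real machine).
SAMPLE_ENABLED='(XEN) Intel VT-d Snoop Control enabled.
(XEN) Intel VT-d Queued Invalidation enabled.
(XEN) I/O virtualisation enabled'

SAMPLE_DISABLED='(XEN) Intel VT-d Snoop Control not enabled.
(XEN) I/O virtualisation disabled'

# A plain Linux boot line: no Xen verdict present, so the state is unknown.
SAMPLE_OTHER='[    0.000000] Linux version 3.12.18-1'

for s in "$SAMPLE_ENABLED" "$SAMPLE_DISABLED" "$SAMPLE_OTHER"; do
    printf '%s\n' "$s" | iommu_summary
done
```

A result of `unknown` means the log held no verdict at all (for example, a non-Xen kernel log), which is different from the hypervisor reporting the IOMMU as disabled.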

Fernando Mumbach

Aug 21, 2013, 6:09:46 AM
to qubes...@googlegroups.com
Thanks for sharing. Now I know I don't have stop

Joanna Rutkowska

Aug 28, 2013, 4:55:41 AM
to qubes...@googlegroups.com
> http://ark.intel.com/products/75033/Intel-Core-i5-4350U-Processor-3M-Cache-up-to-2_90-GHz for the Haswell i5-4350U)
> http://www.notebookcheck.com/Intel-Ivy-Bridge-Chipsaetze-7-Series-Chipsets.88194.0.html gives links to pages for each chipset, such as QM77 and HM77. Then, on
> - Get a system with a TPM. Allows use of Anti Evil Maid<http://qubes-os.org/trac/wiki/AntiEvilMaid>.
> Many consumer laptops do not have a TPM. Note that even when there is a
> TPM, it often is not listed in the product specifications.
> - Probably also make sure the system offers Intel TXT support, using the
> above techniques for VT-d. Although Joanna et al have exposed multiple
> issues with TXT as a standalone solution, it appears it will be relevant if
> you want to run Anti Evil Maid. See
> https://groups.google.com/forum/#!topic/qubes-devel/c_S06lNpiso There are
> a number of CPUs that support VT-d, but not also TXT.
> - Possible UEFI Secure Boot problems? I am unfamiliar with this, and it
> sounds like today this generally can be disabled in BIOS, but there also
> seems to be concern about future machines only doing Secure Boot. However,
> Redhat seems to have worked out some kind of a shim boot solution for the
> time being.
> - AMD motherboard vendors made a big mess of things. AMD did a great job
> pitching IOMMUs some time ago, hardware support is just a matter of the
> right chipset, and AMD provided BIOS vendors with the code for proper
> configuration. However, most of the vendors still fail to enable the
> hardware correctly and/or have bad ACPI tables (which generally causes Xen
> to disable the IOMMU). I have not seen any instance where a vendor has
> resolved such issues, even for simple and clearly identified ACPI issues.
> This issue was prevalent enough to help give rise to Xen Security Advisory
> 36. If you still want to use AMD for IOMMU, you have been warned...
>

Thanks, I linked to this message from our HCL page.

Just a comment regarding testing Qubes "on site" -- it's perfectly fine
to install Qubes onto a USB3 pendrive, then take this pendrive with you
to a computer shop and boot Qubes out of it there. All you will need to
adjust is the list of PCI devices assigned to the netvm (via Qubes Manager).

joanna.

jt.t...@gmail.com

Jul 18, 2014, 6:14:47 AM
to qubes...@googlegroups.com
Eric, thanks for this. I have been looking for a laptop specifically for experimenting with Qubes. I've found one I like with an i7-4810MQ CPU, it has VT-d along with VT-x and even vPro with Intel 4600 graphics. WiFi is the Intel AC-7260 adapter. The laptop was actually designed for, and ships with, Ubuntu. I should be ok with this, eh? Thanks.

Here is the rig I have on the top of my short list: https://system76.com/laptops/model/kudp1

They list four CPU models available for it but only two of the four support VT-d.

- JT

cprise

Jul 18, 2014, 9:22:28 PM
to jt.t...@gmail.com, qubes...@googlegroups.com
Their pages seem short on details to me. For one, there is no mention of
a TPM (a feature I look for, but not required to run Qubes). Also, their
components may support VT-d, but that's no guarantee the motherboard or
BIOS will manage that feature properly (if at all). My suggestion is to
google for discussions about VT-d or passthrough on that model,
preferably in relation to Qubes or Xen.


Manuel Amador (Rudd-O)

Jul 30, 2014, 3:54:01 AM
to jt.t...@gmail.com, qubes...@googlegroups.com

On 07/18/2014 03:14 AM, jt.t...@gmail.com wrote:
> {...}
> - JT

This is one way you find a notebook with everything that you need to run
Qubes:

- You search for MSI GS60.
- You select the RAM capacity (16GB minimum) and the CPU model in the
particular laptop choices you have onscreen
- You ensure that the laptop's processor has VT-x and VT-d support
- You ensure that the CPU does not have any of that vPro garbage
- You roll with it, preferably from a location nearby you as opposed to
mailed to you

Not cheap. But... this is how you find a laptop that can run Qubes to
its fullest and safest extent, while not having to deal with firmware
that will allow others to control your machine.

--

Rudd-O
http://rudd-o.com/


Joanna Rutkowska

Jul 30, 2014, 4:24:26 AM
to Manuel Amador (Rudd-O), jt.t...@gmail.com, qubes...@googlegroups.com
Have you actually tried this laptop with Qubes OS? How is the temperature?

This one also looks cool:

http://www.razerzone.com/gaming-systems/razer-blade

... although without an option to have more than 8GB of RAM.

joanna.

Pedro Martins

Jul 30, 2014, 3:00:16 PM
to qubes...@googlegroups.com
On 30-07-2014 09:24, Joanna Rutkowska wrote:
> On 07/30/14 09:53, Manuel Amador (Rudd-O) wrote:
>>
>> On 07/18/2014 03:14 AM, jt.t...@gmail.com wrote:
>>> {...}
>>> - JT
>>
>> This is one way you find a notebook with everything that you need to run
>> Qubes:
>>
>> - You search for MSI GS60.
>> - You select the RAM capacity (16GB minimum) and the CPU model in the
>> particular laptop choices you have onscreen
>> - You ensure that the laptop's processor has VT-x and VT-d support
>> - You ensure that the CPU does not have any of that vPro garbage
>> - You roll with it, preferably from a location nearby you as opposed to
>> mailed to you
>>
>> Not cheap. But... this is how you find a laptop that can run Qubes to
>> its fullest and safest extent, while not having to deal with firmware
>> that will allow others to control your machine.
>>

Not quite; specs say "Chipset: Intel HM77 Chipset" which doesn't support
VT-d nor TXT [1]

>
> Have you actually tried this laptop with Qubes OS? How is the temperature?
>
> This one also looks cool:
>
> http://www.razerzone.com/gaming-systems/razer-blade
>
> ... although without an option to have more than 8GB of RAM.
>

This one has HM87 which supports VT-d but doesn't say anything on
support for TXT [1].

QM87 supports VT-d and TXT.

It is really testing to find something that really has all one needs and
nothing more. For instance, {Q/H}M87 also support vPro and Small
Business Advantage which seem to exist to drive further intel business
on software.


[1] http://ark.intel.com/compare/75525,75528,64339
--
Pedro Martins

Manuel Amador (Rudd-O)

Jul 31, 2014, 1:28:14 PM
to qubes...@googlegroups.com
The machine runs absolutely fine with Qubes.
--
Rudd-O
http://rudd-o.com/

Manuel Amador (Rudd-O)

Jul 31, 2014, 1:30:44 PM
to qubes...@googlegroups.com
On Wed 30 Jul 2014 12:00:13 PM PDT, Pedro Martins wrote:
> Not quite; specs say "Chipset: Intel HM77 Chipset" which doesn't
> support VT-d nor TXT [1]

Qubes release 2 (R2)
Model Name: Micro-Star_International_Co.,_Ltd. ..
Kernel: 3.12.18-1
Xen: 4.1.6.1

CPU: Intel(R) Core(TM) i7-4700HQ CPU @ 2.40GHz
Chipset: 00:00.0 Host bridge [0600]: Intel Corporation Xeon E3-1200
v3/4th Gen Core Processor DRAM Controller [8086:0c04] (rev 06)
VGA: 00:02.0 VGA compatible controller [0300]: Intel Corporation 4th
Gen Core Processor Integrated Graphics Controller [8086:0416] (rev 06)

BIOS: E16H2IMS.103
VT-x: Active
VT-d: Active

Sorry.

--
Rudd-O
http://rudd-o.com/

cprise

Jul 31, 2014, 2:36:22 PM
to Manuel Amador (Rudd-O), qubes...@googlegroups.com
Maybe Intel made a typo. I typed HM77 into the search field, and only
this one product came up:
http://ark.intel.com/products/64339/Intel-BD82HM77-PCH
VT-d: No
Trusted Execution Technology: No


JT Croteau

Jul 31, 2014, 2:38:42 PM
to qubes...@googlegroups.com
I too am surprised VT-d works, as I was under the impression only QM87 supported VT-d.  Manuel, what about TPM, does that work as well?  TPM and VT-d are deal breakers for me.  Thanks.






cprise

Jul 31, 2014, 2:38:55 PM
to Manuel Amador (Rudd-O), qubes...@googlegroups.com
Of course, assuming these features were moved into the CPU package for
Haswell, then it wouldn't matter.

Rainier Wolfcastle

Aug 5, 2014, 10:58:27 AM
to qubes...@googlegroups.com

If you go to the Intel ARK website (http://ark.intel.com/) and choose the "Processor Feature Filter" menu from the "ARK Home" dropdown menu in the top left of the page you can filter for mobile processors (Vertical Segment = MBL) that have VT-d (Intel Virtualization Technology for Directed i/o (VT-d) = yes).

paige...@gmail.com

Jan 6, 2015, 3:31:46 PM
to qubes...@googlegroups.com
Something I haven't been able to figure out is whether or not VT-d implies that you can attach the laptop's video adapter to a virtual machine, can someone confirm this?

Eric Shelton

Jan 7, 2015, 6:43:10 PM
to qubes...@googlegroups.com, paige...@gmail.com
Yes, and in fact this is a planned feature for Qubes 3.1, according to http://theinvisiblethings.blogspot.com/2014/11/qubes-r3odyssey-initial-source-code.html  Given how DMA-active GPUs are, and the likelihood of GPU driver exploits, it would be nice to isolate it from the dom0 control domain.

This feature is used outside of Qubes: some Xen, KVM, and VMWare users put a second GPU into their desktop system and do a "GPU passthrough" of the GPU to an HVM.  This enables them to run 3D graphics intensive programs, such as games, in a guest OS, as it has an actual display adapter instead of the emulated VGA adapter.  However, thanks to DMCA-type issues, the PCI passthrough of GPUs turns out to be very difficult, because ATI and NVIDIA have abused PCI config and MMIO spaces in all kinds of undocumented ways (various doorbells and memory mappings) that vary from model to model.  It is a problem that has been tackled over the last few years, but you still have to be selective about the model of GPU you purchase, and most of the work is captured in very recent versions of QEMU, which unfortunately cannot be run in a Xen stub domain at this time (which Qubes relies on to isolate the very exploitable QEMU from dom0), although my guess is that will change with Xen 4.6 (which is likely on a similar schedule as Qubes 3.0).  However, some of NVIDIA's Quadro line of display adapters have guest-friendly drivers (under the label of "GRID Virtualization," which Citrix XenServer works along with); my guess is that one of these could be successfully passed through to a Qubes HVM running Windows, and the Windows driver would work just fine with it.

Another possibility for those with notebooks with combined Intel integrated and NVIDIA adapters (under the Optimus name) might be to use the Intel GPU to drive the display, and assign the NVIDIA adapter to a guest, which could use it for headless 3D rendering.  Essentially, such an idea would work much like the Optimus technology already does (in which the high-speed NVIDIA adapter renders into a buffer displayed by the low-speed Intel adapter), but with a VT-d enforced divide.  The Bumblebee project might illuminate how to coordinate the NVIDIA and Intel adapters.  A related approach might be to assign the NVIDIA adapter to a headless VirtualGL server, although I don't know if VirtualGL ever took off enough that it could really be applied.

One other solution for those pursuing improved guest 3D performance, recently mentioned by someone in qubes-devel, is XenGT, which promises to allow virtualizing certain Intel integrated adapters, and deliver a significant performance improvement.  However, it's not clear that the project will really advance beyond a "tech demo" status.  Even if it does, you're then allowing a guest to interact somewhat directly with the GPU; if a GPU exploit were found, all of the careful work done in Qubes to prevent guests from capturing windows from other guests could be broken down - a problem that would not be solved by moving the GPU into a guest domain.

- Eric

paige...@gmail.com

Jan 7, 2015, 10:53:50 PM
to qubes...@googlegroups.com, paige...@gmail.com
what laptop are you using?

Arqwer

Nov 7, 2015, 2:33:16 PM
to qubes-users
Yandex Market has a very powerful filter by characteristics including CPU code, chipset and many others (https://market.yandex.ru/catalog/54544/filters?hid=91013&exc=1&how=dpop). It is in Russian only and doesn't work correctly under Google Translate, but I don't think that language is such a big problem for a shopping list. All you need is to set ticks next to appropriate CPUs under "код процессора" ("processor code") and click "Показать подходящие" ("Show matching") at the bottom. Hope it will help.
Doesn't the English internet have a web site like that?

Bill Wether

Jan 21, 2016, 2:09:40 PM
to qubes-users


On Tuesday, August 20, 2013 at 6:12:12 PM UTC, Eric Shelton wrote:
VT-d, which provides IOMMU services, is a very important feature for realizing the security promises of Qubes OS.  Without it, although the CPU isolates VMs, their memory lies open to relatively easy DMA-based attacks, with network devices and GPUs being some of the more well-known pieces of hardware for executing such attacks.
<snip>

The other piece - BIOS support:

Even if the hardware supports VT-d, it will not work if not properly enabled by the system BIOS.  Issues include:
- No VT-d support in BIOS.  The BIOS does not configure VT-d at all.  This seems to be rare, at least for Intel systems.
- incorrect ACPI tables.  The BIOS configures VT-d correctly, but incorrectly reports information via ACPI (usually in the DMAR table), which Xen uses to determine what is going on with VT-d.  This seems a little more common than there being no BIOS support.
- VT-d/IOMMU feature must be enabled in BIOS.  Trivial to fix, but overlooked many times.  Go into BIOS config, find the item, and enable it.
 <snip>

- AMD motherboard vendors made a big mess of things.  AMD did a great job pitching IOMMUs some time ago, hardware support is just a matter of the right chipset, and AMD provided BIOS vendors with the code for proper configuration.  However, most of the vendors still fail to enable the hardware correctly and/or have bad ACPI tables (which generally causes Xen to disable the IOMMU).  I have not seen any instance where a vendor has resolved such issues, even for simple and clearly identified ACPI issues.  This issue was prevalent enough to help give rise to Xen Security Advisory 36.  If you still want to use AMD for IOMMU, you have been warned...

I have a Supermicro H8DGi-F mobo with two 8-core Opterons and a TPM.  Initially it had all the troubles you list, but after reflashing the BIOS to 3.5a (September 2015) and disabling SATA/IDE Combined Mode, it works great--IOMMU enabled on both processors and TPM as well.  See
<https://groups.google.com/forum/#!topic/qubes-users/BnQy67kxdrY> .

Cheers

BillW
 

ab0f...@opayq.com

Jul 28, 2016, 4:16:42 AM
to qubes-users
I have an AMD CPU and won't be throwing it away to test and possibly adopt Qubes. Are you trying to say I shouldn't even bother with Qubes since I have an AMD rig?

Andrew David Wong

Jul 28, 2016, 4:39:24 AM
to ab0f...@opayq.com, qubes-users

On 2016-07-28 01:16, ab0f...@opayq.com wrote:
> On Tuesday, 20 August 2013 21:12:12 UTC+3, Eric Shelton wrote:
>> [...] AMD motherboard vendors made a big mess of things. AMD did a great
>> job pitching IOMMUs some time ago, hardware support is just a matter of
>> the right chipset, and AMD provided BIOS vendors with the code for proper
>> configuration. However, most of the vendors still fail to enable the
>> hardware correctly and/or have bad ACPI tables (which generally causes
>> Xen to disable the IOMMU). I have not seen any instance where a vendor
>> has resolved such issues, even for simple and clearly identified ACPI
>> issues. This issue was prevalent enough to help give rise to Xen Security
>> Advisory 36. If you still want to use AMD for IOMMU, you have been
>> warned...
>
> I have an AMD CPU and won't be throwing it away to test and possibly adopt
> Qubes. Are you trying to say I shouldn't even bother with Qubes since I
> have an AMD rig?
>

I don't think that's what he's saying. I think he's just pointing out that it
can be very problematic. It's still worth trying if you have an AMD rig, since
your combination of hardware (CPU, motherboard, etc.) might be compatible.

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org

ab0f...@opayq.com

Jul 28, 2016, 4:43:52 AM
to qubes-users, ab0f...@opayq.com
On Thursday, 28 July 2016 11:39:24 UTC+3, Andrew David Wong wrote:
> I don't think that's what he's saying. I think he's just pointing out that it
> can be very problematic. It's still worth trying if you have an AMD rig, since
> your combination of hardware (CPU, motherboard, etc.) might be compatible.
>
> - --
> Andrew David Wong (Axon)
> Community Manager, Qubes OS
> https://www.qubes-os.org

Thanks for the quick reply! As a complete newb to this level of IT security, how can I tell if Qubes works properly or not? Or will it just fail to install and run properly? Also, I assume 8 GB of RAM won't allow me to run too many VMs in parallel.

Andrew David Wong

Jul 28, 2016, 5:57:43 AM
to ab0f...@opayq.com, qubes-users

On 2016-07-28 01:43, ab0f...@opayq.com wrote:
> On Thursday, 28 July 2016 11:39:24 UTC+3, Andrew David Wong wrote:
>> I don't think that's what he's saying. I think he's just pointing out
>> that it can be very problematic. It's still worth trying if you have an
>> AMD rig, since your combination of hardware (CPU, motherboard, etc.)
>> might be compatible.
>>
>
> Thanks for the quick reply! As a complete newb to this level of IT
> security, how can I tell if Qubes works properly or not?

You can check basic hardware compatibility with the qubes-hcl-report command
after installing, as explained here:

https://www.qubes-os.org/doc/hcl/

> Or will it just fail to install and run properly?

It *may* fail to install and run properly, but it may install successfully even
if you do not have, e.g., IOMMU. If you're missing, e.g., IOMMU, then that
will be reported on the HCL report mentioned above. At that point, you can
read about any missing or unsupported features and decide whether you're
comfortable using Qubes without them.

> Also, I assume 8 GB of RAM won't allow me to run too many VMs in parallel.

8 GB should be fine to run a few VMs. It really depends on your personal usage
habits. Many people use Qubes with 8GB and are happy with it. Others need more.

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org

ab0f...@opayq.com

Jul 28, 2016, 6:02:48 AM
to qubes-users, ab0f...@opayq.com

Will definitely try it soon then! Thanks a lot for your time and patience :)

ni...@kobschaetzki.net

Jul 28, 2016, 7:26:09 AM
to ab0f...@opayq.com, qubes-users
> On July 28, 2016 at 10:43 AM ab0f...@opayq.com wrote:
>
> On Thursday, 28 July 2016 11:39:24 UTC+3, Andrew David Wong wrote:
>
> > I don't think that's what he's saying. I think he's just pointing out that it
> > can be very problematic. It's still worth trying if you have an AMD rig, since
> > your combination of hardware (CPU, motherboard, etc.) might be compatible.
> >
> > * --
> > Andrew David Wong (Axon)
> > Community Manager, Qubes OS
> > https://www.qubes-os.org
>
> Thanks for the quick reply! As a complete newb to this level of IT security, how can I tell if Qubes works properly or not? Or will it just fail to install and run properly? Also, I assume 8 GB of RAM won't allow me to run too many VMs in parallel.

I have 8GB of RAM and have 7 VMs permanently open (sys-net, sys-firewall, untrusted, mail, personal, vault, sync-vault) and use the RAM-eater Chrome. The only problem arises when I use a special USB-VM to get some devices working, which doesn't assign RAM dynamically but statically. Since that VM needs to run Chrome etc., I gave it 4GB of RAM, and then it's getting problematic for running too many of the other VMs.

Niels