HCL - Lenovo T430S - VT-d Problems

282 views
Skip to first unread message

Ethan Lewis

unread,
Dec 11, 2014, 10:38:05 AM12/11/14
to qubes...@googlegroups.com
Hi there, I'm new to this forum and pretty new to Qubes in general. I've wasted a lot of time trying to get it to work with problematic hardware (dell Precision workstation with a Broadcom BCM5761 NIC), and then trying to get it to dual-boot with windows 8.1. Not counting those side issues, Qubes has been pretty easy to install. Basic functionalities seem very good, only thing I've noticed so far is the Fn keys don't work, except for the keyboard illumination. Here's the HCL report:

Qubes release 2 (R2)
Model Name:    LENOVO 2349NL5
Kernel:        3.12.23-1
Xen:        4.1.6.1

RAM:        7854 Mb

CPU:        Intel(R) Core(TM) i5-3320M CPU @ 2.60GHz
Chipset:    00:00.0 Host bridge [0600]: Intel Corporation 3rd Gen Core processor DRAM Controller [8086:0154] (rev 09)
VGA:        00:02.0 VGA compatible controller [0300]: Intel Corporation 3rd Gen Core processor Graphics Controller [8086:0166] (rev 09)

HDD:        WDC WD5000LPVX-2 Rev: 01.0
        DVDRAM GT80N     Rev: LT20

BIOS:        G1ET92WW (2.52 )
VT-x:        Active
VT-d:        Not Active

So there you have it, the fly in the ointment. VT-d isn't active. I enabled it in BIOS before installing qubes and double checked after running the HCL report, it still says "enabled". I'm not really sure what else to try, is there something to do at the OS level to enable it?

Thanks,

Ethan

Ethan Lewis

unread,
Dec 11, 2014, 10:40:06 AM12/11/14
to qubes...@googlegroups.com
Okay, slight revision, I guess this is a T430 not a T430S. Don't know how big a difference that makes (if any)

Ethan Lewis

unread,
Dec 11, 2014, 11:11:55 AM12/11/14
to qubes...@googlegroups.com
Found the solution. Alex nailed it:

Summary: disable VT-d in bios, save, reboot, shutdown, enable VT-d, save, reboot, voila.

https://groups.google.com/forum/#!topic/qubes-devel/LSVluAZ9Udo/discussion




On Thursday, December 11, 2014 9:38:05 AM UTC-6, Ethan Lewis wrote:

Hakisho Nukama

unread,
Dec 11, 2014, 11:12:10 AM12/11/14
to Ethan Lewis, qubes...@googlegroups.com
On Thu, Dec 11, 2014 at 3:40 PM, Ethan Lewis <ethan....@gmail.com> wrote:
> Okay, slight revision, I guess this is a T430 not a T430S. Don't know how
> big a difference that makes (if any)

Please append your posts in mailinglists on the bottom. Thanks
Hi, thanks for your report.

Can you also test TPM module?
What are the settings under
Security Chip - Intel TXT

https://groups.google.com/d/msg/qubes-devel/LSVluAZ9Udo/Fl3jmt4tWssJ
Maybe cprise and others with T430 can chime in.

Ethan Lewis

unread,
Dec 11, 2014, 11:34:10 AM12/11/14
to qubes...@googlegroups.com, ethan....@gmail.com

My apologies for top-posting. I wasn't paying attention.

TPM and TXT aren't enabled currently - will it break things if I just flip it on? I'd be glad to test it out and post the results, I've broken like 7 qubes installs so far so what's one more?

Ethan Lewis

unread,
Dec 11, 2014, 12:10:32 PM12/11/14
to qubes...@googlegroups.com, ethan....@gmail.com

BIOS says the Security chip is active, to be honest I don't know what that means in practical terms. I enabled TXT and rebooted and Qubes seems to be unharmed as far as I can tell. How do I go about verifying that TXT is functioning?

Hakisho Nukama

unread,
Dec 11, 2014, 12:16:02 PM12/11/14
to Ethan Lewis, qubes...@googlegroups.com
It shouldn't break thinks. But try it out.
And thanks for testing and reporting. :)

From the README:
http://git.qubes-os.org/?p=qubes-r2/antievilmaid.git;a=blob;f=README

Start the TCG Core Services Daemon:
[dom0]$ sudo systemctl start tcsd

If no service is recognized, install it (dependencies for AEM):
[dom0]$ sudo qubes.dom0-update tboot tpm-tools
For testing try it without AEM, otherwise:
[dom0]$ sudo qubes.dom0-update anti-evil-maid

Report the status of this daemon:
[dom0]$ sudo systemctl status tcsd

or
Display the output from the Platform Configuration Registers:
[dom0]$ find /sys/devices -name pcrs
[dom0]$ cat <path_to_pcrs>


or
Look into the logs:
[dom0]$ sudo journalctl -xn
and report lines with tcsd like this one:

$DATE dom0 tcsd[1234]: TCSD TDDL[1234]: TrouSerS ERROR: Could not find
a device to open!
$DATE dom0 systemd[1]: tcsd.service: control process exited,
code=exited status=137
$DATE dom0 systemd[1]: Failed to start TCG Core Services Daemon.
$DATE dom0 systemd[1]: Unit tcsd.service entered failed state.


It would be nice to pipe (>) the output into a file and attach these files
for Zrubi.
https://groups.google.com/d/msg/qubes-users/_fV28sDRlLU/n2FnZBLzTKAJ
He is going to implement this in the qubes-hcl-report.

[dom0]$ sudo systemctl status tcsd > tcsd-service.txt
[dom0]$ cat `find /sys/devices -name pcrs` > pcrs.txt

Then copy them from dom0 to your destinationvm:
https://wiki.qubes-os.org/wiki/CopyToDomZero

Best Regards,
Hakisho Nukama

Ethan Lewis

unread,
Dec 11, 2014, 1:17:21 PM12/11/14
to qubes...@googlegroups.com, ethan....@gmail.com

Here is the tcsd status. I don't quite know how to interpret the results, but it looks like something is running but I see the error "inappropriate ioctl for device".

I have not installed AEM yet, that's on to-do list but I'm trying to better understand all the moving parts involved.
tcsd-service.txt

Hakisho Nukama

unread,
Dec 11, 2014, 1:39:31 PM12/11/14
to Ethan Lewis, qubes...@googlegroups.com
Ah, this is different, to no TPM-Module installed.

Can you also try this:
[dom0]$ sudo tpm_version

Best Regards.
Hakisho Nukama

Ethan Lewis

unread,
Dec 11, 2014, 2:05:50 PM12/11/14
to qubes...@googlegroups.com, ethan....@gmail.com

 sudo: tpm_version: command not found

Am I correct in understanding that the security chip referenced in BIOS is the Intel vPro chip and not a TPM module? Is that the difference between T430 and T430S? Once again, I apologize if I'm not using these terms correctly. Most of my experience really fiddling around with this stuff has been with much older hardware that doesn't have most of these features, so learning about Qubes has meant a lot of learning on my side; it can be particularly confusing how vendors name things.

cprise

unread,
Dec 11, 2014, 2:17:29 PM12/11/14
to Ethan Lewis, qubes...@googlegroups.com
You would need to install tpm-tools:
$ sudo qubes-dom0-update tpm-tools


Am I correct in understanding that the security chip referenced in BIOS is the Intel vPro chip and not a TPM module? Is that the difference between T430 and T430S? Once again, I apologize if I'm not using these terms correctly. Most of my experience really fiddling around with this stuff has been with much older hardware that doesn't have most of these features, so learning about Qubes has meant a lot of learning on my side; it can be particularly confusing how vendors name things.
--

No, I believe "security chip" refers to the TPM. You need to have it enabled in order to use the TPM.

Hakisho Nukama

unread,
Dec 11, 2014, 2:27:08 PM12/11/14
to cprise, Ethan Lewis, qubes...@googlegroups.com
>> >> [dom0]$ sudo qubes-dom0-update tboot tpm-tools
>> >> For testing try it without AEM, otherwise:
>> >> [dom0]$ sudo qubes-dom0-update anti-evil-maid
Yes, security chip is the TPM.

Currently I have no module installed and following gives me:
[dom0]$ sudo modprobe tpm_tis force=1 interrupts=0
[dom0]$ dmesg

tpm_tis: 1.2 TPM (device-id 0xFFFF, rev-id 255)
tpm_tis: tpm_transmit: tpm_send: error -5
tpm_tis: A TPM error (-5) occurred attempting to determine the timeouts
tpm_tis: tpm_transmit: tpm_send: error -5
tom_tis: Could not get TPM timeouts and durations


Sorry for the typo in qubes.dom0-update -> qubes-dom0-update.

Best Regards,
Hakisho Nukama
Reply all
Reply to author
Forward
0 new messages