On 11/17/2016 08:04 PM, te...@outoftheblue.pl wrote:
> Hi everyone,
>
> I was about to add my hcl report to wiki when I noticed that for some
> reason it reports IOMMU as enabled, while to my best knowledge it should
> not be supported on my system. As googling didn't help me understand
> what's going on I hope someone here can shed some light on this.
>
> I have Intel i5-2540 (Sandy Bridge, with VT-d):
> http://ark.intel.com/products/50072/Intel-Core-i5-2540M-Processor-3M-Cache-up-to-3_30-GHz
> and Intel HM65 chipset:
> http://ark.intel.com/products/52808/Intel-BD82HM65-PCH)
> which does not support VT-d.
> According to every resource I was able to find, both (and BIOS) shall
> support it in order for VT-d to be enabled, but my hcl report (attached)
> states:
> IOMMU: "yes",
> which is confirmed (somehow) by:
> xl info | grep virt_caps
> virt_caps: hvm hvm_directio
> as well as:
> xl dmesg reporting:
> (XEN) Intel VT-d iommu 0 supported page sizes: 4kB.
> (XEN) Intel VT-d iommu 1 supported page sizes: 4kB.
> (XEN) Intel VT-d Snoop Control not enabled.
> (XEN) Intel VT-d Dom0 DMA Passthrough not enabled.
> (XEN) Intel VT-d Queued Invaldiation enabled
> (XEN) Intel VT-d Interrupt Remapping enabled.
> (XEN) Intel VT-d Shared EPT tables not enabled.
> (XEN) I/O virtualisation enabled
> ...
> (XEN) VMX: Supported advanced features:
> (XEN) - APIC MMIO access virtualisation
> (XEN) - APIC TPR shadow
> (XEN) - Extended Page Tables (EPT)
> (XEN) - Virtual-Processor Identifiers (VPID)
> (XEN) - Virtual NMI
> (XEN) - MSR direct-access bitmap
> (XEN) - Unrestricted Guest
> (XEN) HVM: VMX enabled
>
> It seems as if at least part of VT-d is enabled so shall I trust Intel
> specs or log outputs? Is hcl tool working correctly?

Well, as you noted, the qubes-hcl-report tool relies on xl info and xl dmesg output. If both state that IOMMU is enabled:

> virt_caps: hvm hvm_directio
> (XEN) I/O virtualisation enabled

what else can it say?

If you are 100% sure that this is a false positive, then we should address this issue for sure. However I can't see how we can check if IOMMU is really working?

Maybe we can try a DMA attack PoC script and try to break out from a netvm for example? (of course not as part of the hcl report :)

--
Zrubi
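An added example (not part of the thread and not qubes-hcl-report's own code): the two sources named in the thread, `xl info` and `xl dmesg`, parsed side by side so that a disagreement between them becomes visible. The sample input is constructed from the lines quoted above and the function names are hypothetical; the script only reports what Xen logs, not whether DMA isolation is effective.

```bash
#!/bin/bash
# Added example; function names are hypothetical, sample input is constructed
# from the lines quoted in the thread.
SAMPLE_INFO='virt_caps              : hvm hvm_directio'
SAMPLE_DMESG='(XEN) Intel VT-d iommu 0 supported page sizes: 4kB.
(XEN) Intel VT-d Snoop Control not enabled.
(XEN) Intel VT-d Dom0 DMA Passthrough not enabled.
(XEN) Intel VT-d Queued Invaldiation enabled
(XEN) Intel VT-d Interrupt Remapping enabled.
(XEN) Intel VT-d Shared EPT tables not enabled.
(XEN) I/O virtualisation enabled'

# vtd_features DMESG: print "<feature>=on|off" for each VT-d feature line.
# "not enabled" is tried first so it is never mistaken for "enabled".
vtd_features() {
    printf '%s\n' "$1" | sed -nE \
        -e 's/^\(XEN\) Intel VT-d (.*) not enabled\.?$/\1=off/p' -e 't' \
        -e 's/^\(XEN\) Intel VT-d (.*) enabled\.?$/\1=on/p'
}

# iommu_verdict INFO DMESG: print yes, no, or mismatch.
#   INFO  = xl info output  (looks for hvm_directio in virt_caps)
#   DMESG = xl dmesg output (looks for "I/O virtualisation enabled")
iommu_verdict() {
    local caps=no log=no
    if printf '%s\n' "$1" | grep -Eq \
        '^virt_caps[[:space:]]*:(.*[[:space:]])?hvm_directio([[:space:]]|$)'; then
        caps=yes
    fi
    if printf '%s\n' "$2" | grep -Eq '^\(XEN\) I/O virtualisation enabled'; then
        log=yes
    fi
    # The two sources must agree; anything else deserves a closer look.
    if [ "$caps" = "$log" ]; then echo "$caps"; else echo mismatch; fi
}

# On a live dom0: iommu_verdict "$(xl info)" "$(xl dmesg)"
echo "IOMMU: $(iommu_verdict "$SAMPLE_INFO" "$SAMPLE_DMESG")"
vtd_features "$SAMPLE_DMESG"
```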