On 11/17/2016 08:04 PM, te...@outoftheblue.pl wrote:
> Hi everyone,
> 
> I was about to add my hcl report to wiki when I noticed that for some
> reason it reports IOMMU as enabled, while to my best knowledge it should
> not be supported on my system. As googling didn't help me understand
> what's going on I hope someone here can shed some light on this.
> 
> I have Intel i5-2540 (Sandy Bridge, with VT-d):
> http://ark.intel.com/products/50072/Intel-Core-i5-2540M-Processor-3M-Cache-up-to-3_30-GHz
> and Intel HM65 chipset:
> http://ark.intel.com/products/52808/Intel-BD82HM65-PCH
> which does not support VT-d. 
> According to every resource I was able to find, both (and BIOS) shall
> support it in order for VT-d to be enabled, but my hcl report (attached)
> states:
> IOMMU: "yes",
> which is confirmed (somehow) by:
> xl info | grep virt_caps
> virt_caps: hvm hvm_directio
> as well as:
> xl dmesg reporting:
> (XEN) Intel VT-d iommu 0 supported page sizes: 4kB.
> (XEN) Intel VT-d iommu 1 supported page sizes: 4kB.
> (XEN) Intel VT-d Snoop Control not enabled.
> (XEN) Intel VT-d Dom0 DMA Passthrough not enabled.
> (XEN) Intel VT-d Queued Invaldiation enabled
> (XEN) Intel VT-d Interrupt Remapping enabled.
> (XEN) Intel VT-d Shared EPT tables not enabled.
> (XEN) I/O virtualisation enabled
> ...
> (XEN) VMX: Supported advanced features:
> (XEN)  - APIC MMIO access virtualisation
> (XEN)  - APIC TPR shadow
> (XEN)  - Extended Page Tables (EPT)
> (XEN)  - Virtual-Processor Identifiers (VPID)
> (XEN)  - Virtual NMI
> (XEN)  - MSR direct-access bitmap
> (XEN)  - Unrestricted Guest
> (XEN) HVM: VMX enabled
> 
> It seems as if at least part of VT-d is enabled so shall I trust Intel
> specs or log outputs? Is hcl tool working correctly? 

Well, as you noted, the qubes-hcl-report tool relies on xl info and xl
dmesg output.
If both state that IOMMU is enabled:

> virt_caps: hvm hvm_directio
> (XEN) I/O virtualisation enabled

what else can it say?

If you are 100% sure that this is a false positive, then we should address
this issue for sure.
However I can't see how we can check if IOMMU is really working? Maybe
we can try DMA attack PoC script and try to break out from a netvm for
example?
(of course not as part of the hcl report :)


-- 
Zrubi
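
The cross-check discussed in this message, as an added example that is not part of the original mail and not qubes-hcl-report's own code: it compares what `xl info` and `xl dmesg` say about the IOMMU and lists the individual VT-d feature lines. The function names are hypothetical and the sample input is constructed from the lines quoted above; it shows only what Xen reports.

```bash
#!/usr/bin/env bash
# Added example (not qubes-hcl-report code): cross-check the two Xen sources
# the thread mentions. Function names are hypothetical.

# Constructed sample input: lines copied from the message quoted above.
SAMPLE_XL_INFO='virt_caps: hvm hvm_directio'
SAMPLE_XL_DMESG='(XEN) Intel VT-d Snoop Control not enabled.
(XEN) Intel VT-d Dom0 DMA Passthrough not enabled.
(XEN) Intel VT-d Interrupt Remapping enabled.
(XEN) Intel VT-d Shared EPT tables not enabled.
(XEN) I/O virtualisation enabled'

# Succeeds if the virt_caps line of `xl info` lists hvm_directio.
info_has_directio() {
    printf '%s\n' "$1" | grep -E '^virt_caps[[:space:]]*:' | grep -qw 'hvm_directio'
}

# Succeeds if `xl dmesg` contains Xen's overall "enabled" line.
dmesg_iommu_enabled() {
    printf '%s\n' "$1" | grep -q '^(XEN) I/O virtualisation enabled'
}

# Prints enabled / not enabled / absent for one "Intel VT-d <feature>" line.
vtd_feature() {
    _line=$(printf '%s\n' "$1" | grep -F "(XEN) Intel VT-d $2 " | head -n 1)
    case "$_line" in
        *'not enabled'*) echo 'not enabled' ;;
        *enabled*)       echo 'enabled' ;;
        *)               echo 'absent' ;;
    esac
}

# Prints yes / no when both sources agree, "inconsistent" otherwise.
iommu_verdict() {
    if info_has_directio "$1"; then _a=yes; else _a=no; fi
    if dmesg_iommu_enabled "$2"; then _b=yes; else _b=no; fi
    if [ "$_a" = "$_b" ]; then echo "$_a"; else echo 'inconsistent'; fi
}

echo "IOMMU (xl info vs xl dmesg): $(iommu_verdict "$SAMPLE_XL_INFO" "$SAMPLE_XL_DMESG")"
for f in 'Interrupt Remapping' 'Snoop Control' 'Dom0 DMA Passthrough' 'Shared EPT tables'; do
    echo "  $f: $(vtd_feature "$SAMPLE_XL_DMESG" "$f")"
done
```

On a live system the two sample variables would be replaced with the captured output of `xl info` and `xl dmesg`.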
