On 11/26/2016 07:14 PM, [email protected] wrote:
> On Thu, 24 Nov 2016 09:33:23 +0100
> Zrubi <[email protected]> wrote:
>
>> Well, as you noted the qubes-hcl-report tool relies on xl info, and xl
>> dmesg output.
>>
>> If both state that IOMMU is enabled:
>> virt_caps: hvm hvm_directio
>> (XEN) I/O virtualisation enabled
>>
>> what else can it say?
>>
>> If you are 100% sure that this is a false positive, then we should address
>> this issue for sure.
>>
>> However I can't see how we can check if IOMMU is really working? Maybe
>> we can try a DMA attack PoC script and try to break out from a netvm for
>> example?
>> (of course not as part of the hcl report :)
>
> Thanks for your reply. After reading it I realized that I should
> probably ask at Xen devel mailing list. I am not 100% sure, but the
> specs about my HW say so (and I am 100% sure about what HW I have).
> Anyway, I like the idea of DMA PoC attack. Sounds like a definitive
> measure of VT-d separation. Are there any PoCs publicly available?
>
> Regards,
> tezeb

One of the side problems is that interrupt remapping support (or the
lack of it) is not mentioned at all in HCL reports/tests and not
mentioned to the average user who doesn't understand Intel's weird
marketing speak [1]; even some newer devices where the chipset
theoretically supports it have it not activated for whatever reason.

[1] Intel says "VT-d" instead of IOMMU, to make it seem like they are
the only ones with the technology, and they fail to mention what version
of it the chips feature (newer versions have better performance and the
first few versions lack interrupt remapping which sucks and entirely
breaks their shitty TXT/TPM technologies - Intel's reply to support
message "buy a new computer")
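
The check discussed in this thread, as an added example that is not part of the original messages or of qubes-hcl-report: shell functions that read the text of `xl info` and `xl dmesg`, evaluate the two IOMMU indicators quoted above, and also report interrupt remapping, which the last message notes is missing from HCL reports. The function names, the constructed sample inputs and the `Intel VT-d Interrupt Remapping` message wording are assumptions; a verdict of `reported` only means Xen says the IOMMU is on.

```shell
#!/bin/sh
# Added example (not from qubes-hcl-report). Classifies what Xen *reports*
# about the IOMMU; it does not prove DMA isolation actually works.

# has_directio <xl-info-text>: true if virt_caps lists hvm_directio.
has_directio() {
    printf '%s\n' "$1" | grep -Eq '^virt_caps[[:space:]]*:.*hvm_directio'
}

# iommu_enabled_msg <xl-dmesg-text>: true on the boot line quoted in the thread.
iommu_enabled_msg() {
    printf '%s\n' "$1" | grep -Fq '(XEN) I/O virtualisation enabled'
}

# intremap_state <xl-dmesg-text>: prints enabled | disabled | unknown.
# Assumption: the Intel VT-d message wording; anything else yields "unknown".
intremap_state() {
    line=$(printf '%s\n' "$1" | grep -F 'Intel VT-d Interrupt Remapping' | tail -n 1) || true
    case "$line" in
        *'not enabled'*) echo disabled ;;
        *enabled*)       echo enabled ;;
        *)               echo unknown ;;
    esac
}

# hcl_iommu_verdict <xl-info-text> <xl-dmesg-text>
hcl_iommu_verdict() {
    if has_directio "$1" && iommu_enabled_msg "$2"; then
        iommu=reported        # both sources agree
    elif has_directio "$1" || iommu_enabled_msg "$2"; then
        iommu=inconsistent    # sources disagree: investigate
    else
        iommu=absent
    fi
    echo "iommu=$iommu intremap=$(intremap_state "$2")"
}

# Constructed sample inputs (not captured from a real machine).
SAMPLE_INFO='virt_caps              : hvm hvm_directio'
SAMPLE_DMESG_OLD='(XEN) Intel VT-d Interrupt Remapping not enabled.
(XEN) I/O virtualisation enabled'
SAMPLE_DMESG_NEW='(XEN) Intel VT-d Interrupt Remapping enabled.
(XEN) I/O virtualisation enabled'

# On a real dom0: hcl_iommu_verdict "$(xl info)" "$(xl dmesg)"
hcl_iommu_verdict "$SAMPLE_INFO" "$SAMPLE_DMESG_OLD"
```

An `intremap=unknown` result means the expected message was not found in the log, not that interrupt remapping is off.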