I'm not a Xen expert, so don't flog me too harshly, and I did search the posts for this subject, but couldn't find it.

There is a painfully well-known problem of having to "trust" Intel to properly implement their "Intel Management Engine". Only very recently has there been a hardware solution to fixing that problem on more recent chipsets; however, I have not heard much from the Qubes community on this point.

Reference: http://hackaday.com/2016/11/28/neutralizing-intels-management-engine/

Xen is capable of booting a VM with its own BIOS. Why would it not be possible, for extreme privacy cases, to Xen virtualize Qubes (nested VMs) such that IME does not matter, as IME would only affect Xen on the hardware, not the VM with the open source BIOS which is running Qubes?

Reference: https://wiki.xenproject.org/wiki/Hvmloader

I realize this is hardly efficient, but, if it would work, it would eliminate having to "trust" Intel.

...or, what, would the Intel hardware still be able to peek into the hardware, even though the hardware, the Xen VM with Qubes in it, and the Qubes VMs are all running VT-x and VT-d?

Thanks,
John E. Mayorga
