Re: [qubes-users] Re: X470 and IOMMU Groups...

2018-08-16 Thread taii...@gmx.com
On 08/16/2018 10:18 AM, FaB wrote:
>>> Hi, Taiidan! The OP seemed to recognize it was ideal to have devices in
>>> separate IOMMU groups, so I assumed he was familiar with the warnings in
>>> https://www.qubes-os.org/doc/assigning-devices/#pci-passthrough-issues and
>>> just wondering if it was technically possible.
> 
> I am fully aware of the security problematics of PCI passthrough, but until
> there is a secure solution to passthrough GFX to a VM (Qubes 4.1 I hope !)
> I am going to continue this way and accept the security decline.

There won't really be.

The issue mainly comes from:

* Hostile firmware re-writes.
* Lack of FLR on most graphics devices.
* The additional complexity of IOMMU-GFX assignment vs regular IOMMU
assigned devices like a network device or HBA.

It isn't that bad if you only assign a single card to a single VM and if
you need it you need it.

Practical reality is that short of being Assange or some other very high
profile person no one is going to waste such a high tech exploit on you
when there are much easier ways to go about things.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/d956988e-d697-3585-0468-adfa912f6c19%40gmx.com.
For more options, visit https://groups.google.com/d/optout.
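
The two things this thread keeps returning to, which devices share an IOMMU group (the "group 13" question) and which devices lack FLR, can both be read from sysfs. The script below is an added example, not something posted by anyone in the thread. It assumes a plain Linux boot (for example a live USB) with the IOMMU enabled, where /sys/kernel/iommu_groups is populated, and a kernel new enough (5.15+) to expose each device's reset_method file; the function names are illustrative.

```shell
#!/bin/sh
# Added example (not from the thread). Prints one line per PCI device:
#   <iommu-group> <BDF> <class> <reset-methods|none> [SHARED]
# SHARED = the group holds more than one non-bridge device, so those
# devices cannot be isolated from each other by the IOMMU.
# Usage: iommu_report             (reads /sys)
#        iommu_report /some/root  (alternate sysfs root, used for testing)

# PCI-to-PCI bridges have class 0x0604xx and are not assignment targets.
is_bridge() { case "$1" in 0x0604*) return 0 ;; *) return 1 ;; esac; }

iommu_report() {
    root="${1:-/sys}"
    for grp in "$root"/kernel/iommu_groups/*; do
        [ -d "$grp/devices" ] || continue
        # First pass: count the non-bridge devices in this group.
        endpoints=0
        for dev in "$grp"/devices/*; do
            [ -r "$dev/class" ] || continue
            is_bridge "$(cat "$dev/class")" || endpoints=$((endpoints + 1))
        done
        # Second pass: report each device with its available reset methods.
        for dev in "$grp"/devices/*; do
            [ -r "$dev/class" ] || continue
            class="$(cat "$dev/class")"
            # reset_method lists usable resets, e.g. "flr bus". On kernels
            # without this file the column reads "none" (assumption above).
            if [ -s "$dev/reset_method" ]; then
                resets="$(tr ' ' ',' < "$dev/reset_method")"
            else
                resets="none"
            fi
            flag=""
            if ! is_bridge "$class" && [ "$endpoints" -gt 1 ]; then
                flag=" SHARED"
            fi
            echo "${grp##*/} ${dev##*/} $class $resets$flag"
        done
    done
}
```

A device whose reset column does not include `flr`, or that is marked SHARED, is one to look at before assigning it to a VM.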




Re: [qubes-users] Re: X470 and IOMMU Groups...

2018-08-16 Thread taii...@gmx.com
On 08/16/2018 07:47 AM, Marcus Linsner wrote:
>>
>> I've observed that Qubes installation rarely ever succeeds on X370 
>> motherboards so I believe the same case applies to X470 motherboards with a 
>> higher chance of failure since it is newer. The reason for this I believe is 
>> because these high-end gaming motherboards have a lot of functionalities/bugs 
>> that break/interfere with Qubes installation which is an awful letdown.
> 
> I've had no issues installing Qubes R4.0 several times (for fun) on Asus PRIME 
> X370-A motherboard. 
> 
> As an aside, this motherboard even has a setting to use Z370's Trusted 
> Platform Module (TPM) [1] - BIOS setting "Firmware-based Trusted Platform 
> Module (fTPM)", so I assume that I can set up Anti Evil Maid in Qubes but 
> haven't tried yet. 
> 
> [1] shown as Intel® Platform Trust Technology (Intel® PTT) [2] in this link: 
> https://www.intel.com/content/www/us/en/products/chipsets/desktop-chipsets/z370.html
> [2] PTT to TPM mapped in this link: 
> https://www.intel.com/content/www/us/en/support/articles/07452/mini-pcs.html
> 

fTPM is an ME application - it is fake security and usually won't work
with anything that wants a real TPM.

I of course always recommend purchasing a device with no black box
supervisor processors like ME/PSP.



Re: [qubes-users] Re: X470 and IOMMU Groups...

2018-08-16 Thread FaB
>> Hi, Taiidan! The OP seemed to recognize it was ideal to have devices in
>> separate IOMMU groups, so I assumed he was familiar with the warnings in
>> https://www.qubes-os.org/doc/assigning-devices/#pci-passthrough-issues and
>> just wondering if it was technically possible.

I am fully aware of the security problematics of PCI passthrough, but until
there is a secure solution to passthrough GFX to a VM (Qubes 4.1 I hope !)
I am going to continue this way and accept the security decline.

On Thursday, August 16, 2018 at 1:47:15 PM UTC+2, Marcus Linsner wrote:
> >
> > I've observed that Qubes installation rarely ever succeeds on X370
> > motherboards so I believe the same case applies to X470 motherboards with a
> > higher chance of failure since it is newer. The reason for this I believe
> > is because these high-end gaming motherboards have a lot of
> > functionalities/bugs that break/interfere with Qubes installation which is
> > an awful letdown.
>
> I've had no issues installing Qubes R4.0 several times (for fun) on Asus
> PRIME X370-A motherboard.
My bad: I just realized you were talking about X370 not Z370, and I've
typoed Z370-A above

Qubes 4.0 installs great on X470 Taichi Ultimate (Compatibility Support
Module mode, didn't try true UEFI) and R7 2700 ! GFX passthrough of AMD
5850 in Windows 10 Guest on xl instructions works too. I continue the
testing before posting a complete HCL of the platform. Some error messages
to sort out.

Thanks for the help :)




[qubes-users] Re: X470 and IOMMU Groups...

2018-08-16 Thread Marcus Linsner
On Thursday, August 16, 2018 at 1:47:15 PM UTC+2, Marcus Linsner wrote:
> > 
> > I've observed that Qubes installation rarely ever succeeds on X370 
> > motherboards so I believe the same case applies to X470 motherboards with a 
> > higher chance of failure since it is newer. The reason for this I believe 
> > is because these high-end gaming motherboards have a lot of 
> > functionalities/bugs that break/interfere with Qubes installation which is 
> > an awful letdown.
> 
> I've had no issues installing Qubes R4.0 several times (for fun) on Asus PRIME 
> X370-A motherboard. 
My bad: I just realized you were talking about X370 not Z370, and I've typoed 
Z370-A above



[qubes-users] Re: X470 and IOMMU Groups...

2018-08-16 Thread Marcus Linsner
> 
> I've observed that Qubes installation rarely ever succeeds on X370 
> motherboards so I believe the same case applies to X470 motherboards with a 
> higher chance of failure since it is newer. The reason for this I believe is 
> because these high-end gaming motherboards have a lot of functionalities/bugs 
> that break/interfere with Qubes installation which is an awful letdown.

I've had no issues installing Qubes R4.0 several times (for fun) on Asus PRIME 
X370-A motherboard. 

As an aside, this motherboard even has a setting to use Z370's Trusted Platform 
Module (TPM) [1] - BIOS setting "Firmware-based Trusted Platform Module 
(fTPM)", so I assume that I can set up Anti Evil Maid in Qubes but haven't 
tried yet. 

[1] shown as Intel® Platform Trust Technology (Intel® PTT) [2] in this link: 
https://www.intel.com/content/www/us/en/products/chipsets/desktop-chipsets/z370.html
[2] PTT to TPM mapped in this link: 
https://www.intel.com/content/www/us/en/support/articles/07452/mini-pcs.html



[qubes-users] Re: X470 and IOMMU Groups...

2018-08-13 Thread Sphere
On Thursday, August 9, 2018 at 1:30:49 AM UTC+8, 3mp...@gmail.com wrote:
> Hi everyone,
> 
> actually I'm a happy Qubes 3.2 user on Intel platform for more than a year 
> now !
> 
> I'm looking to upgrade my actual Skylake build with an AMD one with the new 
> Ryzen Pinnacle Ridge CPU (R7 2700) and installing Qubes 4.0 on the same 
> occasion. The Asrock X470 Taichi seems a really nice motherboard for it.
> 
> I've found the IOMMU Groups of this motherboard on reddit : 
> https://www.reddit.com/r/VFIO/comments/8i8yqq/iommu_groups_for_asrock_taichi_x470/
> 
> and it seems there's a big group 13 with LAN, USB and SATA controllers. I 
> wonder if the netVM and USB VM will actually be able to passthrough these 
> controllers if they are in the same IOMMU Group ?
> 
> Any Ryzen / Qubes users can confirm this works OK or this is a no go ?
> 
> Thanks for your help !

I've observed that Qubes installation rarely ever succeeds on X370 motherboards 
so I believe the same case applies to X470 motherboards with a higher chance of 
failure since it is newer. The reason for this I believe is because these 
high-end gaming motherboards have a lot of functionalities/bugs that 
break/interfere with Qubes installation which is an awful letdown.

So while that mobo having separate IOMMU groups is a plus, it doesn't matter 
much when you're still in the installation phase of Qubes (Which is the real 
hard phase to overcome when it comes to Qubes).



[qubes-users] Re: X470 and IOMMU Groups...

2018-08-13 Thread Sphere
On Thursday, August 9, 2018 at 1:30:49 AM UTC+8, 3mp...@gmail.com wrote:
> Hi everyone,
> 
> actually I'm a happy Qubes 3.2 user on Intel platform for more than a year 
> now !
> 
> I'm looking to upgrade my actual Skylake build with an AMD one with the new 
> Ryzen Pinnacle Ridge CPU (R7 2700) and installing Qubes 4.0 on the same 
> occasion. The Asrock X470 Taichi seems a really nice motherboard for it.
> 
> I've found the IOMMU Groups of this motherboard on reddit : 
> https://www.reddit.com/r/VFIO/comments/8i8yqq/iommu_groups_for_asrock_taichi_x470/
> 
> and it seems there's a big group 13 with LAN, USB and SATA controllers. I 
> wonder if the netVM and USB VM will actually be able to passthrough these 
> controllers if they are in the same IOMMU Group ?
> 
> Any Ryzen / Qubes users can confirm this works OK or this is a no go ?
> 
> Thanks for your help !

On a side note, I wanna ask
Do you play games/tried playing games on that Qubes 3.2 installation of yours 
by any chance?
