Hi all,
iommu=no-igfx is a gamechanger for Qubes support through 3.1 RC1 release,
thanks to Xen 4.6 :)
The Lenovo X200 supports vt-x, vt-d and TPM as reported and required by
Qubes in the HCL attached to this e-mail. The problem is that when Qubes
launches its netvm which uses IOMMU to talk to its network card, it
freezes the whole system up. Even when specifying sync_console, I don't get
much more verbosity. I ordered a PCMCIA to serial adapter which will be
shipped to my door late January... Meanwhile, booting with iommu=0 makes
things work, but a potential hardware component being compromised has
chances to compromise the whole system since compartmentalization is not
guaranteed without IOMMU (vt-d).
A little more love is needed from Xen to make that laptop line supported by
Qubes and a nice alternative to the costly Librem currently promoted by
the Qubes-Purism partnership, which suggests that the laptop will be
Respect Your Freedom compliant in the future with Intel participation in
removing ME and AMT, which is not guaranteed at all.
If Xen 4.6 can cooperate with Penryn GM45 chipset, it's all MiniFree laptops
(and Libreboot support of those) that will be potential candidates!
Please share the love so that the community has a cheap alternative.
Requirements to replicate bug:
Model: X200 745434U with p8700 CPU running 1067a microcode (important),
upgradable to 8 GB
BIOS: Lenovo 3.22/1.07 (latest from 2013)
Network card supports FLReset+ as requested here.
BIOS settings: vt-d and vt-x need to be enforced.
Xen command line option required to boot: iommu=no-igfx
Here is the current debug trace/status on Qubes side of things.
If you have any hint, please contribute :)
Help me say Happy New Year to all security-conscious people out there :)
Merry Christmas all,
Thierry Laurion
--
Thierry Laurion