From: Thierry Laurion
Subject: Re: Lenovo X200 IOMMU support through Xen 4.6 iommu=no-igfx switch
Date: Sun, 28 Feb 2016 19:03:23 +0000
To: Jan Beulich
Cc: xen-devel@lists.xen.org
References: <568D342602000078000C3FCE@prv-mh.provo.novell.com>

The problem wasn't with xen iommu support but kms/drm and i915 driver.

Passing to the kernel i915.preliminary_hw_support=1 fixes it all :)

Thanks

On Wed, 6 Jan 2016 at 22:11, Thierry Laurion <thierry.laurion@gmail.com> wrote:

> Nope. That commit is present in 4.6 and results in x200 being able to boot
> xen.
>
> Not having that option makes xen hang at boot.
>
> If present, it works until other vm access pass-through devices, which I'm
> not able to troubleshoot even through amt SOL.
>
> See here for debug logs:
> https://groups.google.com/forum/m/#!topic/qubes-users/bHQHjXqinaU
>
> On Wed, 6 Jan 2016 at 09:35, Jan Beulich <JBeulich@suse.com> wrote:
>
>> >>> On 22.12.15 at 19:04, <thierry.laurion@gmail.com> wrote:
>> > iommu=no-igfx is a gamechanger for Qubes support through 3.1 RC1 release,
>> > thanks to Xen 4.6 :)
>> >
>> > The Lenovo X200 supports vt-x, vt-d and TPM as reported and required by
>> > Qubes in the HCL attached to this e-mail. The problem is that when Qubes
>> > launches its netvm which uses IOMMU to talk to its network card, it
>> > freezes the whole system up. Even when specifying sync_console, I don't get
>> > much more verbosity. I ordered a PCMCIA to serial adapter which will be
>> > shipped to my door late January... Meanwhile, booting with iommu=0 makes
>> > things work, but a potential hardware component being compromised has
>> > chances to compromise the whole system since compartmentalization is not
>> > guaranteed without IOMMU (vt-d).
>> >
>> > A little more love is needed from xen to make that laptop line supported by
>> > Qubes and a nice alternative to the costly Librem currently promoted by
>> > Qubes-Purism
>> > partnership
>>
>> Is all of the above and below a quite complicated way of expressing
>> that you'd like to see commit 146341187a backported to 4.6.x?
>>
>> Jan
>>
>> > <http://arstechnica.com/gadgets/2015/12/qubes-os-will-ship-pre-installed-on-purisms-security-focused-librem-13-laptop/> which
>> > suggests that the laptop will be Respect Your Freedom compliant in the
>> > future with Intel participation in removing ME and AMT
>> > <http://libreboot.org/faq/#intelme>, which is not guaranteed at all.
>> > <http://www.phoronix.com/scan.php?page=news_item&px=Purism-Librem-Still-Blobbed>
>> > If Xen 4.6 can cooperate with Penryn GM45 chipset, it's all MiniFree laptops
>> > <http://minifree.org/product-category/laptops/> (and Libreboot support of
>> > those <http://libreboot.org/docs/hcl/x200.html>) that will be potential
>> > candidates!
>> > Please share the love so that the community has a cheap alternative.
>> >
>> > Requirements to replicate bug:
>> > Model: X200 745434U with p8700 CPU running 1067a microcode (important),
>> > upgradable to 8 GB
>> > BIOS: Lenovo 3.22/1.07 (latest from 2013
>> > <http://support.lenovo.com/ca/en/downloads/ds015007>)
>> > Network card supports FLReset+ as requested here
>> > <http://wiki.xen.org/wiki/VTd_HowTo>.
>> > Bios settings: vt-d and vt-x need to be enforced.
>> > Xen command line option required
>> > <http://www.gossamer-threads.com/lists/xen/devel/393647> to boot:
>> > iommu=no-igfx
>> >
>> > Here is the current debug trace/status on Qubes side of things
>> > <https://groups.google.com/forum/#!topic/qubes-users/bHQHjXqinaU>.
>> > If you have any hint, please contribute :)
>> >
>> > Help me say happy new years to all security conscious people out there :)
>> >
>> > Merry Christmas all,
>> > Thierry Laurion
>> >
>> > --
>> > Thierry Laurion