Hi all, iommu=no-igfx is a gamechanger for Qubes support through 3.1 RC1 release, thanks to Xen 4.6 :)
The Lenovo X200 supports vt-x, vt-d and TPM as reported and required by Qubes in the HCL attached to this e-mail. The problem is that when Qubes launches it's netvm which uses IOMMU to talk to it's network card, it freezes the whole system up. Even when specifying sync_console, I don't get much more verbosity. I ordered a PCMCIA to serial adapter which will be shipped to my door late January... Meanwhile, booting with iommu=0 makes things work, but a potential hardware component being compromised has chances to compromise the whole system since compartmentalization is not guaranteed without IOMMU (vt-d). A little more love is needed from xen to make that laptop line supported by Qubes and a nice alternative to the costy Librem currently promoted by Qubes-Purism partnership <http://arstechnica.com/gadgets/2015/12/qubes-os-will-ship-pre-installed-on-purisms-security-focused-librem-13-laptop/>which suggest that the laptop will be Respect Your Freedom compliant in the future with Intel participation in removing ME and AMT <http://libreboot.org/faq/#intelme>, which is not guaranteed at all. <http://www.phoronix.com/scan.php?page=news_item&px=Purism-Librem-Still-Blobbed> If Xen 4.6 can cooperate with Penryn GM45 chipset, it's all MiniFree laptops <http://minifree.org/product-category/laptops/> (and Libreboot support of those <http://libreboot.org/docs/hcl/x200.html>) that will be potential candidates! Please share the love so that the community has a cheap alternative. Requirements to replicate bug: Model: X200 745434U with p8700 CPU running 1067a microcode(important), upgrable to 8go BIOS: Lenovo 3.22/1.07 (latest from 2013 <http://support.lenovo.com/ca/en/downloads/ds015007>) Network card supports FLReset+ as requested here <http://wiki.xen.org/wiki/VTd_HowTo>. Bios settings: vt-d and vt-x needs to be enforced. Xen command line option required <http://www.gossamer-threads.com/lists/xen/devel/393647> to boot: iommu=no-igfx Here is the current debug trace/status on Qubes side of things <https://groups.google.com/forum/#!topic/qubes-users/bHQHjXqinaU>. If you have any hint, please contribute :) Help me say happy new years to all security conscious people out there :) Merry Christmas all, Thierry Laurion -- Thierry Laurion
Qubes-HCL-LENOVO-745434U-20151212-193925.yml
Description: application/yaml
x200_vtd_works_on_latest_bios_with_no-igfx
Description: Binary data
_______________________________________________ Xen-devel mailing list Xen-devel@lists.xen.org http://lists.xen.org/xen-devel
