VT-d not enabled in BIOS (coreboot)

Firmware Coreboot
1

Hello,

I really enjoy my LibremV3, however I have discovered a significant problem. It seems VT-d is not enabled on Purism devices.

$ sudo qubes-hcl-report personal

Qubes release 3.2 (R3.2)

Brand: Purism
Model: Librem 15 v3
BIOS: 4.6-a86d1b-Purism-4

Xen: 4.6.5
Kernel: 4.9.35-19

RAM: 16282 Mb

CPU:
Intel(R) Core™ i7-6500U CPU @ 2.50GHz
Chipset:
Intel Corporation Skylake Host Bridge/DRAM Registers [8086:1904] (rev 08)
VGA:
Intel Corporation HD Graphics 520 [8086:1916] (rev 07) (prog-if 00 [VGA controller])
Intel Corporation Device [8086:9d24] (rev 21)

Net:
Qualcomm Atheros AR9462 Wireless Network Adapter (rev 01)

SCSI:
Samsung SSD 850 Rev: 2B6Q
Samsung SSD 850 Rev: 1B6Q

HVM: Active
I/O MMU: Not active
HAP/SLAT: Yes
TPM: Device not found
Remapping: no

Qubes HCL Files are copied to: ‘personal’
Qubes-HCL-Purism-Librem_15_v3-20170819-150425.yml - HCL Info

$ cat /proc/cpuinfo | grep lm
flags : fpu de tsc msr pae mce cx8 apic sep mca cmov pat clflush acpi mmx fxsr sse sse2 ss ht syscall nx lm constant_tsc arch_perfmon rep_good nopl nonstop_tsc eagerfpu pni pclmulqdq monitor est ssse3 sdbg fma cx16 sse4_1 sse4_2 movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand hypervisor lahf_lm abm 3dnowprefetch fsgsbase bmi1 avx2 bmi2 erms rdseed adx xsaveopt xsavec dtherm ida arat pln pts hwp hwp_notify hwp_act_window hwp_epp

$ cat /proc/cpuinfo | grep vmx
$

This is a major blocker to your users running qubes or even KVM inside of PureOS. Its my understanding the Qubes 4.0 will not support devices without VT-d or VT-x enabled, not to mention the significant performance impact. Additionally, VT-d and VT-x provide key security protections for virtualized systems. Is this a setting that needs to be enabled in coreboot? Once installed can coreboot be flashed via software or does it still require additional hardware & expertise?

Edit: I found a thread on coreboot relating to this issue: [coreboot] VT-d on Pixel 2015 (samus)
if I read correctly, coreboot leaves it to the user to enable. Not wanting to experiment on my new device, has this been tested on Purism devices and if so, what is the recommended way of enabling these features on Purism devices?

8 Likes
2

Hey, hate to bump this but do Purism folks have any idea when VT-d will be enabled on the Librem 15v3? Qubes 4.0-rc2 just came out and I was super hyped to switch to it before I realized my model’s coreboot doesn’t do VT-d yet, which Qubes 4 requires.

3 Likes
3

It’s planned : https://tracker.pureos.net/T179
There’s no ETA for it though. However, it’s the next priority item on the list of tasks.

2 Likes
4

I have a Librem 15v3 and coreboot. I had the same issue with Qubes 4 RC2 and not supported hardware. Checking cpuinfo on that OS does show a lack of vmx, etc.

I wanted to use the laptop while waiting for this fix, and installed Linux Mint. When looking at cpuinfo there, I see ept, vmx, and all the necessary features. It appears that coreboot exposes this correctly for Linux Mint et all, however, the mechanism that Qubes uses to detect hardware support has this masked, even at the lowest level. Thus, there is likely some other solution required, and not a coreboot update

5

No, this is definitely a coreboot problem. I’m not sure but if I had to guess, I’d say that you probably didn’t see those CPU features in Qubes because you checked /proc/cpuinfo in a VM without those features exposed. Note that the laptop already has most of the requirements enabled, which is what you’re seeing - the one remaining feature is VT-d.

6

I thought with vmx, ept that denote vt-d. I looked at this in dom0 which isn’t the VM per se, if I recall Xen arch correctly.

7

I do now see that /sys is missing remarks of IOMMU, so that’s probably what’s missing.

8

So, do we have any update on when coreboot is to be updated, and how that even gets distributed to existing systems?

BUMP?? The coreboot page said that instructions to install would be forthcoming, but no updates there either.

1 Like
9

Hey, sorry to bump this again but I’ve been tracking both Git and Phabricator and haven’t seen any activity for the past month. What’s up? Is this still high on the priority list?

I’m sure you guys have other stuff to deal with, especially with Meltdown and Spectre having just been unembargoed - I just want to get a feel for a potential timeline here.

1 Like
10

Ping? Can we get a response?

11

This is being actively worked on. Keep an eye on the tracker ticket. We will definitely make sure the world knows once we implement this, a lot of people (including yours truly) are looking forward to this feature.

3 Likes
12

In the mean time I posted a workaround for Qubes 4 here:

1 Like
13

I’m happy to announce we have successfully added IOMMU (VT-d) support into our coreboot image:
https://puri.sm/posts/qubes4-fully-working-on-librem-laptops/
We are finishing up testing and cleaning up the code a bit, and then we will publish it so you can update.

7 Likes
14

This is phenomenal. Congrats to everyone involved!!

3 Likes
15

As a follow-up, here are the steps to install the IOMMU-enabled coreboot update yourself:
https://puri.sm/posts/february-2018-coreboot-update/

1 Like
16

And because we all tear our hair at those who whine on forums and never follow on if their issue was fixed or not, after a successful coreboot update using your flashing script, this issue is now solved!

$ cat fixed.txt
$ sudo qubes-hcl-report work
Qubes release 3.2 (R3.2)

Brand: Purism
Model: Librem 15 v3
BIOS: 4.7-Purism-2

Xen: 4.6.6
Kernel: 4.9.56-21

RAM: 16298 Mb

CPU:
Intel® Core™ i7-6500U CPU @ 2.50GHz
Chipset:
Intel Corporation Skylake Host Bridge/DRAM Registers [8086:1904] (rev 08)
VGA:
Intel Corporation HD Graphics 520 [8086:1916] (rev 07) (prog-if 00 [VGA controller])
Intel Corporation Device [8086:9d24] (rev 21)

Net:
Qualcomm Atheros AR9462 Wireless Network Adapter (rev 01)

SCSI:
Samsung SSD 850 Rev: 2B6Q
Samsung SSD 850 Rev: 1B6Q

HVM: Active
I/O MMU: Active
HAP/SLAT: Yes
TPM: Device not found
Remapping: yes

YOU ROCK! THANKS!