On Fri, December 1, 2017 15:33, Ivan Ivanov wrote:
I have thought that if Qubes sees HVM available it is always using it (so if Qubes reports to you that HVM is enabled, that means it's using HVM and without any problems). Am I wrong here?
That's true of 4.0 but not 3.2. Look for virt_mode under "qvm-prefs vmname" in 4.0 or type under "sudo xl list -l vmname" in 3.2. You'll see hvm and pv respectively by default (but we should probably take this off list).
Last resort is to flash back the OEM image but I'm hoping to avoid that.
It is rare that a default proprietary UEFI/BIOS has good virtualization support, especially for AMD-based consumer-level hardware. E.g. I am almost sure that IOMMU is not supported by that InsydeH2O, but still I would be curious to hear your results...
At first glance, IOMMU doesn't appear to be enabled after flashing back the OEM image, but I'm going to play with Xen iommu options. There are some workarounds for AMD IOMMU quirks. It did answer my question on CPU microcode though: in dmesg I'm seeing patch_level=0x06001119 now vs. 0x00000000 before. My test HVM started right up on Qubes 4.0 too, which makes me wonder if it would have worked on Coreboot with a disabled IOMMU. Anyways, I won't bore you all with a play by play, but I might have to ask for help locating the microcode in the image. There are no modules called "CPU MICROCODE HERE!" showing in UEFI_Tool, unfortunately. I'll keep digging.
Next time you disassemble, you could carefully cut a small window (e.g. using a heated knife or soldering iron) in the bottom half of the laptop. Please check out the attached image to see how to do it safely. After you cut this window, you could attach a SOIC8 clip to the flash chip without completely disassembling your laptop. But, for the same reason, someone may use your "quick access window" to quickly flash a "coreboot with added backdoors" image: since he now doesn't need to completely disassemble your laptop, he can do it very quickly. So you will have to never leave your laptop unattended after this mod, or at least invent some additional security measures (vboot?) ...
Thanks, hopefully I won't need to go back to the OEM image much more often! Once it's corebooted again the internal flasher works fine.
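The dmesg comparison mentioned in this thread (patch_level=0x06001119 vs. 0x00000000) can be scripted so that a firmware image that skips the CPU microcode update is caught after each flash. This is an added example, not part of the original messages; the `microcode: CPUn:` line shape, the function name and the sample log are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise AMD microcode patch levels from dmesg-style text.
# Assumed line shape: "microcode: CPU0: patch_level=0x06001119"

# microcode_summary: reads kernel log text on stdin, prints "cpus=N unpatched=M".
# Exit status: 0 = every CPU reports a non-zero patch level
#              1 = at least one CPU reports an all-zero level (no patch applied)
#              2 = no patch_level lines were found in the input
microcode_summary() {
    awk '
    match($0, /patch_level=0x[0-9A-Fa-f]+/) {
        # Drop the 12-character "patch_level=" prefix, keep the hex value.
        lvl = tolower(substr($0, RSTART + 12, RLENGTH - 12))
        cpu = "CPU?"
        if (match($0, /CPU[0-9]+/)) cpu = substr($0, RSTART, RLENGTH)
        level[cpu] = lvl          # last report per CPU wins (e.g. after a reload)
    }
    END {
        n = 0; bad = 0
        for (c in level) {
            n++
            if (level[c] ~ /^0x0+$/) bad++
        }
        if (n == 0) { print "no patch_level lines found"; exit 2 }
        printf "cpus=%d unpatched=%d\n", n, bad
        if (bad > 0) exit 1
        exit 0
    }'
}

# Constructed sample log (not captured from a real machine).
SAMPLE_DMESG='[    0.000000] Linux version (constructed sample)
[    1.204511] microcode: CPU0: patch_level=0x00000000
[    1.204530] microcode: CPU1: patch_level=0x00000000'

# Demo run: prints "cpus=2 unpatched=2"; "|| true" keeps the demo from aborting a caller.
printf '%s\n' "$SAMPLE_DMESG" | microcode_summary || true
```

On a live system the input would come from `dmesg | microcode_summary`, and a non-zero exit status is the signal to investigate the firmware image.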