[coreboot] Lenovo G505s AMD Hardware Virtualization

awokd awokd at elude.in
Fri Dec 1 20:44:22 CET 2017 

On Fri, December 1, 2017 15:33, Ivan Ivanov wrote:

> I have thought that if Qubes sees HVM available it is always using it.
> (so if Qubes reports to you that HVM is enabled, that means its using
> HVM and without any problems). Am I wrong here?

That's true of 4.0 but not 3.2. Look for virt_mode under "qvm-prefs
vmname" in 4.0 or type under "sudo xl list -l vmname" in 3.2. You'll see
hvm and pv respectively by default (but we should probably take this off
list).

>> Last resort is to flash back the OEM image but I'm hoping to avoid that.
> It is rare that a default proprietary UEFI/BIOS has a good virtualization
> support, especially for AMD-based consumer level hardware.
> E.g. I am almost sure that no IOMMU supported by that InsydeH2O,
> but still it would be curious to hear your results...

At first glance, IOMMU doesn't appear to be enabled after flashing back
the OEM image but I'm going to play with Xen iommu options. There are some
workarounds for AMD IOMMU quirks. It did answer my question on CPU
microcode though, in dmesg I'm seeing patch_level=0x06001119 now vs.
0x00000000 before. My test HVM started right up on Qubes 4.0 too which
makes me wonder if it would have worked on Coreboot with a disabled IOMMU.
Anyways, I won't bore you all with a play by play but I might have to ask
for help locating the microcode in the image. There's no modules called
"CPU MICROCODE HERE!" showing in UEFI_Tool, unfortunately. I'll keep
digging.

> Next time you disassemble, you could carefully cut a small window
> (e.g. using a heated knife or soldering iron) inside the bottom's half of
> a
> laptop. Please check out the attached image to see how to do it safely.
> After you cut this window - you could attach SOIC8 clip to a flash chip
> without completely disassembling your laptop. But, because of the
> same reason, someone may use your "quick access window" to quickly
> flash a "coreboot with added backdoors" image - since now he doesn't
> need to completely disassemble your laptop, can do it very quickly.
> So you will have to never leave your laptop unattended after this mod,
> or at least invent some additional security measures (vboot?) ...

Thanks, hopefully I won't need to go back to the OEM image much more
often! Once it's corebooted again the internal flasher works fine.

More information about the coreboot mailing list