Problem with HEADS (BIOS) and Qubes 4.1.0 - Clean Installation

Hello!
The inplace-Upgrade from QubesOS just destroyed my whole Qubes-System and i wasnt able to fix it. So i Decided to make the clean install of the Qubes Os.
I first updated the firmware like explained here, without any problems:
https://docs.nitrokey.com/nitropad/qubes/firmware-update.html

Then i followed the Installation Steps Described in Qubes (and also Nitrokey Documentation). But at start of the installation wizard, there is this warning message:

"Unsupported Hardware Detected

This hardware lacks features required by Qubes OS. Missing features: IOMMU/VT-d/AMD-Vi, interrupt Remapping. Without these features, Qubes OS will nit fuction normally. It is recommended that only developers and power users proceed with the installation. For more information on supported hardware, please refer to System requirements | Qubes OS"

As it is Explained in the Qubes Installation Guide (Installation guide | Qubes OS), there isnt any reason for Panic, i just have to enable the IOMMU Virtualisation, and also the VT-d and AMD-Vi. I found many guides to enable this with UEFI, BIOS…But i dont find any way to configure virtualisation in the HEADS Bios - with which i got my NitroPC.

I Use the Thinkpad x230 with QubesOS preconfigured by Nitrokey.

Do you miss to configure the IOMMU based Virtualisation? - this will be a big big problem, described in the installation guide: “If the setting is not configured correctly, it means that your hardware won’t be able to leverage some Qubes security features, such as a strict isolation of the networking and USB hardware.”

Should I install the Stock BIOS and then enable IOMMU based V.; and then install qubes, and reinstall Heads to use verified Boot with my Nitrokey?

Is there any Way to configure the Virtualisation in Heads?
(Heads Project: https://github.com/osresearch/heads)

Hi no, there is no such way, and it is enabled by default. I answered your ticket.

Please Note to all: don’t send mails to support@nitrokey.com and at the same time post it here. This is confusing and for us the support crew, it often doubles the work. Also for others from the community who might answer here and put time in to help, while they are not aware that this is already solved.

No, it isn’t enabled as default. So if, there wont be the message “Missing features: IOMMU/VT-d/AMD-Vi, interrupt Remapping. Without these features, Qubes OS will nit fuction normally”. So i cant just ignore this message, that will make the Qubes insecure, especially the networking and usb aspects…

it is believe me, what you see is probably connected to a problem in the flash rom (we did not yet figured this out completely) but it’s not happening in our tests. In general it is enabled and there is no way other then flash a different coreboot to disable it (this is probably also the Fix for you, reflashing the Bios)

Hey, can you specify how to fix this? Im also being told at installation of qubes that these features are not enabled, after updating nitropad firmware. When you say that reflashing the bios is the fix, what do you mean?

Hey,

this means reflashing the bios with an external flasher. We can do that in the office just send a mail to support@nitrokey.com with your SO Number

1 Like