Xeon Processor okay for Qubes OS?

Are Xeon Processors okay for Qubes OS?

According to two entries in my survey, yes.

Has anyone tried an AMD Zen Threadripper yet?

While we’re on this topic, what’s the largest number of VMs that can be running concurrently while behaving somewhat normally?


Xeon does not have internal graphics; as long as you bring your own graphics adapter you should be fine.

Running 28 currently; laptop breathes heavily but behaves normally (lnv-t480).

Has anyone tried an AMD Zen Threadripper yet?

Zen 2 Threadripper works mostly fine, once the Kernel catches up. The only caveat is that Xen mistakes the second half of the CPU as SMT rather than NUMA. Turning off SMT turns off half the CPU.

But isn’t SMT turned off in Qubes by default due to Spectre/Meltdown?

So this means that Threadrippers can only run at a quarter of their max thread count? (Half reduction from disabled hyperthreading and a further half from the SMT-NUMA confusion)

I can only speak for mine, but yes, in the default configuration that is the case, though it’s far more than a quarter of the performance.

This is Zen 2 Threadripper as well. I believe the later models don’t use NUMA, so they may not be affected.

So people should hold off on the new Zen3 Threadrippers until this can be confirmed–though I don’t think there are many people running Qubes on those.

Has anyone tried out the new Zen3 Cezanne APUs? Those would be nice for a Qubes mini PC but I remember people had to jump through a ton of hoops to get the newer AMD CPUs working (but that was before R4.0.4 with its newer kernels).

Hacker News: New x86 micro-op vulnerability breaks all known Spectre defenses

I’m not going to pretend to understand the article, but it looks like hyperthreading/speculative-execution will likely always be a security issue and will haunt us, as the name suggests. Therefore it will likely never be enabled on Qubes.

Posted here because we were just talking about Threadrippers suffering from massive performance hits due to disabled HT and more.

Interesting comment from user ‘akersten’ about how deep the security hole goes, which links nicely to a comment I made less than a day ago about absolute security being mathematically unachievable for sufficiently complex systems (which is why ‘reasonably secure’ is both an honest claim and a good target):

I’ve been saying this from the start: the well of issues is infinitely deep as soon as you decide that multiple tenants running on the same physical hardware inferring something about another is a vulnerability. I assert, but cannot rigorously prove, that it is not possible to design a CPU such that execution of arbitrary instructions has no observable side-effects, especially if the CPU is speculating.

I don’t know what that spells for cloud hosting providers - maybe they have to buy a lot more CPUs so every client can have their own, or commission a special “shared” SKU of CPU that doesn’t have any speculative execution - but I know for me, if I have untrusted code running on my CPU, I’ve already lost. I could then care less about information leakage between threads.

We’re going to wind up undoing the last 20 years of performance gains in the name of ‘security’, and it scares me.

@Jarrah Did you encounter these issues with Threadripper on R4.0 or R4.1?

@fiftyfourthparallel Your survey led me to the assumption that Threadripper could be much better suited than Epyc, because of better optimization for single threaded performance (→ booting up a VM) and typical Workstation tasks, while Epyc is more about persistent stable performance across all threads.

Looking at @Jarrah’s comments about Threadripper I tend more towards Epyc again because it should have more stable Xen support.

But of course, regarding typical SP3 motherboards, you often pay a lot for server features that you don’t want or need (e.g. remote management) while lacking some workstation features (e.g. a decent number of USB ports, USB Type-C, on-board audio) that the typical TR4/sTRX4 would offer.

I’ve never owned a server-grade CPU before, so I have no idea about all of this. I’m just curious about how Qubes would run on a 64-core behemoth and what interesting things can be done with it (e.g. the Qubes Aquarium).

I hope that someone with a Zen 3 Threadripper will update this thread sometime in the far future to tell us whether the SMT-NUMA confusion is no longer halving the available cores.


P.S. Is there somewhere that documents how CPU cores are distributed among VMs and workloads? Can I tell Xen to reserve certain cores exclusively for certain VMs to further increase segregation and also to increase efficiency? (Something I’d love to do on a 64-core system).

Also, somewhat unrelated, but once sys-gui is ready, can I pipe GPU workloads to it and have it feed data back via the internal network?

You probably want to read more about Xen CPU Pools. I have done that on non-Qubes NUMA machines, mostly for performance reasons.

I suspect not, but this sounds like an interesting idea.

If you are dead serious about the Qubes Aquarium, I would probably tend towards Epyc rather than Threadripper. The reasoning behind this is that a server CPU would offer you a much more consistent experience across a lot of threads.
If your goal would be to have a DispVM with a browser booting and opening up as fast as possible, I would bet on Threadripper, because of the much higher boost and Workstation-optimized design.

If you absolutely cannot accept anything less than 64 cores/128 threads, the 64-core variants of Epyc Rome (Zen 2) could be an interesting similarly-priced alternative to the Threadripper 3990X, because Xen should run fairly smoothly on them based on their higher significance for running Xen-based virtualization.

I’m looking through the forums for support for my hardware, which is:
DELL Poweredge R720XD

  • 2x Intel Xeon E5-2690 - 2.90GHz/3.80GHz 8 Core/16 thread “Sandy bridge”
  • 128GB - 8x16GB PC3-10600R DDR3 Registered
  • iDRAC 7 Express
  • TPM 1.1
  • Modular Dell PERC H710 RAID with 512MB Cache

My biggest concern is loading the OS with a SAS RAID controller as the only storage. Nowhere here do I see that, and I’ve tried reading some of the docs, with no suggestions specific to SAS RAID or DELL PERC. Is there a way to add drivers to the ISO prior to install?

My second biggest concern is IOMMU support on these CPUs. They are a bit old (2013-2014). Intel doesn’t say anything about that specific tech. Has anyone tried this generation of Xeon yet?

  • Intel vPro® Platform Eligibility Yes
  • Intel® Virtualization Technology (VT-x) Yes
  • Intel® Virtualization Technology for Directed I/O (VT-d) Yes
  • Intel® VT-x with Extended Page Tables (EPT) Yes

Thanks for any suggestions.