The Tor process on the Whonix-Gateway machine is using a lot of CPU under load and it's slow; the reason seems to be that there is no AES passed to the KVM guest.
I changed from vcpu to a CPU host-passthrough like this in the Whonix-Gateway XML file
Checking /proc/cpuinfo now shows AES and a lot of other features, and Tor uses around 2-3% at most.
Are there any reasons that it uses vcpu as default? Is it bad to pass AES to the guest?
Now that the host's CPU is directly passed to the guest there are a lot more CPU features added; could one of these be exploited if a guest were hacked? Maybe find the serial number of the CPU and identify who bought it?
Are there any reasons that it uses vcpu as default? Is it bad to pass AES to the guest?
The vcpu masks out a lot of details about the host CPU that could leak information to an adversary who manages to take over your VM. No, it's not bad to pass through the AES instruction; it's one of the changes I added some time ago and will be available with Whonix 13.
Ok, sounds good. What changes did you make to add AES to the guest? Maybe I can change it manually on my guests instead of giving them the whole CPU? Or is there a beta download of Whonix 13 I can check out?
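As an added illustration of the "change it manually" option asked about above (example configuration, not Whonix's shipped XML): the libvirt `<cpu>` element can keep a generic named model, so host details stay masked, and require only the AES flag. The model name is an assumption; use one that `virsh capabilities` lists as supported on your host.

```xml
<!-- Added example, not Whonix's own domain XML. Replace the <cpu> element of the
     guest definition (virsh edit <guest-name>) with ONE of the two options below. -->

<!-- Option A: what the poster did. Fast, but the guest sees every host feature,
     the exact model string and stepping, i.e. a fingerprint of the host hardware. -->
<cpu mode='host-passthrough'/>

<!-- Option B: a fixed, generic CPU model plus the single feature Tor needs.
     'Westmere' is an assumed model name; pick any model your libvirt supports.
     policy='require' makes libvirt refuse to start the guest if the host
     cannot provide AES-NI, rather than silently falling back to software AES. -->
<cpu mode='custom' match='exact'>
  <model fallback='forbid'>Westmere</model>
  <feature policy='require' name='aes'/>
</cpu>

<!-- Inside the guest, confirm the flag is visible:  grep -c -w aes /proc/cpuinfo -->
```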
Did some tests and it seems it's a bug where the virtualization instruction is included in the CPU mask. In newer versions of qemu the virtual CPU does not touch virtualization instructions for either architecture and enables them by default, and so resolves this.