[Help Welcome] KVM Development - staying the course

sudo or not.
The usage of \n (which is included in that command) does not work.

Please look at the resulting configuration file and check if it looks as intended. It doesn’t.

1 Like

The forum software is formatting my quotes into the italic type that would indeed not give proper formatting but the ones I used on my end were the normal ones.

1 Like

Please use code tags for code, not quote. Like this:


1 Like

Note: Dev/Build Documentation/VM: Difference between revisions - Whonix

1 Like
1 Like


Mistake with video setting in GW, kicksecure and custom WS prevents them form starting.

Removed rombar off because having it enabled for more than 1 NIC caused the GW to freak out

Question: Are we already providing Kicksecure releases?

I’ll do another build once accepted since includes these problems. I don’t see the point of linking to that build now.

Life would be easier if users actually bothered testing these things and reported back…

A post was merged into an existing topic: AppArmor for Complete System - Including init, PID1, Systemd, Everything! - Full System MAC policy



3 posts were merged into an existing topic: use sudoedit in Whonix documentation and Whonix software

File:Kvmbanner-logo26.png - Whonix

KVM: Difference between revisions - Whonix

1 Like

@Patrick just noticed xpdf silently fails to run when trying to open a pdf in

can you reproduce that? Any logs needed?

Scratch that, the file is malformed

@Patrick git instruction on the dev page - git doesn’t seem to recognize the --recursive-submodules parameter but this worked:

git checkout --recurse-submodules

1 Like

Thanks, fixed.

1 Like


Does shared folder auto mounting still work for you in Whonix and Kicksecure? @Hulahoop

1 Like

Yes I’m using it as we speak :wink:

1 Like

Please review KVM/Minimalized Installation: Difference between revisions - Whonix

1 Like

Could you please the following KVM parameters and check if we’re already using secure defaults? //cc @madaidan

source: kernel-parameters.txt « admin-guide « Documentation - kernel/git/torvalds/linux.git - Linux kernel source tree

kvm.ignore_msrs=[KVM] Ignore guest accesses to unhandled MSRs.
Default is 0 (don’t ignore, but inject #GP)

kvm.enable_vmware_backdoor=[KVM] Support VMware backdoor PV interface.
Default is false (don’t support).

kvm.mmu_audit= [KVM] This is a R/W parameter which allows audit
KVM MMU at runtime.
Default is 0 (off)

[KVM] Controls the software workaround for the
force : Always deploy workaround.
off : Never deploy workaround.
auto : Deploy workaround based on the presence of

  	Default is 'auto'.

  	If the software workaround is enabled for the host,
  	guests do need not to enable it for nested guests.

[KVM] Controls how many 4KiB pages are periodically zapped
back to huge pages. 0 disables the recovery, otherwise if
the value is N KVM will zap 1/Nth of the 4KiB pages every
minute. The default is 60.

kvm-amd.nested= [KVM,AMD] Allow nested virtualization in KVM/SVM.
Default is 1 (enabled)

kvm-amd.npt= [KVM,AMD] Disable nested paging (virtualized MMU)
for all guests.
Default is 1 (enabled) if in 64-bit or 32-bit PAE mode.

[KVM,ARM] Trap guest accesses to GICv3 group-0
system registers

[KVM,ARM] Trap guest accesses to GICv3 group-1
system registers

[KVM,ARM] Trap guest accesses to GICv3 common
system registers

[KVM,ARM] Allow use of GICv4 for direct injection of

kvm-intel.ept= [KVM,Intel] Disable extended page tables
(virtualized MMU) support on capable Intel chips.
Default is 1 (enabled)

[KVM,Intel] Enable emulation of invalid guest states
Default is 0 (disabled)

[KVM,Intel] Disable FlexPriority feature (TPR shadow).
Default is 1 (enabled)

[KVM,Intel] Enable VMX nesting (nVMX).
Default is 0 (disabled)

[KVM,Intel] Disable unrestricted guest feature
(virtualized real and unpaged mode) on capable
Intel chips. Default is 1 (enabled)

kvm-intel.vmentry_l1d_flush=[KVM,Intel] Mitigation for L1 Terminal Fault

  	Valid arguments: never, cond, always

  	always: L1D cache flush on every VMENTER.
  	cond:	Flush L1D on VMENTER only when the code between
  		VMEXIT and VMENTER can leak host memory.
  	never:	Disables the mitigation

  	Default is cond (do L1 cache flush in specific instances)

kvm-intel.vpid= [KVM,Intel] Disable Virtual Processor Identification
feature (tagged TLBs) on capable Intel chips.
Default is 1 (enabled)

1 Like