Note: Dev/Build Documentation/VM: Difference between revisions - Whonix
Fixed:
Mistake with video setting in GW, kicksecure and custom WS prevents them from starting.
Removed rombar off because having it enabled for more than 1 NIC caused the GW to freak out
Question: Are we already providing Kicksecure releases?
I’ll do another build once accepted since 15.0.0.6.8 includes these problems. I don’t see the point of linking to that build now.
Life would be easier if users actually bothered testing these things and reported back…
A post was merged into an existing topic: AppArmor for Complete System - Including init, PID1, Systemd, Everything! - Full System MAC policy
Merged.
Yes.
3 posts were merged into an existing topic: use sudoedit in Whonix documentation and Whonix software
@Patrick just noticed xpdf silently fails to run when trying to open a pdf in 15.0.0.6.6
can you reproduce that? Any logs needed?
Scratch that, the file is malformed
@Patrick git instruction on the dev page - git doesn’t seem to recognize the --recursive-submodules parameter but this worked:
git checkout --recurse-submodules 15.0.0.7.1-developers-only
Thanks, fixed.
Yes I’m using it as we speak
Could you please review the following KVM parameters and check if we’re already using secure defaults? //cc @madaidan
kvm.ignore_msrs= [KVM] Ignore guest accesses to unhandled MSRs.
    Default is 0 (don’t ignore, but inject #GP)

kvm.enable_vmware_backdoor= [KVM] Support VMware backdoor PV interface.
    Default is false (don’t support).

kvm.mmu_audit= [KVM] This is a R/W parameter which allows audit of the KVM MMU at runtime.
    Default is 0 (off)

kvm.nx_huge_pages= [KVM] Controls the software workaround for the X86_BUG_ITLB_MULTIHIT bug.
    force : Always deploy workaround.
    off   : Never deploy workaround.
    auto  : Deploy workaround based on the presence of X86_BUG_ITLB_MULTIHIT.
    Default is 'auto'. If the software workaround is enabled for the host, guests do not need to enable it for nested guests.

kvm.nx_huge_pages_recovery_ratio= [KVM] Controls how many 4KiB pages are periodically zapped back to huge pages. 0 disables the recovery, otherwise if the value is N KVM will zap 1/Nth of the 4KiB pages every minute.
    The default is 60.

kvm-amd.nested= [KVM,AMD] Allow nested virtualization in KVM/SVM.
    Default is 1 (enabled)

kvm-amd.npt= [KVM,AMD] Disable nested paging (virtualized MMU) for all guests.
    Default is 1 (enabled) if in 64-bit or 32-bit PAE mode.

kvm-arm.vgic_v3_group0_trap= [KVM,ARM] Trap guest accesses to GICv3 group-0 system registers

kvm-arm.vgic_v3_group1_trap= [KVM,ARM] Trap guest accesses to GICv3 group-1 system registers

kvm-arm.vgic_v3_common_trap= [KVM,ARM] Trap guest accesses to GICv3 common system registers

kvm-arm.vgic_v4_enable= [KVM,ARM] Allow use of GICv4 for direct injection of LPIs.

kvm-intel.ept= [KVM,Intel] Disable extended page tables (virtualized MMU) support on capable Intel chips.
    Default is 1 (enabled)

kvm-intel.emulate_invalid_guest_state= [KVM,Intel] Enable emulation of invalid guest states
    Default is 0 (disabled)

kvm-intel.flexpriority= [KVM,Intel] Disable FlexPriority feature (TPR shadow).
    Default is 1 (enabled)

kvm-intel.nested= [KVM,Intel] Enable VMX nesting (nVMX).
    Default is 0 (disabled)

kvm-intel.unrestricted_guest= [KVM,Intel] Disable unrestricted guest feature (virtualized real and unpaged mode) on capable Intel chips.
    Default is 1 (enabled)

kvm-intel.vmentry_l1d_flush= [KVM,Intel] Mitigation for L1 Terminal Fault CVE-2018-3620.
    Valid arguments: never, cond, always
    always: L1D cache flush on every VMENTER.
    cond:   Flush L1D on VMENTER only when the code between VMEXIT and VMENTER can leak host memory.
    never:  Disables the mitigation
    Default is cond (do L1 cache flush in specific instances)

kvm-intel.vpid= [KVM,Intel] Disable Virtual Processor Identification feature (tagged TLBs) on capable Intel chips.
    Default is 1 (enabled)
Could you please experiment with kernel boot parameter
l1tf=full,force
and make sure it doesn’t break KVM hosts or guests?
I disable that
Irrelevant since hugepages are disabled for guests for security reasons:
Enabled for both AMD and Intel using hap tag
The rest apply to Intel which I don’t have.
(disabled = via libvirt)
Guest boot ok.
I don’t know how relevant my experience is on a non Intel system. The mitigation is for Intel CPUs only and therefore would only be active on that hardware.
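The parameter review above and the l1tf=full,force test both come down to one question: what values does the running host actually have? The kernel mirrors every module parameter under /sys/module/<module>/parameters/<name> (note the sysfs spelling kvm_intel and kvm_amd, where the boot parameters use hyphens), and the effective L1TF mitigation is reported under /sys/devices/system/cpu/vulnerabilities/l1tf. The script below is an added example, not code from the thread or the Whonix project: it audits those files against a set of hardened values (nested virtualization off, VMware backdoor off, NX huge-page workaround on, unconditional L1D flush) that are this example's assumptions drawn from the discussion, not Whonix's documented policy. The demo at the bottom runs against a constructed fake sysfs tree so it works anywhere; pass no argument (or "/") to audit the real host.

```shell
#!/bin/sh
# Added example, not from the Whonix thread or the Whonix project: audit the
# live KVM module parameters against hardened values by reading their sysfs
# mirror under <root>/sys/module/<module>/parameters/<name>.
# The "expected" values below are this example's assumptions, not Whonix policy.

# One "module/param=expected" per line. kvm_intel and kvm_amd entries only
# exist on the matching CPU vendor; a missing file is reported as SKIP.
# Boolean parameters show as Y/N in sysfs, integers and enums as plain text.
KVM_EXPECTED='
kvm/ignore_msrs=N
kvm/enable_vmware_backdoor=N
kvm/nx_huge_pages=Y
kvm_intel/nested=N
kvm_intel/vmentry_l1d_flush=always
kvm_amd/nested=0
'

# audit_kvm_params [sysfs_root]
# Prints one line per parameter and returns the number of mismatches,
# so a non-zero exit status means at least one insecure setting was found.
audit_kvm_params() {
    root="${1:-}"
    bad=0
    while IFS='=' read -r param want; do
        [ -n "$param" ] || continue                 # skip blank lines
        mod="${param%%/*}"; name="${param#*/}"
        file="$root/sys/module/$mod/parameters/$name"
        if [ ! -r "$file" ]; then
            printf 'SKIP     %-32s (module not loaded)\n' "$param"
            continue
        fi
        have="$(cat "$file")"
        if [ "$have" = "$want" ]; then
            printf 'OK       %-32s %s\n' "$param" "$have"
        else
            printf 'MISMATCH %-32s have=%s want=%s\n' "$param" "$have" "$want"
            bad=$((bad + 1))
        fi
    done <<EOF
$KVM_EXPECTED
EOF
    # The kernel also reports the effective L1TF mitigation here; with
    # l1tf=full,force it should mention cache flushes and SMT being disabled.
    vuln="$root/sys/devices/system/cpu/vulnerabilities/l1tf"
    [ -r "$vuln" ] && printf 'L1TF     %s\n' "$(cat "$vuln")"
    return $bad
}

# make_demo_tree <dir>: build a constructed fake sysfs tree (not a real host)
# with two deliberately weak settings so the MISMATCH path is exercised.
make_demo_tree() {
    d="$1"
    mkdir -p "$d/sys/module/kvm/parameters" "$d/sys/module/kvm_intel/parameters" \
             "$d/sys/devices/system/cpu/vulnerabilities"
    printf 'N\n' > "$d/sys/module/kvm/parameters/ignore_msrs"
    printf 'Y\n' > "$d/sys/module/kvm/parameters/enable_vmware_backdoor"   # weak
    printf 'Y\n' > "$d/sys/module/kvm/parameters/nx_huge_pages"
    printf 'Y\n' > "$d/sys/module/kvm_intel/parameters/nested"            # weak
    printf 'always\n' > "$d/sys/module/kvm_intel/parameters/vmentry_l1d_flush"
    printf 'Mitigation: PTE Inversion; VMX: cache flushes, SMT disabled\n' \
        > "$d/sys/devices/system/cpu/vulnerabilities/l1tf"
}

# Demo against the constructed tree; run audit_kvm_params with no argument
# (or "/") on a KVM host to check the real settings.
demo="$(mktemp -d)"
make_demo_tree "$demo"
audit_kvm_params "$demo" || echo "insecure settings found: $?"
rm -rf "$demo"
```

The exit status is the number of mismatches, so the function can be dropped into a host check that fails when a module was reloaded with different options than the boot line intended; SKIP lines distinguish "module not present on this vendor" from an actual mismatch, which matters on the AMD host discussed above where the kvm_intel entries simply do not exist.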
Here’s some benchmarks done: