[Help Welcome] KVM Development - staying the course

1 Like


Mistake with video setting in GW, kicksecure and custom WS prevents them form starting.

Removed rombar off because having it enabled for more than 1 NIC caused the GW to freak out

Question: Are we already providing Kicksecure releases?

I’ll do another build once accepted since includes these problems. I don’t see the point of linking to that build now.

Life would be easier if users actually bothered testing these things and reported back…

A post was merged into an existing topic: AppArmor for Complete System - Including init, PID1, Systemd, Everything! - Full System MAC policy



3 posts were merged into an existing topic: use sudoedit in Whonix documentation and Whonix software



1 Like

@Patrick just noticed xpdf silently fails to run when trying to open a pdf in

can you reproduce that? Any logs needed?

Scratch that, the file is malformed

@Patrick git instruction on the dev page - git doesn’t seem to recognize the --recursive-submodules parameter but this worked:

git checkout --recurse-submodules

1 Like

Thanks, fixed.

1 Like


Does shared folder auto mounting still work for you in Whonix and Kicksecure? @Hulahoop

1 Like

Yes I’m using it as we speak :wink:

1 Like

Please review https://www.whonix.org/w/index.php?title=KVM/Installation_Screenshots&oldid=48253&diff=cur

1 Like

Could you please the following KVM parameters and check if we’re already using secure defaults? //cc @madaidan

source: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/Documentation/admin-guide/kernel-parameters.txt#n2080

kvm.ignore_msrs=[KVM] Ignore guest accesses to unhandled MSRs.
Default is 0 (don’t ignore, but inject #GP)

kvm.enable_vmware_backdoor=[KVM] Support VMware backdoor PV interface.
Default is false (don’t support).

kvm.mmu_audit= [KVM] This is a R/W parameter which allows audit
KVM MMU at runtime.
Default is 0 (off)

[KVM] Controls the software workaround for the
force : Always deploy workaround.
off : Never deploy workaround.
auto : Deploy workaround based on the presence of

  	Default is 'auto'.

  	If the software workaround is enabled for the host,
  	guests do need not to enable it for nested guests.

[KVM] Controls how many 4KiB pages are periodically zapped
back to huge pages. 0 disables the recovery, otherwise if
the value is N KVM will zap 1/Nth of the 4KiB pages every
minute. The default is 60.

kvm-amd.nested= [KVM,AMD] Allow nested virtualization in KVM/SVM.
Default is 1 (enabled)

kvm-amd.npt= [KVM,AMD] Disable nested paging (virtualized MMU)
for all guests.
Default is 1 (enabled) if in 64-bit or 32-bit PAE mode.

[KVM,ARM] Trap guest accesses to GICv3 group-0
system registers

[KVM,ARM] Trap guest accesses to GICv3 group-1
system registers

[KVM,ARM] Trap guest accesses to GICv3 common
system registers

[KVM,ARM] Allow use of GICv4 for direct injection of

kvm-intel.ept= [KVM,Intel] Disable extended page tables
(virtualized MMU) support on capable Intel chips.
Default is 1 (enabled)

[KVM,Intel] Enable emulation of invalid guest states
Default is 0 (disabled)

[KVM,Intel] Disable FlexPriority feature (TPR shadow).
Default is 1 (enabled)

[KVM,Intel] Enable VMX nesting (nVMX).
Default is 0 (disabled)

[KVM,Intel] Disable unrestricted guest feature
(virtualized real and unpaged mode) on capable
Intel chips. Default is 1 (enabled)

kvm-intel.vmentry_l1d_flush=[KVM,Intel] Mitigation for L1 Terminal Fault

  	Valid arguments: never, cond, always

  	always: L1D cache flush on every VMENTER.
  	cond:	Flush L1D on VMENTER only when the code between
  		VMEXIT and VMENTER can leak host memory.
  	never:	Disables the mitigation

  	Default is cond (do L1 cache flush in specific instances)

kvm-intel.vpid= [KVM,Intel] Disable Virtual Processor Identification
feature (tagged TLBs) on capable Intel chips.
Default is 1 (enabled)

1 Like

Should all kernel patches for CPU bugs be unconditionally enabled? Vs Performance vs Applicability

Could you please experiment with kernel boot parameter


and make sure it doesn’t break KVM hosts or guests?

1 Like

I disable that

Irrelevant since hugepages are disabled for guests for security reasons:

Enabled for both AMD and Intel using hap tag

The rest apply to Intel which I don’t have.

(disabled = via libvirt)


Guest boot ok.

I don’t know how relevant my experience is on a non Intel system. The mitigation is for Intel CPUs only and therefore would only be active on that hardware.

Here;s some benchmarks done:



KVM related kernel parameters: it is one thing to disable these in VM XML settings but what about custom created VMs? Wouldn’t it still be better if we (also) set these options on the kernel boot parameter command line?

1 Like

Sure. If you are talking about kernels that see wider use outside Whonix like linux-hardened then this is a very sensible thing to do.

1 Like
[Imprint] [Privacy Policy] [Cookie Policy] [Terms of Use] [E-Sign Consent] [DMCA] [Investors] [Priority Support] [Professional Support]