[Help Welcome] KVM Development - staying the course

Patrick · June 19, 2022, 10:15am

Please do as you see fit.
If the older one doesn’t come up anymore, it could even be completely removed.
If users using older systems still run into it, might be useful to keep the error message inside the text.

HulaHoop · June 20, 2022, 8:10am

I stand corrected though in my defense, the last time I checked years ago when 4.X debuted, they implied that they won’t make exceptions for Vt-d-less hardware and reading the hardware reqs seems to imply this by listing this feature as a min req.

Patrick · June 20, 2022, 11:47am

Please kindly subscribe here:

Patrick · June 20, 2022, 11:59am

Yes, the minimum system requirements implies this is a hard requirement. Created a Qubes documentation bug report for it just now:

github.com/QubesOS/qubes-issues

Qubes system requirements shows IOMMU as minimum requirement but Qubes HCL contradicts it and shows that Qubes can run without IOMMU

opened 11:59AM - 20 Jun 22 UTC

closed 01:07PM - 20 Jun 22 UTC

adrelanos

T: bug P: default

https://www.qubes-os.org/doc/system-requirements/ expresses under `Minimum` that… `Intel VT-d or AMD-Vi (also known as AMD IOMMU)` is an absolute hard requirement and without it Qubes won't run. On the other hand https://www.qubes-os.org/hcl/ shows a large table of computers that say `IOMMU: no` while at the same time some of them express `HVM: yes` as well as one saying `Qubes: R4.0`. This strongly implies that `IOMMU` is not an absolute hard requirement and Qubes can run without IOMMU. It's a contradiction. Furthermore, on https://www.qubes-os.org/hcl it's states `IOMMU` `Intel VT-d or AMD IOMMU technology (required for effective isolation of network VMs and PCI passthrough).` Ok, so `IOMMU` is required for `required for effective isolation of ...`. That implies, without `IOMMU` there is simply no `required for effective isolation of ...`. That might still be acceptable for some users. In absence of any other operating systems providing `required for effective isolation of ...` on hardware without `IOMMU` that seems OK. Suggested fix: Move `Intel VT-d or AMD-Vi (also known as AMD IOMMU)` from `Minimum` to `Recommended`. (But that's already the case. So just remove IOMMU from `Minimum`.)

Patrick · June 20, 2022, 2:33pm

IOMMU (VT-d) was a soft requirement until Qubes R4.0 but is a hard requirement since Qubes R4.1 as per:
https://github.com/QubesOS/qubes-issues/issues/7581#issuecomment-1160426503

Another ticket to clear up confusion created just now:

github.com/QubesOS/qubes-issues

Qubes system requirements page shows same CPU requirements for `minimum` and `recommended` system requirements

opened 02:31PM - 20 Jun 22 UTC

adrelanos

T: bug C: doc P: default

https://www.qubes-os.org/doc/system-requirements/ shows exactly the same under `…minimum` and `recommended` system requirements for CPU. > CPU: 64-bit Intel or AMD processor (also known as x86_64, x64, and AMD64) > > * Intel VT-x with EPT or AMD-V with RVI > * Intel VT-d or AMD-Vi (also known as AMD IOMMU) This is confusing. I haven't seen this on any other system requirements page yet for any other project. This might be a legacy from Qubes making IOMMU mandatory from Qubes R4.1. (https://github.com/QubesOS/qubes-issues/issues/7581) Asked another way: when you would write that page from scratch, would you still write it in the same way? Suggested fix, either: * **A)** Remove the repeated information under `recommended` system requirements since the very same is already listed under `minimum` system requirements. Or, * **B)** Replace the repeated information under `recommended` system requirements with faster/newer CPU recommended models. (Such as CPU generation, recommended minimum frequency, amount of CPU cores.)

Patrick · November 11, 2022, 6:37am

Patrick · November 17, 2022, 11:45am

HulaHoop · November 19, 2022, 7:28pm

I think we can go ahead and rip out the qxl dependency in whonix and KS as it is now obsolete and we no longer use the graphics device in question. @Patrick

Patrick · November 20, 2022, 8:03am

For reference only:

Patrick · November 20, 2022, 3:01pm

Patrick · November 24, 2022, 12:24pm

Patrick · November 24, 2022, 12:32pm

Patrick · November 24, 2022, 12:34pm

This change is now in the testers repository.

Patrick · November 24, 2022, 12:35pm

Discussing this in 2 forums at the same time makes it a bit weird to keep everything updated. Best to keep discussions in the original, specialized forum thread only and only post a link here for reference.

grass · December 8, 2022, 9:18pm

@HulaHoop
I see you’ve been doing Whonix KVM for a long time, but I also see that the builds have stopped.

what is the state of the KVM development?
- do you plan to continue development? If so, any ETA?
how much time do you take per month to maintain KVM?
- what takes most of your time during maintenance?
- what are repetitive but necessary tasks that have to be done and takes a long time?
anything I didn’t ask you’d like to add?

I don’t know if I can maintain, my experience with KVM is not as broad and my time might also be short, but I like that there is a KVM option alternative for Virtualbox, while Qubes is not an alternative for everybody.

HulaHoop · December 9, 2022, 7:42pm

Didn’t drop the ball yet, just quite busy for now. If I abdicate my post it will be announced beforehand.

Absolutely.

Stable these days. I look at new features under design and make a list of the changes/features I want to add when the new libvirt version included in stable next comes out.

Troubleshooting support topics takes the most time nowadays. Any help with this is always welcome from other KVM power users.

Builds are the necessary and time intensive task you mention, but they are straight forward. Researching improved options in encryption and security software is also something that benefits Whonix in general and not just KVM which I have done. Looking out for security CVEs in Tor, openssl, apt or KVM are very important as those warrant emergency builds.

Patrick · December 15, 2022, 4:43pm

Patrick · December 15, 2022, 4:52pm

Some issues such as the following I don’t see to ever get resolved unless contributed. Quote Dev/VirtualBox - Whonix chapter Why use VirtualBox over KVM? in Whonix wiki

KVM disadvantages:

Virtual network interfaces by KVM: Are visible on the host using tools such as “sudo ifconfig”.

KVM: This complicates leak tests because tshark / wireshark on the host can see connections between Whonix-Workstation ™ and Whonix-Gateway ™.

KVM: Therefore also leak-testing using corridor on the host failed .

KVM: A useful host firewall and/or VPN fail closed mechanism (even if Freedom Software) can break Whonix-Workstation KVM network connectivity. References:

KVM: host software such as for example NordVPN client kill-switch can break Whonix-Workstation KVM network connectivity.

https://forums.whonix.org/t/failure-to-connect-when-vpn-on-host/3133[![](https://www.whonix.org/w/images/7/73/Internet_Archive_logo.png)](https://web.archive.org/web/https://forums.whonix.org/t/failure-to-connect-when-vpn-on-host/3133)

KVM: Undocumented how to use a host VPN (and therefore failing ).

HulaHoop · December 15, 2022, 6:31pm

KVM disadvantages:

Virtual network interfaces by KVM: Are visible on the host using tools such as “sudo ifconfig”.

KVM: This complicates leak tests because tshark / wireshark on the host can see connections between Whonix-Workstation ™ and Whonix-Gateway ™.

This can be taken into consideration and has been accounted for in leak tests in the past therefore this conclusion does not follow and sounds FUDish:

Therefore Whonix VirtualBox has a higher leak-proofness then Whonix KVM.

The rest of the complaints on that page about corridor and host VPN killswitch incompatibility are not inherent limitations but need someone knowledgeable and able to troubleshoot them to work. They are also unrelated to KVM’s leaktest security

Patrick · December 18, 2022, 12:48pm

[A] Leak test complication:

How do you exclude Whonix-Workstation to Whonix-Gateway internal traffic from tcpdump, tshark, wireshark? That should be documented.

[B] Why host firewall / VPN killswitch matters:

If a host firewall or host VPN can break Whonix-Gateway connectivity that would not necessarily be a leak risk indicator. But Whonix-Workstation should be conceptually encapsulated by Whonix-Gateway. A host firewall or host VPNs shouldn’t break Whonix-Workstation connectivity only while Whonix-Gateway still has connectivity.

Whonix-Workstation and Whonix-Gateway KVM are connected by virtual network interfaces (and iptables?). A virtual LAN cable. If a host firewall or host VPN can disrupt that virtual LAN cable, unplug it or worse connect the Whonix-Workstation virtual LAN cable to the VPNs virtual network adapter, then that would result in a leak.

So it would be much better if internal network interface wouldn’t be visible on the host operating system but I don’t know if that is possible with KVM.

[C] corridor:

corridor is an alternative leak test based on a really cool idea to say connections to Tor relays (or bridges) are permitted but everything else is considered a potential leak. Having any port of Whonix leak tested with corridor is an advantage. Not having done this is a disadvantage.

Most of these Whonix KVM apply only happen when running the leak test on the same computer as Whonix is currently running. A different setup:

The computer that runs Whonix. Does not have its own network connection. (Whonix)
Is connected to a physically isolated other computer through a LAN cable. (Proxy)
Leak tests are run on the proxy.

[A] Would be less of an issue. But there’s a new issue. Then the traffic generated by the host operating system needs to be fully disabled for everything except the running Whonix VMs (NTP, updates, DHCP). Otherwise the leak tests would show false-positives.

[B] Would still be an issue but at least the leak tests are easier.

[C] Corridor should run fine here. (But also host traffic for all but Whonix VMs needs to be disabled.)