related edit:
KVM: Difference between revisions - Whonix
Please review.
@HulaHoop is this still true? meaning if LVM used we can rely on it without spice? does this as well improve other hypervisors like Virtualbox?
How is LVM related to spice?
LVM is a disk partitioning tool, while spice is a graphics/media transfer protocol. There is a RAW disk mode in KVM where underlying disk storage is accessed directly without isolation, but the security consequences and data confidentiality violations are pretty evident.
Malware could recover deleted files from the host disk or inject malicious IO commands to the hardware.
Current KVM page looks like this.
Fixed it by removing thumb description:
<code>Unofficial logo re-creation for the [https://www.linux-kvm.org KVM] virtualizer</code>
No idea how to reback it while keeping the page looks nice.
Well i thought the vt-x is the issue, but i checked the BIOS and the vt-x is actually enabled, i also thought my PC is old and the vt-x is just not working anymore, but i tried another VMs in KVM and so as Virtualbox = working?!
So i think investigation need to be done, im happy to provide any further logs (my ticket is the first one).
Try a Debian VM.
VirtualBox used to work without hardware virtualization support with good speed too. This feature might not be deprecated.
KVM cannot do that. QEMU maybe but dunno speed.
You cannot have VirtualBox and KVM installed at the same time. This might cause the same error message.
First time i hear this, since when?
Dunno when. I think old feature before hardware virtualization was invented? The when isn’t important.
https://docs.oracle.com/en/virtualization/virtualbox/6.0/user/features-overview.html
No hardware virtualization required. For many scenarios, Oracle VM VirtualBox does not require the processor features built into current hardware, such as Intel VT-x or AMD-V. As opposed to many other virtualization solutions, you can therefore use Oracle VM VirtualBox even on older hardware where these features are not present. See Hardware vs. Software Virtualization.
Compare the xml files of VMs that you can use versus not use.
QEMU would probably work but unsupported.
related:
Not sure how that works.
https://docs.oracle.com/en/virtualization/virtualbox/6.0/admin/hwvirt.html
Oracle VM VirtualBox’s 64-bit guest and multiprocessing (SMP) support both require hardware virtualization to be enabled. This is not much of a limitation since the vast majority of 64-bit and multicore CPUs ship with hardware virtualization. The exceptions to this rule are some legacy Intel and AMD CPUs.
Since Whonix downloadable images are for 64-bit (32-bit or 64-bit?), this shouldn’t work. But since @nurmagoz confirmed VirtualBox works, seems VirtualBox has somewhat better out of the box legacy hardware support.
Figured out this issue, this is seems to be Debian (or Kernel) VS my PC issue:
If TPM activated from the BIOS:
It will appear at the beginning of the OS booting (quickly disappear):
kernel: x86/cpu: VMX (outside TXT) disabled by BIOS
To solve it one need to disable TPM feature:
Dunno if this is reported upstream or not.
Can you test some KVM with EFI please? @HulaHoop
KVM EFI support might have considerably improved meanwhile. For example, Debian nowadays can be easily installed on EFI and even SecureBoot enabled systems.
Therefore would be good to test both, EFI and SecureBoot.
Then making any changes to the Whonix libvirt KVM config files to support EFI, SecureBoot.
Yet to be decided if EFI (and maybe later SecureBoot) will become the new default for Whonix VMs as per:
If there is anything that needs help with or requires testing please do let me know
Btw please Follow Whonix Developments for news. If there are major testers wanted announcements, these will be posted in the news forums.
Could vagrant be a solution to the missing .ova
appliance feature for libvirt / KVM? Vagrant supports .box
files.
vagrant is available in Debian.
https://wiki.debian.org/Vagrant
Supports libvirt. Package in Debian:
Contains:
/usr/share/doc/vagrant-libvirt/examples/create_box.sh
/usr/share/doc/vagrant-libvirt/examples/create_box.sh IMAGE [BOX] [Vagrantfile.add]
Package a qcow2 image into a vagrant-libvirt reusable box
Needs…?
metadata.json
Vagrantfile
I am not sure Vagrant can be feed existing libvirt XML files or needs its own format?
But there could be limitations.
Long standing KVM issue:
VM internal traffic is visible on the host for network sniffers such as wireshark, tshark as well as iptables (and therefore by extension also corridor)
This is an issue because of this corridor (or something similar if invented such as perhaps Whonix-Host KVM Firewall) cannot be used as an additional leak test or Tor whitelisting gateway.
Quote myself from Whonix on Mac M1 (ARM) - Development Discussion - #35 by Patrick
As hubport
option might be much more secure similar and also apply to Whonix KVM.
This is very important, needs most attention to get right to avoid IP leaks.
From the UTM config files. Relevant options:
Whonix-Gateway
-device virtio-net-pci,netdev=external -device virtio-net-pci,netdev=internal -netdev user,id=external,ipv6=off,net=10.0.2.0/24 -netdev socket,id=internal,listen=:8010
Whonix-Workstation
-device virtio-net-pci,netdev=internal -netdev socket,id=internal,connect=127.0.0.1:8010
Doesn’t look crazy. Related documentation:
Documentation/Networking - QEMUBut it has the same issue that KVM has. VM internal traffic is visible on the host for network sniffers such as wireshark, tshark.
This has lead in the past to a failure of configuring corridor on a Debian host with Whonix KVM.
references:
GitHub - rustybird/corridor: Tor traffic whitelisting gateway
testing on Debian host · Issue #28 · rustybird/corridor · GitHub
related:
Using corridor, a Tor traffic whitelisting gateway with Whonix ™So it would be much better if KVM / QEMU (UTM) would hide this from the host operating system. I.e. encapsulate the internal networking better. ChatGPT says this is possible using the
hubport
option but ChatGPT unfortunately sometimes talkes nonsense. Could you look into it please?