
[Help Welcome] KVM Development - staying the course

Please see https://www.whonix.org/w/index.php?title=KVM&oldid=54248&diff=cur

1 Like

@Patrick where do I add the kvm kernel command?

1 Like

https://github.com/Whonix/security-misc/blob/master/etc/default/grub.d/40_kernel_hardening.cfg

1 Like

Merged.

1 Like

Uploaded newer images to our server. How long before they appear on download.whonix.org?

Symlink was missing. This is now fixed.

In future they should appear after 1-2 minutes.

1 Like

We can probably disable hugepages entirely with the vm.nr_hugepages=0 sysctl rather than using the kvm.nx_huge_pages mitigation.

2 Likes

Alright go for it.

1 Like

What’s the rationale / advantage of this?

https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/multihit.html mentions only kvm.nx_huge_pages but not vm.nr_hugepages=0. It should be the same in theory, but I haven’t seen vm.nr_hugepages=0 mentioned in that context. Search term:

"iTLB multihit" "vm.nr_hugepages"

1 Like

Hugepages have more security issues (see https://www.whonix.org/wiki/KVM#HugePages). The kvm.nx_huge_pages mitigation only fixes a specific issue by marking certain memory pages as non-executable. vm.nr_hugepages=0 disables hugepages altogether, preventing all of its issues.

https://www.kernel.org/doc/Documentation/admin-guide/mm/hugetlbpage.rst

/proc/sys/vm/nr_hugepages indicates the current number of “persistent” huge pages in the kernel’s huge page pool. “Persistent” huge pages will be returned to the huge page pool when freed by a task. A user with root privileges can dynamically allocate more or free some persistent huge pages by increasing or decreasing the value of nr_hugepages.

The default should be 0 anyway but this isn’t guaranteed on other distros.

The sysctl isn’t specific to that issue but hugepages in general.

1 Like
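As an added example (not code from the thread or from the Whonix project), a small POSIX shell audit that reads the kernel knobs discussed above, the vm.nr_hugepages pool size, the kvm.nx_huge_pages flag and the kernel's own itlb_multihit verdict, and classifies a KVM host accordingly. The SYSROOT argument and the constructed sample tree are assumptions so it can run offline.

```shell
#!/bin/sh
# Added audit helper (not Whonix project code). It reads the kernel knobs the
# thread discusses (vm.nr_hugepages via /proc, kvm.nx_huge_pages via /sys, and
# the kernel's own itlb_multihit verdict) and classifies a KVM host. SYSROOT is
# an assumed parameter: "/" on a live host, or a constructed tree offline.

# Print a knob's contents without the trailing newline, or "missing".
read_knob() {
    if [ -r "$1" ]; then tr -d '\n' < "$1"; else printf 'missing'; fi
}

# hugepage_status SYSROOT -> hardened | mitigated | vulnerable
#   hardened   : persistent hugepage pool is empty (vm.nr_hugepages=0)
#   mitigated  : pool is non-empty, but kvm.nx_huge_pages is enabled (Y)
#   vulnerable : pool is non-empty and the KVM mitigation is off or absent
hugepage_status() {
    root=${1:-/}
    nr=$(read_knob "$root/proc/sys/vm/nr_hugepages")
    nx=$(read_knob "$root/sys/module/kvm/parameters/nx_huge_pages")
    if [ "$nr" = "0" ]; then echo hardened
    elif [ "$nx" = "Y" ]; then echo mitigated
    else echo vulnerable
    fi
}

# itlb_multihit_report SYSROOT -> the kernel's own line for iTLB multihit,
# e.g. "KVM: Mitigation: Split huge pages" or "Not affected".
itlb_multihit_report() {
    read_knob "${1:-/}/sys/devices/system/cpu/vulnerabilities/itlb_multihit"
    echo
}

# make_sample_root NR NX -> path of a constructed sysroot for offline use.
make_sample_root() {
    dir=$(mktemp -d)
    mkdir -p "$dir/proc/sys/vm" "$dir/sys/module/kvm/parameters" \
             "$dir/sys/devices/system/cpu/vulnerabilities"
    echo "$1" > "$dir/proc/sys/vm/nr_hugepages"
    echo "$2" > "$dir/sys/module/kvm/parameters/nx_huge_pages"
    echo "KVM: Mitigation: Split huge pages" > "$dir/sys/devices/system/cpu/vulnerabilities/itlb_multihit"
    echo "$dir"
}

# Usage: sh audit.sh /   (audits the live host; no arguments = library mode)
if [ $# -gt 0 ]; then
    echo "hugepages: $(hugepage_status "$1")"
    echo "itlb_multihit: $(itlb_multihit_report "$1")"
fi
```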

Speaking of KVM Spectre mitigations, there’s more work planned ahead for safe HT use.

https://www.phoronix.com/scan.php?page=news_item&px=Kernel-Address-Space-2020

1 Like

That would lessen the risk but I don’t think HT should ever be enabled as it’s still going to be full of vulnerabilities.

1 Like

Indeed. Good to know there is more active work in this space though. IIUC it can provide stronger guest-host separation than currently available.

1 Like

Could you please check this commit won’t break KVM?

sudo apt install xserver-xorg-video-vmware

Apt tells me it is already installed and the newest version and nothing is broken.

1 Like

Inside VM already installed?

Yep, and I’m sure I didn’t manually put it there :)

1 Like

Could you please check that https://www.whonix.org/wiki/KVM does use / does not use sudo whenever appropriate?

It uses sudo virsh start
but also non-sudo virsh -c qemu:///system net-autostart default
which is not obvious to me.

background: https://phabricator.whonix.org/T914#19530

There’s no way this command works without sudo while the latter does. Going by principle of least privilege in the guide, I only use sudo for commands that won’t work without it.

1 Like