[Help Welcome] KVM Development - staying the course

Patrick · February 2, 2020, 9:26am

Please see KVM: Difference between revisions - Whonix

HulaHoop · February 3, 2020, 3:12pm

@Patrick where do I add the kvm kernel command?

Patrick · February 3, 2020, 3:30pm

security-misc/40_kernel_hardening.cfg at master · Kicksecure/security-misc · GitHub

HulaHoop · February 3, 2020, 4:07pm

Patrick · February 4, 2020, 5:24am

Merged.

HulaHoop · February 10, 2020, 3:37pm

Uploaded newer images to our server. How long before they appear on download.whonix.org?

Patrick · February 11, 2020, 5:51am

Symlink was missing. This is now fixed.

In future should be after 1-2 minutes.

madaidan · February 11, 2020, 8:00pm

We can probably disable hugepages entirely with the vm.nr_hugepages=0 sysctl rather than using the kvm.nx_huge_pages mitigation.

HulaHoop · February 11, 2020, 11:14pm

Alright go for it.

Patrick · February 12, 2020, 8:34am

What’s the rationale / advantage of this?

iTLB multihit — The Linux Kernel documentation mentions only kvm.nx_huge_pages but not vm.nr_hugepages=0. It should be the same in theory but I haven’t seen vm.nr_hugepages=0 mentioned in context of, search term:

"iTLB multihit" "vm.nr_hugepages"

madaidan · February 12, 2020, 5:21pm

Hugepages have more security issues (see Whonix for KVM). The kvm.nx_huge_pages mitigation only fixes a specific issue by marking certain memory pages as non-executable. vm.nr_hugepages=0 disables hugepages altogether, preventing all of its issues.

https://www.kernel.org/doc/Documentation/admin-guide/mm/hugetlbpage.rst

/proc/sys/vm/nr_hugepages indicates the current number of “persistent” huge pages in the kernel’s huge page pool. “Persistent” huge pages will be returned to the huge page pool when freed by a task. A user with root privileges can dynamically allocate more or free some persistent huge pages by increasing or decreasing the value of nr_hugepages.

The default should be 0 anyway but this isn’t guaranteed on other distros.

Patrick:

iTLB multihit — The Linux Kernel documentation mentions only kvm.nx_huge_pages but not vm.nr_hugepages=0 . It should be the same in theory but I haven’t seen vm.nr_hugepages=0 mentioned in context of, search term:
"iTLB multihit" "vm.nr_hugepages"

The sysctl isn’t specific to that issue but hugepages in general.

HulaHoop · February 12, 2020, 7:18pm

Speaking of KVM spectre mitigations, there’s more work planned ahead for safe HT use

madaidan · February 12, 2020, 7:23pm

That would lessen the risk but I don’t think HT should ever be enabled as it’s still going to be full of vulnerabilities.

HulaHoop · February 12, 2020, 7:24pm

Indeed. Good to know there is more active work in this space though. IIUC it can provide stronger guest-host separation than currently available.

Patrick · March 8, 2020, 1:19pm

Could you please check this commit won’t break KVM?

sudo apt install xserver-xorg-video-vmware

HulaHoop · March 8, 2020, 1:38pm

Apt tells me it is already installed and the newest version and nothing is broken.

Patrick · March 8, 2020, 1:39pm

Inside VM already installed?

HulaHoop · March 8, 2020, 1:42pm

Yep and I’m sure I didn’t manually put it there

Patrick · March 15, 2020, 1:36pm

Could you please check that Whonix ™ for KVM does use / does not use sudo whenever appropriate?

It uses sudo virsh start
but also non-sudo virsh -c qemu:///system net-autostart default
which is not obvious to me.

background: ⚓ T914 Whonix Host Live - enable KVM readonly mode - virt-xml vm-name --edit --disk readonly=on

HulaHoop · March 16, 2020, 2:08pm

There’s no way this command works without sudo while the latter does. Going by principle of least privilege in the guide, I only use sudo for commands that won’t work without it.