@Patrick where do I add the kvm kernel command?
Uploaded newer images to our server. How long before they appear on download.whonix.org?
Symlink was missing. This is now fixed.
In future should be after 1-2 minutes.
We can probably disable hugepages entirely with the
vm.nr_hugepages=0 sysctl rather than using the
Alright go for it.
What’s the rationale / advantage of this?
https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/multihit.html mentions only
kvm.nx_huge_pages but not
vm.nr_hugepages=0. It should be the same in theory but I haven’t seen
vm.nr_hugepages=0 mentioned in context of, search term:
"iTLB multihit" "vm.nr_hugepages"
Hugepages have more security issues (see https://www.whonix.org/wiki/KVM#HugePages). The
kvm.nx_huge_pages mitigation only fixes a specific issue by marking certain memory pages as non-executable.
vm.nr_hugepages=0 disables hugepages altogether, preventing all of its issues.
/proc/sys/vm/nr_hugepages indicates the current number of “persistent” huge pages in the kernel’s huge page pool. “Persistent” huge pages will be returned to the huge page pool when freed by a task. A user with root privileges can dynamically allocate more or free some persistent huge pages by increasing or decreasing the value of
The default should be
0 anyway but this isn’t guaranteed on other distros.
The sysctl isn’t specific to that issue but hugepages in general.
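As an added check for the two knobs discussed in the posts above (not code from the thread or from Whonix): a small POSIX sh audit that reads the persistent hugepage pool size and the kvm.nx_huge_pages parameter and reports whether hugepages are disabled outright (vm.nr_hugepages=0), only covered by the nx mitigation, or neither. The file paths are passed as parameters so the logic can be exercised against constructed files; the live locations are /proc/sys/vm/nr_hugepages and /sys/module/kvm/parameters/nx_huge_pages. The drop-in file name 99-hugepages.conf is an assumed example, not a Whonix path.

```shell
#!/bin/sh
# Added example, not from the forum thread: audit the hugepage state that the
# posts above discuss. Paths are parameters so the check can be run against
# constructed files; live locations are /proc/sys/vm/nr_hugepages and
# /sys/module/kvm/parameters/nx_huge_pages.

# read_value FILE: print the trimmed first line, or "missing" if unreadable
read_value() {
    if [ -r "$1" ]; then
        head -n 1 "$1" | tr -d '[:space:]'
    else
        printf 'missing\n'
    fi
}

# hugepage_state NR_FILE NX_FILE
# Prints one of:
#   disabled     - persistent pool is 0 (the vm.nr_hugepages=0 case)
#   nx-only      - pool non-empty, but kvm.nx_huge_pages is Y or auto
#   unmitigated  - pool non-empty and nx_huge_pages is N or not present
#   unknown      - nr_hugepages unreadable or not a number
# Returns 0 only for "disabled".
hugepage_state() {
    nr=$(read_value "$1")
    nx=$(read_value "$2")
    case "$nr" in
        0) printf 'disabled\n'; return 0 ;;
        ''|*[!0-9]*) printf 'unknown\n'; return 1 ;;
    esac
    # nx_huge_pages is Y, N or auto; "missing" (kvm module not loaded)
    # is reported as unmitigated so the pool size still gets attention.
    case "$nx" in
        Y|auto) printf 'nx-only\n'; return 1 ;;
        *) printf 'unmitigated\n'; return 1 ;;
    esac
}

# hugepage_sysctl_dropin FILE: write the persistent setting from the thread
# (e.g. /etc/sysctl.d/99-hugepages.conf; file name is an assumption).
hugepage_sysctl_dropin() {
    printf 'vm.nr_hugepages=0\n' > "$1"
}

# Stand-alone run against the live system: sh audit.sh --live
if [ "${1:-}" = "--live" ]; then
    hugepage_state /proc/sys/vm/nr_hugepages /sys/module/kvm/parameters/nx_huge_pages
fi
```

Run with `--live` to audit the host; a result other than `disabled` means the pool is non-empty and the kvm.nx_huge_pages setting is the only thing standing between the host and the hugepage issues linked above. Writing the drop-in and running `sudo sysctl --system` makes the setting survive reboots on distributions where 0 is not the default.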
Speaking of KVM spectre mitigations, there’s more work planned ahead for safe HT use
That would lessen the risk but I don’t think HT should ever be enabled as it’s still going to be full of vulnerabilities.
Indeed. Good to know there is more active work in this space though. IIUC it can provide stronger guest-host separation than currently available.
Could you please check this commit won’t break KVM?
sudo apt install xserver-xorg-video-vmware
Apt tells me it is already installed and the newest version and nothing is broken.
Inside VM already installed?
Yep and I’m sure I didn’t manually put it there
Could you please check that https://www.whonix.org/wiki/KVM does use / does not use
sudo whenever appropriate?
sudo virsh start
but also non-sudo
virsh -c qemu:///system net-autostart default
which is not obvious to me.
There’s no way this command works without sudo while the latter does. Going by principle of least privilege in the guide, I only use sudo for commands that won’t work without it.