[Help Welcome] KVM Development - staying the course

Patrick · April 15, 2022, 4:20pm

Different diffs can be generated using using the history page.

https://www.whonix.org/w/index.php?title=KVM&action=history

Examples:

These show exactly the authorship.

Indeed. Not by you. No question about it.

Correct.

Someone wrote your name into the edit text area. Either by mistake or trolling. It makes no sense.

Correct.

No.

As seen in the diff it was an anonymous edit.

nurmagoz · April 19, 2022, 1:43pm

= First-time User? = Gavin Template:P@ssword-01

Template:P@ssword-01 i dont know what should be filled with, but its not showing the text

cc @HulaHoop

HulaHoop · April 19, 2022, 5:56pm

So you made the edit? What was this for?

Patrick · April 20, 2022, 6:04am

No.

It was a malicious / nonsense / trolling edit.

Patrick · April 20, 2022, 6:15am

This is important.

Could you please re-read from here, follow all links? [Help Welcome] KVM Development - staying the course - #468 by Patrick

There has been a malicious / nonsense / trolling edit. These two:

It’s a breach of wiki review security. The impact is tiny. That edit should have never gone public. You shouldn’t have confirmed that edit. Should have been rejected. If not completely understood, please either ask and/or reject.

Also that edit is yet to be reverted.

Makes no sense to ask who made what edit as it can be seen in the wiki history. Link to wiki history:
Permission error - Whonix

Patrick · April 20, 2022, 6:21am

In the wiki history link https://www.whonix.org/w/index.php?title=KVM&action=history…

There every wiki version can be compared with every wiki version and it will show exactly what was changed (added text, removed text, edited text) as well as show which wiki account made the edit if any. Otherwise

Example wiki diff (these are easily accessible from the wiki history):
https://www.whonix.org/w/index.php?title=KVM&type=revision&diff=83136&oldid=82487

On that link…

Take special note to:

Top left, base revision to compare:

Revision as of 22:04, 9 March 2022 (edit) 127.0.0.1

Edit by 127.0.0.1 - localhost (because the server doesn’t store IPs). = anonymous edit, no wiki account.

Top right, target revision to compare:

Revision as of 07:47, 19 April 2022 (edit) (undo) HulaHoop

Contains your user name.

As for the first malicious wiki edit:

https://www.whonix.org/w/index.php?title=KVM&type=revision&diff=82455&oldid=82310)

Left top side, previous version by 127.0.0.1 (no wiki account, anonymous). (That’s just the last edit that was accepted. Not necessarily an issue.)

Right top side, changed version also by 127.0.0.1.

So 100% confirmed it was a anonymous edit.

HulaHoop · April 20, 2022, 9:23am

Sometimes I make edits when I’m too lazy to sign in, that’s why I assumed that’s what happened here. Thought it was coming from a trusted source.There’s no excuse for this lapse though and it’s the first time I encounter this.

Keep or discard? Can this have security consequences?

Patrick · April 20, 2022, 3:57pm

Great that this is resolved now.

I guess the user who posted Initial setup Whonix-Gateway might have added this trying to be helpful.

Discard if not reproducible.

No security issue.

Patrick · June 15, 2022, 11:20am

Since the wiki has a chapter:
Why use KVM over VirtualBox?

It begs the question:
Why use KVM over Qubes?
Currently undocumented.

Other related new wiki chapters:

Patrick · June 17, 2022, 7:55am

Does Whonix KVM require VT-d?

HulaHoop · June 17, 2022, 7:29pm

No only VT-x. Only hardware passthrough like GPUs woudl need VT-d but this is unrecommneded for security reasons and virtio devices should be used whenever possible if high performance is needed.

nurmagoz · June 17, 2022, 9:29pm

I thought for a long time VT-d was a required feature…

In qubes saying:

“required for effective isolation of network VMs”

Maybe they are talking about Xen design but not the same case in KVM?

Patrick · June 18, 2022, 7:44am

Qubes network VM = sys-net, which has a physical device(s) attached (LAN card and/or WiFi).

Patrick · June 18, 2022, 7:52am

Added VT-x vs VT-d to wiki:
https://www.whonix.org/w/index.php?title=KVM&type=revision&diff=83732&oldid=83387

Patrick · June 18, 2022, 7:53am

invalid argument: could not find capabilities for domaintype=kvm is in the wiki to be documented under troubleshooting probably for ages but never had any content. Could you remove or document please?

Is above older / similar / same as the VT-X issue invalid argument: could not get preferred machine for /usr/bin/qemu-system-x86_64 type=kvm?

Patrick · June 18, 2022, 10:36am

For new KVM builds, temporarily, please note this Special Notice.

HulaHoop · June 18, 2022, 8:13pm

Not even Xen, this is a Qubes only hard requirement to enforce a design decision.

HulaHoop · June 18, 2022, 8:33pm

Yes seems like it. Both error messages should be merged under a common heading IMHO

Patrick · June 19, 2022, 10:14am

Not a hard requirement, not enforced. As correctly quoted…

…“required for effective isolation of network VMs”. Hardware without IOMMU are still reported to run Qubes on the same website but these then don’t have “effective isolation of network VMs”.

Well, then if not having IOMMU, then don’t use Qubes because it then doesn’t have “effective isolation of network VMs”? No, that would also be wrong. No operating system would provide “effective isolation of network VMs” without IOMMU. So no Qubes specific disadvantage here either.

So yeah. Computer security. Complicated. Even a short and correct statement actually describing a feature/advantage (“with IOMMU you get effective isolation of network VMs”) with “required for effective isolation of network VMs” can be misunderstood in two negative ways which are false.

Patrick · June 19, 2022, 10:15am

Please do as you see fit.
If the older one doesn’t come up anymore, it could even be completely removed.
If users using older systems still run into it, might be useful to keep the error message inside the text.