KVM, vcpu or cpu-passthrough

The Tor process on Whonix-Gateway machine is using a lot of CPU under load and its slow, the reason seems to be that there is no AES passed to the KVM guest.

I changed from vcpu to a cpu host-passthrough like this in the Whonix-Gateway xml file

Checking /proc/cpuinfo now shows AES and alot of other features and Tor uses around 2-3% at max.

Are there any reasons that it uses vcpu as default? Is it bad to pass AES to the guest?
Now that the hosts cpu is directly passed to the guest there are a lot more cpu features added, could one of these be exploited if a guest would be hacked? Maybe find serial number of the CPU and identify who bought it ?

Are there any reasons that it uses vcpu as default? Is it bad to pass AES to the guest?

The vpcu masks out a lot of details about the host cpu that could leak information to an adversary that manages to take over your vm. No its not bad to pass through the AES instruction its one of the changes I added some time ago and will be available with Whonix 13.

Ok, sounds good. What changes did you make to add AES to the guest? Maybe i can change it manually on my guests instead of giving them the whole CPU? Or is there a beta download of Whonix 13 i can check out?

Add the cpumode chunk to your guest’s xml file from:


Thank you! I followed your instructions but was getting this error when creating the machine from the new xml:

error: unsupported configuration: guest and host CPU are not compatible: Host CPU does not provide required features: svm

SVM seems to be a AMD only feature, so i disabled it with this line:
< feature policy=‘disable’ name=‘svm’/ >

Did some tests and it seems its a bug where the virtualization instruction is included in the cpumask. In newer versions of qemu the virtual cpu does not touch virtualization instructions fo either architecture and enables them by default and so resolves this.


Thanks for the bug report. The line will be added for compatibility until qemu for stable is updated.