[HOME] [DOWNLOAD] [DOCS] [NEWS] [SUPPORT] [TIPS] [ISSUES] [DONATE]

VirtualBox VM Settings Security Review

See this file:

Highlights important to review:


   ## REVIEW
   ## ACPI speeds up the VM boot process. It has not been reviewed if this is good or bad for security.
   sudo $SUDO_OPTS VBoxManage modifyvm "$VMNAME" --acpi on

   ## REVIEW
   ## It has not been reviewed if this is good or bad for security.
   ##
   ## VirtualBox documentation can be found on:
   ## https://www.virtualbox.org/manual/ch03.html
   ##
   ## Quote VirtualBox documentation:
   ## "[...] Enabling the I/O APIC is required for 64-bit guest operating
   ## systems, especially Windows Vista; it is also required if you want to use
   ## more than one virtual CPU in a virtual machine. [...]"
   ## Conclusion: it is better to leave it enabled to avoid support requests by
   ## users who wish to use more than one virtual CPU, who install an amd64
   ## kernel or create their own Custom-Whonix-Workstation.
   ##
   ## Quote VirtualBox documentation:
   ## "[...] Advanced Configuration and Power Interface (ACPI) which VirtualBox
   ## presents to the guest operating system by default. ACPI is the current
   ## industry standard to allow operating systems to recognize hardware,
   ## configure motherboards and other devices and manage power. As all modern
   ## PCs contain this feature and Windows and Linux have been supporting it
   ## for years, it is also enabled by default in VirtualBox. [...]"
   ## Conclusion: The linux kernel is better tested with I/O APIC enabled
   ## rather than I/O APIC disabled.
   sudo $SUDO_OPTS VBoxManage modifyvm "$VMNAME" --ioapic on

Spectre/Meltdown defenses not enabled by default.

Possibly not worth it due to huge performance penalty and unclear security benefits. Despite:

  • host microcode upgrade
  • host kernel upgrade
  • VM kernel upgrade
  • spectre-meltdown-checker on the host showing “not vulnerable”
  • latest VirtualBox version
  • all spectre/meltdown related VirtualBox settings tuned for better security as documented below

VirtualBox is likely still vulnerable to spectre/meltdown. For reference see VirtualBox bug report / forum discussion.


hardware_obfuscation() {
   # This code is no longer in use!
   # remove attempts to hide CPU information from VM in VirtualBox
   # https://phabricator.whonix.org/T881
   # It could be enabled through an optional build option if there is interest.

dns_specific() {
   ## https://serverfault.com/questions/453185/vagrant-virtualbox-dns-10-0-2-3-not-working

   ## Prevents leaking DNS info from the host into the guest.
   ## Also useful in other cases.
   ## https://www.virtualbox.org/manual/ch09.html#nat-adv-dns
   ##
   ## '--natdnsproxy1 on' might cause issues:
   ## https://forums.virtualbox.org/viewtopic.php?f=6&t=94671&p=457620#p457620
   ##
   ## Probably not both required 'natdnsproxy1 on' and 'natdnshostresolver1 on'.
   ##
   ## Both enabled at the same time causes an error in VirtualBox VM log:
   ## 00:00:00.933430 NAT: Host Resolver conflicts with DNS proxy, the last one was forcely ignored
   sudo $SUDO_OPTS VBoxManage modifyvm "$VMNAME" --natdnsproxy1 off

   ## Prevents leaking DNS info from the host into the guest.
   ## Also useful in other cases.
   ## https://www.virtualbox.org/manual/ch09.html#nat_host_resolver_proxy
   sudo $SUDO_OPTS VBoxManage modifyvm "$VMNAME" --natdnshostresolver1 on

   ## Do not pass the domain name for network name resolution to the VM.
   sudo $SUDO_OPTS VBoxManage modifyvm "$VMNAME" --natdnspassdomain1 off
}
[Imprint] [Privacy Policy] [Cookie Policy] [Terms of Use] [E-Sign Consent] [DMCA] [Investors] [Priority Support] [Professional Support]