VirtualBox VM Settings Security Review

See this file:

https://github.com/Whonix/Whonix/blob/master/build-steps.d/2600_create-vbox-vm

Highlights important to review:


   ## REVIEW
   ## ACPI speeds up the VM boot process. It has not been reviewed if this is good or bad for security.
   sudo $SUDO_OPTS VBoxManage modifyvm "$VMNAME" --acpi on

   ## REVIEW
   ## It has not been reviewed if this is good or bad for security.
   ##
   ## VirtualBox documentation can be found on:
   ## https://www.virtualbox.org/manual/ch03.html
   ##
   ## Quote VirtualBox documentation:
   ## "[...] Enabling the I/O APIC is required for 64-bit guest operating
   ## systems, especially Windows Vista; it is also required if you want to use
   ## more than one virtual CPU in a virtual machine. [...]"
   ## Conclusion: it is better to leave it enabled to avoid support requests by
   ## users who wish to use more than one virtual CPU, who install an amd64
   ## kernel or create their own Custom-Whonix-Workstation.
   ##
   ## Quote VirtualBox documentation:
   ## "[...] Advanced Configuration and Power Interface (ACPI) which VirtualBox
   ## presents to the guest operating system by default. ACPI is the current
   ## industry standard to allow operating systems to recognize hardware,
   ## configure motherboards and other devices and manage power. As all modern
   ## PCs contain this feature and Windows and Linux have been supporting it
   ## for years, it is also enabled by default in VirtualBox. [...]"
   ## Conclusion: The linux kernel is better tested with I/O APIC enabled
   ## rather than I/O APIC disabled.
   sudo $SUDO_OPTS VBoxManage modifyvm "$VMNAME" --ioapic on

Spectre/Meltdown defenses are not enabled by default.

Possibly not worth it, due to the huge performance penalty and unclear security benefits. Despite:

  • host microcode upgrade
  • host kernel upgrade
  • VM kernel upgrade
  • spectre-meltdown-checker on the host showing “not vulnerable”
  • latest VirtualBox version
  • all Spectre/Meltdown related VirtualBox settings tuned for better security as documented below

VirtualBox is likely still vulnerable to Spectre/Meltdown. For reference, see the VirtualBox bug report / forum discussion.


hardware_obfuscation() {
   # This code is no longer in use!
   # remove attempts to hide CPU information from VM in VirtualBox
   # https://phabricator.whonix.org/T881
   # It could be enabled through an optional build option if there is interest.
   #
   # The body is intentionally empty because the obfuscation commands were
   # removed; the no-op below keeps the function syntactically valid in bash
   # (a function body consisting only of comments is a syntax error).
   :
}

dns_specific() {
   ## https://serverfault.com/questions/453185/vagrant-virtualbox-dns-10-0-2-3-not-working

   ## Prevents leaking DNS info from the host into the guest.
   ## Also useful in other cases.
   ## https://www.virtualbox.org/manual/ch09.html#nat-adv-dns
   ##
   ## '--natdnsproxy1 on' might cause issues:
   ## https://forums.virtualbox.org/viewtopic.php?f=6&t=94671&p=457620#p457620
   ##
   ## Probably 'natdnsproxy1 on' and 'natdnshostresolver1 on' are not both required.
   ##
   ## Enabling both at the same time causes an error in the VirtualBox VM log:
   ## 00:00:00.933430 NAT: Host Resolver conflicts with DNS proxy, the last one was forcely ignored
   sudo $SUDO_OPTS VBoxManage modifyvm "$VMNAME" --natdnsproxy1 off

   ## Prevents leaking DNS info from the host into the guest.
   ## Also useful in other cases.
   ## https://www.virtualbox.org/manual/ch09.html#nat_host_resolver_proxy
   sudo $SUDO_OPTS VBoxManage modifyvm "$VMNAME" --natdnshostresolver1 on

   ## Do not pass the domain name for network name resolution to the VM.
   sudo $SUDO_OPTS VBoxManage modifyvm "$VMNAME" --natdnspassdomain1 off
}

Check this (getextradata needs a key or 'enumerate' to list all entries):

   vboxmanage showvminfo Whonix-Gateway-XFCE
   vboxmanage getextradata Whonix-Gateway-XFCE enumerate
   vboxmanage showvminfo Whonix-Workstation-XFCE
   vboxmanage getextradata Whonix-Workstation-XFCE enumerate
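The commands above only dump the VM configuration for a human to read. The script below is an added example (not from the Whonix build script or this page) that turns the look into an actual check: it parses the key="value" lines that `VBoxManage showvminfo <vm> --machinereadable` prints and compares them against the values reviewed on this page (acpi, ioapic and the three NAT DNS settings from dns_specific()). The key names are assumed to match the machine-readable output of the VirtualBox version in use; whether the NAT DNS keys appear there at all has not been verified, so an absent key is reported as CHECK (verify by hand) instead of being silently treated as a pass. The sample outputs embedded in the script are constructed, not captured from a real VM.

```shell
#!/bin/sh
# Added example, not part of the Whonix build script: audit a VM's VirtualBox
# settings against the values reviewed on this page, using the key="value"
# lines that `VBoxManage showvminfo <vm> --machinereadable` prints.
#
# Assumption: the key names acpi, ioapic, natdnsproxy1, natdnshostresolver1
# and natdnspassdomain1 are assumed to match the machine-readable output of the
# VirtualBox version in use. A key that is absent is reported as CHECK rather
# than silently treated as a pass.

# Expected values, taken from the build-step excerpt on this page.
EXPECTED='acpi=on
ioapic=on
natdnsproxy1=off
natdnshostresolver1=on
natdnspassdomain1=off'

# vm_setting INFO KEY: print the value of KEY from machine-readable showvminfo
# text (lines of the form key="value"), or the word "missing" if it is absent.
vm_setting() {
    value=$(printf '%s\n' "$1" | sed -n "s/^$2=\"\\(.*\\)\"\$/\\1/p" | head -n 1)
    if [ -n "$value" ]; then
        printf '%s\n' "$value"
    else
        printf 'missing\n'
    fi
}

# audit_vm_settings INFO: print one OK/MISMATCH/CHECK line per expected key and
# return the number of findings (mismatches plus keys that must be verified by
# hand).
audit_vm_settings() {
    findings=0
    for entry in $EXPECTED; do
        key=${entry%%=*}
        want=${entry#*=}
        have=$(vm_setting "$1" "$key")
        if [ "$have" = "$want" ]; then
            printf 'OK       %s=%s\n' "$key" "$have"
        elif [ "$have" = "missing" ]; then
            printf 'CHECK    %s not reported by showvminfo; verify manually\n' "$key"
            findings=$((findings + 1))
        else
            printf 'MISMATCH %s=%s (expected %s)\n' "$key" "$have" "$want"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}

# Constructed sample output (not captured from a real VM): a VM that still has
# the DNS proxy and domain pass-through on, i.e. the state before the
# dns_specific() settings from this page are applied.
SAMPLE_UNREVIEWED='name="Whonix-Gateway-XFCE"
acpi="on"
ioapic="on"
nic1="nat"
natdnsproxy1="on"
natdnshostresolver1="on"
natdnspassdomain1="on"'

# Constructed sample: compliant with every value reviewed on this page.
SAMPLE_REVIEWED='name="Whonix-Workstation-XFCE"
acpi="on"
ioapic="on"
nic1="nat"
natdnsproxy1="off"
natdnshostresolver1="on"
natdnspassdomain1="off"'

# Run the audit on the constructed sample. For a real VM, pass the output of
#   VBoxManage showvminfo Whonix-Gateway-XFCE --machinereadable
# as the argument instead.
audit_vm_settings "$SAMPLE_UNREVIEWED" || echo "findings: $?"
```

The exit status of audit_vm_settings is the number of findings, so the script can be dropped into a build or CI step that fails when a reviewed setting drifts; the constructed pre-review sample yields two findings (natdnsproxy1 and natdnspassdomain1), matching the two settings dns_specific() turns off.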