Implications of switching to Hardware Memory Virtualization for all AppVMs

[Nicklaus McClendon]

Consequently, we have decided to move to hardware memory
virtualization for the upcoming Qubes 4.0 release [4]. We believe this
is the best _generic_ solution we can afford to implement in the near
future (in addition to patching this very bug, of course)." -
https://github.com/QubesOS/qubes-secpack/blob/master/QSBs/qsb-024-2016.txt

As Virtualbox and Vagrant currently run within HVMs, does this mean that Virtualbox (and other visualization tools) will likely work in AppVMs in Qubes 4?

-- 
---
kulinacs <nick...@kulinacs.com>

[Andrew Clausen]

Hi all,

I teach journalism students how to use Qubes at the University of
Melbourne. One of the biggest obstacles is getting Qubes up and
running in the classroom. Currently, we have a small class set of
laptops that students share. It would be much better if students
could run Qubes inside Virtual Box on their own laptops (which are 90%
Mac). So if it's not too much effort to accommodate Qubes inside
Virtual Box, I think it could have a big impact.

Just to be clear: of course there are only minimal security benefits
from using Qubes inside Virtual Box compared to using vanilla OS X.
The benefit is in reducing the cost of education. It's a big ask to
get students to blindly buy a Qubes-capable laptop. Moreover, secure
laptop purchases need to be conducted carefully (to avoid interdiction
attacks), and secure laptops need to be stored carefully. It's better
for journalists to spend their money on secure laptops after they have
been properly educated.

Kind regards,
Andrew

> --
> You received this message because you are subscribed to the Google Groups
> "qubes-devel" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to qubes-devel...@googlegroups.com.
> To post to this group, send email to qubes...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/qubes-devel/07adaf82-2320-b449-6c01-40396f39be8c%40kulinacs.com.
> For more options, visit https://groups.google.com/d/optout.

[J.M. Porup]

On Thu, Jul 28, 2016 at 03:56:57PM +0100, Andrew Clausen wrote:
> Hi all,
>
> I teach journalism students how to use Qubes at the University of
> Melbourne. One of the biggest obstacles is getting Qubes up and
> running in the classroom. Currently, we have a small class set of
> laptops that students share. It would be much better if students
> could run Qubes inside Virtual Box on their own laptops (which are 90%
> Mac). So if it's not too much effort to accommodate Qubes inside
> Virtual Box, I think it could have a big impact.

Wow, that's very cool. And at UniMelb!

Couldn't you achieve the same results by booting Qubes on a USB stick?

jmp

[Andrew Clausen]

Hi jmp,

On 28 July 2016 at 16:13, J.M. Porup <j...@porup.com> wrote:
> Wow, that's very cool. And at UniMelb!
>
> Couldn't you achieve the same results by booting Qubes on a USB stick?

Maybe. The main problem is that Qubes isn't very compatible with most
laptops. Last year, Qubes was incompatible with UEFI firmware, which
ruled out all of the students' laptops. This year, we need to
experiment to see how compatible it is.

I did try a bit: I tried installing Qubes on a friend's Mac PowerBook,
but Grub didn't install correctly. (I think it installed the 32-bit
rather than the 64-bit version of Grub, and I didn't have time to fix
it.)

The big picture is: I think Qubes will have lots of compatibility
problems for the forseeable future, so Virtual Box compatibility would
be a big help.

Kind regards,
Andrew

[Marek Marczykowski-Górecki]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Have you tried this? AFAIR some time ago it worked. Horribly slow, but
still. Also all installer screenshots on our website are done by
booting it inside virtualbox ;)

- --
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJXmjiCAAoJENuP0xzK19csZmQH/A7Sel920k5zdRPtuy4auLfO
tE/OzT/OdKpM4NyKeEEqUizsjbtg2KgYiO8FGvVF/5HtzvX2ZqTg42bX6+duwsoQ
JUFIdftcUoT12w/sfu4c4IRy/IB/Cmr9w1B3urPAFRdPLC1uwS84Z1Q4K9jjLEKV
cDWny9WQ2pvFZcp0+3qj+hZDSopdwisLgWOTPOpMwJ0MENoxeEGBf88BckAxV4Be
D4ymUiAS5nge29g+D15uXPYsEplmRKZhUi7vALWiI/E0zTUBb6zAk4hq07y4+V66
1EmEg3CBYaQNg1L5Dmx/ifbzI7PLYmCvXBLfTpi4S2D9Ci7meTUS47BJO+SKXxA=
=Saql
-----END PGP SIGNATURE-----

[pixel fairy]

On Thursday, July 28, 2016 at 7:57:01 AM UTC-7, Andrew Clausen wrote:

Hi all,

I teach journalism students how to use Qubes at the University of
Melbourne.  One of the biggest obstacles is getting Qubes up and
running in the classroom.  Currently, we have a small class set of
laptops that students share.  It would be much better if students
could run Qubes inside Virtual Box on their own laptops (which are 90%
Mac).  So if it's not too much effort to accommodate Qubes inside
Virtual Box, I think it could have a big impact.

virtualbox doesnt support nested virtualization.

vmware-fusion does, so qubes runs fine in that. the only issue is the low resolution. vmwares drivers complain if you run them on a xen kernel, so your stuck with low res.

[pixel fairy]

On Tuesday, July 26, 2016 at 10:18:13 PM UTC-7, Nicklaus McClendon wrote:

...

As Virtualbox and Vagrant currently run within HVMs, does this mean that Virtualbox (and other visualization tools) will likely work in AppVMs in Qubes 4?

from https://wiki.xen.org/wiki/Nested_Virtualization_in_Xen

"2. Virtual Box fails to boot on top of Xen (L1 panic while booting L2)"

you better use a different back end. the libvirt one is nice. i used to vagrant-mutate virtualbox boxes that worked for most of the virtualbox vagrant files. sometimes you have to tweak the vagrantfile.

"4. Using populate-on-demand (memory!=maxmem) or guest paging in an L1 hypervisor for an L2 guest may deadlock the L0 hypervisor.

This means an L1 admin can DOS the L0 hypervisor. This is a potential security issue; for this reason, we do not recommend running nested virtualization in production yet"

leads me to believe the isolation for nested guests isnt quite there yet.

Vagrant is both really important, almost critical to some peoples work, but also potentially dangerous for qubes. the idea of a qr-exec back end has been brought up, but i dont think anyone wrote one. even if you did, vagrant boxes would have to be somehow convereted. vagrant-mutate could possibly be adapted.

another solution: remote "vagrant server" to ssh to. on the plus side, it frees up resources on your laptop. the big negative is you have to have a connection. another negative is not being able to use existing "utility" vagrant boxes that would need to run from your laptop. if your sharing this box, might be able to use lxc as an easy way to get separate network namespaces so you can run the same vagrant files without cross interference. havent tried virtualbox inside lxc yet.

[pixel fairy]

just looked up qrexec, theres nothing for creating networks or forwarding ports to an appvm, which would be needed for most vagrant boxes. i think it would add a lot of attack surface to qubes to do so.

[Andrew Clausen]

Hi Pixel,

On 9 August 2016 at 13:59, pixel fairy <pixel...@gmail.com> wrote:
> virtualbox doesnt support nested virtualization.
>
> vmware-fusion does, so qubes runs fine in that. the only issue is the low
> resolution. vmwares drivers complain if you run them on a xen kernel, so
> your stuck with low res.

Yes, I finally confirmed that this works. I will be recommending this
to my students.

Perhaps this advice ought to be somewhere on the Qubes website.
Specifically, most people will want to try Qubes out before making a
big investment in finding a well-supported laptop. So perhaps the
"Getting Started" page [1] could have a "Try Qubes inside a virtual
machine" button next to the live usb option under "Try Qubes".

Kind regards,
Andrew

[1] https://www.qubes-os.org/getting-started/

[Andrew David Wong]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Thanks for the suggestion! Tracking it here:

https://github.com/QubesOS/qubes-issues/issues/2249

- --
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
-----BEGIN PGP SIGNATURE-----

iQIcBAEBCgAGBQJXsm6YAAoJENtN07w5UDAwsrYQAMbju+MOW28+Db9u+xtcedTK
G++TZJ2B1NLuHDMk6eqeGnP0uz6lNan4Hm0+Lw/klw/movjY1VnKIPD97tFjIIj1
MFFe9CciaEQ1K/p6fs4ycUH4a0X6/4L1SjOE47ViWRJwc5srGGuEmrwTO+7mapoC
9Itqj0z6rKnroAfi8bhSBHuLjkAOw5PI2Etw7luGgof3X0Ndi9XQdgP1Unq448rx
HkAFogHrkTnRVEjHPtoiF8DSCMhDQMVbvdHIIzxIWc2slaffry3XsHI80Wxk5oD6
gKlAxPSSgv7TeRULao8FWLK5JfeLW5NlAKlC0IPtR9DvX3mBIxGenukYvOEoD3FH
sZy4ov86BKg5fmDsrhFdz98+vsz/JEiH4io10x/yWEm/sNs7oZcvuANxrpwDLS0C
eTFl5llgqHK+ycMFIypf7CM/8qx/iNd3kWDqWLQarWB7dbuOm6R8QOhuAGYcF0bB
O7VevQoWWniUayORlQi27giPg5bmvUz2eHIMCUqMs5QZ507704Z4AfZrIK92JPlR
NT1Vr5Y7jB5Ju4hAsdHKZQlbXYhl0R0AHEv581WlJ9B01Ke5ZePq6SQy2mcGgC/6
RN6qGUT59objjal7V0jk7tVEeKo3mUOm0G0ByZwV5UsvfhGE54aQqFcMJ1D011VE
bx4QBR8X/zr2o92Smhx5
=YYVS
-----END PGP SIGNATURE-----

[pixel fairy]

Just confirmed 3.2rc2 does not work in vmware-fusion.

theres something ironic about a compartmentalization platform built on virtualization being so hard to run in virtualization.