Generic CPUID Mask for AnonVMs


WhonixQubes

Apr 24, 2015, 3:54:38 PM
to qubes...@googlegroups.com
Generic CPUID Mask for AnonVMs

Is this to be added to issue tracker?


Implement Xen CPUID Generic Profile for Whonix-Workstation HVM AnonVMs.


> Xen has support for emulating CPUID for HVM guests -- take a look at
> the config examples in:
>
> xen-4.1.6.1/tools/examples/xmexample.hvm-stubdom
>
> I haven't played with it, but see no reason it should not work. I can
> imagine we introduce a prefs for VMs (say "generic_cpuid" settable via
> qvm-prefs) that would result in additional config for cpuid
> emulation inserted in the config file for such VMs. We would need to
> agree on good-enough-for-everybody CPUID config and stick to it then.
> Again, this would be usable for anon VMs mostly.


Brought up and discussed with Joanna in this thread:

- https://groups.google.com/d/topic/qubes-devel/EXrWFgEp5Sg


Especially:

- https://groups.google.com/d/msg/qubes-devel/EXrWFgEp5Sg/w_j1XozM_sIJ

- https://groups.google.com/d/msg/qubes-devel/EXrWFgEp5Sg/nNay9cfQ6GwJ

- https://groups.google.com/d/msg/qubes-devel/EXrWFgEp5Sg/mLk6wmywl74J

- https://groups.google.com/d/msg/qubes-devel/EXrWFgEp5Sg/SR-KMw4ngVcJ


Thanks!

WhonixQubes
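To make the mechanism Joanna describes concrete, here is an added illustration (not Qubes or Xen code) of what a "generic_cpuid" pref could inject into an HVM config: a Xen `cpuid = [...]` entry built from per-register 32-character bitstrings, using the '0'/'1'/'x'/'k'/'s' syntax documented in Xen's xmexample.hvm config file. The feature-bit positions used for the sample profile (SSE4.1 and SSE4.2 at CPUID leaf 1 ECX bits 19 and 20, AVX at bit 28) are assumptions chosen for illustration, not a profile the thread agreed on.

```python
"""Build a Xen HVM 'cpuid' config entry that masks CPU feature bits.

Added illustration, not Qubes or Xen code. Bitstring syntax follows the
xm/xl config format: one 32-character string per register, bit 31 first,
where '0'/'1' force a bit, 'x' leaves Xen's default, 'k' passes through
the host value and 's' keeps the first-seen value across migration.
"""

REGS = ("eax", "ebx", "ecx", "edx")

# Assumed (illustrative) feature-bit positions in CPUID leaf 1 ECX.
LEAF1_ECX = {"sse4.1": 19, "sse4.2": 20, "avx": 28}


def reg_mask(force0=(), force1=(), default="x"):
    """Return the 32-char bitstring for one register (bit 31 first)."""
    bits = [default] * 32
    for b in force0:
        bits[31 - b] = "0"          # hide the feature from the guest
    for b in force1:
        bits[31 - b] = "1"          # advertise it unconditionally
    return "".join(bits)


def cpuid_entry(leaf, regs):
    """Render 'leaf:reg=bits,reg=bits' for one element of cpuid = [...]."""
    for name, mask in regs.items():
        if name not in REGS or len(mask) != 32 or set(mask) - set("01xks"):
            raise ValueError(f"bad mask for {name}: {mask!r}")
    body = ",".join(f"{n}={regs[n]}" for n in REGS if n in regs)
    return f"{leaf}:{body}"


def generic_profile():
    """Sample profile: hide SSE4.1/4.2 and AVX, leave other bits default."""
    ecx = reg_mask(force0=LEAF1_ECX.values())
    return [cpuid_entry("1", {"ecx": ecx})]


def render_config(entries):
    """The config line a pref like generic_cpuid would add to the VM file."""
    return "cpuid = [ " + ", ".join(f"'{e}'" for e in entries) + " ]"


def bit_policy(mask, bit):
    """Read back what a mask does to one bit ('0' = hidden from guest)."""
    return mask[31 - bit]
```

Every AnonVM that gets the same entry reports the same feature set for the masked bits, which is the point of a shared generic profile.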

Marek Marczykowski-Górecki

Apr 24, 2015, 4:04:48 PM
to WhonixQubes, qubes...@googlegroups.com
On Fri, Apr 24, 2015 at 12:54:36PM -0700, WhonixQubes wrote:
> Generic CPUID Mask for AnonVMs
>
> Is this to be added to issue tracker?

Yes, that's a good idea.
Anyway, I don't think it will be possible to implement this anytime soon,
because of very limited support for HVM templates - especially, you can't
start the template and a VM based on it simultaneously, which is required
to update the whonix-gateway template.
Most likely the features required for this will be available in Qubes 4.0
(see roadmap in Joanna's post).
--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

WhonixQubes

Apr 24, 2015, 4:18:11 PM
to marm...@invisiblethingslab.com, qubes...@googlegroups.com
On 2015-04-24 1:04 pm, Marek Marczykowski-Górecki wrote:
> On Fri, Apr 24, 2015 at 12:54:36PM -0700, WhonixQubes wrote:
>> Generic CPUID Mask for AnonVMs
>>
>> Is this to be added to issue tracker?
>
> Yes, that's a good idea.
> Anyway I don't think it will be possible to implement this anytime soon,
> because of very limited support for HVM templates - especially you can't
> start the template and VM based on it simultaneously, which is required
> to update the whonix-gateway template.
> Most likely required features for this will be available in Qubes 4.0
> (see roadmap in Joanna's post).

Great! :)

Actually, if this changes things...

I don't think(?) we need the Whonix-Gateway as HVM, rather only
Whonix-Workstation as HVM, and keep Whonix-Gateway as PVM since it is
isolated from AnonVM workspace.

So for template updates:

Whonix-Gateway PVM TemplateVM could be launched with Whonix-Gateway PVM
ProxyVM.

Whonix-Workstation HVM TemplateVM could be launched with Whonix-Gateway
PVM ProxyVM.

Joanna also said:
"Thus, perhaps we should consider distributing Whonix workstation
template as an HVM template instead of a PVM one? Fortunately we do have
templates support for HVMs, so this should be perfectly possible."

Marek Marczykowski-Górecki

Apr 24, 2015, 4:28:24 PM
to WhonixQubes, qubes...@googlegroups.com
On Fri, Apr 24, 2015 at 01:18:10PM -0700, WhonixQubes wrote:
> On 2015-04-24 1:04 pm, Marek Marczykowski-Górecki wrote:
> >On Fri, Apr 24, 2015 at 12:54:36PM -0700, WhonixQubes wrote:
> >>Generic CPUID Mask for AnonVMs
> >>
> >>Is this to be added to issue tracker?
> >
> >Yes, that's a good idea.
> >Anyway I don't think it will be possible to implement this anytime soon,
> >because of very limited support for HVM templates - especially you can't
> >start the template and VM based on it simultaneously, which is required
> >to update the whonix-gateway template.
> >Most likely required features for this will be available in Qubes 4.0
> >(see roadmap in Joanna's post).
>
> Great! :)
>
> Actually, if this changes things...
>
> I don't think(?) we need the Whonix-Gateway as HVM, rather only
> Whonix-Workstation as HVM, and keep Whonix-Gateway as PVM since it is
> isolated from AnonVM workspace.
>
> So for template updates:
>
> Whonix-Gateway PVM TemplateVM could be launched with Whonix-Gateway PVM
> ProxyVM.
>
> Whonix-Workstation HVM TemplateVM could be launched with Whonix-Gateway PVM
> ProxyVM.

Indeed, so this makes things much easier. There are still some problems,
but they are much easier to solve. For example, our current libvirt does not
allow passing a kernel cmdline to an HVM [1], but this is a minor problem.

[1] Discussion on this here, somehow stalled...
https://www.redhat.com/archives/libvir-list/2015-March/msg01127.html

> Joanna also said:
> "Thus, perhaps we should consider distributing Whonix workstation
> template as an HVM template instead of a PVM one? Fortunately we do have
> templates support for HVMs, so this should be perfectly possible."

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?