KVM inside AppVM?

wyory

May 24, 2015, 11:19:57 PM
to qubes...@googlegroups.com
Is it possible to use KVM inside of an AppVM? I'd like to use Android
Studio on Qubes, and it needs KVM to run the x86 android emulation.

I found this page suggesting that "nested virtualization" was functional
in Xen 4.4 and newer. Does KVM inside an AppVM work on Qubes R3?

http://wiki.xenproject.org/wiki/Nested_Virtualization_in_Xen

Thanks.

Marek Marczykowski-Górecki

May 25, 2015, 7:42:33 AM
to wyory, qubes...@googlegroups.com
Yes, theoretically it is possible, but in practice it is not that simple.
First of all, it is supported only for HVMs, but most AppVMs in Qubes are
PV. You can of course create a Linux HVM, then install the Qubes tools there
(to have a seamless GUI, for example).
Then you need to enable the "nested_hvm" option, which apparently isn't
supported by libvirt, so some patch is needed here.
Finally, nested virtualization is quite a complex piece of code and it
would significantly increase the attack surface.

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

Vít Šesták

May 25, 2015, 12:56:30 PM
to qubes...@googlegroups.com, wy...@riseup.net
As far as I know, there are several other ways.

First, Android SDK supports Qemu emulation. (And so hopefully does Android Studio.) It allows even running ARM Android on x86. This does not have optimal performance, but it should be easy to get working.

Second, as far as I remember, there are implementations of x86 32b virtualization that do not require VT-x or AMD-V. Running 32bit x86 Android should theoretically work with good performance (i.e. better than Qemu), but I haven't tried it. Theoretically, there probably could have been developed some similar technology for x86_64, but most x86_64 CPUs provide VT-x or AMD-V, so likely nobody bothered with implementing it for CPUs without VT-x/AMD-V support. Since VT-x/AMD-V instructions are not enabled by default on VMs in Qubes, it is hard to virtualize x86_64.

Third, you probably can install Android to a HVM in Qubes. (I don't recommend trying PVM, as Android uses a custom kernel fork, so you would need a patched kernel specific for Android.) It might be, however, in some ways complicated, most importantly I am not sure how to get ADB working. The easiest way would probably be to use network debugging, which might have some negative security implications for the AndroidVM, but I am not sure.

Regards,
Vít Šesták 'v6ak'

wyory

May 27, 2015, 2:38:06 PM
to Vít Šesták, qubes...@googlegroups.com
Vít Šesták:
> As far as I know, there are several other ways.
>
> First, Android SDK supports Qemu emulation. (And so hopefully does Android
> Studio.) It allows even running ARM Android on x86. This does not have
> optimal performance, but it should be easy to get working.
>
> Second, as far as I remember, there are implementations of x86 32b
> virtualization that do not require VT-x or AMD-V. Running 32bit x86 Android
> should theoretically work with good performance (i.e. better than Qemu),
> but I haven't tried it. Theoretically, there probably could have been
> developed some similar technology for x86_64, but most x86_64 CPUs provide
> VT-x or AMD-V, so likely nobody bothered with implementing it for CPUs
> without VT-x/AMD-V support. Since VT-x/AMD-V instructions are not enabled
> by default on VMs in Qubes, it is hard to virtualize x86_64.
>
> Third, you probably can install Android to a HVM in Qubes. (I don't
> recommend trying PVM, as Android uses a custom kernel fork, so you would
> need a patched kernel specific for Android.) It might be, however, in some
> ways complicated, most importantly I am not sure how to get ADB working.
> The easiest way would probably be to use network debugging, which might
> have some negative security implications for the AndroidVM, but I am not sure.
>
> Regards,
> Vít Šesták 'v6ak'

Thanks - I found http://www.android-x86.org/ - and it runs pretty well
(though it seems to lock up after a while). This will be fine for
testing purposes.

Vít Šesták

Jun 1, 2015, 5:17:58 AM
to qubes...@googlegroups.com, groups-no-private-mail--con...@v6ak.com, wy...@riseup.net
I've also tried to run it:

First, I'll correct myself about not needing VT-x or AMD-V for KVM when using x86_32: This is AFAIK true for VirtualBox and VMware, but not for KVM. You definitely can't use an x86 image in a VM with KVM without nested HVM.

You can, however, use an ARM image, as it uses emulation. This comes with some performance penalty, but it is the easiest way (it just works without any hack) and might be OK for some purposes.

As you got Android x86 working in an AppVM, I'd like to ask whether you solved access to ADB. Via a virtual network? Have you handled the security issues? (I am not sure if/how ADB over network is itself secured.)

Regards,
Vít Šesták 'v6ak'
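
An added example, not part of any message in this thread: a shell check, run inside a Linux VM, of which emulator path discussed above is available. It assumes the guest exposes CPU flags in `/proc/cpuinfo` (`vmx` for VT-x, `svm` for AMD-V) and that a working KVM shows up as the `/dev/kvm` character device; the function names `has_hw_virt` and `emulator_mode` are hypothetical.

```shell
#!/bin/sh
# Added example: report whether KVM acceleration can work inside this VM.
# Assumption: Linux guest with /proc/cpuinfo; KVM, if usable, is /dev/kvm.

# has_hw_virt FILE
# Exit 0 if the cpuinfo-format FILE advertises vmx (VT-x) or svm (AMD-V).
# -w matches whole words only, so flags such as "svm_lock" do not count.
has_hw_virt() {
    grep -E '^flags[[:space:]]*:' "$1" | grep -Eqw 'vmx|svm'
}

# emulator_mode CPUINFO KVM_NODE
# Prints one of:
#   emulation-only    guest CPU has no VT-x/AMD-V (PV domain, or HVM without
#                     nested virtualization): only software emulation, such
#                     as the ARM image, will run
#   kvm-node-missing  extensions are visible but KVM_NODE is not a usable
#                     character device (module not loaded, or permissions)
#   kvm               extensions visible and KVM_NODE is readable/writable
emulator_mode() {
    cpuinfo=$1
    kvm_node=$2
    if ! has_hw_virt "$cpuinfo"; then
        echo "emulation-only"
    elif [ -c "$kvm_node" ] && [ -r "$kvm_node" ] && [ -w "$kvm_node" ]; then
        echo "kvm"
    else
        echo "kvm-node-missing"
    fi
}

# Default invocation checks the VM the script is running in.
emulator_mode "${1:-/proc/cpuinfo}" "${2:-/dev/kvm}"
```

A result of `emulation-only` inside an AppVM is the expected, lower-attack-surface state described in the replies above; `kvm` means nested virtualization has been exposed to that VM.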