Whonix VirtualBox Paravirtualization – Which Acceleration Mode is Optimal? Help Wanted!

What will be the optimal paravirtualization setting for Whonix?

  • `none` explicitly turns off exposing any paravirtualization interface. That sounds good security-wise but could be really slow. Please test and leave feedback.
  • `minimal` sounds like a worthwhile alternative if `none` is too slow. But what technology is `minimal` actually using? VirtualBox legacy or KVM? However, the documentation says it lets the VM read the APIC frequency. How bad this would be remains to be researched.
  • `legacy` is good enough for now. That's like VirtualBox 4.x. But since they now call it legacy, that code will rot, and it should probably be avoided in the long run.
  • `kvm` (VirtualBox) is problematic, since it provides the unwanted pvclock kvm-clock, which allows clock correlation attacks once the VM is compromised.
  • `default` is problematic, since in some cases it does autodetection and then uses VirtualBox KVM.
  • `hyperv` is the Microsoft thingy. No idea about that one. May or may not be great for Linux guests (Whonix).

Each virtualization platform should be reviewed for performance, security, pvclock interfaces and hardware identifiers readable by the VM.

Please try various settings. Most interesting for now are `none` and `minimal`. Post the following in the forum discussion thread on this topic.

  1. Host OS name: Debian, Windows 10, Gentoo, etc.
  2. Host OS architecture: 64 or 32 Bit
  3. Whonix Version – only 11, or better.
  4. VirtualBox Version used – only VirtualBox, or better
  5. VirtualBox Acceleration Mode Used
  6. Notable Observations – errors, warnings, slowness, failures, etc.
  7. Does watching online videos such as YouTube still work?
  8. Does watching videos in VLC still work?
  9. Open a console window. Post the output of: `cat /sys/devices/system/clocksource/clocksource0/current_clocksource`
  10. And the output of: `cat /sys/devices/system/clocksource/clocksource0/available_clocksource`
  11. Any other ‘things’ you deem important.
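
One way to gather items 9 and 10 above and check for the kvm-clock exposure in a single step, run inside the guest. This is an added example, not Whonix project code; the function names, the verdict strings and the `CS_DIR` override are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not Whonix project code): report the guest's clocksources
# and flag the paravirtualized kvm-clock that the kvm/default modes expose.
# CS_DIR is a hypothetical override so the check can also be run against a
# constructed directory instead of the real sysfs path.
CS_DIR="${CS_DIR:-/sys/devices/system/clocksource/clocksource0}"

# classify_clocksource CURRENT AVAILABLE
# Prints one verdict:
#   pvclock-active     kvm-clock is the clocksource in use
#   pvclock-available  kvm-clock is offered to the guest but not selected
#   no-pvclock         kvm-clock is not exposed to the guest
classify_clocksource() {
    current=$1
    available=$2
    if [ "$current" = "kvm-clock" ]; then
        echo "pvclock-active"
        return 0
    fi
    # Pad with spaces so only whole clocksource names match.
    case " $available " in
        *" kvm-clock "*) echo "pvclock-available" ;;
        *)               echo "no-pvclock" ;;
    esac
}

# clocksource_report [DIR]
# Prints items 9 and 10 of the feedback list, followed by the verdict.
clocksource_report() {
    dir=${1:-$CS_DIR}
    if [ ! -r "$dir/current_clocksource" ] || [ ! -r "$dir/available_clocksource" ]; then
        echo "error: clocksource files not readable in $dir" >&2
        return 1
    fi
    # Each file holds a single line; read also trims surrounding whitespace.
    read -r cur < "$dir/current_clocksource" || true
    read -r avail < "$dir/available_clocksource" || true
    echo "current_clocksource: $cur"
    echo "available_clocksource: $avail"
    echo "verdict: $(classify_clocksource "$cur" "$avail")"
}

# Report on this machine when the sysfs directory exists (i.e. on Linux).
if [ -d "$CS_DIR" ]; then clocksource_report || true; fi
```

A `pvclock-available` verdict still means the hypervisor exposes the interface to the guest, even though the kernel selected another clocksource.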

This is related to:

 

Patrick started developing Whonix, the Anonymous Operating System, in 2012, and others quickly joined the effort. He gained experience working pseudonymously on Whonix for two years and enjoys working collaboratively on privacy-preserving software.

Notable Replies

  1. Hi Patrick,

    Additional Paravirtualization Interface multimedia testing to drive this issue to a conclusion.

    64-Bit Linux Host running VBox 5.0.10 and running a fully updated Whonix Gateway 11 with
    128 Mb allocated DRAM as one of the Guest operating systems

    Test 1: Running these two Guests concurrently:

    Gateway 11 Paravirtualization Interface = None
    Whonix Workstation 11 Paravirtualization Interface = None

    Notable Results:

    In the Gateway: Notable Observations: whonixcheck works, and the Gateway operates
    correctly. I suspect the hrtimer interrupt issue is an anomaly, as I have now seen it reported when whonixcheck is not running. Does not appear to impact anything.

    In the Workstation: whonixcheck works, YouTube works, and VLC works - and everything works correctly at 'normal' speeds.

    +++++++++++++++++++++++++++++++++++++++++++++++++++

    Test 2: Running these two Guests concurrently:

    Gateway 11 Paravirtualization Interface = None
    A 64-Bit Linux Guest OS pointed at the Gateway with Paravirtualization Interface = None

    Notable Results:

    In the Gateway: Notable Observations: whonixcheck works, and the Gateway operates
    correctly.

    In the 64-Bit Linux Guest OS: YouTube works, and VLC works - and everything works correctly at 'normal' speeds.

    +++++++++++++++++++++++++++++++++++++++++++++++++++

    These results show, at least on my system, that even with both the Gateway and the other Guest OS using Paravirtualization Interface = None, the overall Whonix user 'experience' remains within an acceptable range.

    Perhaps this configuration is not optimal, but it is indeed, acceptable. :triumph:

    CCP

  2. Multimedia. Does watching online videos (YouTube) still work? Does watching videos in VLC still work?

  3. Hi Patrick,

    I do not have time at the moment to go back and test multimedia support under: None. Perhaps later.

    Here is what I do know:

    My Paravirtualization Interface test results:

    All tests were run on a fully updated RPM-based, 64-Bit, Host running VBox 5.0.10 and running a fully updated Whonix Gateway 11 with 128 Mb allocated DRAM as one of the Guest operating systems.

    1. Paravirtualization Interface = Default
      Notable Observations: PVClock warning as reported above. whonixcheck works, and the Gateway operates correctly.

    2. Paravirtualization Interface = KVM
      Notable Observations: Exact same results as #1 above as KVM acceleration is the VBox default for Linux guests.

    3. Paravirtualization Interface = None
      Notable Observations: whonixcheck works, and the Gateway operates correctly. I noted the 'hrtimer: interrupt took xxx ns' issue previously when using this mode.

    4. Paravirtualization Interface = Minimal
      Notable Observations: whonixcheck works, and the Gateway operates correctly.

    5. Paravirtualization Interface = Legacy
      Notable Observations: whonixcheck works, and the Gateway operates correctly.

    6. Paravirtualization Interface = Hyper-V (which is aimed at Windows guests)
      Notable Observations: whonixcheck works, and the Gateway operates correctly.

    My take on this data is that the Gateway utilizes almost trivial Host resources, and that is the reason almost no differences are evident irrespective of the Paravirtualization Interface chosen.

    I would not be surprised if much larger differences were observed when testing different Paravirtualization Interfaces running full-blown operating systems with KDE or Gnome or Cortana running behind the Gateway, such as the Whonix Workstation, Win 10, or Arch Linux.

    However, even if that were true, I suspect you would need to have several, if not many, different Host systems, in your test database to draw any valid conclusions concerning which VBox Paravirtualization Interface is the best overall choice for Workstation OS guests.

    Keep in mind, the correct answer may be: it depends, and therefore, it is up to the user to experiment and decide for themselves.

    CCP

  4. From my search I concluded, "if everything is working, then everything is fine". I also think it's unrelated. This message has been posted in the forums earlier.

Continue the discussion at forums.whonix.org
