Dev/VirtualBox


Is VirtualBox an Insecure Choice?

Update:

Although VirtualBox is not an ideal choice, fortunately other platforms are supported:

For greater security, users with suitable hardware and sufficient skill are recommended to prefer Qubes-Whonix ™ (a bare-metal hypervisor) over Type 2 hypervisors like VirtualBox.

The primary reason Whonix ™ supports VirtualBox is because it is a familiar, cross-platform virtualizer which can attract more users to open source (free/Libre) software, Tor and Linux in general. By remaining highly accessible, Whonix:

  • Increases the scope of potential growth in the user base.
  • Attracts greater attention as a suitable anonymity-focused operating system.
  • Increases the likelihood of additional human resources and monetary contributions.
  • Allows novice users to easily test Whonix ™ and learn more about security and anonymity practices.
  • Improves the relative security and anonymity of Tor / Tor Browser users by offering a virtualized solution.
  • See also Arguments for keeping VirtualBox Support.

Old statement:

Whonix ™ in VirtualBox vs Tor / Tor Browser / Torified Applications on the Host

It is recognized that VirtualBox is not an ideal choice; see Dev/Virtualization Platform. However, there are different goals to bear in mind - Whonix ™ is primarily focused on protecting a user's IP address / location.

A common refrain of critics is that VirtualBox is "too weak". This is a theoretical concern and does not have any practical implications at present, since Whonix ™ in VirtualBox is actually more secure than running Tor, Tor Browser or torified applications on the host in many cases; see Whonix ™ Security in the Real World.

It must be remembered that there are no alternatives for a large segment of the population who do not have sufficiently powerful hardware to run Qubes-Whonix ™, or who are technically incapable of running KVM. In this case, it is safer for them to run Whonix ™ in VirtualBox, rather than continuing to utilize Tor on the host. For example, Whonix ™ helps to protect against future proxy bypass bugs [archive] or software which does not honor proxy settings [archive].

The strength of Whonix ™ and virtualization in general is adherence to the security by isolation principle. VirtualBox critics need to objectively consider how many exploits currently exist for VirtualBox and the track record of exploits. Admittedly, virtual machine exploits may become far more problematic in the future, but at present Whonix ™ is considered to provide more security out of the box running in VirtualBox, than not.

Platforms with Improved Security

Anybody seriously considering Whonix ™ for improved security should refer to the Documentation, particularly the Security Guide and Advanced Security Guide entries, as well as supported platforms other than VirtualBox. Whonix ™ is a poster child for the Isolating Proxy Concept [archive] and Security by Isolation [archive].

Many users still default to running Tor on their Windows or Linux host. Whonix ™ is immediately available to this cohort to substantially improve their real world security. Indeed, Whonix ™ is the only up-to-date OS designed to be run inside a VM and paired with Tor, which is actively maintained and developed. Other similar projects like JanusVM [archive] are seriously outdated and no longer actively maintained. [1]

Whonix ™ cannot serve all target audiences. Users seeking a higher security solution will prefer other supported platforms, like Qubes-Whonix ™. "Hardcore" users may prefer to build their own custom hardened solutions, while still profiting from Whonix ™ research and source code. Hardened solutions like the Hardened Gentoo Whonix-Gateway ™ are more difficult to use and therefore cannot be set as the default installation for Whonix ™.

VirtualBox missing features

VirtualBox Unavailable in Debian stable and backports due to Debian Stable Security Maintenance Issues

Quote https://people.debian.org/~lucas/virtualbox-buster/ [archive]

Virtualbox is not available in Debian 10 (nor in backports). The reasons are discussed at length in https://bugs.debian.org/794466 [archive] and various other mailing list threads, but can be summarized as:

  • Virtualbox is not suitable for Debian stable releases because of the lack of cooperation of Oracle on security support (that’s the Debian security team decision).
  • Since it is not suitable for stable releases, it cannot be included in the testing suite (that’s the Debian release team decision).
  • It also cannot be included in official backports, as packages must be in testing before they get backported (that’s the Debian backports team’s decision).

There is hope this will improve in future: please add VirtualBox to fasttrack [archive]

VirtualBox Unavailable in Debian main due to Licensing Issues

Quote Whonix KVM:

The VirtualBox developer team have recently taken the decision to switch out the BIOS in their hypervisor. However, it now comes with one that requires compilation by a toolchain that does not meet the definition of Free Software as per the guidelines of the Free Software Foundation. This move is considered problematic for free and open source software projects like Debian, on which Whonix ™ is based.

The issues of the Open Watcom License are explained in this thread [archive] on the Debian Mailinglist. In summary, there are issues surrounding the contradictory language of the license, the assertion of patents against software that rely upon it, and the placing of certain restrictions on software uses. For these reasons, those who care about running FOSS and appreciate its ethical views are recommended to avoid running VirtualBox; also see avoid non-freedom software.

References:

  • VirtualBox Guest Additions and VirtualBox Oracle VM VirtualBox Extension Pack are different things.
  • This is unrelated to VirtualBox Oracle VM VirtualBox Extension Pack, which is proprietary, and which was never in Debian.

VirtualBox Guest Additions ISO Freedom vs Non-Freedom

Part of the Guest Additions source code is part of the OSE repository and is licensed under GPLv2. The Guest Additions build also includes a big list of 3rd party files under various permissive licenses.

At the same time, the VirtualBox binary packages which are distributed freely include the Guest Additions ISO, and the Licensing FAQ (https://www.virtualbox.org/wiki/Licensing_FAQ [archive]) clearly states: Yes. The GPLv2 allows you to distribute the VirtualBox Guest Additions, in modified or unmodified form, as long as you adhere to the terms and conditions of the GPLv2.

I hope that answers your question.

VirtualBox Installation Challenges

Time of writing 23 July 2020.

Goal: Upgrading the VirtualBox host software to its recent release 6.1.12 with functional VirtualBox guest additions.

Other supported platforms such as Qubes-Whonix or Whonix ™ KVM are unaffected.

This is currently very difficult due to many issues, none of which is caused by Whonix ™. The purpose of this chapter is to document the upcoming implementation for those wondering why it has been implemented this way, and perhaps to hear whether there are any better alternatives. Here is a summary of these issues:

  • VirtualBox is unavailable in Debian stable and backports due to Debian stable security maintenance issues.
  • Building a custom Debian backport fails due to dependency issues [archive] and is very difficult [archive]. Even if that were solved, there would still be the broken compilation from source code issue [archive].
  • The Lucas Nussbaum Debian buster backport repository [archive] is not an option either. [3] On 23 July 2020 the latest VirtualBox version in the Lucas Nussbaum repository was virtualbox_6.1.4-dfsg-1~~bpo10+1_amd64.deb (2020-02-22 07:52), while upstream virtualbox.org was at virtualbox-6.1_6.1.12-139181~Debian~buster_amd64.deb.
  • VirtualBox is not available from Debian fasttrack yet [archive].
  • VirtualBox Guest Additions Debian packages are unavailable from the upstream virtualbox.org Debian repository [archive].

Call for help:

Why does VirtualBox on Debian buster matter? It is the base distribution which Whonix ™ is based on and the distribution used to build Whonix ™ for VirtualBox for Linux, Windows and macOS from source code.

To be able to continue providing Whonix ™ for VirtualBox, from Whonix ™ 15.0.1.4.8 and above the following changes will be made:

  • VirtualBox Guest Additions
    • Whonix ™ build script will download package virtualbox-guest-additions-iso [archive] from Debian sid (unstable) and upload to Whonix ™ APT repository. That package provides file /usr/share/virtualbox/VBoxGuestAdditions.iso.
    • At the time of writing, it contained VirtualBox guest additions ISO version 6.1.12-1. In short, 6.1.12. Ignore the -1, which is a Debian package revision number and not the upstream (virtualbox.org) version number.
    • virtualbox.org homepage also advertised version 6.1.12.
    • Package virtualbox-guest-additions-iso will be installed by default in new Whonix ™ VirtualBox builds.
    • Related: VirtualBox Guest Additions ISO Freedom vs Non-Freedom
    • (Update) documented here: VirtualBox/Guest_Additions#VirtualBox_Guest_Additions
  • This is
    • to allow Whonix ™ developers to test newer versions of VirtualBox host software before these are installed on users' computers, and
    • to allow updating VirtualBox host software and VirtualBox guest additions at the same time, using compatible versions.
  • It is yet to be researched/developed how/if existing Whonix ™ VirtualBox builds can be upgraded and whether that would be an automated (by a Whonix ™ package) or manual (user has to do) process. When that happens, this will be mentioned in Whonix ™ news, Stay Tuned.
  • Package vm-config-dist [archive] will run vbox-guest-installer [archive] (by Whonix developers) during upgrade (vm-config-dist.postinst [archive]) and therefore also during the Whonix VirtualBox ova build process.
  • (Update) Package vm-config-dist [archive] has a dpkg trigger since Whonix 15.0.1.5.1 vm-config-dist.triggers [archive] which results in running vbox-guest-installer when package virtualbox-guest-additions-iso is upgraded.
  1. vbox-guest-installer (by Whonix developers) will check whether any of the packages virtualbox-guest-x11, virtualbox-guest-utils or virtualbox-guest-dkms are still installed and, if so, recommend uninstalling them.
  2. It will also check whether package virtualbox-guest-additions-iso is installed and recommend installing it if it is not.
  3. If these two conditions are met, it will continue.
  4. Next, the folders /var/cache/vm-config-dist/vbox-guest-additions-extracted-iso and /var/cache/vm-config-dist/vbox-guest-additions-extracted-makeself are deleted if they already exist from a previous run.
  5. /usr/share/virtualbox/VBoxGuestAdditions.iso is then extracted to folder /var/cache/vm-config-dist/vbox-guest-additions-extracted-iso.
  6. Making /var/cache/vm-config-dist/vbox-guest-additions-extracted-iso/VBoxLinuxAdditions.run executable.
  7. Change directory into /var/cache/vm-config-dist/vbox-guest-additions-extracted-iso.
  8. Executing ./VBoxLinuxAdditions.run --check.
  9. Extracting ./VBoxLinuxAdditions.run to folder /var/cache/vm-config-dist/vbox-guest-additions-extracted-makeself.
  10. Change directory into folder /var/cache/vm-config-dist/vbox-guest-additions-extracted-makeself.
  11. Executing ./install.sh force force.
  12. Installation of VirtualBox guest additions from package virtualbox-guest-additions-iso should now be completed.
  13. Installation using this method also ships required hooks in /etc/kernel to rebuild VirtualBox guest additions during kernel upgrade thanks to VBoxGuestAdditions.iso.
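
The numbered steps above, written out as a shell script that stops at the first failing step. This is an added example, not the Whonix vbox-guest-installer source; the use of bsdtar for ISO extraction, makeself's --noexec/--target options for unpacking the .run file, and the DRY_RUN switch are assumptions of this example.

```shell
#!/bin/sh
# Added example following the documented steps; not the vbox-guest-installer source.
# Assumptions: bsdtar extracts the ISO, makeself --noexec/--target unpacks the .run,
# DRY_RUN is a switch invented for this example.

ISO=/usr/share/virtualbox/VBoxGuestAdditions.iso
CACHE=/var/cache/vm-config-dist
ISO_DIR=$CACHE/vbox-guest-additions-extracted-iso
RUN_DIR=$CACHE/vbox-guest-additions-extracted-makeself
DRY_RUN=${DRY_RUN:-1}   # 1 = only print the commands; 0 = execute them (needs root)

# True if dpkg reports the package as fully installed.
pkg_installed() {
    dpkg-query -W -f='${Status}' "$1" 2>/dev/null | grep -q '^install ok installed$'
}

# Steps 1-3: succeed only when no distro guest packages remain and the ISO package exists.
preflight() {
    rc=0
    for p in virtualbox-guest-x11 virtualbox-guest-utils virtualbox-guest-dkms; do
        if pkg_installed "$p"; then
            echo "recommend: uninstall $p" >&2
            rc=1
        fi
    done
    if ! pkg_installed virtualbox-guest-additions-iso; then
        echo "recommend: install virtualbox-guest-additions-iso" >&2
        rc=1
    fi
    return $rc
}

# Print the command in dry-run mode, otherwise execute it in the current shell.
step() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# Steps 4-11: every step is gated on the success of the one before it, so a failed
# integrity check (--check) means install.sh is never run.
install_additions() {
    preflight || return 1
    step rm -rf -- "$ISO_DIR" "$RUN_DIR" || return 1      # step 4: drop stale extractions
    step mkdir -p -- "$ISO_DIR" || return 1
    step bsdtar -C "$ISO_DIR" -xf "$ISO" || return 1       # step 5
    step chmod +x "$ISO_DIR/VBoxLinuxAdditions.run" || return 1
    step cd "$ISO_DIR" || return 1
    step ./VBoxLinuxAdditions.run --check || return 1      # step 8: makeself checksum test
    step ./VBoxLinuxAdditions.run --noexec --target "$RUN_DIR" || return 1
    step cd "$RUN_DIR" || return 1
    step ./install.sh force force || return 1              # step 11
}

if [ "${1:-}" = "--install" ]; then install_additions; fi
```

With the default DRY_RUN=1 the script only prints the commands it would run, which makes it possible to review the sequence before executing it as root with DRY_RUN=0.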

Credits: Gratitude is expressed to VirtualBox developers for providing VBoxGuestAdditions.iso and to Debian Developers for providing package virtualbox-guest-additions-iso. The script that improves the usability of this, named vbox-guest-installer, was created by the Whonix project.

Forum discussion: https://forums.whonix.org/t/challenges-upgrading-virtualbox-to-6-1-12-on-debian-buster-installation-from-upstream-virtualbox-org-apt-repository/9984 [archive]

Arguments for keeping VirtualBox Support

  • KVM is not available to Windows users.
  • Simplicity, as in: VirtualBox has a VM import GUI feature.
  • Available to users who do not own a computer providing hardware virtualization. (KVM requires that. QEMU may or may not but is unsupported.)
  • Due to Windows users and simplicity it leads to greater popularity, which in theory attracts more users, developers, auditors, payments, etc. and is therefore good for the overall health of the project.
  • Some Windows/VirtualBox users experimenting with their first Linux (Whonix ™) will one day become users who mainly use Linux as their host operating system.
  • We have a Whonix ™ Windows Installer which installs VirtualBox and the Whonix ™ VirtualBox VMs for these reasons.

Bugs

[drm:vmw_host_log [vmwgfx]] ERROR Failed to send log

Confusing message but no bad effects.

https://www.virtualbox.org/ticket/19168 [archive]

[sda] Incomplete mode parameter data / Assuming drive cache: write through

Confusing error message due to our use of a SAS virtual hard drive controller, but no bad effects. The error message doesn't happen with the SATA controller but we can't use that one.

VirtualBox Bug Reports

VirtualBox (Guest Additions) have various issues. Often copy/paste from host to VM does not work or VMs are not automatically resized to optimal size.

The internet is full of discussions that lead to no solution, and good information is hard to find. It is unhelpful to ask in arbitrary places about it as this only leads to more discussions which go nowhere. The only option is to find out what information VirtualBox developers are asking for, to write a good bug report and to report to virtualbox.org developers.

  • Step 1) Research what information VirtualBox developers would be asking for.
  • Step 2) Write a good bug report.

What Should Be Included In Bug Report

Include as much information as possible.

Resize Issues

Notes

Non-Issues

Bug Report Draft

user@host:~$ dpkg -l | grep x11
ii  libqt5x11extras5:amd64                        5.11.3-2                     amd64        Qt 5 X11 extras
ii  libva-x11-2:amd64                             2.4.0-1                      amd64        Video Acceleration (VA) API for Linux -- X11 runtime
ii  libx11-6:amd64                                2:1.6.7-1                    amd64        X11 client-side library
ii  libx11-data                                   2:1.6.7-1                    all          X11 client-side library
ii  libx11-xcb1:amd64                             2:1.6.7-1                    amd64        Xlib/XCB interface library
ii  libxkbcommon-x11-0:amd64                      0.8.2-1                      amd64        library to create keymaps with the XKB X11 protocol
ii  virtualbox-guest-x11                          6.1.4-dfsg-2                 amd64        x86 virtualization solution - X11 guest utilities
ii  x11-common                                    1:7.7+19                     all          X Window System (X.Org) infrastructure
ii  x11-utils                                     7.7+4                        amd64        X11 utilities
ii  x11-xkb-utils                                 7.7+4                        amd64        X11 XKB utilities
ii  x11-xserver-utils                             7.7+8                        amd64        X server utilities
ii  xserver-xorg                                  1:7.7+19                     amd64        X.Org X server
ii  xserver-xorg-core                             2:1.20.4-1                   amd64        Xorg X server - core server
ii  xserver-xorg-input-all                        1:7.7+19                     amd64        X.Org X server -- input driver metapackage
ii  xserver-xorg-input-libinput                   0.28.2-2                     amd64        X.Org X server -- libinput input driver
ii  xserver-xorg-video-fbdev                      1:0.5.0-1                    amd64        X.Org X server -- fbdev display driver
ii  xserver-xorg-video-qxl                        0.1.5-2+b1                   amd64        X.Org X server -- QXL display driver
ii  xserver-xorg-video-vesa                       1:2.4.0-1                    amd64        X.Org X server -- VESA display driver

Bug descriptions:

Broken:

1) Power off the VM.
2) Restart the VM.
3) Maximize the VM window after start of the VM as soon as possible.
4) VirtualBox VM Window → View → Virtual Screen 1 → Choose any, resize to another resolution
5) VirtualBox VM Window → View → Auto-resize Guest Display / Adjust Window Size

Also broken:

XFCE Start Menu → Settings → Display → Resolution: → Choose a higher resolution → Apply

TODO: manual resize functional using xrandr

References

  1. In response to whether JanusVM was safe to use, Roger Dingledine of The Tor Project stated in 2011 [archive]: "No, not safe. Probably has been unsafe to use for years."
  2. VirtualBox bug report: clarify license of VBoxGuestAdditions ISO OSE or PUEL (free vs nonfree) [archive] VirtualBox forums question: Is VBoxGuestAdditions_6.1.10.iso OSE or PUEL? [archive]
  3. manual instructions

Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee [archive] of the Open Invention Network [archive]. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself. (Why?)