Dec 7 2018
Dec 3 2018
There's been research showing that trying to hide CPU information in a virtualizer is futile.
Nov 28 2018
This will be undone. Ticket:
Nov 22 2018
Oct 1 2018
Sep 20 2018
Sep 3 2018
Aug 27 2018
Regarding the spectre vulnerability and its effect on VirtualBox your input is desired. @dumbmouse
"Hiding CPU model is futile." Any reference for that? @HulaHoop
Jun 30 2018
Apr 30 2018
virt-sparsify solution dropped because needs booting the image with qemu-system (not clean, to much unknown consequences, see attached ouptut).
Apr 26 2018
Apr 6 2018
Mar 11 2018
Mar 1 2018
NB for the record: with qemu-ga a guest can still shut itself off via crafted input to the agent. So besides removing timer access to the guest, there was no other advantage to removing ACPI.
Actually we don't have to suspend the guest. Execution of any command on the host after resume is enough to create a uniqu event in the qemu-ga's log file.
The proper and direct way to use virsh to communicate with guest agent:
The YAJL parser used in libvirt is tiny, modern (written in2007) and has no CVEs. It is an SAX type event-driven parser unlike the vulnerable, top-down recursive descent type that was used in QEMU.
Feb 28 2018
It turns out the QEMU guest agent warning was not relevant to those who use libvirt. With libvirt a safe parser is used. Breakouts can only happen if a process on the host is designed to parse guest input because there is no way to control that otherwise it should be safe for our uses. This potentially simplifies the design in many respects but a host package will still be needed. I will update the task list.
[libvirt-users] QEMU guest-agent safety in hostile VM?
Feb 23 2018
Feb 14 2018
Yes there are less moving parts especially when multiple WSs share a GW. Some way to exempt timesync traffic from the WS would be needed though.
Feb 12 2018
HulaHoop added a comment.
With qemu-ga code the whole clock drift detection code becomes redundant. If a
suspend event is triggered the GW should assume clocks are out of sync and
With qemu-ga code the hwclock drift detection code becomes redundant. If a suspend event is triggered the GW should assume clocks are out of sync and trigger lockdown.
Oops didn't realize ntpdate requires query of remote servers. ntpdate is obsolete anyhow but the newer clockdiff still talks to online servers instead of comparing local values. hwclock can give us that:
It's a very good rehash!
Feb 11 2018
@Patrick I wrote a rehash. If you think is too complicated, let me know. It was the simplest and most reliable way I could think of:
Feb 4 2018
Didn't rehash. What's next here? Looks like we learned a lot, but then things stalled. Could you please rehash, and then create a follow-up ticket with the way forward? @HulaHoop
Jun 5 2017
Apr 13 2017
Mar 10 2017
Added. Not yet tested by me but will test in the next build.
Jan 22 2017
Works for me, hid my cpu name
Jan 21 2017
Here is a more limited version, but better for general distribution:
Jan 18 2017
Actually I need to test this more. I will fine tune it and add another comment here in couple of days.
Thanks! Without your research, this almost certainly would not have had a chance to make it into Whonix 14. Can you commit your changes to git please? (And/or create a github pull request?)