#StackBounty: #suspend #virtualization #20.10 #virt-manager Ubuntu 20.10 VM restarts sometimes after wake from sleep

Bounty: 50

I’m running Ubuntu 20.04 on the host and Ubuntu 20.10 on two VMs. I always leave them open and running. Sometimes, after waking the laptop from sleep, one of them has the screen locked (they both are configured to never lock screen/sleep). Then I put the password and unlock it, the screen gets black and I have to force reset the VM for it to work again.

It’s annoying because I then have to reopen everything I was working on.

What can I do to solve this problem? It’s not always that it happens and not on both VMs at the same time.

I use virt-manager for the virtualization



#StackBounty: #virtualization #confidentiality Can Google access data in their Confidential Computing VMs?

Bounty: 50

A cloud operator such as Google can take a snapshot of a normal VM. This includes CPU state, RAM and disk. This can then be copied to another physical machine and resumed there. Or it can be analyzed off-line, and any cryptokeys in memory or in the CPU state can be extracted.

This means that if you do not trust your cloud VM provider (maybe your cloud VM provider is owned by your worst competitor), you should not process confidential data on those VMs.

https://cloud.google.com/confidential-computing seems to use AMD’s Secure Encrypted Virtualization which includes hardware RAM encryption: https://developer.amd.com/sev/

If the RAM is encrypted, it will make it harder to use attacks like https://rambleed.com/

But will it also protect against Google?

It seems the RAM is encrypted with a key, that lives in the CPU. But is this key included when Google takes a snapshot of the CPU state of the VM?

In theory I could see it work like this: The CPU has a small web server with a TLS certificate signed by AMD. I access the web server, verify AMD’s certificate, and now I have a secure connection to the CPU that Google cannot access.

Then I give the CPU a secret key to encrypt RAM with. Then I give it a disk image encrypted with the same key. Then I boot the VM.

If the secret key physically cannot leave the CPU, then it should be impossible for Google to access my data: The RAM is encrypted, data to the disk and to the network is encrypted. So I need to trust neither the RAM, the storage, nor the network. It will, however, also mean Google cannot snapshot my VM and restore it on another CPU.

This would also mean that this answer is outdated: https://security.stackexchange.com/a/215927/84564

Currently I see no way to do something similar to verifying the AMD certificate in Google’s current solution. And thus I see no way to securely set a key that Google does not have access to.

Can Google take a snapshot of a running confidential computing VM and restore it?

Using AMD’s SEV can CIA safely process their most secret data on North Korea’s Confidential cloud (assuming they have that) without North Korea being able to access the data – assuming that AMD is trustworthy, but all other hardware apart from the CPU is made in North Korea?



#StackBounty: #windows #virtualization #snapshot #windows-server-2019 #smb-conf Network share with multiple users and snapshots

Bounty: 50

I want to make a network share with read/write and it will be accessed by multiple computers.

Every time a new computer connects to it, they should find it in an initial state.

Every change made on the files after should be stored separately as snapshots for each User accessing it.

For example: 
Initial state - A 
Computer 1 - State B
Computer 2 - State C
Computer 3 - State D  etc  
If Computer 1 for example deleted some files or made bad changes, I will reset the share to state A so everything is functional again. 
Computer 2 and Computer 3 will still have access to the network share in state C and D.

Is there any way to do it?



#StackBounty: #graphics #virtualization #kvm #display-rotation #spice How to emulate a vertical screen in Xubuntu guest?

Bounty: 50

I am using an Xubuntu guest virtual machine with Virt-Manager, Spice, and QXL. I want to rotate the virtual display to be vertical so as to fit my monitor.

Stuff I tried:

  • Settings > Display in Xubuntu guest: There is a Rotation popup menu, but the only available option is None.
  • Rotating via xrandr doesn't work:
~$ xrandr -q
Screen 0: minimum 320 x 200, current 1024 x 768, maximum 8192 x 8192
Virtual-0 connected primary 1024x768+0+0 0mm x 0mm
   1024x768      59.95*+
   1920x1200     59.95  
   1920x1080     60.00  
   1600x1200     59.95  
   1680x1050     60.00  
   1400x1050     60.00  
   1280x1024     59.95  
   1440x900      59.99  
   1280x960      59.99  
   1280x854      59.95  
   1280x800      59.96  
   1280x720      59.97  
   1152x768      59.95  
   800x600       59.96  
   848x480       59.94  
   720x480       59.94  
   640x480       59.94  
Virtual-1 disconnected
Virtual-2 disconnected
Virtual-3 disconnected
~$ xrandr --output Virtual-0 --rotate right
xrandr: output Virtual-0 cannot use rotation "right" reflection "none"
  • echo 3 | sudo tee /sys/class/graphics/fbcon/rotate had no effect and gave no error.
  • As far as I can tell, I have the right drivers installed:
~$ apt list --installed | grep -i spice

WARNING: apt does not have a stable CLI interface. Use with caution in scripts.

spice-vdagent/bionic,now 0.17.0-1ubuntu2 amd64 [installed]
~$ apt list --installed | grep -i qxl

WARNING: apt does not have a stable CLI interface. Use with caution in scripts.

xserver-xorg-video-qxl/bionic,now 0.1.5-2build1 amd64 [installed]
  • My XML looks OK, right?
    <graphics type='spice' autoport='yes'>
      <listen type='address'/>
      <image compression='off'/>
    </graphics>
    <sound model='ich9'>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x1b' function='0x0'/>
    </sound>
    <video>
      <model type='qxl' ram='65536' vram='65536' vgamem='16384' heads='1' primary='yes'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x0'/>
    </video>

Is there a way to have a virtual vertical monitor with a Xubuntu guest?



#StackBounty: #virtualization #hyper-v #network-protocols #bindings Unable to bind hyper-v virtual switch to ethernet adapter

Bounty: 50

I’m having trouble creating a virtual switch for a virtual machine I have in Hyper-V. I had a virtual ethernet switch set up and connected to the machine before; after deleting this at some point, I now cannot create one again.

Within hyper-v the error is:


After researching the problem, this appears to be related to the ‘Hyper-V Virtual Extensible Switch’ item not being checked in the ethernet adapter’s properties.


Trying to enable this in the GUI isn’t possible, as after checking the item then clicking on OK the message is “Your current selection will also disable the following features:
Hyper-V Extensible Virtual Switch”, like here: https://www.tenforums.com/virtualization/31369-cant-enable-hyper-v-extensible-virtual-switch-networking.html

Within powershell when trying to enable this the error is

PS C:\Windows\System32\WindowsPowerShell\v1.0> Set-VMSwitch Internet -NetAdapterName "Ethernet"
Set-VMSwitch : Hyper-V was unable to find a virtual switch with name "Internet".
At line:1 char:1
+ Set-VMSwitch Internet -NetAdapterName "Ethernet"
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (:) [Set-VMSwitch], VirtualizationException
    + FullyQualifiedErrorId : ObjectNotFound,Microsoft.HyperV.PowerShell.Commands.SetVMSwitch

Using the following command with a Microsoft utility called nvspbind:

nvspbind.exe /b "Realtek PCIe GbE Family Controller"

the result is:

applying changes… cleaning up…releasing write lock…success
finished (0)

But inspection afterwards using the properties GUI, PowerShell and nvspbind reveals that the virtual switch is not bound (all list as not bound).

Any ideas?

Specs:
Windows 10 64 bit.



#StackBounty: #drivers #wireless #virtualization #broadcom #qemu Broadcom Wireless card pass-through into Ubuntu VM

Bounty: 100

I’m trying to set up my wireless card to be passed through to a QEMU VM (just to check out device passthrough and how it works). I’m able to use the wifi on my host machine just fine.

An lspci on the host shows the following info related to the card:

The kernel driver in use is “wl”.

Now, I try to unbind the host driver and associate the vfio-pci driver with my wireless card as follows :

#!/bin/bash

# content of /etc/modprobe.d/local.conf is
# options vfio-pci ids=14e4:4331

# content of /etc/modprobe.d/vfio.conf is
# options vfio_iommu_type1 allow_unsafe_interrupts=1

set -e

BDF="03:00.0"
GRP=12

echo "[+] loading vfio-pci"
sudo modprobe vfio-pci

echo "[+] Finding iommu group"
readlink /sys/bus/pci/devices/0000:${BDF}/iommu_group

echo "[+] Devices in the group"
ls /sys/bus/pci/devices/0000:${BDF}/iommu_group/devices

echo "[+] Unbinding device driver"
echo 0000:${BDF} | sudo tee /sys/bus/pci/devices/0000:${BDF}/driver/unbind

echo "[+] Finding vendor, device ID"
lspci -n -s ${BDF}
val=$(lspci -n -s ${BDF} | cut -d' ' -f3)
vendor=$(echo $val|cut -d':' -f1)
deviceid=$(echo $val|cut -d':' -f2)
echo "-- vendor is ${vendor}"
echo "-- deviceid is ${deviceid}"

echo "[+] Binding to vfio-pci"
echo "${vendor} ${deviceid}" | sudo tee /sys/bus/pci/drivers/vfio-pci/new_id

echo "[+] Checking /dev/vfio"
ls /dev/vfio

echo "[+] checking dmesg for vfio logs"
dmesg | grep -i vfio

At this point, doing an lspci shows that the device is associated with the vfio-pci driver.


Now, I boot up Ubuntu in QEMU with the device passed through using the following arguments:

-device vfio-pci,host=03:00.0,id=net0

However, when checking “lspci -v” inside the VM, I see that the driver associated with the device is bcma-pci-bridge.


My doubts/questions are :

  1. Am I passing the device to the VM in the right way? Based on the lspci output/dmesg output, this part seems to be correct.
  2. Is “bcma-pci-bridge” being used the expected behavior? Is there any way to get the VM to use the “wl” driver with the device? Once I set this up, I’d like to poke-and-prod the “wl” driver, so it’d be useful to be able to set it up this way.



#StackBounty: #virtualization #mbr #gpt #fdisk #gdisk increased size of disk in a Virtual machine, but gdisk doesn't want to use t…

Bounty: 50

I have a VM with a virtual disk (visible as /dev/sdb) with a size of 10G

The admin increased the size of the virtualdisk to 60G.

I rebooted the machine and see now, that the disk is bigger.

root@DMZMHLX3:~# lsblk
NAME   MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
...
sdb      8:16   0   60G  0 disk 
└─sdb1   8:17   0   10G  0 part /app
...

Now I’d like to add another partition:

gdisk tells me that the disk has a size of 60G, but that the last usable sector is a sector corresponding to the old 10G disk image size:

root@DMZMHLX3:~# gdisk -l /dev/sdb
GPT fdisk (gdisk) version 1.0.1

Partition table scan:
  MBR: protective
  BSD: not present
  APM: not present
  GPT: present

Found valid GPT with protective MBR; using GPT.
Disk /dev/sdb: 125829120 sectors, 60.0 GiB
Logical sector size: 512 bytes
Disk identifier (GUID): FCE659D1-3690-4C3C-93EC-79B51EE8556D
Partition table holds up to 128 entries
First usable sector is 34, last usable sector is 20971486
Partitions will be aligned on 2048-sector boundaries
Total free space is 4029 sectors (2.0 MiB)

Number  Start (sector)    End (sector)  Size       Code  Name
   1            2048        20969471   10.0 GiB    8300  

The last usable sector should be something like 125829120 and not 20971486.

So though the disk image size has increased and the VM sees the change I don’t know how to use the newly available space.

fdisk shows me:

root@DMZMHLX3:~# fdisk -l /dev/sdb
GPT PMBR size mismatch (20971519 != 125829119) will be corrected by w(rite).
Disk /dev/sdb: 60 GiB, 64424509440 bytes, 125829120 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: gpt
Disk identifier: FCE659D1-3690-4C3C-93EC-79B51EE8556D

Device     Start      End  Sectors Size Type
/dev/sdb1   2048 20969471 20967424  10G Linux filesystem

It recognizes a mismatch:

GPT PMBR size mismatch (20971519 != 125829119) will be corrected by w(rite).

But when trying to write fdisk fails:

Command (m for help): w
GPT PMBR size mismatch (20971519 != 125829119) will be corrected by w(rite).
fdisk: failed to write disklabel: Invalid argument
root@xxx:~# 

How can I fix this issue?

The ultimate goal is to increase the size of the existing partition, but even if I can just add new partitions I would already be happy
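
Why gdisk still reports the old limit, as an added example that is not part of the original question: the GPT header stores the backup-header LBA and the last usable LBA as fixed fields, so they keep their 10G values until the header is rewritten. The header bytes are constructed from the sector counts in the output above, with a zeroed disk GUID; `build_header` and `check_header` are hypothetical helper names.

```python
import struct
import zlib

SECTOR = 512
# GPT header layout (UEFI spec): signature, revision, header size, header CRC32,
# reserved, current LBA, backup LBA, first usable, last usable, disk GUID,
# partition-entry LBA, entry count, entry size, entry-array CRC32.
GPT_HEADER = struct.Struct("<8sIIIIQQQQ16sQIII")


def build_header(total_sectors, entries=128, entry_size=128):
    """Constructed sample: primary header as written for a disk of total_sectors."""
    array_sectors = entries * entry_size // SECTOR
    fields = [b"EFI PART", 0x00010000, GPT_HEADER.size, 0, 0, 1,
              total_sectors - 1,                  # backup header on the last LBA
              2 + array_sectors,                  # first usable LBA (34)
              total_sectors - 2 - array_sectors,  # last usable LBA
              bytes(16), 2, entries, entry_size, 0]
    # The header CRC is computed with the CRC field itself set to zero.
    fields[3] = zlib.crc32(GPT_HEADER.pack(*fields))
    return GPT_HEADER.pack(*fields)


def check_header(raw, total_sectors):
    """Compare the limits recorded in a GPT header with the real disk size."""
    (sig, _rev, size, crc, _res, _cur, backup_lba, _first, last, _guid,
     _ent_lba, entries, entry_size, _ent_crc) = GPT_HEADER.unpack(raw[:GPT_HEADER.size])
    if sig != b"EFI PART":
        raise ValueError("not a GPT header")
    if zlib.crc32(raw[:16] + b"\0\0\0\0" + raw[20:size]) != crc:
        raise ValueError("GPT header CRC mismatch")
    array_sectors = -(-(entries * entry_size) // SECTOR)  # round up to whole sectors
    expected_last = total_sectors - 2 - array_sectors
    return {
        "backup_lba": backup_lba,
        "last_usable": last,
        "expected_backup_lba": total_sectors - 1,
        "expected_last_usable": expected_last,
        "stale": backup_lba != total_sectors - 1 or last != expected_last,
    }


if __name__ == "__main__":
    old_header = build_header(20971520)          # header written when the disk was 10 GiB
    print(check_header(old_header, 125829120))   # same header, disk now 60 GiB
```

Relocating the backup structures to the end of the disk (`sgdisk -e`, or `e` in gdisk's expert menu) rewrites these fields so that they match the expected values.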



#StackBounty: #18.04 #permissions #virtualization #kvm #qemu group libvirt missing from /etc/group

Bounty: 50

I have installed qemu-kvm and virt-manager on an Ubuntu 18.04 machine. While trying to add my user to the libvirt group I got the following error:

sudo groupadd libvirt
groupadd: group 'libvirt' already exists

sudo adduser $USER libvirt
Adding user `xxxxxx' to group `libvirt' ...
gpasswd: group 'libvirt' does not exist in /etc/group
adduser: `/usr/bin/gpasswd -a xxxxxx libvirt' returned error code 3. Exiting.

cat /etc/group | grep libvirt    
libvirt-qemu:x:64055:libvirt-qemu
libvirt-dnsmasq:x:134:

sudo cat /etc/gshadow | grep libvirt
kvm:!::libvirt-qemu
libvirt-dnsmasq:!::
libvirt-qemu:!::libvirt-qemu

