Using Virtual Machines for Privacy and Security

This is a discussion of how a Virtual Machine installation can help with your privacy and security on a computer. I will also demonstrate an installation of a VM on Windows 10 with Ubuntu as the VM. Then the video compares the speed of watching a Youtube video on a VM vs a native OS. This will indicate if there's a significant overhead to running a VM.

I also discuss the different benefits of a VM with privacy and security and its limitations. Additionally I will introduce you to a specific secure Linux distro, intended for Virtual Box and that is WHONIX.

Source: https://www.youtube.com/watch?v=GzMuZlm99g8&t=0s

Activating the Intel VT Virtualization Feature https://www.thomas-krenn.com/en/wiki/Activating_the_Intel_VT_Virtualization_Feature
Jump to navigation
Jump to search
Main Page > Server Hardware > Motherboards > BIOS Settings

The Intel VT-x Virtualization Features (previously called VT) can be activated and deactivated from the BIOS for many systems.
Contents

1 Problem
2 Solution
2.1 Example: Intel SR2500 Server
2.2 Example: Supermicro Server with a X7DBE Mainboard
3 Testing the Configuration under Linux
3.1 Does the CPU support VT-x?
3.2 Do the BIOS Settings permit VT-x usage?
3.2.1 Example 1: Deactivating Intel VT-x in the BIOS
3.2.2 Example 2: Activating Intel VT-x in the BIOS
4 References

Problem

Even when the features have been activated, the virtualization features are not available in the operating system. This will generate an error message indicating that Hardware Virtualization Support is not available.
Solution

Changing this setting in the BIOS requires turning the server off and back on. Only afterwards will the new setting take effect.

Reason: When the computer is turned on, the BIOS must either activate or deactivate the VT-x features in the CPU. The selected setting will then be locked in order to prevent modification of the feature's setting while the computer is running.[1])
Example: Intel SR2500 Server

The BIOS setting can be changed from Advanced --> Processor Configuration --> Intel(R) Virtualization Technology.

The following helpful information will be displayed in the right column of this view:

Intel (R) Virtualization
Technology allows a platform to
run multiple operating systems
and applications in independent
partitions.
Note: A change to this option
requires the system to be
powered off and then back on
before the setting will take
effect.

A screenshot like the message on the screen will look like this:

SR2500-bios-intel-vt.png

After saving the configuration settings, the server must be turned off and back on again.
Example: Supermicro Server with a X7DBE Mainboard

The BIOS setting can be changed from Advanced --> Advanced Processor Options --> Intel(R) Virtualization Technology.

The following helpful information will be displayed in the right column of this view:

One power-cycle will
occur after changed
the setting.

A screenshot like the message on the screen will look like this:

X7DBE-bios-intel-vt.png

Manually turning the power off and back on is not required for this server. The server will do this automatically.
Testing the Configuration under Linux

The following instructions will explain how to test if the CPU supports VT-x and, if that is the case, how to test if the BIOS settings permit this feature to be used.
Does the CPU support VT-x?

On a Linux system, you can test if the CPUs will support VT-x with the help of the /proc/cpuinfo utility. If the vmx setting is listed among the flags, the CPU will support VT-x, in principle:[2]

root@grml~# cat /proc/cpuinfo
processor : 0
vendor_id : GenuineIntel
cpu family : 6
model 15 :
model name : Intel(R) Xeon(R) CPU 5110 @ 1.60GHz
stepping : 6
cpu MHz : 1595.896
cache size : 4096 KB
physical id : 0
siblings : 2
core id : 0
cpu cores : 2
apicid : 0
initial apicid : 0
fpu : yes
fpu_exception : yes
cpuid level : 10
wp : yes
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge
mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall
nx lm constant_tsc arch_perfmon pebs bts rep_good pni dtes64 monitor ds_cpl
vmx tm2 ssse3 cx16 xtpr pdcm dca lahf_lm tpr_shadow
bogomips : 3193.78
clflush size : 64
cache_alignment : 64
address sizes : 36 bits physical, 48 bits virtual
power management:
[...]

Do the BIOS Settings permit VT-x usage?

If the BIOS will permit the usage of VT-x can be determined with the help of the rdmsr (read msr) utility from the msr-tools tool package[3] MSR stands for machine-specific register, although sometimes model-specific register is used.[4] MSRs are used to set specific values for the hardware in use or to transfer values between the BIOS and the kernel.

The VT-x lock function is stored in the IA32_FEATURE_CONTROL machine-specific register (MSR address 0x3a).[5] This MSR contains the following three bits:[6]

Bit 0: lock bit
Bit 1: activate VMXON in SMX mode
Bit 2: activate VMXON outside of SMX mode

The BIOS must set Bits 1 and 2, or all three bits (including Bit 0) so that VT-x support will be enabled.

The Linux Live CD from grml 64 for May 2009 will be used in this example. The msr-tools will be installed by means of the apt-get update and subsequent apt-get install msr-tools commands. So that rdmsr can access the MSRs, the msr kernel module will have to be installed.
Example 1: Deactivating Intel VT-x in the BIOS

If Intel VT-x has been deactivated in the BIOS (or the server was not turned off and back on after the setting was activated), the rdmsr 0x3a command will return 1 (meaning that only Bit 0 has been set).

root@grml ~ # modinfo msr
filename: /lib/modules/2.6.28-grml64/kernel/arch/x86/kernel/msr.ko
license: GPL
description: x86 generic MSR driver
author: H. Peter Anvin
srcversion: 645F15590C9CD893B156AD6
depends:
vermagic: 2.6.28-grml64 SMP preempt mod_unload
root@grml ~ # modprobe msr
root@grml ~ # rdmsr 0x3a
1
root@grml ~ #

Example 2: Activating Intel VT-x in the BIOS

With the example server (an Intel SR2500), the rdmsr 0x3a command returns 5, if Intel VT-x has been activated in the BIOS (Bits 0 and 2 have therefore been set).

root@grml ~ # modinfo msr
filename: /lib/modules/2.6.28-grml64/kernel/arch/x86/kernel/msr.ko
license: GPL
description: x86 generic MSR driver
author: H. Peter Anvin
srcversion: 645F15590C9CD893B156AD6
depends:
vermagic: 2.6.28-grml64 SMP preempt mod_unload
root@grml ~ # modprobe msr
root@grml ~ # rdmsr 0x3a
5
root@grml ~ #