From 7332c72a00e802f8362623b2705757126856e80e Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 23 Nov 2019 12:25:41 +0000 Subject: [PATCH 1/5] improve Qubes VM kernel, Debian distribution kernel installation instructions --- .../managing-vm-kernel.md | 83 +++++++++++++------ 1 file changed, 57 insertions(+), 26 deletions(-) diff --git a/user/advanced-configuration/managing-vm-kernel.md b/user/advanced-configuration/managing-vm-kernel.md index 2df4598d..a5423d8c 100644 --- a/user/advanced-configuration/managing-vm-kernel.md +++ b/user/advanced-configuration/managing-vm-kernel.md 
@@ -278,12 +278,64 @@ If you require `PV` mode, install `grub2-xen` in dom0 and change the template's Booting to a kernel inside the template is not supported under `PVH`. ### Installing kernel in Debian VM +#### Distribution kernel +Apply the following instruction in a Debian TemplateVM or in a Debian StandaloneVM. -Install whatever kernel you want, making sure to include the headers. -If you are using a distribution kernel package (`linux-image-amd64` package), the initramfs and kernel modules should be handled automatically. -If not, or you are building the kernel manually, do this using `dkms` and `initramfs-tools`: +Using a distribution kernel package the initramfs and kernel modules should be handled automatically. - sudo dkms autoinstall -k # replace this with actual kernel version +Create folder `/boot/grub`. + +~~~ +sudo mkdir -p /boot/grub +~~~ + +Install distribution kernel image, kernel headers and the grub configuration generator. + +~~~ +sudo apt install --no-install-recommends linux-image-amd64 linux-headers-amd64 grub2-common +~~~ + +Generate the grub configuration file. + +~~~ +sudo update-grub +~~~ + +You can safely ignore this error message: + +~~~ +grub2-probe: error: cannot find a GRUB drive for /dev/mapper/dmroot. Check your device.map +~~~ + +You may want to adjust some settings in `/etc/default/grub` (or better `/etc/default/grub.d`). For example, lower `GRUB_TIMEOUT` to speed up VM startup. You need to re-run `sudo update-grub` after making grub confugration changes. + +Then shutdown the VM. + +Go to Qubes VM Manger -> right click on the VM -> Qube settings -> Advanced -> choose `pvgrub2-phv` -> OK + +Start the VM. + +The process of using Qubes VM kernel with distribution kernel is complete. + +**Note:** You may also use `PV` mode instead of `HVM` but this is not recommended for security purposes. +If you require `PV` mode, install `grub2-xen` in dom0 and change the template's kernel to `pvgrub2`. 
+Booting to a kernel inside the template is not supported under `PVH`. + +#### Custom kernel +Any kernel can be installed. Just make sure to install kernel headers as well. + +If you are building the kernel manually, do this using `dkms` and `initramfs-tools`. + +Run DKMS. Replace this with actual kernel version. + + sudo dkms autoinstall -k + +For example. + + sudo dkms autoinstall -k 4.19.0-6-amd64 + +Update initramfs. + sudo update-initramfs -u The output should look like this: @@ -303,28 +355,7 @@ The output should look like this: $ sudo update-initramfs -u update-initramfs: Generating /boot/initrd.img-3.16.0-4-amd64 -When the kernel is installed, you need to create a GRUB configuration. -You may want to adjust some settings in `/etc/default/grub`; for example, lower `GRUB_TIMEOUT` to speed up VM startup. -Then, you need to generate the actual configuration with the `update-grub2` tool: - -~~~ -sudo mkdir /boot/grub -sudo update-grub2 -~~~ - -You can safely ignore this error message: - -~~~ -grub2-probe: error: cannot find a GRUB drive for /dev/mapper/dmroot. Check your device.map -~~~ - -Then shutdown the VM. - -**Note:** You may also use `PV` mode instead of `HVM` but this is not recommended for security purposes. -If you require `PV` mode, install `grub2-xen` in dom0 and change the template's kernel to `pvgrub2`. -Booting to a kernel inside the template is not supported under `PVH`. - -### Troubleshooting +#### Troubleshooting In case of problems, you can access the VM console using `sudo xl console VMNAME` in dom0, then access the GRUB menu. You need to call it just after starting the VM (until `GRUB_TIMEOUT` expires); for example, in a separate dom0 terminal window. From 2b091918ac8e77aa817cf7b5a3095648fa8c5a7e Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 23 Nov 2019 17:38:14 +0000 Subject: [PATCH 2/5] fix typo --- user/advanced-configuration/managing-vm-kernel.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/user/advanced-configuration/managing-vm-kernel.md b/user/advanced-configuration/managing-vm-kernel.md index a5423d8c..f173c0dd 100644 --- a/user/advanced-configuration/managing-vm-kernel.md +++ b/user/advanced-configuration/managing-vm-kernel.md @@ -311,7 +311,7 @@ You may want to adjust some settings in `/etc/default/grub` (or better `/etc/def Then shutdown the VM. -Go to Qubes VM Manger -> right click on the VM -> Qube settings -> Advanced -> choose `pvgrub2-phv` -> OK +Go to Qubes VM Manger -> right click on the VM -> Qube settings -> Advanced -> choose `pvgrub2-pvh` -> OK Start the VM. From 216604b480f4e81b2447bd7c06ccc0972af2c97d Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 24 Nov 2019 09:24:51 +0000 Subject: [PATCH 3/5] explain kernel and virtualization mode setting --- .../managing-vm-kernel.md | 25 ++++++++++++------- 1 file changed, 16 insertions(+), 9 deletions(-) diff --git a/user/advanced-configuration/managing-vm-kernel.md b/user/advanced-configuration/managing-vm-kernel.md index f173c0dd..a8494544 100644 --- a/user/advanced-configuration/managing-vm-kernel.md +++ b/user/advanced-configuration/managing-vm-kernel.md @@ -279,6 +279,7 @@ Booting to a kernel inside the template is not supported under `PVH`. ### Installing kernel in Debian VM #### Distribution kernel + Apply the following instruction in a Debian TemplateVM or in a Debian StandaloneVM. Using a distribution kernel package the initramfs and kernel modules should be handled automatically. 
@@ -302,25 +303,31 @@ sudo update-grub ~~~ You can safely ignore this error message: - -~~~ -grub2-probe: error: cannot find a GRUB drive for /dev/mapper/dmroot. Check your device.map -~~~ +`grub2-probe: error: cannot find a GRUB drive for /dev/mapper/dmroot. Check your device.map` You may want to adjust some settings in `/etc/default/grub` (or better `/etc/default/grub.d`). For example, lower `GRUB_TIMEOUT` to speed up VM startup. You need to re-run `sudo update-grub` after making grub confugration changes. Then shutdown the VM. -Go to Qubes VM Manger -> right click on the VM -> Qube settings -> Advanced -> choose `pvgrub2-pvh` -> OK +Go to dom0 -> Qubes VM Manger -> right click on the VM -> Qube settings -> Advanced + +Depends on `Virtualization` mode setting: + +* `Virtualization` mode `PV`: Use of `Virtualization` mode `PV` mode is discouraged for security purposes. + * If you require `Virtualization` mode `PV` mode, install `grub2-xen` in dom0. This can be done by running command `sudo qubes-dom0-update grub2-xen` in dom0. +* `Virtualization` mode `PVH`: Booting to a kernel inside a TemplateVM is unsupported. +* `Virtualization` mode `HVM`: Possible. + +The `Kernel` setting of the `Virtualization` mode setting: + +* If `Virtualization` is set to `PVH` -> `Kernel` -> choose `pvgrub2-pvh` -> OK +* If `Virtualization` is set to `PV` -> `Kernel` -> choose `pvgrub2` -> OK +* If `Virtualization` is set to `HVM` -> `Kernel` -> choose `none` -> OK Start the VM. The process of using Qubes VM kernel with distribution kernel is complete. -**Note:** You may also use `PV` mode instead of `HVM` but this is not recommended for security purposes. -If you require `PV` mode, install `grub2-xen` in dom0 and change the template's kernel to `pvgrub2`. -Booting to a kernel inside the template is not supported under `PVH`. - #### Custom kernel Any kernel can be installed. Just make sure to install kernel headers as well. 
From 373fc8cab71efbd84f5add9980678841bc2ac89b Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 25 Nov 2019 06:22:42 +0000 Subject: [PATCH 4/5] fix, Virtualization mode HVM does support VM kernel with TemplateVM boot --- user/advanced-configuration/managing-vm-kernel.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/user/advanced-configuration/managing-vm-kernel.md b/user/advanced-configuration/managing-vm-kernel.md index a8494544..a9ff4fc6 100644 --- a/user/advanced-configuration/managing-vm-kernel.md +++ b/user/advanced-configuration/managing-vm-kernel.md @@ -313,9 +313,9 @@ Go to dom0 -> Qubes VM Manger -> right click on the VM -> Qube settings -> Advan Depends on `Virtualization` mode setting: -* `Virtualization` mode `PV`: Use of `Virtualization` mode `PV` mode is discouraged for security purposes. +* `Virtualization` mode `PV`: Possible, however use of `Virtualization` mode `PV` mode is discouraged for security purposes. * If you require `Virtualization` mode `PV` mode, install `grub2-xen` in dom0. This can be done by running command `sudo qubes-dom0-update grub2-xen` in dom0. -* `Virtualization` mode `PVH`: Booting to a kernel inside a TemplateVM is unsupported. +* `Virtualization` mode `PVH`: Possible. * `Virtualization` mode `HVM`: Possible. The `Kernel` setting of the `Virtualization` mode setting: From a0d40c6ea8980592d13452ded3065223063eb1f4 Mon Sep 17 00:00:00 2001 From: Andrew David Wong Date: Wed, 27 Nov 2019 01:55:32 -0600 Subject: [PATCH 5/5] Fix typo --- user/advanced-configuration/managing-vm-kernel.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/user/advanced-configuration/managing-vm-kernel.md b/user/advanced-configuration/managing-vm-kernel.md index a9ff4fc6..9ec4ff1d 100644 --- a/user/advanced-configuration/managing-vm-kernel.md +++ b/user/advanced-configuration/managing-vm-kernel.md 
@@ -305,7 +305,7 @@ sudo update-grub You can safely ignore this error message: `grub2-probe: error: cannot find a GRUB drive for /dev/mapper/dmroot. Check your device.map` -You may want to adjust some settings in `/etc/default/grub` (or better `/etc/default/grub.d`). For example, lower `GRUB_TIMEOUT` to speed up VM startup. You need to re-run `sudo update-grub` after making grub confugration changes. +You may want to adjust some settings in `/etc/default/grub` (or better `/etc/default/grub.d`). For example, lower `GRUB_TIMEOUT` to speed up VM startup. You need to re-run `sudo update-grub` after making grub configuration changes. Then shutdown the VM.
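Review bot: the step `choose pvgrub2-phv` added in the first hunk of [PATCH 1/5] (`@@ -278,12 +278,64 @@`) is contradicted by the note added a few lines below it, which says "Booting to a kernel inside the template is not supported under `PVH`". The kernel name is also misspelled (`phv` for `pvh`). Decide which statement is correct and drop or reword the other. The note also repeats the text already visible in the context at the top of the hunk, so it now appears twice on the page. In the same hunk, "Run DKMS. Replace this with actual kernel version." is followed by `sudo dkms autoinstall -k` with nothing after `-k`, so "this" has no referent. Put an explicit placeholder after `-k` and say that it is the one to replace. The added paragraph also has "confugration" for "configuration" and "Qubes VM Manger" for "Manager".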
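Review bot: changing `### Troubleshooting` to `#### Troubleshooting` at the end of the second hunk of [PATCH 1/5] (`@@ -303,28 +355,7 @@`) makes it a subsection of "Installing kernel in Debian VM", although the text under it (`sudo xl console VMNAME` in dom0, then the GRUB menu) is not Debian-specific. Keep the heading at `###` unless the other distribution sections get their own copy. The sample output kept as context in this hunk still shows `initrd.img-3.16.0-4-amd64`, while the example added in the first hunk uses `4.19.0-6-amd64`; use one kernel version for both so the reader can match command and output.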
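Review bot: the line changed in [PATCH 2/5] still reads "Qubes VM Manger" after the `pvgrub2-phv` to `pvgrub2-pvh` fix. Correct it to "Manager" in the same commit, since the subject is "fix typo" and the line is already being touched.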
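Review bot: the two lists added in the second hunk of [PATCH 3/5] (`@@ -302,25 +303,31 @@`) disagree about `PVH`: the first says "Booting to a kernel inside a TemplateVM is unsupported", the second says to choose `pvgrub2-pvh` when `Virtualization` is set to `PVH`. A reader following the steps cannot tell whether `PVH` is usable, so make the first list match the second or remove the `PVH` kernel entry. "Depends on `Virtualization` mode setting:" is a sentence fragment, and "`Virtualization` mode `PV` mode" doubles the word "mode". The hunk removes the old note and keeps only "discouraged for security purposes" for `PV`; state the reason in one sentence or link to where it is explained, because that is the line a reader uses to pick a mode. Merging both lists into one, with one entry per mode giving its status and its `Kernel` value, would remove the duplication.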
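Review bot: the subject of [PATCH 4/5] says "Virtualization mode HVM does support VM kernel with TemplateVM boot", but the hunk changes only the `PV` and `PVH` bullets and leaves the `HVM` bullet as an unchanged context line. Reword the subject to name the modes that actually change. After this change all three bullets say "Possible", so the first list carries no information beyond the `PV` security remark; fold it into the `Kernel` list that follows. The changed `PV` line still reads "`Virtualization` mode `PV` mode".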
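Review bot: on the line corrected in [PATCH 5/5], "(or better `/etc/default/grub.d`)" names a directory without saying what to put in it. Say that the setting goes in a `*.cfg` file in that directory, which `update-grub` reads along with `/etc/default/grub`. The context line "Then shutdown the VM." uses the noun form as a verb; "shut down" is the verb.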