VMs restored from backups need to be manually converted to PVH

[mossy-nw]

Qubes OS version:

R4.0_rc4

Affected TemplateVMs:

---

Steps to reproduce the behavior:

Restore qubes from R4.0_rc3 (containing VMs created previously under R3.2 and R4.0_rc3)

Expected behavior:

New users may expect R4.0_rc4 to address Meltdown (+ Spectre?) bugs by automatically converting VMs to PVH mode according to QSB-37. Moreover, there is disagreement between the GUI (Qube Settings -> Advanced Tab) where virtualization reads Mode: default (PVH), while qvm-prefs reads virt_mode ... hvm or virt_mode ... pv, possibly further misleading users.

Actual behavior:

Existing virtualization modes persist (PV for VMs created under R3.2, HVM for VMs created under R4.0_rc3). Novice users may mistakenly believe they are protected by PVH mode simply by running R4.0_rc4+

General notes:

It's not a problem to use qvm-prefs VM-name virt_mode pvh but maybe this should this be added to https://www.qubes-os.org/doc/releases/4.0/release-notes/ ?
Apologies if the script to do this automatically for users is already in the works and just not yet released--don't mean to be impatient 🥇

---

Related issues:

#3517
perhaps #3515

[andrewdavidwong]

I propose that we automatically change the virtualization mode of restored VMs to PVH, where possible. Of course, we should communicate to the user that we're doing this (both in the software and in the documentation). In the rare case that the user has some reason for wanting to use the old virtualization mode, they can use qvm-prefs to change it back. The migration process should be secure by default for the majority of users.

CC: @marmarek

[andrewdavidwong]

I propose that we automatically change the virtualization mode of restored VMs to PVH, where possible. Of course, we should communicate to the user that we're doing this (both in the software and in the documentation). In the rare case that the user has some reason for wanting to use the old virtualization mode, they can use qvm-prefs to change it back. The migration process should be secure by default for the majority of users.

CC: @marmarek

[mossy-nw]

In the meantime, would posting a dom0 script like the following to qubes-users be helpful for novices?

#!/bin/bash
qvm-ls --field NAME,CLASS,VIRT_MODE | grep pv$ > pv.domains
while read VM-name remainder
        do 
                qvm-prefs $VM-name virt_mode pvh
        done < pv.domains

HVM domains (e.g. created in R4.0_rc3, maybe also earlier) would still need to be done manually, to avoid converting sys-net, sys-usb etc...

[mossy-nw]

In the meantime, would posting a dom0 script like the following to qubes-users be helpful for novices?

#!/bin/bash
qvm-ls --field NAME,CLASS,VIRT_MODE | grep pv$ > pv.domains
while read VM-name remainder
        do 
                qvm-prefs $VM-name virt_mode pvh
        done < pv.domains

HVM domains (e.g. created in R4.0_rc3, maybe also earlier) would still need to be done manually, to avoid converting sys-net, sys-usb etc...

[marmarek]

This is already changed in 4.0rc4 - if you restore R3.2 backup there, VMs will be PVH by default.
It wasn't the case in 4.0rc3 - if you restored R3.2 backup there, VMs were set as PV. This property persist when you backup&restore on 4.0 (as it is no longer seen as migration from R3.2).
I'm not sure if we want anything more here, @andrewdavidwong ?

[marmarek]

This is already changed in 4.0rc4 - if you restore R3.2 backup there, VMs will be PVH by default.
It wasn't the case in 4.0rc3 - if you restored R3.2 backup there, VMs were set as PV. This property persist when you backup&restore on 4.0 (as it is no longer seen as migration from R3.2).
I'm not sure if we want anything more here, @andrewdavidwong ?

[andrewdavidwong]

I think it would be nice to do the switch automatically for users who followed the 3.2 -> 4.0-rc3 -> 4.0-rc4 migration path. Most of them probably want to use PVH by default and would be unpleasantly surprised to find that they weren't simply because they happened to follow this migration path instead of going directly from 3.2 to 4.0-rc4.

[andrewdavidwong]

I think it would be nice to do the switch automatically for users who followed the 3.2 -> 4.0-rc3 -> 4.0-rc4 migration path. Most of them probably want to use PVH by default and would be unpleasantly surprised to find that they weren't simply because they happened to follow this migration path instead of going directly from 3.2 to 4.0-rc4.

[marmarek]

But there is no easy way to distinguish VMs restored from R3.2 backup from those created on R4.0-rc3. Or even R4.0-rc4 (in case of user reinstalling R4.0-rc4 for whatever reason). And there are valid cases for PV usage - for example MirageOS do not support PVH yet.

[marmarek]

But there is no easy way to distinguish VMs restored from R3.2 backup from those created on R4.0-rc3. Or even R4.0-rc4 (in case of user reinstalling R4.0-rc4 for whatever reason). And there are valid cases for PV usage - for example MirageOS do not support PVH yet.

[andrewdavidwong]

Ok, then let's just document it and include it in the release notes.

[andrewdavidwong]

Ok, then let's just document it and include it in the release notes.

[andrewdavidwong]

Looks like @adubois has already submitted a PR to mention this in the release notes:
QubesOS/qubes-doc#574

[andrewdavidwong]

Looks like @adubois has already submitted a PR to mention this in the release notes:
QubesOS/qubes-doc#574

[andrewdavidwong]

This appears to be sufficiently documented now. If anyone believes that further action should be taken on this issue, please leave a comment, and we can reopen it.

[andrewdavidwong]

This appears to be sufficiently documented now. If anyone believes that further action should be taken on this issue, please leave a comment, and we can reopen it.