Make Qubes work in VirtualBox

[marmarek]

The problem you're addressing (if any)
Qubes installer (and probably installed system too) fails to run inside VirtualBox. Known problems:

• Xorg fails to start with (EE) VESA(0): V_BIOS address 0x0 out of range message
• a lot of disk I/O errors, especially on heavy I/O (like the installation itself)

Tried with Qubes 4.0.1.

Describe the solution you'd like
Fedora 25 runs fine with exactly the same VirtualBox configuration, so I guess it's either missing/misconfigured drivers shipped with Qubes, or Xen interfering with them.
The easiest thing for start would be to try with Qubes 4.1 (updated drivers), but I guess it will not be enough.

Where is the value to a user, and who might that user be?
Generally running Qubes OS in a virtual machine is discouraged, as it does not offer protection from the host system. But there are use cases where it makes sense:

• testing / playing / trying
• running Qubes OS as a component in Genode (Sculpt OS), as an intermediate step in using Genode as isolation-provider for Qubes OS

Note that VirtualBox only recently introduced nested virtualization and only for AMD CPUs. And AFAIK none of it include nested IOMMU. This means isolation within such Qubes instance is significantly weaker than bare metal one, as only PV is possible.

Describe alternatives you've considered

Alternative for Genode use case may be trying Seoul VMM, which works well with some Linux distributions. I don't know if it's able to run Xen (even with PV only).

Relevant documentation you've consulted
Setting up a VirtualBox VM in Sculpt OS: https://genodians.org/m-stein/2019-03-07-vm-with-sculpt-ce-preview

cc @nfeske

[andrewdavidwong]

Related issue with useful comments: #2249

[DemiMarie]

It would be nice if Xen supported nested virtualization. Qubes-in-Qubes would be very nice for development of Qubes itself.

[alex-ab]

I would suggest first to try to get the installation in Virtualbox on Linux or on Windows working. If this is known to work, we may look through our port of Virtualbox to Genode to understand what we do potentially different. I tried to install Qubes 4.0.1 iso on Ubuntu 18.04 with VBox 5.2, but couldn't succeed. I used inst.text because of the Xorg error and later on failed during disk preparation with a "Encryption requested for LUKS device sda2 but no encryption key specified" message.

[marmarek]

I would suggest first to try to get the installation in Virtualbox on Linux or on Windows working.

Yes, this is exactly what this issue is about. It is known to be broken (at least the Xorg issue) on "vanilla" Virtualbox right now.

BTW there are workarounds for text installation issue:

• provide kickstart file: LUKSerror: luks device has no key/passphrase #1161 (comment), or:
• modify anaconda to not encrypt disk:
  1. switch to tty2
  2. edit /usr/lib64/python3.5/site-packages/pyanaconda/kickstart.py - change kwargs['encrypted'] = True to kwargs['encrypted'] = False in AutoPart class
  3. remove /var/run/anaconda.pid
  4. start anaconda

[alex-ab]

Thanks for the information. I succeed to install Qubes on VBox5/Ubuntu and I did not got the disk I/O errors. So, the issue is probably in the Genode port of VBox5. If I have some time left, I will try to look into this.

[alex-ab]

I succeed with an installation on a test Genode branch (so not on Sculpt OS) by using an IDE disk model, but in principle it should also work on Sculpt OS. Just ex-change in the specific machine.vbox file of the Qubes VM the AHCI model with the IDE model:

@@ -47,11 +58,11 @@
      </SharedFolders>
     </Hardware>
     <StorageControllers>
-      <StorageController name="SATA" type="AHCI" PortCount="4" useHostIOCache="true" Bootable="true" IDE0MasterEmulationPort="0" IDE0SlaveEmulationPort="1" IDE1MasterEmulationPort="2" IDE1SlaveEmulationPort="3">
+      <StorageController name="IDE" type="PIIX4" PortCount="2" useHostIOCache="true" Bootable="true">
         <AttachedDevice type="HardDisk" port="0" device="0">
           <Image uuid="{a90a16bf-f724-4321-99df-5498d6e4b796}"/>
         </AttachedDevice>
-        <AttachedDevice passthrough="false" type="DVD" port="3" device="0">
+        <AttachedDevice passthrough="false" type="DVD" port="1" device="0">
           <Image uuid="{81763434-9a51-49e8-9444-528a5a28c4bc}"/>
         </AttachedDevice>
       </StorageController>

[marmarek]

Thanks! I'll give it a try.

[tasket]

Qubes 4.1 pre-release appears to install OK in vbox 6.1 (after trying and failing with Qubes 4.0).

But I have two runtime issues so far:

1. No networking. After switching sys-net to PV mode, it has no interfaces.

2. Guest programs don't start cleanly if the VM isn't already running. The target VM must be started first before qvm-run will work.

I would link to the qubes-users thread I started, but Google Groups no longer allows you to read groups without signing in. The thread title is "Running Qubes 4.1 under VirtualBox as migration strategy".

[marmarek]

The link: https://www.mail-archive.com/qubes-users@googlegroups.com/msg35135.html

Is the login requirement of Google Groups a bug? I didn't see any announcement about this change and also it didn't happened before. But indeed now when trying to use the web interface I get redirected to a login page most of the time (but not always).

[DemiMarie]

@marmarek are you using Tor?

[marmarek]

No, this try was over clearnet.

[DemiMarie]

I wonder if they are being mean and requiring anyone to login if they don’t have a browser that lets their tracking work.

[cheznewa]

In VirtualBox Testbuild (r148976) Is Added The IOMMU Support I Activated But The Boot Stop It With A Message The HAP Is No Detected.

HAP = Hardware Assistant Paging

How To Fix It For Continue The Boot, For I Waiting The Stable 6.2?