Feature #5606

Add VirtualBox host software

Added by Tails 2013-07-18 07:43:27 . Updated 2018-08-19 10:09:09 .

Status:
Rejected
Priority:
Low
Assignee:
Category:
Virtualization
Target version:
Start date:
Due date:
% Done:

0%

Feature Branch:
feature/virtualbox-host
Type of work:
Code
Blueprint:

Starter:
0
Affected tool:
Deliverable for:

Description

Rationale: running a proprietary OS in a virtual machine inside Tails would be useful by folks who cannot afford doing without their preferred Windows-only piece of software but still want to work in a relatively secure environment.

Next steps

  1. Install VirtualBox packages from our APT repository instead of from config/chroot_local-includes/usr/share/amnesia/packages/.
  2. Rewrite history of feature/virtualbox-host to not include the host binary packages.
  3. Try just deleting the VirtualBox networking drivers files (vboxnetadp and vboxnetflt) to disable network support altogether, see if it breaks anything else, (proposed in January 2013 in the "Tails 0.14 rc1 virtualization testing & howto install virtualbox and vmplayer" thread)

Later / maybe

  1. Research how to disable VirtualBox network modes that bypass the Tails firewall: see discussion on tails-dev (2012Q4, "Tails 0.14 rc1 virtualization testing & howto install virtualbox and vmplayer" and "VirtualBox host software vs. networking" threads).

Resources

  • How To Set Up A TOR Middlebox Routing All VirtualBox Virtual Machine Traffic Over The TOR Network (Using an adaptation of this we could instruct users to set up each guest with Bridged Adapter on vnet0 and then it should magically rout all traffic from the VM through Tor. Identity correlation could be dealt with by using a dedicated TransPort with the IsolateDestAddr option set.)
  • Whonix (back in times where it still was called TorBOX) implemented something very similar: https://sourceforge.net/p/whonix/wiki/OneVM/
    • Tor was running on the host = Tails in this case.
    • Some operating system was running inside the Virtual Machine.
    • iptables / bridging was used to route all VM traffic through Tor.
    • It was probable affected by identity correlation through circuit sharing.

Subtasks

Related issues

Related to Tails - Feature #5748: Two-layered virtualized system Confirmed
Related to Tails - Feature #5456: amd64 kernel Resolved
Related to Tails - Feature #8183: Ship a 64-bit (x86_64) instead of 32-bit userspace Resolved 2016-10-11
Related to Tails - Bug #12048: Check what to do with VirtualBox on Stretch Resolved 2016-12-20
Related to Tails - Feature #15835: install virtualbox in tails Rejected 2018-08-24
Has duplicate Tails - Feature #7454: Add virtualbox support Duplicate 2014-06-23

History

#1 Updated by intrigeri 2013-09-03 09:24:02

  • Subject changed from add virtualbox host software to add VirtualBox host software
  • Starter set to No

#2 Updated by BitingBird 2014-06-09 10:57:32

  • Subject changed from add VirtualBox host software to Add VirtualBox host software

#3 Updated by intrigeri 2014-06-21 14:47:06

  • Feature Branch set to feature/virtualbox-host

#4 Updated by intrigeri 2014-06-23 13:46:35

#5 Updated by sajolida 2014-11-16 11:22:05

  • Category set to Virtualization

#6 Updated by hybridwipe 2015-09-10 22:44:15

  • Assignee set to hybridwipe

So I took an initial look at this, my plan was to install Debian wheey’z virtualbox-qt/dkms packages, build/install the modules with dkms (like we currently do for guest-utils), use dpkg-divert to disable the VBoxNet*.so files, then purge the dkms packages.

I’ve gotten the modules to build and install, and when I boot up the modified tails, the vboxsvc and other modules are loaded. /dev/vboxdrv exists, and looking in /lib/modules shows the virtualbox modules are under the running kernel. Making a new vm and trying to start it, however, fails, saying that the modules aren’t loaded (possible version mismatch). I don’t get any extra logging on stdout/stderr to tell me what is missing / what it’s looking for.

Code is at:
https://github.com/austin987/tails/tree/bugfix/5606-add-Virtualbox

Specifically, this patch:
https://github.com/austin987/tails/commit/05a454543c1be95c8a5e563cbb8acc4f95829559

#7 Updated by adrelanos 2015-10-18 15:25:57

What about licensing? In Debian jessie, VirtualBox unfortunately moved from main to contrib.

https://packages.debian.org/jessie/virtualbox

Do you have a policy at Tails about including non-free packages?

#8 Updated by intrigeri 2015-10-23 08:31:05

> Do you have a policy at Tails about including non-free packages?

Yes: https://tails.boum.org/doc/about/license/

#9 Updated by hybridwipe 2015-10-23 10:25:56

FYI, the reason VirtualBox was moved was because the compiler used to build the BIOS for VirtualBox is non-free.

Essentially, VirtualBox is in a similar position as Firefox on Windows. The underlying code and libraries are Free Software, but a non-free compiler/tool is needed to make it usable. Does that make Firefox on Windows non-free software? That depends on who you ask :).

However, as intrigeri referenced in Tails’ license statement, Tails uses free software (and some non-free firmware to improve hardware compatibility). I’d say that VirtualBox’s non-free BIOS would be analogous to non-free firmware.

#10 Updated by intrigeri 2015-10-23 11:32:43

> However, as intrigeri referenced in Tails’ license statement, Tails uses free software (and some non-free firmware to improve hardware compatibility). I’d say that VirtualBox’s non-free BIOS would be analogous to non-free firmware.

The hardware compatibility argument works for stuff that improves running Tails inside VirtualBox: in some situations that’s the only way one can use Tails. But IMO it doesn’t work that well for a BIOS that allows running arbitrary OS’es inside Tails.

This being said, even though I disagree with this specific argument, I’m undecided on the broader license policy issue.

#11 Updated by hybridwipe 2015-10-29 01:59:39

  • Assignee deleted (hybridwipe)
  • QA Check set to Dev Needed

#12 Updated by hybridwipe 2016-02-16 01:25:49

So I played with this a bit more today on 2.0.1. Potential license issues aside, there’s a larger technical problem:
https://www.virtualbox.org/ticket/8336

to demonstrate:
boot tails on recent (i.e. 64-bit capable) hardware, and enable a root password
$ sudo su -

  1. apt-get update && apt-get -y install linux-headers-amd64 virtualbox-qt
  2. Virtualbox

the GUI will start, configure a vm named foo and accept all defaults. Try to start it, which will fail, saying the kernel modules aren’t loaded or don’t match.

If, however, you force a 32-bit kernel to load (see Bug #11129) by hitting ESC in the tails boot menu, then typing ‘menu_486’, and booting, then follow those instructions (use linux-headers-586 instead), the VM will start.

As it currently stands, for Virtualbox to work on Tails, either we could only support 32-bit kernels (easiest), we’d need two userlands (64-bit and 32-bit) (more work, but arguably the most complete solution, at the cost of increased disk space/complexity), or switch completely to 64-bit (less compatibility for some users, but do we know how many?)…or get Virtualbox to fix their 32/64-bit mismatches. There’s a patch we could test there, but I don’t think we want to fork Virtualbox or use that incomplete/unaudited patch.

#13 Updated by sajolida 2016-02-17 12:35:17

  • related to Feature #8183: Ship a 64-bit (x86_64) instead of 32-bit userspace added

#14 Updated by sajolida 2016-02-17 12:39:09

See Feature #8183 for plans to drop 32-bit: we’re not there yet but almost :)

#15 Updated by hybridwipe 2016-02-17 15:14:03

sajolida wrote:
> See Feature #8183 for plans to drop 32-bit: we’re not there yet but almost :)

Ah, cool, thanks for the link.

#16 Updated by intrigeri 2017-01-30 14:46:53

  • related to Bug #12048: Check what to do with VirtualBox on Stretch added

#17 Updated by intrigeri 2017-01-30 14:48:18

  • Priority changed from Normal to Low

Given next Debian stable won’t include VirtualBox (Bug #12048), and I don’t see this changing in the next two years, I doubt we should spend time on new features that rely on it => downgrading priority for now.

#18 Updated by intrigeri 2018-05-26 09:45:37

Besides, given how hard it is to maintain VirtualBox guest support (see Bug #12048 and the related tickets) I’m not eager to commit to maintain host support as well.

Also, AFAIK basically no user ever requests this feature.

Dear ticket triager, if you agree let’s reject this ticket during your next triaging session.

#19 Updated by Anonymous 2018-08-19 10:09:09

  • Status changed from Confirmed to Rejected

intrigeri wrote:
> Besides, given how hard it is to maintain VirtualBox guest support (see Bug #12048 and the related tickets) I’m not eager to commit to maintain host support as well.
>
> Also, AFAIK basically no user ever requests this feature.
>
> Dear ticket triager, if you agree let’s reject this ticket during your next triaging session.

Ack.

#20 Updated by Anonymous 2018-09-03 08:10:51