Windows 10 Vm Kernel security check failure



7 hours ago, david279 said:

Can't hurt to try. But I really think you need to pass that bios with the GPU. Also try a Linux VM to see if your windows VM could be the issue. 

Are you on about the edited ROM vBIOS? Because I used Space Invader One's tutorial to change the header in the past. I usually do pass the edited ROM BIOS with the graphics card, but it doesn't do anything different; I get the same thing, unfortunately....

Edited by Dava2k7
10 minutes ago, Dava2k7 said:

Are you on about the edited ROM vBIOS? Because I used Space Invader One's tutorial to change the header in the past. I usually do pass the edited ROM BIOS with the graphics card, but it doesn't do anything different; I get the same thing, unfortunately....

This is my log after making changes etc.:

-display none \
-no-user-config \
-nodefaults \
-chardev socket,id=charmonitor,fd=31,server,nowait \
-mon chardev=charmonitor,id=monitor,mode=control \
-rtc base=localtime \
-no-hpet \
-no-shutdown \
-boot strict=on \
-device qemu-xhci,p2=15,p3=15,id=usb,bus=pci.0,addr=0x7 \
-device virtio-serial-pci,id=virtio-serial0,bus=pci.0,addr=0x3 \
-blockdev '{"driver":"file","filename":"/mnt/user/domains/Gaming Vm/vdisk1.img","node-name":"libvirt-3-storage","cache":{"direct":false,"no-flush":false},"auto-read-only":true,"discard":"unmap"}' \
-blockdev '{"node-name":"libvirt-3-format","read-only":false,"cache":{"direct":false,"no-flush":false},"driver":"raw","file":"libvirt-3-storage"}' \
-device virtio-blk-pci,bus=pci.0,addr=0x4,drive=libvirt-3-format,id=virtio-disk2,bootindex=1,write-cache=on \
-blockdev '{"driver":"file","filename":"/mnt/user/isos/Win10_1909_English_x64.iso","node-name":"libvirt-2-storage","auto-read-only":true,"discard":"unmap"}' \
-blockdev '{"node-name":"libvirt-2-format","read-only":true,"driver":"raw","file":"libvirt-2-storage"}' \
-device ide-cd,bus=ide.0,unit=0,drive=libvirt-2-format,id=ide0-0-0,bootindex=2 \
-blockdev '{"driver":"file","filename":"/mnt/user/isos/virtio-win-0.1.173-2.iso","node-name":"libvirt-1-storage","auto-read-only":true,"discard":"unmap"}' \
-blockdev '{"node-name":"libvirt-1-format","read-only":true,"driver":"raw","file":"libvirt-1-storage"}' \
-device ide-cd,bus=ide.0,unit=1,drive=libvirt-1-format,id=ide0-0-1 \
-netdev tap,fd=33,id=hostnet0 \
-device virtio-net,netdev=hostnet0,id=net0,mac=52:54:00:fa:9e:8d,bus=pci.0,addr=0x2 \
-chardev pty,id=charserial0 \
-device isa-serial,chardev=charserial0,id=serial0 \
-chardev socket,id=charchannel0,fd=34,server,nowait \
-device virtserialport,bus=virtio-serial0.0,nr=1,chardev=charchannel0,id=channel0,name=org.qemu.guest_agent.0 \
-device usb-tablet,id=input0,bus=usb.0,port=5 \
-device 'vfio-pci,host=0000:09:00.0,id=hostdev0,bus=pci.0,multifunction=on,addr=0x5,romfile=/mnt/cache/domains/Gigabyte.GTX1050Ti hacked.rom' \
-device vfio-pci,host=0000:09:00.1,id=hostdev1,bus=pci.0,addr=0x5.0x1 \
-device usb-host,hostbus=5,hostaddr=56,id=hostdev2,bus=usb.0,port=1 \
-device usb-host,hostbus=5,hostaddr=57,id=hostdev3,bus=usb.0,port=2 \
-device usb-host,hostbus=5,hostaddr=5,id=hostdev4,bus=usb.0,port=3 \
-device usb-host,hostbus=5,hostaddr=7,id=hostdev5,bus=usb.0,port=4 \
-cpu host,topoext=on,invtsc=on,hv-time,hv-relaxed,hv-vapic,hv-spinlocks=0x1fff,hv-vpindex,hv-synic,hv-stimer,hv-reset,hv-frequencies,host-cache-info=on,l3-cache=off,-amd-stibp \
-sandbox on,obsolete=deny,elevateprivileges=deny,spawn=deny,resourcecontrol=deny \
-msg timestamp=on
2020-06-20 09:24:38.815+0000: Domain id=9 is tainted: high-privileges
2020-06-20 09:24:38.815+0000: Domain id=9 is tainted: custom-argv
2020-06-20 09:24:38.815+0000: Domain id=9 is tainted: host-cpu
char device redirected to /dev/pts/0 (label charserial0)

id=9 seems to change number (7, 8, etc.), no idea. Here's the new XML:

<?xml version='1.0' encoding='UTF-8'?>
<domain type='kvm' id='9' xmlns:qemu='http://libvirt.org/schemas/domain/qemu/1.0'>
  <name>Gaming Vm</name>
  <uuid>eb4747a6-bb10-6ce9-2d0d-a704560b5992</uuid>
  <metadata>
    <vmtemplate xmlns="unraid" name="Windows 10" icon="windows.png" os="windows10"/>
  </metadata>
  <memory unit='KiB'>17301504</memory>
  <currentMemory unit='KiB'>17301504</currentMemory>
  <memoryBacking>
    <nosharepages/>
  </memoryBacking>
  <vcpu placement='static'>12</vcpu>
  <cputune>
    <vcpupin vcpu='0' cpuset='6'/>
    <vcpupin vcpu='1' cpuset='18'/>
    <vcpupin vcpu='2' cpuset='7'/>
    <vcpupin vcpu='3' cpuset='19'/>
    <vcpupin vcpu='4' cpuset='8'/>
    <vcpupin vcpu='5' cpuset='20'/>
    <vcpupin vcpu='6' cpuset='9'/>
    <vcpupin vcpu='7' cpuset='21'/>
    <vcpupin vcpu='8' cpuset='10'/>
    <vcpupin vcpu='9' cpuset='22'/>
    <vcpupin vcpu='10' cpuset='11'/>
    <vcpupin vcpu='11' cpuset='23'/>
  </cputune>
  <resource>
    <partition>/machine</partition>
  </resource>
  <os>
    <type arch='x86_64' machine='pc-i440fx-5.0'>hvm</type>
    <loader readonly='yes' type='pflash'>/usr/share/qemu/ovmf-x64/OVMF_CODE-pure-efi.fd</loader>
    <nvram>/etc/libvirt/qemu/nvram/eb4747a6-bb10-6ce9-2d0d-a704560b5992_VARS-pure-efi.fd</nvram>
  </os>
  <features>
    <acpi/>
    <apic/>
    <hyperv>
      <relaxed state='on'/>
      <vapic state='on'/>
      <spinlocks state='on' retries='8191'/>
      <vendor_id state='on' value='none'/>
    </hyperv>
  </features>
  <cpu mode='host-passthrough' check='none'>
    <topology sockets='1' dies='1' cores='6' threads='2'/>
    <cache mode='passthrough'/>
    <feature policy='require' name='topoext'/>
  </cpu>
  <clock offset='localtime'>
    <timer name='hypervclock' present='yes'/>
    <timer name='hpet' present='no'/>
  </clock>
  <on_poweroff>destroy</on_poweroff>
  <on_reboot>restart</on_reboot>
  <on_crash>restart</on_crash>
  <devices>
    <emulator>/usr/local/sbin/qemu</emulator>
    <disk type='file' device='disk'>
      <driver name='qemu' type='raw' cache='writeback'/>
      <source file='/mnt/user/domains/Gaming Vm/vdisk1.img' index='3'/>
      <backingStore/>
      <target dev='hdc' bus='virtio'/>
      <boot order='1'/>
      <alias name='virtio-disk2'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x04' function='0x0'/>
    </disk>
    <disk type='file' device='cdrom'>
      <driver name='qemu' type='raw'/>
      <source file='/mnt/user/isos/Win10_1909_English_x64.iso' index='2'/>
      <backingStore/>
      <target dev='hda' bus='ide'/>
      <readonly/>
      <boot order='2'/>
      <alias name='ide0-0-0'/>
      <address type='drive' controller='0' bus='0' target='0' unit='0'/>
    </disk>
    <disk type='file' device='cdrom'>
      <driver name='qemu' type='raw'/>
      <source file='/mnt/user/isos/virtio-win-0.1.173-2.iso' index='1'/>
      <backingStore/>
      <target dev='hdb' bus='ide'/>
      <readonly/>
      <alias name='ide0-0-1'/>
      <address type='drive' controller='0' bus='0' target='0' unit='1'/>
    </disk>
    <controller type='usb' index='0' model='qemu-xhci' ports='15'>
      <alias name='usb'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x07' function='0x0'/>
    </controller>
    <controller type='pci' index='0' model='pci-root'>
      <alias name='pci.0'/>
    </controller>
    <controller type='ide' index='0'>
      <alias name='ide'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x1'/>
    </controller>
    <controller type='virtio-serial' index='0'>
      <alias name='virtio-serial0'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
    </controller>
    <interface type='bridge'>
      <mac address='52:54:00:fa:9e:8d'/>
      <source bridge='virbr0'/>
      <target dev='vnet0'/>
      <model type='virtio-net'/>
      <alias name='net0'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0'/>
    </interface>
    <serial type='pty'>
      <source path='/dev/pts/0'/>
      <target type='isa-serial' port='0'>
        <model name='isa-serial'/>
      </target>
      <alias name='serial0'/>
    </serial>
    <console type='pty' tty='/dev/pts/0'>
      <source path='/dev/pts/0'/>
      <target type='serial' port='0'/>
      <alias name='serial0'/>
    </console>
    <channel type='unix'>
      <source mode='bind' path='/var/lib/libvirt/qemu/channel/target/domain-9-Gaming Vm/org.qemu.guest_agent.0'/>
      <target type='virtio' name='org.qemu.guest_agent.0' state='connected'/>
      <alias name='channel0'/>
      <address type='virtio-serial' controller='0' bus='0' port='1'/>
    </channel>
    <input type='tablet' bus='usb'>
      <alias name='input0'/>
      <address type='usb' bus='0' port='5'/>
    </input>
    <input type='mouse' bus='ps2'>
      <alias name='input1'/>
    </input>
    <input type='keyboard' bus='ps2'>
      <alias name='input2'/>
    </input>
    <hostdev mode='subsystem' type='pci' managed='yes'>
      <driver name='vfio'/>
      <source>
        <address domain='0x0000' bus='0x09' slot='0x00' function='0x0'/>
      </source>
      <alias name='hostdev0'/>
      <rom file='/mnt/cache/domains/Gigabyte.GTX1050Ti hacked.rom'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x05' function='0x0' multifunction='on'/>
    </hostdev>
    <hostdev mode='subsystem' type='pci' managed='yes'>
      <driver name='vfio'/>
      <source>
        <address domain='0x0000' bus='0x09' slot='0x00' function='0x1'/>
      </source>
      <alias name='hostdev1'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x05' function='0x1'/>
    </hostdev>
    <hostdev mode='subsystem' type='usb' managed='no'>
      <source>
        <vendor id='0x046d'/>
        <product id='0xc08b'/>
        <address bus='5' device='56'/>
      </source>
      <alias name='hostdev2'/>
      <address type='usb' bus='0' port='1'/>
    </hostdev>
    <hostdev mode='subsystem' type='usb' managed='no'>
      <source>
        <vendor id='0x046d'/>
        <product id='0xc21c'/>
        <address bus='5' device='57'/>
      </source>
      <alias name='hostdev3'/>
      <address type='usb' bus='0' port='2'/>
    </hostdev>
    <hostdev mode='subsystem' type='usb' managed='no'>
      <source>
        <vendor id='0x046d'/>
        <product id='0xc534'/>
        <address bus='5' device='5'/>
      </source>
      <alias name='hostdev4'/>
      <address type='usb' bus='0' port='3'/>
    </hostdev>
    <hostdev mode='subsystem' type='usb' managed='no'>
      <source>
        <vendor id='0x0a12'/>
        <product id='0x0001'/>
        <address bus='5' device='7'/>
      </source>
      <alias name='hostdev5'/>
      <address type='usb' bus='0' port='4'/>
    </hostdev>
    <memballoon model='none'/>
  </devices>
  <seclabel type='dynamic' model='dac' relabel='yes'>
    <label>+0:+100</label>
    <imagelabel>+0:+100</imagelabel>
  </seclabel>
  <qemu:commandline>
    <qemu:arg value='-cpu'/>
    <qemu:arg value='host,topoext=on,invtsc=on,hv-time,hv-relaxed,hv-vapic,hv-spinlocks=0x1fff,hv-vpindex,hv-synic,hv-stimer,hv-reset,hv-frequencies,host-cache-info=on,l3-cache=off,-amd-stibp'/>
  </qemu:commandline>
</domain>

Edited by Dava2k7
  • 2 weeks later...

Same issue. See my signature for specs. The <cpu> mode did it for me. Couldn't get qemu commands to work.
Really regret going AMD on my new build. Multiple VM issues:

1) Can't pass USB hub (function level reset issue).

2) Can't pass Matisse/Starship audio (function level reset issue).

3) Now Win10 VM needs CPU XML mod for kernel security risk.
19 hours ago, bigbangus said:

Same issue. See my signature for specs. The <cpu> mode did it for me. Couldn't get qemu commands to work.
Really regret going AMD on my new build. Multiple VM issues:

1) Can't pass USB hub (function level reset issue).

2) Can't pass Matisse/Starship audio (function level reset issue).

3) Now Win10 VM needs CPU XML mod for kernel security risk.
If you want, I can build a custom kernel for beta22 with the USB and audio patch to pass through to the VM.

4 minutes ago, bigbangus said:

You're the man! But what about unraid nvidia? Is that too much to ask?

Unraid Nvidia is only if you want to install the Nvidia driver; they do not include the patch for Ryzen 3 USB and audio.

I have a custom kernel with Nvidia and the patch for Matisse USB and audio if you want.

21 minutes ago, rachid596 said:

Unraid Nvidia is only if you want to install the Nvidia driver; they do not include the patch for Ryzen 3 USB and audio.

I have a custom kernel with Nvidia and the patch for Matisse USB and audio if you want.

The whole enchilada. I'll take it! I can't believe it's not standard yet. Got to believe AMD + Nvidia makes up a large % of market share of Unraid users...
Questions:

1) Any risks involved?

2) How hard is it to apply a custom kernel? I believe I've seen a post with step by step instructions, but not sure if these are universally applied in all cases.

3) I've seen on Reddit that Linux kernel 5.8 addresses these issues. Should most people just wait this out for Unraid 6.9.x?

Edited by bigbangus
1 minute ago, bigbangus said:

The whole enchilada. I'll take it! I can't believe it's not standard yet. Got to believe AMD + Nvidia makes up a large % of market share of Unraid users...
2 Questions:

1) Any risks involved?

2) How hard is it to apply a custom kernel? I believe I've seen a post with step by step instructions, but not sure if these are universally applied in all cases.

No risk, just save a backup of your Unraid flash drive.

It's very easy: you just extract the zip and replace bzimage, bzroot, bzmodules and bzfirmware on the flash drive with your download.
Link custom kernel with Nvidia driver:  https://mega.nz/file/98RGhICA#PQYqC5zJFLz2JcTxh7aPPSC7LjF21WUyA4jz7XfHUkE
Try and tell me :)

Works 100%. Here is what I'm passing through in the XML. The first <hostdev> is the audio and the second <hostdev> is the USB hub.

    <hostdev mode='subsystem' type='pci' managed='yes'>
      <driver name='vfio'/>
      <source>
        <address domain='0x0000' bus='0x0b' slot='0x00' function='0x4'/>
      </source>
      <alias name='hostdev2'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x08' function='0x0'/>
    </hostdev>
    <hostdev mode='subsystem' type='pci' managed='yes'>
      <driver name='vfio'/>
      <source>
        <address domain='0x0000' bus='0x0b' slot='0x00' function='0x3'/>
      </source>
      <alias name='hostdev3'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x09' function='0x0'/>
    </hostdev>

I do get these warnings in the VM log, but no issues in Win10:

2020-06-30T17:55:34.413306Z qemu-system-x86_64: vfio: Cannot reset device 0000:0b:00.4, depends on group 29 which is not owned.
2020-06-30T17:55:35.518456Z qemu-system-x86_64: vfio: Cannot reset device 0000:0b:00.4, depends on group 29 which is not owned.

And here are the devices I am passing with this fix.
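The "depends on group 29 which is not owned" warning above means some other function in the same IOMMU group is not bound to vfio-pci, so vfio cannot reset the whole group. This added checker (not code from the thread or from Unraid) walks sysfs and names those peers; it takes the sysfs root as a parameter so it also runs on a constructed tree, and the addresses and drivers in make_constructed_sysfs are assumed sample values, not readings from bigbangus's box.

```python
import os
import tempfile


def iommu_group_peers(sysfs_root, pci_addr):
    """Return (group_id, {peer_addr: driver_name or None}) for a PCI device."""
    devdir = os.path.join(sysfs_root, "bus", "pci", "devices", pci_addr)
    group_dir = os.path.realpath(os.path.join(devdir, "iommu_group"))
    peers = {}
    for peer in sorted(os.listdir(os.path.join(group_dir, "devices"))):
        drv_link = os.path.join(group_dir, "devices", peer, "driver")
        # A device with no driver bound has no 'driver' symlink at all.
        driver = os.path.basename(os.path.realpath(drv_link)) if os.path.exists(drv_link) else None
        peers[peer] = driver
    return os.path.basename(group_dir), peers


def unowned_peers(sysfs_root, pci_addr):
    """Group peers that vfio does not own, i.e. not bound to vfio-pci."""
    _, peers = iommu_group_peers(sysfs_root, pci_addr)
    return [p for p, drv in peers.items() if p != pci_addr and drv != "vfio-pci"]


def make_constructed_sysfs():
    """Build a throwaway sysfs lookalike (constructed sample, not from the thread):
    group 29 holds the two passed-through functions 0b:00.3 and 0b:00.4 plus a
    third function 0b:00.1 that is still on a host driver."""
    root = tempfile.mkdtemp(prefix="fake-sysfs-")
    group = os.path.join(root, "kernel", "iommu_groups", "29")
    os.makedirs(os.path.join(group, "devices"))
    os.makedirs(os.path.join(root, "bus", "pci", "devices"))
    bound = {"0000:0b:00.4": "vfio-pci", "0000:0b:00.3": "vfio-pci",
             "0000:0b:00.1": "ahci"}
    for addr, drv in bound.items():
        dev = os.path.join(root, "devices", "pci0000:00", addr)
        os.makedirs(dev)
        drv_dir = os.path.join(root, "bus", "pci", "drivers", drv)
        os.makedirs(drv_dir, exist_ok=True)
        os.symlink(drv_dir, os.path.join(dev, "driver"))
        os.symlink(group, os.path.join(dev, "iommu_group"))
        os.symlink(dev, os.path.join(root, "bus", "pci", "devices", addr))
        os.symlink(dev, os.path.join(group, "devices", addr))
    return root


if __name__ == "__main__":
    root = make_constructed_sysfs()
    group, peers = iommu_group_peers(root, "0000:0b:00.4")
    for addr, drv in peers.items():
        print("group %s: %s driver=%s" % (group, addr, drv))
    print("not owned by vfio:", unowned_peers(root, "0000:0b:00.4"))
```

On a live host call it with sysfs_root="/sys"; every address it lists as not owned must be bound to vfio-pci (or moved out of the group) before the reset warning goes away.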

Thanks for making the kernel @rachid596, nice of you to make one so quickly as well, but for me I don't like the sound of messing around with the kernel. I've got so much data and I just don't wanna lose it. How long do you think it'll be before Unraid release the fix?

  • 2 weeks later...
On 6/19/2020 at 10:59 PM, xommit said:

Not OK for me:
<qemu:commandline>
    <qemu:arg value='-cpu'/>
    <qemu:arg value='-amd-stibp'/>
</qemu:commandline>

Execution error:

internal error: qemu unexpectedly closed the monitor: 2020-06-19T12:55:42.118694Z qemu-system-x86_64: unable to find CPU model '-amd-stibp'
OK for me:
Before


<cpu mode='host-passthrough' check='none'>
    <topology sockets='1' dies='1' cores='4' threads='2'/>
    <cache mode='passthrough'/>
    <feature policy='require' name='topoext'/>
</cpu>

After


<cpu mode='host-model' check='none'>
    <topology sockets='1' dies='1' cores='4' threads='2'/>
    <feature policy='require' name='topoext'/>
</cpu>

Asus Strix X570-E Gaming + AMD Ryzen 3600
Thanks, this worked a treat for my existing windows VMs after I moved from my Xeon setup to Ryzen 3900x / X570 Pro board. 

  • 1 month later...
On 6/19/2020 at 2:59 PM, xommit said:

Not OK for me:
<qemu:commandline>
    <qemu:arg value='-cpu'/>
    <qemu:arg value='-amd-stibp'/>
</qemu:commandline>

Execution error:

internal error: qemu unexpectedly closed the monitor: 2020-06-19T12:55:42.118694Z qemu-system-x86_64: unable to find CPU model '-amd-stibp'
OK for me:
Before


<cpu mode='host-passthrough' check='none'>
    <topology sockets='1' dies='1' cores='4' threads='2'/>
    <cache mode='passthrough'/>
    <feature policy='require' name='topoext'/>
</cpu>

After


<cpu mode='host-model' check='none'>
    <topology sockets='1' dies='1' cores='4' threads='2'/>
    <feature policy='require' name='topoext'/>
</cpu>

Asus Strix X570-E Gaming + AMD Ryzen 3600
Seems like it fixed my issue, thanks!

(After creating a new VM and wanting to install Windows 10, I was getting a blue screen "Kernel....")
Asus Crosshair Hero VI + Ryzen 3700x
Seems like after each change in the UI, it goes back to the default 'host-passthrough' value.
@limetech, please, is it not possible to give some selection in the UI for this fix? Probably everyone on new releases will be facing it.

Thanks

Edited by killeriq
  • 2 weeks later...
On 6/19/2020 at 3:53 PM, david279 said:

Just tested on my system, but these lines will work with host-passthrough if you want to keep using that.
<qemu:commandline>
    <qemu:arg value='-cpu'/>
    <qemu:arg value='host,topoext=on,invtsc=on,hv-time,hv-relaxed,hv-vapic,hv-spinlocks=0x1fff,hv-vpindex,hv-synic,hv-stimer,hv-reset,hv-frequencies,host-cache-info=on,l3-cache=off,-amd-stibp'/>
</qemu:commandline>
I tried this and it works, but now I can't install any Nvidia drivers and get error 43.

On 6/19/2020 at 2:59 PM, xommit said:

Not OK for me:
<qemu:commandline>
    <qemu:arg value='-cpu'/>
    <qemu:arg value='-amd-stibp'/>
</qemu:commandline>

Execution error:

internal error: qemu unexpectedly closed the monitor: 2020-06-19T12:55:42.118694Z qemu-system-x86_64: unable to find CPU model '-amd-stibp'
OK for me:
Before


<cpu mode='host-passthrough' check='none'>
    <topology sockets='1' dies='1' cores='4' threads='2'/>
    <cache mode='passthrough'/>
    <feature policy='require' name='topoext'/>
</cpu>

After


<cpu mode='host-model' check='none'>
    <topology sockets='1' dies='1' cores='4' threads='2'/>
    <feature policy='require' name='topoext'/>
</cpu>

Asus Strix X570-E Gaming + AMD Ryzen 3600
Thanks, this worked for me. Asus ROG Strix X570-E Gaming

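The two fixes quoted through this thread, xommit's cpu mode='host-model' and david279's -cpu override ending in ',-amd-stibp', plus the bare '-amd-stibp' form that QEMU rejects as a model name, can all be told apart in the domain XML before the VM is started. This added script (not code from the thread, Unraid or libvirt) classifies a domain definition and re-applies the override; it assumes the libvirt qemu namespace shown in the thread's XML, and BROKEN_DOMAIN is a constructed sample.

```python
import xml.etree.ElementTree as ET

QEMU_NS = "http://libvirt.org/schemas/domain/qemu/1.0"  # namespace used in the thread's XML
ET.register_namespace("qemu", QEMU_NS)

# The -cpu string david279 posted; '-amd-stibp' hides the STIBP CPUID bit from the guest.
HOST_CPU_NO_STIBP = (
    "host,topoext=on,invtsc=on,hv-time,hv-relaxed,hv-vapic,hv-spinlocks=0x1fff,"
    "hv-vpindex,hv-synic,hv-stimer,hv-reset,hv-frequencies,host-cache-info=on,"
    "l3-cache=off,-amd-stibp"
)

# Constructed sample in xommit's "Not OK" layout: a bare '-amd-stibp' after '-cpu'.
BROKEN_DOMAIN = """<domain type='kvm' xmlns:qemu='%s'>
  <cpu mode='host-passthrough' check='none'>
    <topology sockets='1' dies='1' cores='4' threads='2'/>
  </cpu>
  <qemu:commandline>
    <qemu:arg value='-cpu'/>
    <qemu:arg value='-amd-stibp'/>
  </qemu:commandline>
</domain>""" % QEMU_NS


def cpu_override(root):
    """Return the value following a '-cpu' <qemu:arg>, or None if absent."""
    values = [a.get("value", "") for a in root.iter("{%s}arg" % QEMU_NS)]
    for i, v in enumerate(values[:-1]):
        if v == "-cpu":
            return values[i + 1]
    return None


def workaround_status(xml_text):
    """One of: 'host-model', 'cpu-override', 'broken-override', 'missing'."""
    root = ET.fromstring(xml_text)
    arg = cpu_override(root)
    if arg is not None:
        # QEMU treats the first comma field as the model name, so a leading '-'
        # yields "unable to find CPU model '-amd-stibp'" as in xommit's error.
        if arg.startswith("-"):
            return "broken-override"
        return "cpu-override" if "-amd-stibp" in arg.split(",")[1:] else "missing"
    cpu = root.find("cpu")
    if cpu is not None and cpu.get("mode") == "host-model":
        return "host-model"
    return "missing"


def apply_cpu_override(xml_text, cpu_string=HOST_CPU_NO_STIBP):
    """Replace any <qemu:commandline> with a '-cpu <cpu_string>' override."""
    root = ET.fromstring(xml_text)
    for old in root.findall("{%s}commandline" % QEMU_NS):
        root.remove(old)  # drop a broken override instead of duplicating it
    cmd = ET.SubElement(root, "{%s}commandline" % QEMU_NS)
    ET.SubElement(cmd, "{%s}arg" % QEMU_NS, value="-cpu")
    ET.SubElement(cmd, "{%s}arg" % QEMU_NS, value=cpu_string)
    return ET.tostring(root, encoding="unicode")
```

Running workaround_status on the saved XML after every UI edit catches the silent reset to host-passthrough that killeriq describes, which is when the blue screen returns.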
