From Kicksecure
< Dev
Jump to navigation Jump to search
VirtualBox Logo

VirtualBox Licensing Issues, unavailable in Debian main and Debian backports, missing features. Is VirtualBox an Insecure Choice? Arguments for keeping VirtualBox Support.

Why use VirtualBox over KVM?[edit]

TODO: document

Why use VirtualBox over Qubes?[edit]

TODO: document

VirtualBox versus Other Virtualizers[edit]

TODO: expand

Not fully applicable to Kicksecure but Whonix® has a chapter on this:

VirtualBox missing features[edit]


VirtualBox Unavailable in Debian stable and backports due to Debian Stable Security Maintenance Issues[edit]


Virtualbox is not available in Debian 10 (nor in backports). The reasons are discussed at length in and various other mailing list threads, but can be summarized as:

  • Virtualbox is not suitable for Debian stable releases because of the lack of cooperation of Oracle on security support (that’s the Debian security team decision).
  • Since it is not suitable for stable releases, it cannot be included in the testing suite (that’s the Debian release team decision).
  • It also cannot be included in official backports, as packages must be in testing before they get backported (that’s the Debian backports team’s decision).

There is hope this will improve in future: please add VirtualBox to

VirtualBox Unavailable in Debian main due to Licensing Issues[edit]

compilation toolchain software freedom issue

There's a compilation toolchain software freedom issue. This is not a security issue.

Quote Debian mailing

Virtualbox ships a BIOS that requires Watcom to compile from real sources, precompiled copy they ship as well is free but is not the preferred form for modification.

Sybase Open Watcom Public License

The Sybase Open Watcom Public license is:

  • OSI (Open Source Initiative) approved: Yes.
  • FSF (Free Software Foundation) approved: No.
  • Debian FSG No.

Does Debian build VirtualBox using Open Watcom?

No. Quote debian/copyright from Debian VirtualBox

This package is not part of the Debian operating system. It is in the "contrib" area of the Debian archive because it requires a non-free compiler (Open Watcom) to build the BIOS. Upstream provides pre-built BIOS images which is used instead.

Debian is already using VBoxBiosAlternative:

Quote /

<oracle> LocutusOfBorg: btw, there are no BIOS binaries in the vbox source tree. only the VBoxBiosAlternative.* files, which are used if you don't have OpenWatcom.

Licensing Issue or Security Issues?

It is a licensing issue only.

Quote VirtualBox developer Frank Mehnert <>

In my opinion this depends on the definition of the term "source code".

The VirtualBox source code tarball ships two alternative variants of the BIOS source code: The first variant is C code mixed with Assembler code (in src/VBox/Devices/PC/BIOS/* and src/VBox/Devices/Graphics/BIOS/*). The second variant is pure Assembler code which can be found in

src/VBox/Devices/PC/BIOS/VBoxBiosAlternative.asm and src/VBox/Devices/Graphics/BIOS/VBoxVgaBiosAlternative.asm

Both variants are part of the source code tarball, and the second variant allows it to build VirtualBox even if Open Watcom is not available. It should not matter that the second variant is generated from the first variant because that generation is done by the VirtualBox team and we ensure that the 2nd variant will produce the same object code as the 1st variant.

Software Freedom Issues with the Sybase License

Quote Whonix KVM:

The VirtualBox developer team have recently taken the decision to switch out the BIOS in their hypervisor. However, it now comes with one that requires compilation by a toolchain that does not meet the definition of Free Software as per the guidelines of the Free Software Foundation. This move is considered problematic for free and open source software projects like Debian, on which Kicksecure is based. The issues of the Open Watcom License are explained in this on the Debian Mailinglist. In summary, there are issues surrounding the contradictory language of the license, the assertion of patents against software that rely upon it, and the placing of certain restrictions on software uses. For these reasons, those who care about running FOSS and appreciate its ethical views are recommended to avoid running VirtualBox; also see avoid non-freedom software.

Copyright Holder of the Open Watcom Compiler

The company which was the original developer of Open Watcom,, does no longer exist. It was been purchased by SAP.

SAP Plans for the Open Watcom Compiler

Sebastian Wolf (SAP Open Source Program Office) expressed that SAP expressed on github starting from this in 2021 that SAP is in process of re-licensing Open Watcom to resolve the licensing issues.

Does SAP support or attack Freedom Software?

SAP according to the knowledge of the author of this wiki chapter has no history of attacking Freedom Software or patent trolling. On the contrary, SAP is a community of the Open Invention, which quote

Open Invention Network (OIN) is a company that acquires patents and licenses them royalty-free to its community members who, in turn, agree not to assert their own patents against Linux and Linux-related systems and applications.


Debian does not use the Open Watcom compiler which is under a problematic license to build VirtualBox.

Since the current copyright holder of Open Watcom, SAP does not have a history of attacking Freedom Software, is a member of OIN and is intending to change the license of the Open Watcom.

Therefore the risk from patent trolling in this case seems to be minuscule.

The Freedom Software community pointing out software freedom issues is commendable. However, there is no security issue in this case because of this software freedom issue.


  • VirtualBox Guest Additions and VirtualBox Oracle VM VirtualBox Extension Pack are different things.
  • This is unrelated to VirtualBox Oracle VM VirtualBox Extension Pack, which is proprietary, and which was never in Debian.


Future research:

VirtualBox Guest Additions ISO Freedom vs Non-Freedom[edit]

A part of Guest Additions source code is the part of OSE repository and licensed under GPLv2. Guest Additions build also includes big list of 3rd party files under various permissive licenses

At the same time VirtualBox binary packages which are distributed freely includes Guest Additions ISO, and Licensing FAQ ( clearly states: Yes. The GPLv2 allows you to distribute the VirtualBox Guest Additions, in modified or unmodified form, as long as you adhere to the terms and conditions of the GPLv2.

I hope that answers your question.

VirtualBox Open Source vs Closed Source[edit]

  • VirtualBox is Open Source.
  • VirtualBox Guest Additions are Open Source.
  • VirtualBox Oracle VM VirtualBox Extension Pack is proprietary.
    • Not installed by default in Kicksecure VirtualBox.
    • Neither used nor required by most users.

Open Source here means, the full corresponding source code is released under Free Software Foundation (FSF), Open Source Initiative (OSI) and The Debian Free Software Guidelines (DFSG) approved licenses.

However the is a build toolchain issue elaborated in chapter VirtualBox Unavailable in Debian main due to Licensing Issues.

VirtualBox Integration[edit]

  • version 16: VirtualBox and guest additions in Kicksecure 16 and above are acquired from This heavily simplifies the Previous VirtualBox Integration.
  • version 17: TODO: document


Arguments for keeping VirtualBox Support[edit]

  • KVM is not available to Windows users.
  • Simplicity, as in: VirtualBox has a VM import GUI feature.
  • Available to users not owning computer providing hardware virtualization. (KVM requires that. QEMU may or may not but it is unsupported.)
  • Due to Windows users and simplicity it leads to greater popularity, which in theory attracts more users, developers, auditors, payments, etc and is therefore good for the overall health of the project.
  • Some Windows/VirtualBox users experimenting with their first Linux (Kicksecure) will one day become users who mainly use Linux as their host operating system.

VirtualBox Oracle VM VirtualBox Extension Pack[edit]

  • VirtualBox Guest Additions and VirtualBox Oracle VM VirtualBox Extension Pack are different things.
  • VirtualBox Oracle VM VirtualBox Extension Pack:
    • Is proprietary, nonfreedom software.
    • Was never in


Free for personal, educational or evaluation use under the terms of the VirtualBox Personal Use and Evaluation on Windows, Mac OS X, Linux and Solaris x-86 platforms:


Support for USB 2.0 and USB 3.0 devices, VirtualBox RDP, disk encryption, NVMe and PXE boot for Intel cards. See this chapter from the User for an introduction to this Extension Pack. The Extension Pack binaries are released under the VirtualBox Personal Use and Evaluation License (PUEL)


The extension pack provides the following added functionality:

Storage Controller Setting[edit]

Since Kicksecure version AHCI


Reason why Kicksecure previously used a different setting LsiLogic SAS was avoidance of VirtualBox host software bug, High I/O causing filesystem See also old Whonix® issue tracker discussion, VirtualBox

The current default setting AHCI might lead to the issue High Disk Usage Causing Filesystem Corruption on some (slower) hardware configurations due to VirtualBox host software bug, High I/O causing filesystem It's speculation and unavoidable. There is no other solution at the moment. Wiki chapter High Disk Usage Causing Filesystem Corruption already contains approaches which might fix this issue in case it manifests.)


[drm:vmw_host_log [vmwgfx]] ERROR Failed to send log[edit]

Confusing message but no bad effects.

[sda] Incomplete mode parameter data / Assuming drive cache: write through[edit]

Confusing error message due to our use of a SAS virtual hard drive controller no bad effects. Error message doesn't happen with SATA controller but we can't use that one

Core Dump[edit]


VirtualBox core dump:

Note that this core dump can contain a memory dump of your guest which can include sensitive information.

Kernel core dump:

Privacy information: Also be aware that the above kernel dumps could contain unrelated sensitive and private information about you and your system, e.g. stored passwords in memory. Unfortunately this is unavoidable in those situations, as a kernel dump essentially is an unmodified and unfiltered part of your computer's RAM (main memory).

VirtualBox Bug Reports[edit]

VirtualBox (Guest Additions) have various issues. Often copy/paste from host to VM does not work or VMs are not automatically reized to optional size.

The internet is full of discussions that lead to no solution. Hard to find good information. It is unhelpful to ask in arbitrary places about it as this only leads to more discussions which go nowhere. The only option is to find out what information VirtualBox developers are asking for, to write a good bug report and to report to developers.

  • Step 1) Research what information VirtualBox developers would be asking for.
  • Step 2) Write a good bug report.

What Should Be Included In Bug Report[edit]

Include as many information as possible.

Resize Issues[edit]



    • (EE) Failed to load module "vboxvideo" (module does not exist, 0)

    • As of X.Org server 1.19 we use a kernel driver and the X.Org modesetting driver. See the log section you attached.

Bug Report Draft[edit]

user@host:~$ dpkg -l | grep x11
ii  libqt5x11extras5:amd64                        5.11.3-2                     amd64        Qt 5 X11 extras
ii  libva-x11-2:amd64                             2.4.0-1                      amd64        Video Acceleration (VA) API for Linux -- X11 runtime
ii  libx11-6:amd64                                2:1.6.7-1                    amd64        X11 client-side library
ii  libx11-data                                   2:1.6.7-1                    all          X11 client-side library
ii  libx11-xcb1:amd64                             2:1.6.7-1                    amd64        Xlib/XCB interface library
ii  libxkbcommon-x11-0:amd64                      0.8.2-1                      amd64        library to create keymaps with the XKB X11 protocol
ii  virtualbox-guest-x11                          6.1.4-dfsg-2                 amd64        x86 virtualization solution - X11 guest utilities
ii  x11-common                                    1:7.7+19                     all          X Window System (X.Org) infrastructure
ii  x11-utils                                     7.7+4                        amd64        X11 utilities
ii  x11-xkb-utils                                 7.7+4                        amd64        X11 XKB utilities
ii  x11-xserver-utils                             7.7+8                        amd64        X server utilities
ii  xserver-xorg                                  1:7.7+19                     amd64        X.Org X server
ii  xserver-xorg-core                             2:1.20.4-1                   amd64        Xorg X server - core server
ii  xserver-xorg-input-all                        1:7.7+19                     amd64        X.Org X server -- input driver metapackage
ii  xserver-xorg-input-libinput                   0.28.2-2                     amd64        X.Org X server -- libinput input driver
ii  xserver-xorg-video-fbdev                      1:0.5.0-1                    amd64        X.Org X server -- fbdev display driver
ii  xserver-xorg-video-qxl                        0.1.5-2+b1                   amd64        X.Org X server -- QXL display driver
ii  xserver-xorg-video-vesa                       1:2.4.0-1                    amd64        X.Org X server -- VESA display driver

Bug descriptions:


1) Power off the VM. 2) Restart the VM. 3) Maximize the VM window after start of the VM as soon as possible. 4) VirtualBox VM Window → View → Virtual Screen 1 → Choose any, resize to another resolution 5) VirtualBox VM Window → View → Auto-resize Guest Display / Adjust Window Size

Also broken:

Xfce Start Menu → Settings → Display → Resolution: → Choose a higher resolution resolution → Apply

TODO: manual resize functional using xrandr

Previous VirtualBox Integration[edit]

Archived. For current implementation, see chapter VirtualBox Integration.


Goal: Installation of the VirtualBox host software with functional VirtualBox guest additions.

This was previously very difficult due to many issues of which none is caused by Kicksecure. The purpose of this chapter is to document the current implementation for those wondering why it has been implemented this way and perhaps hearing if there are any better alternatives. Here is a summary of these issues:

VirtualBox is unavailable in Debian stable and backports due to Debian stable security maintenance Issues.

Custom Debian backport building failing due to dependency Very Even if that was solved, there would still be the broken compilation from source code

The Lucas Nussbaum Debian buster backport was not an option either at time of initial implementation. [2] In 23 July 2020 VirtualBox latest version in Lucas Nussbaum repository was
virtualbox_6.1.4-dfsg-1~~bpo10+1_amd64.deb 2020-02-22 07:52 while upstream was at

VirtualBox was not available from Debian at time of initial implementation during Kicksecure 15. VirtualBox from Debian fasttrack is used since Kicksecure 16.

VirtualBox Guest Additions Debian Packages are unavailable from upstream Debian

Previous call for help:

What was the importance VirtualBox in Debian buster? It was the base distribution which Kicksecure 15 was based on and the distribution used to build Kicksecure for VirtualBox for Linux, Windows and macOS from source code.



TODO: update for Kicksecure which uses Debian fasttrack repository to acquire VirtualBox.

To be able to continue providing Kicksecure for VirtualBox, from Kicksecure and above the following implementation is in use:

  • VirtualBox Guest Additions
    • Kicksecure build script will download package from Debian sid (unstable) and upload to Kicksecure APT repository. That package provides file /usr/share/virtualbox/VBoxGuestAdditions.iso.
    • At time of initial implementation contained VirtualBox guest additions ISO version 6.1.12-1. In short, 6.1.12. Ignore the -1 which is a Debian package revision number and not the upstream ( version number.
    • homepage also advertised version 6.1.12.
    • Package virtualbox-guest-additions-iso will be installed by default in new Kicksecure VirtualBox builds.
    • Related: VirtualBox Guest Additions ISO Freedom vs Non-Freedom
    • Documented here: VirtualBox/Guest_Additions#VirtualBox_Guest_Additions
  • This is
    • to allow Kicksecure developers test newer versions of VirtualBox host software before these are installed on user's computer and,
    • to allow updating VirtualBox host software and VirtualBox guest additions at the same time, using compatible versions.
  • Package will run (by Kicksecure developers) during upgrade ( and therefore also during the Kicksecure VirtualBox ova build process.
  • Package has a dpkg trigger since Kicksecure which results in running vbox-guest-installer when package virtualbox-guest-additions-iso is upgraded.
  1. vbox-guest-installer (by Kicksecure developers) will check if any of the packages virtualbox-guest-x11, virtualbox-guest-utils or virtualbox-guest-dkms are still installed and recommend to uninstall those if still installed.
  2. And also check if package virtualbox-guest-additions-iso is installed and recommend to install it if not yet installed.
  3. If these two conditions are met it will continue.
  4. Next is deletion of folder /var/cache/vm-config-dist/vbox-guest-additions-extracted-iso and /var/cache/vm-config-dist/vbox-guest-additions-extracted-makeself if these are already existing from a previous run.
  5. It then follows extraction of /usr/share/virtualbox/VBoxGuestAdditions.iso to folder /var/cache/vm-config-dist/vbox-guest-additions-extracted-iso.
  6. Making /var/cache/vm-config-dist/vbox-guest-additions-extracted-iso/ executable.
  7. Change directory into /var/cache/vm-config-dist/vbox-guest-additions-extracted-iso.
  8. Executing ./ --check.
  9. Extracting ./ to folder /var/cache/vm-config-dist/vbox-guest-additions-extracted-makeself.
  10. Change directory into folder /var/cache/vm-config-dist/vbox-guest-additions-extracted-makeself.
  11. Executing ./ force force.
  12. Installation of VirtualBox guest additions from package virtualbox-guest-additions-iso should now be completed.
  13. Installation using this method also ships required hooks in folder /etc/kernel to rebuild VirtualBox guest additions during kernel upgrade thanks to VBoxGuestAdditions.iso.

Credits: Gratitude is expressed to VirtualBox developers for providing VBoxGuestAdditions.iso and to Debian Developers for providing package virtualbox-guest-additions-iso. The script to improve usability of this named vbox-guest-installer was created by the Kicksecure project.

Forum discussion:

Related: VirtualBox Generic Bug Reproduction

Compare VM Settings[edit]

1. Install a graphical difference viewer (or use command line diff if you prefer).

Install meld kdiff3. To accomplish that, the following steps A. to D. need to be done.

A. Update the package lists.

sudo apt update

B. Upgrade the system.

sudo apt full-upgrade

C. Install the meld kdiff3 package.

Using apt command line parameter --no-install-recommends is in most cases optional.

sudo apt install --no-install-recommends meld kdiff3

D. Done.

The procedure of installing meld kdiff3 is complete.

2. Learn the basic vboxmanage showvminfo syntax.

Just to show the syntax. Nothing to do. An actual example will be shown in step 4.

vboxmanage showvminfo vmname


  • vmname needs to be replaced with the actual name of the VM.
  • What is being shown here is unspecific to Kicksecure and a VirtualBox feature.

3. Learn how to redirect the output of vboxmanage showvminfo to a file.

vboxmanage showvminfo vmname &> filename.txt


  • vmname needs to be replaced with the actual name of the VM.
  • After the &> it follows the filename.
  • File redirection is unspecific to Kicksecure and a standard shell feature.

4. Dump VM settings to file to human readable format.


  • Replace the name of the VM Kicksecure-Xfce with the actual name of your VM.

For VM 1.

vboxmanage showvminfo Kicksecure-Xfce &> kicksecure-human.txt

For VM2.

vboxmanage showvminfo Debian &> debian-human.txt

5. Dump VM settings to file to machine readable format.

For VM1 with --machinereadable parameter as an alternative.

vboxmanage showvminfo --machinereadable Kicksecure-Xfce &> kicksecure-machine.txt

For VM2 with --machinereadable parameter as an alternative.

vboxmanage showvminfo --machinereadable Debian &> debian-machine.txt

6. View the differences.

meld debian-human.txt kicksecure-human.txt

kdiff3 debian-human.txt kicksecure-human.txt

View the differences in case using machinereadable.

meld debian-machine.txt kicksecure-machine.txt

kdiff3 meld debian-machine.txt kicksecure-machine.txt

7. Done.

See Also[edit]


  1. VirtualBox bug report: clarify license of VBoxGuestAdditions ISO OSE or PUEL (free vs nonfree) VirtualBox forums question: Is VBoxGuestAdditions_6.1.10.iso OSE or PUEL?
  2. manual instructions

Unfinished: This wiki is a work in progress. Please do not report broken links until this notice is removed, use Search Engines First and contribute improving this wiki.

We believe security software like Kicksecure needs to remain Open Source and independent. Would you help sustain and grow the project? Learn more about our 12 year success story and maybe DONATE!