I have a Mac mini M1 2020. I am currently running Asahi Linux Remix on it. I made a Debian VM and used that to build a Whonix image.
Build command
~/derivative-maker/derivative-maker --flavor whonix-gateway-xfce --target qcow2 --arch arm64 --repo true
XML setting issues
Machine type is set to q35 when it should be virt for aarch64
Got this error
error: unsupported configuration: ACPI requires UEFI on this architecture
Fixed with
<os firmware='efi'>
<type machine='virt'>hvm</type>
<loader secure='no'/>
<boot dev='hd'/>
</os>
Next error
error: unsupported configuration: this QEMU does not support the 'genid' capability
Just commented out the genid line. I don’t know what that means security-wise.
Next error
error: unsupported configuration: Configuring the 'kvmclock' timer is not supported for virtType=kvm arch=aarch64 machine=virt-8.2 guests
Commented out the kvmclock line.
Next error
error: unsupported configuration: setting ACPI S3/S4 not supported
Commented out the pm section.
Next error
error: unsupported configuration: The 'pvspinlock' feature is not supported for architecture 'aarch64' or machine type 'virt-8.2'
commented out
Next error
error: unsupported configuration: vmport is not available with this QEMU binary
commented out
Please let me know if there are alternate settings, and which ones are serious security issues.
I am wondering if there is something wrong with the qemu machine installed from the Asahi Linux repos. Are all these features supported on everyone else’s aarch64 qemu machines?
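As an added example (not code from this thread or from the Whonix project), a short Python script that applies the XML edits described in the post above to a constructed x86 domain definition: the sample domain XML, the `UNSUPPORTED` list and the `adapt_for_aarch64` function are assumptions made for illustration, and the aarch64 machine type and firmware values are the ones the post used.

```python
# Adapts an x86/q35 libvirt domain XML to an aarch64 'virt' machine by applying
# the edits from the post: EFI firmware + virt machine type, and dropping the
# elements this QEMU rejected (genid, kvmclock timer, pm, pvspinlock, vmport).
import xml.etree.ElementTree as ET

# Constructed stand-in for the x86 XML shipped with the image (not the real file).
X86_DOMAIN_XML = """<domain type='kvm'>
  <name>Whonix-Gateway</name>
  <genid/>
  <os>
    <type arch='x86_64' machine='q35'>hvm</type>
  </os>
  <features>
    <acpi/>
    <pvspinlock state='on'/>
    <vmport state='off'/>
  </features>
  <clock offset='utc'>
    <timer name='rtc'/>
    <timer name='kvmclock' present='no'/>
  </clock>
  <pm>
    <suspend-to-mem enabled='no'/>
    <suspend-to-disk enabled='no'/>
  </pm>
</domain>"""

# (parent path, XPath of the child to drop, label): one entry per libvirt error
# quoted in the post.  <acpi/> stays; libvirt accepts it once firmware='efi' is set.
UNSUPPORTED = [
    (".", "genid", "genid"),                      # VM generation ID (clone/restore marker)
    ("features", "pvspinlock", "pvspinlock"),     # paravirtual spinlocks, x86 only
    ("features", "vmport", "vmport"),             # VMware I/O port emulation
    ("clock", "timer[@name='kvmclock']", "kvmclock timer"),
    (".", "pm", "pm (ACPI S3/S4)"),               # suspend-to-mem/disk settings
]


def adapt_for_aarch64(xml_text):
    """Return (adapted XML string, list of changes made)."""
    root = ET.fromstring(xml_text)
    changes = []
    type_el = root.find("os/type")
    if type_el is not None:
        root.find("os").set("firmware", "efi")   # "ACPI requires UEFI on this architecture"
        type_el.set("arch", "aarch64")
        type_el.set("machine", "virt")           # q35 is an x86-only machine type
        changes.append("os: firmware=efi arch=aarch64 machine=virt")
    for parent_path, child_xpath, label in UNSUPPORTED:
        parent = root if parent_path == "." else root.find(parent_path)
        for el in (parent.findall(child_xpath) if parent is not None else []):
            parent.remove(el)                    # findall() returns a list, so removal is safe
            changes.append("removed " + label)
    return ET.tostring(root, encoding="unicode"), changes
```

The returned change list doubles as a record of what was dropped, which is worth keeping next to the edited XML when asking why each setting was originally there.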
At this time, ARM64 is unsupported.
If that were ever to change, ARM64 would be obvious and easy to find on the usual websites, such as the Download Whonix (FREE) page.
You would need to look up both the upstream documentation on these settings and the derivative documentation and discussions on the setting in question to find out why it had been set.
malloc
December 18, 2024, 10:01am
@phirestalker I wrote the XML out and it works; here it is:
admin@localhost:~$ virsh -c qemu:///system dumpxml Whonix-Gateway
virsh -c qemu:///system dumpxml Whonix-Workstation
<domain type='kvm' id='3'>
<name>Whonix-Gateway</name>
<uuid>33a54b8d-b63a-41f5-b093-ab428edcbf82</uuid>
<description>Whonix Gateway</description>
<memory dumpCore='off' unit='KiB'>1048576</memory>
<currentMemory unit='KiB'>1048576</currentMemory>
<memoryBacking>
<nosharepages/>
<allocation mode='ondemand'/>
<discard/>
</memoryBacking>
<vcpu placement='static'>1</vcpu>
<resource>
<partition>/machine</partition>
</resource>
<os firmware='efi'>
<type arch='aarch64' machine='virt-9.1'>hvm</type>
<firmware>
<feature enabled='no' name='enrolled-keys'/>
<feature enabled='no' name='secure-boot'/>
</firmware>
<loader readonly='yes' type='pflash'>/usr/share/edk2/aarch64/QEMU_EFI-pflash.raw</loader>
<nvram template='/usr/share/edk2/aarch64/vars-template-pflash.raw'>/var/lib/libvirt/qemu/nvram/Whonix-Gateway_VARS.fd</nvram>
<boot dev='hd'/>
</os>
<features>
<hap state='on'/>
<gic version='3'/>
</features>
<cpu mode='host-passthrough' check='none'>
<topology sockets='1' dies='1' clusters='1' cores='1' threads='1'/>
</cpu>
<clock offset='utc'>
<timer name='rtc'/>
<timer name='pit' present='no'/>
<timer name='hpet' present='no'/>
</clock>
<on_poweroff>destroy</on_poweroff>
<on_reboot>restart</on_reboot>
<on_crash>restart</on_crash>
<devices>
<emulator>/usr/bin/qemu-system-aarch64</emulator>
<disk type='file' device='disk'>
<driver name='qemu' type='qcow2'/>
<source file='/var/lib/libvirt/images/Whonix-Gateway.qcow2' index='1'/>
<backingStore/>
<target dev='vda' bus='virtio'/>
<alias name='virtio-disk0'/>
<address type='pci' domain='0x0000' bus='0x04' slot='0x00' function='0x0'/>
</disk>
<controller type='virtio-serial' index='0'>
<alias name='virtio-serial0'/>
<address type='pci' domain='0x0000' bus='0x03' slot='0x00' function='0x0'/>
</controller>
<controller type='pci' index='0' model='pcie-root'>
<alias name='pcie.0'/>
</controller>
<controller type='pci' index='1' model='pcie-root-port'>
<model name='pcie-root-port'/>
<target chassis='1' port='0x8'/>
<alias name='pci.1'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x0' multifunction='on'/>
</controller>
<controller type='pci' index='2' model='pcie-root-port'>
<model name='pcie-root-port'/>
<target chassis='2' port='0x9'/>
<alias name='pci.2'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x1'/>
</controller>
<controller type='pci' index='3' model='pcie-root-port'>
<model name='pcie-root-port'/>
<target chassis='3' port='0xa'/>
<alias name='pci.3'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x2'/>
</controller>
<controller type='pci' index='4' model='pcie-root-port'>
<model name='pcie-root-port'/>
<target chassis='4' port='0xb'/>
<alias name='pci.4'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x3'/>
</controller>
<controller type='pci' index='5' model='pcie-root-port'>
<model name='pcie-root-port'/>
<target chassis='5' port='0xc'/>
<alias name='pci.5'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x4'/>
</controller>
<controller type='pci' index='6' model='pcie-root-port'>
<model name='pcie-root-port'/>
<target chassis='6' port='0xd'/>
<alias name='pci.6'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x5'/>
</controller>
<controller type='pci' index='7' model='pcie-root-port'>
<model name='pcie-root-port'/>
<target chassis='7' port='0xe'/>
<alias name='pci.7'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x6'/>
</controller>
<controller type='pci' index='8' model='pcie-root-port'>
<model name='pcie-root-port'/>
<target chassis='8' port='0xf'/>
<alias name='pci.8'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x7'/>
</controller>
<controller type='pci' index='9' model='pcie-root-port'>
<model name='pcie-root-port'/>
<target chassis='9' port='0x10'/>
<alias name='pci.9'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0'/>
</controller>
<interface type='network'>
<mac address='52:54:00:91:42:1d'/>
<source network='Whonix-External' portid='668c9a9c-c39f-4329-b512-90e87f71e223' bridge='virbr1'/>
<target dev='vnet3'/>
<model type='virtio'/>
<driver name='qemu'/>
<alias name='net0'/>
<address type='pci' domain='0x0000' bus='0x01' slot='0x00' function='0x0'/>
</interface>
<interface type='network'>
<mac address='52:54:00:d3:10:b7'/>
<source network='Whonix-Internal' portid='c52c5412-dbfe-4e02-8426-92ce38079942' bridge='virbr2'/>
<target dev='vnet4'/>
<model type='virtio'/>
<driver name='qemu'/>
<alias name='net1'/>
<address type='pci' domain='0x0000' bus='0x02' slot='0x00' function='0x0'/>
</interface>
<serial type='pty'>
<source path='/dev/pts/2'/>
<target type='system-serial' port='0'>
<model name='pl011'/>
</target>
<alias name='serial0'/>
</serial>
<console type='pty' tty='/dev/pts/2'>
<source path='/dev/pts/2'/>
<target type='serial' port='0'/>
<alias name='serial0'/>
</console>
<channel type='spicevmc'>
<target type='virtio' name='com.redhat.spice.0' state='connected'/>
<alias name='channel0'/>
<address type='virtio-serial' controller='0' bus='0' port='1'/>
</channel>
<input type='keyboard' bus='virtio'>
<alias name='input0'/>
<address type='pci' domain='0x0000' bus='0x07' slot='0x00' function='0x0'/>
</input>
<input type='tablet' bus='virtio'>
<alias name='input1'/>
<address type='pci' domain='0x0000' bus='0x08' slot='0x00' function='0x0'/>
</input>
<graphics type='spice'>
<listen type='none'/>
<clipboard copypaste='yes'/>
<filetransfer enable='no'/>
<gl enable='no'/>
</graphics>
<audio id='1' type='spice'/>
<video>
<model type='virtio' heads='1' primary='yes'/>
<alias name='video0'/>
<address type='pci' domain='0x0000' bus='0x06' slot='0x00' function='0x0'/>
</video>
<memballoon model='none'/>
<rng model='virtio'>
<backend model='random'>/dev/urandom</backend>
<alias name='rng0'/>
<address type='pci' domain='0x0000' bus='0x05' slot='0x00' function='0x0'/>
</rng>
</devices>
<seclabel type='dynamic' model='selinux' relabel='yes'>
<label>system_u:system_r:svirt_t:s0:c194,c928</label>
<imagelabel>system_u:object_r:svirt_image_t:s0:c194,c928</imagelabel>
</seclabel>
<seclabel type='dynamic' model='dac' relabel='yes'>
<label>+107:+107</label>
<imagelabel>+107:+107</imagelabel>
</seclabel>
</domain>
<domain type='kvm'>
<name>Whonix-Workstation</name>
<uuid>c59f55d7-09e8-4ea9-9505-bd7058435733</uuid>
<description>Whonix Workstation</description>
<memory dumpCore='off' unit='KiB'>1572864</memory>
<currentMemory unit='KiB'>1572864</currentMemory>
<memoryBacking>
<nosharepages/>
<allocation mode='ondemand'/>
<discard/>
</memoryBacking>
<vcpu placement='static'>1</vcpu>
<os firmware='efi'>
<type arch='aarch64' machine='virt-9.1'>hvm</type>
<firmware>
<feature enabled='no' name='enrolled-keys'/>
<feature enabled='no' name='secure-boot'/>
</firmware>
<loader readonly='yes' type='pflash'>/usr/share/edk2/aarch64/QEMU_EFI-pflash.raw</loader>
<nvram template='/usr/share/edk2/aarch64/vars-template-pflash.raw'>/var/lib/libvirt/qemu/nvram/Whonix-Workstation_VARS.fd</nvram>
<boot dev='hd'/>
</os>
<features>
<hap state='on'/>
<gic version='3'/>
</features>
<cpu mode='host-passthrough' check='none'>
<topology sockets='1' dies='1' clusters='1' cores='1' threads='1'/>
</cpu>
<clock offset='utc'>
<timer name='rtc'/>
<timer name='pit' present='no'/>
<timer name='hpet' present='no'/>
</clock>
<on_poweroff>destroy</on_poweroff>
<on_reboot>restart</on_reboot>
<on_crash>restart</on_crash>
<devices>
<emulator>/usr/bin/qemu-system-aarch64</emulator>
<disk type='file' device='disk'>
<driver name='qemu' type='qcow2'/>
<source file='/var/lib/libvirt/images/Whonix-Workstation.qcow2'/>
<target dev='vda' bus='virtio'/>
<address type='pci' domain='0x0000' bus='0x03' slot='0x00' function='0x0'/>
</disk>
<controller type='virtio-serial' index='0'>
<address type='pci' domain='0x0000' bus='0x02' slot='0x00' function='0x0'/>
</controller>
<controller type='pci' index='0' model='pcie-root'/>
<controller type='pci' index='1' model='pcie-root-port'>
<model name='pcie-root-port'/>
<target chassis='1' port='0x8'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x0' multifunction='on'/>
</controller>
<controller type='pci' index='2' model='pcie-root-port'>
<model name='pcie-root-port'/>
<target chassis='2' port='0x9'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x1'/>
</controller>
<controller type='pci' index='3' model='pcie-root-port'>
<model name='pcie-root-port'/>
<target chassis='3' port='0xa'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x2'/>
</controller>
<controller type='pci' index='4' model='pcie-root-port'>
<model name='pcie-root-port'/>
<target chassis='4' port='0xb'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x3'/>
</controller>
<controller type='pci' index='5' model='pcie-root-port'>
<model name='pcie-root-port'/>
<target chassis='5' port='0xc'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x4'/>
</controller>
<controller type='pci' index='6' model='pcie-root-port'>
<model name='pcie-root-port'/>
<target chassis='6' port='0xd'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x5'/>
</controller>
<controller type='pci' index='7' model='pcie-root-port'>
<model name='pcie-root-port'/>
<target chassis='7' port='0xe'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x6'/>
</controller>
<controller type='pci' index='8' model='pcie-root-port'>
<model name='pcie-root-port'/>
<target chassis='8' port='0xf'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x7'/>
</controller>
<interface type='network'>
<mac address='52:54:00:45:a7:4e'/>
<source network='Whonix-Internal'/>
<model type='virtio'/>
<driver name='qemu'/>
<address type='pci' domain='0x0000' bus='0x01' slot='0x00' function='0x0'/>
</interface>
<serial type='pty'>
<target type='system-serial' port='0'>
<model name='pl011'/>
</target>
</serial>
<console type='pty'>
<target type='serial' port='0'/>
</console>
<channel type='spicevmc'>
<target type='virtio' name='com.redhat.spice.0'/>
<address type='virtio-serial' controller='0' bus='0' port='1'/>
</channel>
<input type='keyboard' bus='virtio'>
<address type='pci' domain='0x0000' bus='0x06' slot='0x00' function='0x0'/>
</input>
<input type='tablet' bus='virtio'>
<address type='pci' domain='0x0000' bus='0x07' slot='0x00' function='0x0'/>
</input>
<graphics type='spice'>
<listen type='none'/>
<clipboard copypaste='no'/>
<filetransfer enable='no'/>
<gl enable='no'/>
</graphics>
<audio id='1' type='spice'/>
<video>
<model type='virtio' heads='1' primary='yes'/>
<address type='pci' domain='0x0000' bus='0x05' slot='0x00' function='0x0'/>
</video>
<memballoon model='none'/>
<rng model='virtio'>
<backend model='random'>/dev/urandom</backend>
<address type='pci' domain='0x0000' bus='0x04' slot='0x00' function='0x0'/>
</rng>
</devices>
</domain>
Just can’t get Tor to bootstrap.
malloc
December 19, 2024, 11:18am
These are the errors I am getting as soon as I boot the Whonix Gateway:
[gateway user ~]% systemcheck
[ERROR] [systemcheck] check network interfaces Result: network interface eth0 not up!
Recommendation:
Try to manually start Whonix networking.
sudo systemctl restart networking
Or reboot.
Debugging information:
Command
sudo --non-interactive cat /sys/class/net/eth0/carrier
failed.
If this error happens only during upgrading or is transient this error can be safely ignored.
If you know what you are doing, feel free to disable this check.
Create a file /etc/systemcheck.d/50_user.conf and add:
systemcheck_skip_functions+=" check_network_interfaces "
zsh: exit 1 systemcheck
[gateway user ~]% ip link show eth0
ip addr show eth0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
link/ether 52:54:00:91:42:1d brd ff:ff:ff:ff:ff:ff
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 52:54:00:91:42:1d brd ff:ff:ff:ff:ff:ff
inet 10.0.2.15/24 brd 10.0.2.255 scope global eth0
valid_lft forever preferred_lft forever
Patrick
December 20, 2024, 8:19am
Try running that command. And if it’s failing, you need to investigate why that file does not exist.
Try to boot a Debian Live ISO and see if that file exists to make sure the VM network configuration is correct.
malloc
December 20, 2024, 10:59am
[gateway user ~]% sudo --non-interactive cat /sys/class/net/eth0/carrier
1
Here is the output from that command.
I’m not sure what the output is supposed to be. Any ideas?
Patrick
December 21, 2024, 12:04pm
AppArmor issues. → apparmor-info
malloc
December 21, 2024, 2:18pm
[gateway user ~]% sudo apparmor-info --boot | grep DENIED
zsh: done sudo apparmor-info --boot |
zsh: exit 1 grep --color=auto DENIED
[gateway user ~]% apparmor
zsh: command not found: apparmor
zsh: exit 127 apparmor
[gateway user ~]% ^?a
zsh: command not found: ^?a
zsh: exit 127 a
[gateway user ~]% ls /etc/apparmor.d/
abi usr.bin.man
abstractions usr.bin.onioncircuits
apache2.d usr.bin.pidgin
disable usr.bin.sdwdate
force-complain usr.bin.systemcheck
local usr.bin.timesanitycheck
tunables usr.bin.tor-circuit-established-check
bin.ping usr.bin.totem
bootclockrandomization usr.bin.totem-previewers
home.tor-browser.firefox usr.bin.url_to_unixtime
lightdm-guest-session usr.lib.onion-grater
lsb_release usr.libexec.systemcheck.canary
nvidia_modprobe usr.sbin.apt-cacher-ng
php-fpm usr.sbin.avahi-daemon
samba-bgqd usr.sbin.dnsmasq
samba-dcerpcd usr.sbin.haveged
samba-rpcd usr.sbin.identd
samba-rpcd-classic usr.sbin.mdnsd
samba-rpcd-spoolss usr.sbin.nmbd
sbin.klogd usr.sbin.nscd
sbin.syslog-ng usr.sbin.smbd
sbin.syslogd usr.sbin.smbldap-useradd
system_tor usr.sbin.traceroute
usr.bin.hexchat whonix-firewall
usr.bin.irssi
[gateway user ~]%
[gateway user ~]% sudo aa-status
apparmor module is loaded.
52 profiles are loaded.
28 profiles are in enforce mode.
/**/*-browser/Browser/firefox
/usr/bin/hexchat
/usr/bin/man
/usr/bin/onioncircuits
/usr/bin/pidgin
/usr/bin/pidgin//sanitized_helper
/usr/bin/sdwdate
/usr/bin/systemcheck
/usr/bin/timesanitycheck
/usr/bin/tor-circuit-established-check
/usr/bin/totem
/usr/bin/totem-audio-preview
/usr/bin/totem-video-thumbnailer
/usr/bin/totem//sanitized_helper
/usr/bin/url_to_unixtime
/usr/lib/aarch64-linux-gnu/lightdm/lightdm-guest-session
/usr/lib/aarch64-linux-gnu/lightdm/lightdm-guest-session//chromium
/usr/lib/onion-grater
/usr/libexec/systemcheck/canary
/usr/sbin/haveged
apt-cacher-ng
bootclockrandomization
lsb_release
man_filter
man_groff
nvidia_modprobe
nvidia_modprobe//kmod
system_tor
24 profiles are in complain mode.
/usr/bin/irssi
/usr/bin/whonix_firewall
/usr/libexec/whonix-firewall/**
avahi-daemon
dnsmasq
dnsmasq//libvirt_leaseshelper
identd
klogd
mdnsd
nmbd
nscd
php-fpm
ping
samba-bgqd
samba-dcerpcd
samba-rpcd
samba-rpcd-classic
samba-rpcd-spoolss
smbd
smbldap-useradd
smbldap-useradd///etc/init.d/nscd
syslog-ng
syslogd
traceroute
0 profiles are in kill mode.
0 profiles are in unconfined mode.
8 processes have profiles defined.
5 processes are in enforce mode.
/usr/bin/python3.11 (1146) /usr/lib/onion-grater
/usr/bin/bash (1230) /usr/libexec/systemcheck/canary
/usr/bin/sleep (34536) /usr/libexec/systemcheck/canary
/usr/sbin/haveged (912)
/usr/bin/tor (1187) system_tor
3 processes are in complain mode.
/usr/bin/bash (1016) /usr/libexec/whonix-firewall/**
/usr/bin/bash (1059) /usr/libexec/whonix-firewall/**
/usr/bin/inotifywait (1064) /usr/libexec/whonix-firewall/**
0 processes are unconfined but have a profile defined.
0 processes are in mixed mode.
0 processes are in kill mode.
I followed your instructions; here is some output. I’m still not sure what the specific issue could be, as everything seems fine, unless I am missing something.
malloc
December 22, 2024, 12:20am
Ok, thank you. I’ll keep troubleshooting; it would be good to resolve this. I would maintain it if that is something you would want, if there was a decision to support this architecture.
Patrick
December 22, 2024, 6:05am
Patches/documentation for this is welcome.
malloc
December 22, 2024, 7:31am
I think it’s likely to do with the config of Tor or something… I can ping the gateway, so the communication between the host and the gateway works.
malloc
December 22, 2024, 7:31am
During the build process with derivative-maker, the only part that failed to build was tirdad-dkms, but I was able to skip those failures.
Patrick
December 22, 2024, 10:29am
If you skip, other packages might be missing too. Issues need to be fixed at the root. Ignoring these will only lead to more confusion down the line.