[Help Welcome] KVM Development - staying the course

Dev/KVM - Whonix

1 Like

Whonix ™ for KVM still needs update.

Yes I know, but I am waiting for instructions to upload to sf.

Sorted.


Please remove from script used to build Whonix:

WHONIX_APT_REPOSITORY_OPTS='--enable --repository stable'
export WHONIX_APT_REPOSITORY_OPTS

And as replacement, whenever a line says:

--build

Keep the --build but add also the following switch:

--redistribute

I.e. it should look like this:

--build --redistribute

After booting Whonix, please check that Whonix stable (buster!) repository is enabled and apt-get update is functional.

(This was required because of this.)


Whonix 15 build testing can start as per

However, functionality wise, it will take some more time.

1 Like

Could you please port Whonix ™ for KVM and KVM/Minimalized Installation - Whonix to be using CodeSelect rather than pre tags? That would help using wiki templates.

A series of scripts for downloading, verifying, and installing KVM Whonix on Debian. - juxtin/install-whonix

Did we ever see this one? I don’t remember? Wondering why its author never contacted us?

(It’s gpg verification code might be unsafe in fully automated scripts. → Should use GitHub - Kicksecure/gpg-bash-lib: gpg file verification bash library, addresses comprehensive threat model, that covers file name tampering, indefinite freeze, rollback, endless data attacks, etc. style.)

1 Like
1 Like

Done. Changed it for all commands however some command outputs are just left as pre as no one is expected to copy paste those. I didn’t realize how much info was added over the years until I went thru it all to change it. :sweat_smile:


Never. He didn’t contact us either, but it’s definitely an interesting building block for a “KVM installer” once the crypto stuff gets sorted out.

1 Like

I don’t think it gets sorted out. And maybe also not needed for Whonix KVM Host / whonix-host-kvm.

For Whonix KVM Host we could copy over the files during a build-step.

For sudo apt-get install whonix-host-kvm on Debian hosts it looks more complicated. We’d need a deb package shipping the qcow2 files. Not sure that would be crazy.

Good.

Will there be a Whonix host meta-package for vanilla Debian hosts that includes as much securtiy specific and privacy enhancements as applicably possible? This is doubly relevant for a hardened Debian VM which can also act as a sandbox for the browser that accesses captive portals.

1 Like

Will there be a Whonix host meta-package for vanilla Debian hosts that includes as much security specific and privacy enhancements as applicably possible?

Yes. It’s required for a Whonix-KVM-Host anyhow.

  • hardened-debian-host-kvm-xfce (rename required) (not sure in which order the name, getting a lot: host vs VM, kvm vs virtualbox, xfce vs cli)
  • whonix-host-kvm (depending on hardened-debian-host-kvm-xfce most likely to avoid code duplication, that’s a clean way to implement it anyhow)

But I am not sure yet a whonix-host-kvm meta package (installable on Debian hosts or default installed meta package on a Whonix-KVM-Host) could be capable of fetching Whonix qcow2 images since we don’t have a Debian package(s) which which ships qcow2 images, and I am not sure yet it’s sane to create them.

This is doubly relevant for a hardened Debian VM which can also act as a sandbox for the browser that accesses captive portals.

Interesting idea, so we could ship the hardened Debian VM by default on a Whonix-Host too.

1 Like

Are these two packages available anywhere? I’m building a new host and it sounds like this could save me some time.

No, for now it’s only a development discussion.

KVM Testers Only Version - Whonix is broken.

This page is strange. When I edit the steps 1 and 2 don;t appear in the page source just the broken template link. If I paste the proper download table template, it replaces everything.

Somewhat(?) fixed. See now please.

1 Like

Looks good now :slight_smile:

1 Like

Could you invite this guy here to join development please? GitHub - juxtin/install-whonix: A series of scripts for downloading, verifying, and installing KVM Whonix on Debian.

1 Like

Qubes does something similar. Qubes ships rpm (similar deb) packages with VM images.

The problem with such a package is if used just as regular package:

  • A) big size
  • B) once upgraded (new version), user modifications are lost.

Issue B) could be solved by not using the file from the package but by using a copy of that file originating from such a package. But then we are at issue C):
the package would get getting upgraded (wasting download time and download quota)

Qubes (dom0 is Fedora based) solves this issue by disabling upgrading of the package. It can be done on Debian too using sudo apt-mark hold package-name. On Debian that would lead to a probably user confusing message during sudo apt-get dist-upgrade. For example:

The following packages have been kept back:
  whonix-vm-image-kvm

That would allow users to stick with whatever vm image they got earlier and keep their modifications. That would also allow users to easily re-install their vm image (thereby loosing all image modification) by using apt-unhold, apt-get dist-upgrade, apt-hold (re-block from upgrading).

1 Like