How to make Host Live RO?

sigme · September 7, 2021, 6:26am

Hello,
I want to have live mode on the host for Whonix KVM, so Using Debian 10.10. I’ve installed grub-live for that purpose, which worked all fine and I got the new entry in the bootloader. But when I run the livecheck.sh I get the following output:

user@debian:~/Downloads$ sudo sh livecheck.sh
[sudo] password for user:
/usr/share/icons/Adwaita/16x16/status/dialog-warning.png
Live
Live mode is enabled but it is still possible to write to the disk. Please power off the machine and set the disk to read-only, if possible. See: Live Mode for Kicksecure or click on the icon for more information.
x-www-browser Live Mode for Kicksecure
x-www-browser Live Mode for Kicksecure

How can I make the drive read-only for live-mode on Host?
thanks in advance.

SilentBob · September 9, 2021, 1:20am

So wait, are you trying to make the host read-only, or the virtual machine in KVM read-only? If the latter, consult this link.

Read_Only_Mode Wiki

I’ve not even been able to get the KVM images to start when using host-live mode. Did you morph Debian 10.10 into KickSecure or just leave it as default Debian?

Patrick · September 9, 2021, 6:42am

For VMs it’s possible because the virtualizer supports configuring the virtual hard drive as read-only.

For the host, I don’t know. Quite possibly requiring different hardware. Consider:

Better:

Which hard drives support physical write protection switches?

Alternative (worse):

Which BIOS / firmware comes with hard drive write protection switches?

(How can one run lsblk on the host showing all entries in the RO column as 1 (meaning read-only)?)

What livecheck.sh is doing is just looking at the output of lsblk and checking all entries in the RO column are 1.

sudo /bin/lsblk --noheadings --all --raw --output RO

Also see https://github.com/Whonix/whonix-xfce-desktop-config/blob/master/usr/share/livecheck/livecheck.sh script comments.

sigme · October 26, 2021, 12:13pm

Thanks for the answers and sorry for the late reply.
I found some drives which are RO-lockable. Also found SD Card to be a possible solution.
But I have just learned that the switch on SD Cards just sets one of the pins to a certain state which the card reading device can choose to ignore, like my usb card reader does.

Assuming a card reader which respects the lock: Is this possibly a security threat that an attacker could deactivate this safeguard somehow and place harmful data onto the drive?

Patrick · October 26, 2021, 2:19pm

Dunno.

Asking that in general computer security discussion places might yield better answers, some listed here: