[HOME] [DOWNLOAD] [DOCS] [NEWS] [SUPPORT] [TIPS] [ISSUES] [CONTRIBUTE] [DONATE]

How to make Host Live RO?

Support
#1

Hello,
I want to have live mode on the host for Whonix KVM, so Using Debian 10.10. I’ve installed grub-live for that purpose, which worked all fine and I got the new entry in the bootloader. But when I run the livecheck.sh I get the following output:

user@debian:~/Downloads$ sudo sh livecheck.sh
[sudo] password for user:
/usr/share/icons/Adwaita/16x16/status/dialog-warning.png
Live
Live mode is enabled but it is still possible to write to the disk. Please power off the machine and set the disk to read-only, if possible. See: Host Live Mode: Boot existing Host Operating System into Live Mode or click on the icon for more information.
x-www-browser Host Live Mode: Boot existing Host Operating System into Live Mode
x-www-browser Host Live Mode: Boot existing Host Operating System into Live Mode

How can I make the drive read-only for live-mode on Host?
thanks in advance.

#2

So wait, are you trying to make the host read-only, or the virtual machine in KVM read-only? If the latter, consult this link.

Read_Only_Mode Wiki

I’ve not even been able to get the KVM images to start when using host-live mode. Did you morph Debian 10.10 into KickSecure or just leave it as default Debian?

#3

For VMs it’s possible because the virtualizer supports configuring the virtual hard drive as read-only.

For the host, I don’t know. Quite possibly requiring different hardware. Consider:

Better:

Which hard drives support physical write protection switches?

Alternative (worse):

Which BIOS / firmware comes with hard drive write protection switches?

(How can one run lsblk on the host showing all entries in the RO column as 1 (meaning read-only)?)

What livecheck.sh is doing is just looking at the output of lsblk and checking all entries in the RO column are 1.

sudo /bin/lsblk --noheadings --all --raw --output RO

Also see https://github.com/Whonix/whonix-xfce-desktop-config/blob/master/usr/share/livecheck/livecheck.sh script comments.

#4

Thanks for the answers and sorry for the late reply.
I found some drives which are RO-lockable. Also found SD Card to be a possible solution.
But I have just learned that the switch on SD Cards just sets one of the pins to a certain state which the card reading device can choose to ignore, like my usb card reader does.

Assuming a card reader which respects the lock: Is this possibly a security threat that an attacker could deactivate this safeguard somehow and place harmful data onto the drive?

#5

Dunno.

Asking that in general computer security discussion places might yield better answers, some listed here:

[Imprint] [Privacy Policy] [Cookie Policy] [Terms of Use] [E-Sign Consent] [DMCA] [Contributors] [Investors] [Priority Support] [Professional Support]