How to make Host Live RO?

Hello,
I want to have live mode on the host for Whonix KVM, so Using Debian 10.10. I’ve installed grub-live for that purpose, which worked all fine and I got the new entry in the bootloader. But when I run the livecheck.sh I get the following output:

user@debian:~/Downloads$ sudo sh livecheck.sh
[sudo] password for user:
/usr/share/icons/Adwaita/16x16/status/dialog-warning.png
Live
Live mode is enabled but it is still possible to write to the disk. Please power off the machine and set the disk to read-only, if possible. See: Live Mode for Kicksecure or click on the icon for more information.
x-www-browser Live Mode for Kicksecure
x-www-browser Live Mode for Kicksecure

How can I make the drive read-only for live-mode on Host?
thanks in advance.

So wait, are you trying to make the host read-only, or the virtual machine in KVM read-only? If the latter, consult this link.

Read_Only_Mode Wiki

I’ve not even been able to get the KVM images to start when using host-live mode. Did you morph Debian 10.10 into KickSecure or just leave it as default Debian?

For VMs it’s possible because the virtualizer supports configuring the virtual hard drive as read-only.

For the host, I don’t know. Quite possibly requiring different hardware. Consider:

Better:

Which hard drives support physical write protection switches?

Alternative (worse):

Which BIOS / firmware comes with hard drive write protection switches?

(How can one run lsblk on the host showing all entries in the RO column as 1 (meaning read-only)?)

What livecheck.sh is doing is just looking at the output of lsblk and checking all entries in the RO column are 1.

sudo /bin/lsblk --noheadings --all --raw --output RO

Also see https://github.com/Whonix/whonix-xfce-desktop-config/blob/master/usr/share/livecheck/livecheck.sh script comments.

Thanks for the answers and sorry for the late reply.
I found some drives which are RO-lockable. Also found SD Card to be a possible solution.
But I have just learned that the switch on SD Cards just sets one of the pins to a certain state which the card reading device can choose to ignore, like my usb card reader does.

Assuming a card reader which respects the lock: Is this possibly a security threat that an attacker could deactivate this safeguard somehow and place harmful data onto the drive?

Dunno.

Asking that in general computer security discussion places might yield better answers, some listed here: