replacing initramfs-tools with dracut

This post is Qubes-specific only:

Trying to fix the Qubes-Whonix side:

That fix was useful, but I’m not sure it is sufficient. The Qubes-Whonix side of fixing this should be complete. But I don’t know if Qubes Debian templates support dracut. If the answer is yes, it would be sufficient for Qubes-Whonix too. Otherwise, still not.

Without using a Qubes VM kernel, initramfs-tools vs. dracut is meaningless.

Maybe not mandatory, but --no-install-recommends is highly recommended here.


dracut advantages:

dracut is kinda a “pre operating system” (“preOS”) as well as a “post operating system” (“postOS”). Similar to initramfs-tools, but with an easier-to-use interface. As far as I know, initramfs-tools also lacks a “postOS” feature.


https://wiki.gentoo.org/wiki/Dracut#List_of_modules

https://mirrors.edge.kernel.org/pub/linux/utils/boot/dracut/dracut.html#_description_6


Having made many initramfs … by hand, update-initramfs seems the fastest (but of course).

I remember the days of Kconfig trimming until I got it to work without modules yet still doing PGP signing (mostly for the WiFi country code frequency database).

Is this what you meant by “live mode” in this thread? Where one directly boots into the kernel and stays in there the first time?

Could you please help getting the Whonix build process compatible with dracut?

Currently the issue is that it won’t boot: it won’t find the root device. This is because dracut, even with dracut-config-generic installed, fails to create a generic initramfs. I got the issue that either drivers used on the build host system leak into the VM’s initramfs, or the VM’s initramfs lacks essential drivers such as ext4.ko and whatnot.

I didn’t manage to write a full bug report for dracut yet, since it’s really complex.

Dracut would need to create a generic + reproducible (deterministic) initramfs inside the build chroot.

Simplified, the desired output is: grml-debootstrap + grub + dracut → Whonix VirtualBox bootable VM image.
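The two failure modes described above (host drivers leaking into the VM initramfs, or the VM initramfs missing ext4) both come from dracut's host-only default and from it building for `uname -r`, which inside a chroot is still the build host's kernel. The following is an added example, not code from the thread or from the Whonix/Kicksecure build; the chroot path, kernel version and driver list are assumptions:

```bash
#!/bin/sh
# Added example (not from the thread): build a generic, reproducible dracut
# initramfs for a VM kernel inside a build chroot.  The chroot path, the
# kernel version and the driver list below are assumptions for illustration.
set -eu

# Write a dracut.conf.d fragment that turns off host-only mode.  With the
# default hostonly="yes", dracut inspects the *build host* (its root fs, LVM
# and crypto setup) and packs only what that machine needs, so host drivers
# leak into the VM initramfs while the VM's own root-fs driver may be left out.
write_generic_dracut_conf() {
    confdir="$1"
    mkdir -p "$confdir"
    cat > "$confdir/90-generic-vm.conf" <<'EOF'
# Pack drivers for any machine, not just the one running dracut.
hostonly="no"
hostonly_cmdline="no"
# Always ship the VM root filesystem driver explicitly, regardless of
# what the build host happens to have mounted.
add_drivers+=" ext4 "
# Drop build-time mtimes/uids so identical inputs give identical images.
reproducible="yes"
EOF
    printf '%s\n' "$confdir/90-generic-vm.conf"
}

# Inside a chroot, `uname -r` still reports the *host* kernel, so dracut
# would pick the wrong /lib/modules tree unless --kver names the VM kernel.
# Assumes /proc, /sys and /dev are already bind-mounted into the chroot.
build_vm_initrd() {
    chroot_dir="$1"; kver="$2"
    chroot "$chroot_dir" dracut --force --no-hostonly --reproducible \
        --kver "$kver" "/boot/initrd.img-$kver"
}

# Verify that the root-fs driver actually made it into the image
# (matches ext4.ko as well as compressed ext4.ko.xz / ext4.ko.zst).
initrd_has_driver() {
    lsinitrd "$1" | grep -q "/$2\.ko"
}

if [ "${1:-}" = "--run" ]; then
    write_generic_dracut_conf /srv/chroot/etc/dracut.conf.d
    build_vm_initrd /srv/chroot 6.1.0-18-amd64
    initrd_has_driver /srv/chroot/boot/initrd.img-6.1.0-18-amd64 ext4 \
        && echo "ext4 driver present in VM initramfs"
fi
```

Running the script twice on the same chroot should give byte-identical images; if it does not, compare the two with `lsinitrd` before blaming dracut.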

Good progress.


dracut support was implemented in grml-debootstrap.

Kicksecure will move to dracut with its next major release (when rebasing to Debian 12 / bookworm).
(This is required for ram-wipe: “Wipe RAM on shutdown and reboot” - Kicksecure.)


dracut support was completed in git tag 17.0.2.5-developers-only.

This is a major issue for Kicksecure hosts (they currently cannot use dracut):

Debian bug report:
unbootable system after installing dracut on a standard Debian installation

Not an issue for Kicksecure VMs or Whonix VMs, because there dracut works, for some reason.

Might be a duplicate of Debian bug report dracut: generic initrd does not work with encrypted root FS without further configuration.

Thanks to Laszlo Gombos, this has been reported upstream.

Debian bug report:
missing dependency on init / systemd-sysv / libpam-systemd

dracut has many optional modules:
https://wiki.gentoo.org/wiki/Dracut

Summary of why Kicksecure was ported from initramfs-tools to dracut:

Of the initrd generators I was aware of at the time, only dracut has an exitrd feature, which means the system drops back into the initrd at shutdown time. It then (hopefully) cleanly unmounts encrypted devices. Then ram-wipe runs.

This couldn’t have been implemented with initramfs-tools without first contributing the exitrd functionality upstream.

Switching to dracut was actually quite expensive, specifically because nobody had shared, in simple steps, how to create a Debian-based Live ISO using dracut.

Once dracut is running, writing initrd or exitrd modules is quite doable.

However, it’s best not to over-invest in dracut, as its days might be numbered. One day it might get replaced by mkosi-initrd. On the other hand, since Debian by default did not even move to dracut, it could take many Debian releases, years, until that happens, if that ever happens.
