Ubuntu -> Debian

Running Whonix as a guest OS on an Ubuntu host system I experienced some problems: 1) slow shutdown of Whonix and 2) no USB passthrough. I also managed to break my host firewall, stopping all network traffic.
I decided to start all over again using Debian Buster as host system (hint by Hulahoop). Do I fare any better now?
ad 1) still slow shutdown; I think it has nothing to do with Light Display Manager, because (using the CLI) I again see a stop job running, but only after the display manager has already stopped.
ad 2) still no USB passthrough. This one is funny. My USB storage devices do work on the host. Now I am running on Buster/Whonix. But no passthrough. Can forum members testify that this feature does work?
ad 3) for now I stopped fucking with my firewall. One comment: in the Whonix doc it is suggested to use GUFW, denying all incoming traffic (except as a result of already established connections). Just denying incoming traffic with gufw will not stop all incoming packets. In the firewall there are still rules for INPUT that do allow protocol messages from ICMP and IGMP.

How do you expect a different host to fix something wrong in the guest stack?

Have you followed the wiki instructions for it? See the KVM page.

Good. Too much fucking can break things.

ad 1) Well, I figured that a VM or its manager cannot access kernel modules or IO functionality directly by itself. I thought it would have to go through the intermediary of the host OS. Then changing the OS might have an effect. But from your remark I guess I thought wrong.
ad 2) I think I did follow the wiki closely. I say ‘think’ because I find not all instructions clear. So first I followed the instructions in the paragraph about Sandboxing the USB, and then the instructions about the Passthrough. That is the right order, no? I find the instructions somewhat unclear because I would expect the Sandboxing paragraph to appear before the Passthrough paragraph. And I don’t understand how the instruction in Sandboxing is really sandboxing the USB. It is rather the opposite. We remove the default disabling of redirection by Debian.


Good point. Thanks for pointing it out, I went ahead and cleaned up the documentation.

Will test and get back to you.

The instructions for USB still work as expected. You need to close any libvirt/VM window open (that includes the VM Manager) after shutting down all running VMs for it to take effect, before restarting the VM.

The device I plugged in did not show on the host after this.


When transitioning to xfce we disabled auto-mount in Whonix. @Patrick what steps are needed to mount devices so I can add them to the wiki?

Ah, I might have missed that part about restart

Might be non-trivial as per:


Finally succeeded in passing through my USB storage devices. The problem was not the USB redirection (the devices did vanish on the host already), but the fact that they didn’t show up in the guest. Using lsblk in the guest (Whonix) I noticed that the USB device wasn’t mounted. As the USB was formatted with an NTFS filesystem, I first had to install the package ntfs-3g, and then mount it with:
‘sudo mount -t ntfs-3g /dev/xyz /media’.
And there it was, my long-awaited, precious little external USB drive. I also managed to pass through a TrueCrypt-encrypted USB disk. First mapping it with tcplay:
‘sudo tcplay --map=truecrypt --device=/dev/xyz’
, being asked for the passphrase, then lsblk showed a new unmounted entry: /sda/sda1/truecrypt. fdisk -l called this drive /dev/mapper/truecrypt. Then I mounted this one with:
‘sudo mount /dev/mapper/truecrypt /media’
Now I may be plain stupid that I did not realize I had to mount my redirected devices. Still, the Whonix wiki assumes quite uneducated users (I mean that most instructions are just dead simple: copy and paste). So there should have been additional mounting instructions.
Anyway, glad I got this far.

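
As an added example (not from the Whonix wiki or this thread), a small POSIX shell helper that reads one line of lsblk -P output for a redirected device and prints the mount command for it, covering the NTFS and not-yet-mapped (TrueCrypt) cases from the post above; the sample lsblk lines and the /media target are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the Whonix wiki or this thread.
# Input: one line of `lsblk -P -o PATH,FSTYPE,MOUNTPOINT` as printed in the
# guest for a redirected USB device. Output: the mount command to run.
# Device paths and the target directory in the samples are placeholders.

# Extract the value of KEY="..." (key in $1) from an lsblk -P line ($2).
lsblk_field() {
    printf '%s\n' "$2" | sed -n "s/.*$1=\"\([^\"]*\)\".*/\1/p"
}

# Print the mount command for the device in $1, mounting at $2.
# Exit status: 0 = command printed, 1 = already mounted, 2 = no filesystem.
mount_cmd_for() {
    line=$1
    target=$2
    dev=$(lsblk_field PATH "$line")
    fstype=$(lsblk_field FSTYPE "$line")
    mnt=$(lsblk_field MOUNTPOINT "$line")
    if [ -n "$mnt" ]; then
        printf '%s is already mounted at %s\n' "$dev" "$mnt"
        return 1
    fi
    # Removable media is untrusted input: refuse setuid binaries, device
    # nodes and direct execution from it, whatever the filesystem type.
    opts=nosuid,nodev,noexec
    case "$fstype" in
        ntfs)
            # NTFS needs the ntfs-3g (FUSE) driver, as found in the thread.
            printf 'sudo mount -t ntfs-3g -o %s %s %s\n' "$opts" "$dev" "$target"
            ;;
        "")
            # No recognisable filesystem: a TrueCrypt container looks like
            # this until mapped (tcplay); then rerun on /dev/mapper/<name>.
            printf 'no filesystem detected on %s; map it first (e.g. tcplay)\n' "$dev"
            return 2
            ;;
        *)
            printf 'sudo mount -o %s %s %s\n' "$opts" "$dev" "$target"
            ;;
    esac
}

# Constructed sample lines, in the shape lsblk -P prints in the guest.
SAMPLE_NTFS='PATH="/dev/sdb1" FSTYPE="ntfs" MOUNTPOINT=""'
SAMPLE_MAPPED='PATH="/dev/mapper/truecrypt" FSTYPE="ext4" MOUNTPOINT=""'
SAMPLE_RAW='PATH="/dev/sdc" FSTYPE="" MOUNTPOINT=""'
```

Run it with real input as `mount_cmd_for "$(lsblk -P -o PATH,FSTYPE,MOUNTPOINT /dev/sdb1)" /media` and execute the printed command only after checking it.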

Can we disable USB support using an alternative from this article?

https://www.cyberciti.biz/faq/linux-disable-modprobe-loading-of-usb-storage-driver/

The current technique is just a PITA and requires many knobs to reverse.


Not easy.

  • It’s not even clear what the knobs are. First, Disk & USB Automount in Kicksecure - #20 by 59mpci2GJ5xlHhY isn’t even fully understood, needs to be fixed / documented as much as possible before thinking about simplification.
  • Some (maybe related or unrelated) knobs aren’t set for reasons of USB security such as proc-hidepid.
  • As it’s implemented currently, the solution needs to be good enough to be deployed inside VMs and on the host at the same time, because we don’t have any security related packages which are only installed inside VMs. These could be invented, yes, but we still don’t want auto mounting of USB on the host by default.
  • Blacklisting USB (storage) kernel modules on the host could break booting from external USB HDD.