Patrick
August 19, 2019, 2:02pm
111
Awesome work!
Need to split this into many smaller tickets to make this manageable. I am loosing track if too many things are in one place. Specifically the stuff that can be reassigned to @HulaHoop or me.
onion_knight:
By default, the VMs do no start until the CPU configuration is set to “Copy host CPU configuration”, which is expected in KVM, but also happened when testing on real hardware (both using the ISO and the installed version). Might be related to my specific hardware though.
VMs do no start until the CPU configuration is set to “Copy host CPU configuration”
onion_knight:
Even with these settings and contrary to previous versions, I was not able to successfully start the VMs, both using the ISO and the installed version of Whonix-Host, both in KVM and on real hardware! The error is now: Error starting domain: unsupported configuration: host doesn't support paravirtual spinlocks
Error starting domain: unsupported configuration: host doesn't support paravirtual spinlocks
Awesome!
I don’t know much about EFI booting yet and don’t have hardware to test.
packages that we might need:
(quite possibly) Debian -- Details of package shim-signed in buster
(less likely but perhaps useful anyhow) Debian -- Details of package refind in buster
Related, more links here:
onion_knight:
As expected, the installed system has no virtual console root access. I find it very unpractical, especially for a host system. Maybe consider reverting back this recent change for the Whonix-Host version?
posted here Restrict root access - #64 by Patrick
Considered a bug. Superuser hardening is specifically useful for live mode. Even more useful later on when optional non-root boot gets added.
(multiple boot modes for better security: persistent user | live user | persistent secureadmin | persistent superadmin | persistent recovery mode )
Likely package live-config file /lib/live/config/0040-sudo is causing this. Also package live-config is doing a lot other stuff which we need to understand. Or get rid of live-config package. Had a similar issue due to live-config earlier I have written about here.
Package live-config-systemd is causing an issue. live-config-getty-generator fails. Visible in systemd journal. Debug output:
sudo /lib/systemd/system-generators/live-config-getty-generator
+ set -e
+ SYSTEMD_DIR=
+ . /lib/live/init-config.sh
/lib/systemd/system-generators/live-config-getty-generator: 15: .: Can't open /lib/live/init-config.sh
Installing live-config would fix this issue since it includes this file but it’s not an option since
grub-live boot with live-config package installed: …
Can we just leave out the live-config package or what do we rely on it for?