Whonix-Host (Kicksecure) Testing Report, v. 15.0.0.4.7
All tests done in KVM until now, not yet on hardware.
Addressing first the last list of bugs as per Whonix Desktop Installer with Calamares - field report - #119 by onion_knight (skipping issues already reported as fixed)
1. Virtual Machine Manager/KVM
- New issue with virt-manager (both on ISO and install target): Error connecting to graphical console: Error opening Spice console, SpiceClientGTK missing → FIXED by adding package gir1.2-spiceclientgtk-3.0 and needed dependencies
2. Calamares Installer
- Needs correct branding → still to be done (see also: Whonix Host Calamares Branding Suggestion - #3 by onion_knight)
  Problem: shouldn’t we need a complete new branding now that Whonix-Host has been officially relabeled “Kicksecure”? Shouldn’t we be installing Kicksecure on the install target instead of generic “Whonix-Host”? Any existing suggestions for graphical design?
- Does it work in EFI mode? Still failing in KVM, maybe related to virtualization, will try on real hardware.
3. Whonix-Host install on HDD
- at least one of the kernel hardening boot parameters somehow messes with the CPU detection on the host → needs testing on real hardware, see if it is still an issue
- the installed system has no virtual console root access. Very unpractical, especially for a host system. Maybe consider reverting back this recent change for the Whonix-Host version? (see also Restrict root access) → still to be discussed and decided
4. Miscellaneous
- power-manager plugin + pulseaudio plugin → FIXED (and audio working, at least in KVM)
- The Whonix Host should be graphically differentiated from the Whonix-VMs. Maybe simply a different background image/color? → still to be done
- Somehow a user user was created during the build … FIXED
- By default, the VMs do not start because the virtual disks are not set to readonly in virt-manager → still in discussion (⚓ T914 Whonix Host Live - enable KVM readonly mode - virt-xml vm-name --edit --disk readonly=on)
  As of now: Whonix-Gateway/Workstation virtualization using ISO file only works, but disks must be manually set to read-only in virt-manager AND booted in live-mode (expected behavior, but may be overwhelming/unpractical for end-user, at least needs documentation).
  Same problem on the install target.
  Desired behavior: when booting in live-mode, set the disks to read-only (in their xml files, as their file permissions are already 0444). BUT on the install target change .qcow2 files permissions from 0444 to 0644 during the install process (0444 only needed for live ISO. Probably achievable using some Calamares tweaks/scripting to change the permissions when they are copied over. Needs some research).
- Currently the live system in ISO mode provides a live-user account with passwordless sudo rights → can be fixed by adding live-config.noroot to live ISO boot parameters (but then we need to change calamares polkit to allow its execution by sudoless user) → still to be discussed and decided
No more new bugs to report as of now.
Small suggestion: add the “Show Desktop” button on the XFCE4-panel (minimize all windows immediately, very practical when you are overwhelmed with stuff, has existed on Windows for ages). It is already installed, just needs to be added in the XFCE4-panel config file.
I will test on real hardware and see how it behaves.
Overall, good progress!
Some screenshots below
Whonix-Host (Kicksecure) 15.0.0.4.7 booting from the live ISO file in KVM, showing a work session with both Whonix-Gateway and Whonix-Workstation running in live-mode (nested virtualization, Tor tab is within the Workstation) and the host system monitor. As expected, a solid amount of RAM is needed (already 5.6 GiB consumed)
Whonix-Host (Kicksecure) 15.0.0.4.7 grub menu on the install target (KVM), providing both persistent and live-mode options. Both work.
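
An added example, not part of the original post or of Whonix/Kicksecure code: a check for the mismatch described in the read-only disk item above, where a .qcow2 image is 0444 but its libvirt disk definition has no `<readonly/>` element. The domain XML, image files and device names are constructed for illustration.

```python
import os
import stat
import tempfile
import xml.etree.ElementTree as ET

# Constructed libvirt <disk> template; {ro} is either empty or a <readonly/> element.
DISK_XML = """<disk type='file' device='disk'>
  <driver name='qemu' type='qcow2'/>
  <source file='{path}'/>
  <target dev='{dev}' bus='virtio'/>{ro}
</disk>"""


def audit_disks(domain_xml):
    """Return {target_dev: verdict} for every file-backed disk in a domain XML."""
    verdicts = {}
    for disk in ET.fromstring(domain_xml).findall("./devices/disk[@type='file']"):
        source, target = disk.find("source"), disk.find("target")
        if source is None or target is None or not source.get("file"):
            continue
        xml_readonly = disk.find("readonly") is not None
        try:
            mode = stat.S_IMODE(os.stat(source.get("file")).st_mode)
        except FileNotFoundError:
            verdicts[target.get("dev")] = "missing image"
            continue
        image_writable = bool(mode & 0o222)  # any write bit set
        if not image_writable and not xml_readonly:
            # The state from the report: 0444 image, disk not marked read-only.
            verdicts[target.get("dev")] = "mismatch: set readonly=on or chmod 0644"
        elif xml_readonly:
            verdicts[target.get("dev")] = "ok: read-only disk (live mode)"
        else:
            verdicts[target.get("dev")] = "ok: writable disk (persistent install)"
    return verdicts


def demo():
    """Build three constructed images and a constructed domain XML, then audit."""
    tmp = tempfile.mkdtemp()
    cases = [("vda", 0o444, ""), ("vdb", 0o444, "\n  <readonly/>"), ("vdc", 0o644, "")]
    disks = []
    for dev, mode, ro in cases:
        path = os.path.join(tmp, dev + ".qcow2")
        open(path, "wb").close()
        os.chmod(path, mode)
        disks.append(DISK_XML.format(path=path, dev=dev, ro=ro))
    xml = "<domain type='kvm'><name>example-vm</name><devices>%s</devices></domain>" % "".join(disks)
    return audit_disks(xml)
```

On a real host the XML would come from `virsh dumpxml` for each VM; here `demo()` supplies constructed input so the check runs offline.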