Whonix for arm64 / Raspberry Pi (RPi)

Patrick · September 5, 2018, 8:37am

Correct.

Can do… But… Could you please add the code for doing that here https://github.com/Whonix/Whonix/blob/master/build-steps.d/1200_create-debian-packages?

This would require a new file here as well: https://github.com/Whonix/Whonix/tree/master/build_sources

Or could we add buster just here https://github.com/Whonix/Whonix/blob/master/build_sources/debian_stable_current_clearnet.list without screwing the build process by installing buster packages in stretch (Whonix 14) Non-Qubes-Whonix GUI builds? In theory should work. Would you mind comparing the build log for Non-Qubes-Whonix GUI builds?

(If that is working in theory also we could abolish https://github.com/Whonix/Whonix/blob/master/build_sources/debian_testing_current_clearnet.list etc and simplify the code.)

For redistributable builds doing that manually would be a quality regression. Any opinion? @HulaHoop

HulaHoop · September 5, 2018, 1:47pm

It would complicate the process and can harm the security of the build environment.

Algernon · September 5, 2018, 9:22pm

I’m going to give apt-pinning a try.

Is this even used during the build?

Patrick · September 6, 2018, 6:40am

Yes, used.

mygrep -r build_sources

build-steps.d/1300_create-raw-image:   cp "$whonix_build_sources_list_primary" "/etc/debootstrap/etc/apt/sources.list"
build-steps.d/1100_prepare-build-machine:   cp "$whonix_build_sources_list_primary" "$cow_folder/etc/apt/sources.list"
build-steps.d/1100_prepare-build-machine:            true "INFO: Installing VirtualBox using $whonix_build_sources_list_primary..."
build-steps.d/1100_prepare-build-machine:               -o Dir::Etc::sourcelist="$whonix_build_sources_list_primary" \
build-steps.d/1100_prepare-build-machine:               -o Dir::Etc::sourcelist="$whonix_build_sources_list_primary" \
build-steps.d/1100_prepare-build-machine:            ## Get rid of $whonix_build_sources_list_primary package list, while keeping
build-steps.d/1200_create-debian-packages:   ## Update $whonix_build_sources_list_primary package list while keeping
build-steps.d/1200_create-debian-packages:      -o Dir::Etc::sourcelist="$whonix_build_sources_list_primary" \
build-steps.d/1200_create-debian-packages:   ## Download VirtualBox guest additions from $whonix_build_sources_list_primary.
build-steps.d/1200_create-debian-packages:         -o Dir::Etc::sourcelist="$whonix_build_sources_list_primary" \
build-steps.d/1200_create-debian-packages:         -o Dir::Etc::sourcelist="$whonix_build_sources_list_primary" \
build-steps.d/1200_create-debian-packages:               -o Dir::Etc::sourcelist="$whonix_build_sources_list_primary" \
build-steps.d/1200_create-debian-packages:   ## Get rid of $whonix_build_sources_list_primary package list, while keeping
buildconfig.d/30_apt_opts.conf:## Does not play well with onion build_sources.
buildconfig.d/30_dependencies.conf:## required for onion build_sources
buildconfig.d/30_apt_sources.conf:if [ "$whonix_build_sources_list_newer" = "" ]; then
buildconfig.d/30_apt_sources.conf:   if [ "$whonix_build_sources_clearnet_or_onion" = "clearnet" ]; then
buildconfig.d/30_apt_sources.conf:      whonix_build_sources_list_newer="$WHONIX_SOURCE_FOLDER/build_sources/debian_testing_current_clearnet.list"
buildconfig.d/30_apt_sources.conf:      whonix_build_sources_list_newer="$WHONIX_SOURCE_FOLDER/build_sources/debian_testing_current_onion.list"
buildconfig.d/30_apt_sources.conf:if [ "$whonix_build_sources_list_primary" = "" ]; then
buildconfig.d/30_apt_sources.conf:   if [ "$whonix_build_sources_clearnet_or_onion" = "clearnet" ]; then
buildconfig.d/30_apt_sources.conf:      whonix_build_sources_list_primary="$WHONIX_SOURCE_FOLDER/build_sources/debian_stable_current_clearnet.list"
buildconfig.d/30_apt_sources.conf:      whonix_build_sources_list_primary="$WHONIX_SOURCE_FOLDER/build_sources/debian_stable_current_onion.list"
buildconfig.d/30_apt_sources.conf:true "whonix_build_sources_list_primary      : $whonix_build_sources_list_primary"
buildconfig.d/30_apt_sources.conf:true "whonix_build_sources_list_newer        : $whonix_build_sources_list_newer"
buildconfig.d/30_apt_sources.conf:   temp_="$(grep --invert-match "#" "$whonix_build_sources_list_primary")"
buildconfig.d/30_apt_sources.conf:   temp_="$(grep --invert-match "#" "$whonix_build_sources_list_primary")"
buildconfig.d/30_apt_sources.conf:   temp_="$(grep --invert-match "#" "$whonix_build_sources_list_newer")"
help-steps/parse-cmd:                  whonix_build_sources_clearnet_or_onion="clearnet"
help-steps/parse-cmd:                  whonix_build_sources_clearnet_or_onion="onion"
help-steps/parse-cmd:               export whonix_build_sources_list_primary="build_sources/debian_testing_frozen.list"
help-steps/parse-cmd:   if [ "$whonix_build_sources_clearnet_or_onion" = "" ]; then
help-steps/parse-cmd:Defaulting whonix_build_sources_clearnet_or_onion to ${under}clearnet${eunder}.
help-steps/parse-cmd:      export whonix_build_sources_clearnet_or_onion="clearnet"                                                                                                           
help-steps/create-local-temp-apt-repo:   cp "$whonix_build_sources_list_primary" "$CHROOT_FOLDER/$WHONIX_SOURCES_LIST_TEMP_BUILD_FOLDER/build_sources.list"                                   
help-steps/create-local-temp-apt-repo:   cat "$CHROOT_FOLDER/$WHONIX_SOURCES_LIST_TEMP_BUILD_FOLDER/build_sources.list"                                                                       
help-steps/remove-local-temp-apt-repo:   rm --force "$CHROOT_FOLDER/$WHONIX_SOURCES_LIST_TEMP_BUILD_FOLDER/build_sources.list"

Algernon · September 6, 2018, 12:08pm

I made a test with apt-pinning and it just installed only the raspi3-firmware package from buster and the rest from stretch. Going to do some more tests, though. We could maybe also just enable the apt-pinning for the rpi-gateway so it won’t get used for the other builds.

Patrick · September 7, 2018, 5:45am

We could maybe also just enable the apt-pinning for the rpi-gateway so it won’t get used for the other builds.

Maybe.

As per Re: Can a package pull a another package from another repository to be added? and Re: Can a package pull a another package from another repository to be added? APT pinning can break in very bad ways.

And offend Debian.

(And don’t forget all the hate you will get from me and other deity@l.d.o inhabitants because your users end up reporting bugs about APT)

Our past APT pinning instructions lead to breaking the system. ( Templates incorrectly think they're not connected to a Whonix gateway. - #25 by safasfasv )

Advantages:

less code for download / reupload RPI firmware package
less maintenance work for me for download / reupload RPI firmware package

Disadvantages:

quality regression
offending Debian
possible issues on release upgrade
other possible issues due to APT pinning (no specific example, hard to foresee)

I am inclined to say yes to APT pinning.

Any opinion @HulaHoop?

How would that technically work? Shipping file /etc/apt/sources.list.d/rpi.list as well as /etc/apt/preferences.d/ in some package?

deb http://http.debian.net/debian stretch-backports main contrib non-free
deb tor+http://vwakviie2ienjx6t.onion/debian stretch-backports main contrib non-free

(Plus comments.)

And then include instructions to remove that file before release upgrade of Whonix when upgrading to Debian 10 / buster in Whonix release upgrade instructions?

Algernon · September 7, 2018, 9:17am

imo, the reason for this was that each package got upgraded. Not just the desired one.

Disadvantages for building from source are: currently does not work due to being an architecture specific package, while the rest of the packages is not. Lots of lintian errors which I think are also due to being architecture specific.

Currently it is implemented via copying the build_sources_testing.list and preferences file to the build folder during the create-local-temp-apt-repo step. They can also be removed later on.
The firmware package currently depends only on dosfstools, though no specific version. Therefore, currently only raspi3-firmware is installed from buster and nothing else. Since the sources.list in the final version also does not contain anything from buster I would not expect any breakage from updates. The package should be more or less fixed at that version until Whonix gets updated to buster. To admit, the last part is more or less theory.

HulaHoop · September 7, 2018, 10:52pm

apt-pinning done properly is safe enough. I’ve been running my host with it enabled before upgrading to Stretch without any problems and never had to remove packages before the upgrade. Everything updated seamlessly enough.

It would benefit it us in other cases besides RPi builds too.

The most important thing is to find and apply accurate and updated documentation about pinning priority so things don’t unexpectedly start pulling in more deps and wreaking havoc. I think the important thing is to advise users to keep their hands off and not add more programs if they don’t know what they are doing and not doing so voids our “support”.

Patrick · September 8, 2018, 5:59pm

https://github.com/Whonix/anon-meta-packages/pull/12

https://github.com/Whonix/Whonix/pull/420

Merged. Minor commit on top.

https://github.com/Whonix/Whonix/commit/653d97664f45fdbd21fab3cd162c19f5d22607c1

Algernon · September 8, 2018, 6:23pm

That was quick
Currently the network and date still has to be set manually. You likely also need to use a serial console. At least I could not yet get it working with HDMI. Either the reason is my hardware or something else during early boot like firmware or kernel. I’m going to make a test with a newer kernel and see if it helps. I’ll maybe also remove the wifi packages and make them Recommends instead of Depends. I think also a network config package specific to the cli versions would be required which sets eth0 to dhcp and the MAC to e.g. the one used for the gateway on Virtualbox.

Algernon · September 10, 2018, 6:14pm

I added the backports kernel as Depends for the rpi-gw metapackage. With this there is also HDMI output.

Patrick · September 11, 2018, 7:03am

https://github.com/Whonix/Whonix/pull/421

https://github.com/Whonix/anon-meta-packages/pull/13

Patrick · September 11, 2018, 4:55pm

Merged.

Patrick · September 13, 2018, 9:41pm

I hope you’ll like the clean rename of all packages with appendix -cli / -gui / -kde in anon-meta-packages/control at master · Whonix/anon-meta-packages · GitHub.

Do you think you could add, and maintain --whonix-workstation-cli? The command line switch is already implemented but the meta package non-qubes-whonix-workstation-cli does not exist yet.

Algernon · September 14, 2018, 11:07am

Yeah, I already saw them when my old build commands broke^^
The build script, however, reminded me of the new flavors

I’d carefully say yes. The question is what the usecase would be, how this should look like and which applications should be in there. If we would remove everything gui specific it would be mostly Debian + a bit of Whonix specific network config/hardening

Patrick · September 14, 2018, 6:03pm

Due to KDE resource hunger and upcoming spectre/meltdown defenses security penalty, I am also considering to developing/introducing XFCE flavors.

I’d carefully say yes.

Yay!

The question is what the usecase would be,

I am not sure. (What an answer.) It’s an experiment. A shoot into the blue. Just like there was no way to know there would be interest in Whonix generally.
Onion Services.
Development base for other desktop environments.

how this should look like and which applications should be in there.

Similar to Whonix-Gateway CLI.
No packages ending with -gui.

If we would remove everything gui specific it would be mostly Debian + a bit of Whonix specific network config/hardening

Yes.

Algernon · September 14, 2018, 7:45pm

Some people recently claimed in some benchmarking thread on the linux reddit that KDE now consumes less resources. Afaik even less than XFCE. Same happened back then on github qubes-issues when qubes introduced XFCE. So it would be maybe a good idea to do some benchmarking first, in particular for stuff from buster which is not that far away and would be the likeliest target for a new desktop environment.

Patrick · September 16, 2018, 8:27am

Algernon:

Patrick:

Due to KDE resource hunger and upcoming spectre/meltdown defenses security penalty, I am also considering to developing/introducing XFCE flavors.

Some people recently claimed in some benchmarking thread on the linux reddit that KDE now consumes less resources. Afaik even less than XFCE. Same happened back then on github qubes-issues when qubes introduced XFCE. So it would be maybe a good idea to do some benchmarking first, in particular for stuff from buster which is not that far away and would be the likeliest target for a new desktop environment.

I haven’t found any mentions of this. Please provide.

What I did read though was that XFCE works better in low RAM
environments. KDE might be even faster than that but requires more RAM
for that. Since RAM is limited in Whonix, this would still point at
XFCE. Also KDE might have better rendering speed on real hardware, but
that again wouldn’t effect Whonix in VMs much.

It was horrible to change from Whonix-Gateway from 512 MB RAM → 768 MB
RAM; and Whonix-Workstation from 768 MB RAM to 1024 MB RAM.

Algernon · September 16, 2018, 8:58am

https://old.reddit.com/r/linux/comments/91cxbt/kde_is_the_fastest_desktop_in_1804/

Though you might want to look in the comments because some say the measurements were flawed.

github.com/QubesOS/qubes-issues

Get rid of KDE, use Xfce as the default Dom0 WM/DE

opened 02:58PM - 27 Jun 16 UTC

closed 08:13AM - 05 Aug 16 UTC

rootkovska

C: desktop-linux P: critical release notes ux C: desktop-linux-xfce4 r3.2-dom0-stable

We've long wanted to get rid of the KDE out of Dom0 (because it's been: 1. bloat…ed, 2. heavy on resources, 3. unstable, and last but not least: 4. ugly, see #84), yet we somehow always postponed it until later. More recently, we decided to try to get Gnome env as the default Qubes GUI (#1806). But the road to get Gnome working is still long and bumpy. Meanwhile, we have released Qubes 3.2-rc1 with upgraded KDE to 5.x which, for me at least, looks like a total disaster... A disaster that must be worked around ASAP, i.e. before the final 3.2 release, IMHO. And the best we could do, I think, is to switch to Xfce4, which today works really well, as I've had a chance to test over the last 2 days of extensive use. So, what's wrong with the latest KDE we got in Qubes 3.2? A few things: 1. It seems very unstable. I installed and tested on several machines with different GPUs (some very old ones!) and on every one I keep getting plasma/kwin crashes every few hours. This is just ridiculous. 2. KDE has a reputation for being heavy and slow, but this latest release seems to beat itself in this respect beyond any reasonable expectation. This is clearly visible on some HiDPI systems, where the number of pixels (more specifically: memory pages) to process causes our GUI daemons to draw very slowly. Admittedly there are some bottlenecks in our GUI protocol (specifically that the actual lists of PFNs are copied), but switching from KDE to Xfce4 visibly improved the graphics speed from totally-not-usable to somehow-slow. Apparently KDE (kwin) tries some composition magic that slows down the system. Perhaps there are humans who could understand the KDE's graphics settings dialog-box, but surely this is beyond my mental powers. 3. The KDE's infamous bloated UI got even more bloated. Specifically the new "Start Menu" distracts the user even more from the Qubes isolated domains concept. 4. While this is a very subjective opinion, the KDE is ugly, and it's getting uglier with each new release. Plus it completely doesn't match the mostly-gnome apps we have in AppVMs by default (and which we have because they are so much lighter than their KDE alternatives). Plus all the usual bugs with complex handling of appmemus (due to caching, etc.), see e.g. #890, #1628, #751. Now, all the above problems can be resolved with the latest Xfce4, which we already support well (incl. decoration plugins, and general customization/striping for Qubes). Looks like currently the only one features originally mentioned in #84 as the showstopper, is the lack of the expose-like effect. However, the new Xfce4 does have composition-based Alt-Tab poor-man's expose-like functionality, which should just be good enough for the purpose of securely identifying GUI decoration spoofing attacks (i.e. displaying e.g. a green-bordered password-prompting fake window within a red-bordered Web browser window). There are still a few, rather minor I think, issues with the Xfce4 that I will describe in the upcoming separate tickets. But these seem so minor, compared with the problems outlined above and pertinent to the KDE, that I suggest that we **promote the Xfce4 to the default GUI manager for Qubes 3.2**, starting with rc2, and **get rid of the KDE from the installer ISO** (still preserving, of course, this as an optional WM, next to others we also offer via our repos). I think that we should also give up on trying to get Gnome for Qubes 4.0 and just use Xfce4. FWIW, I now use Qubes 3.2-rc1 with Xfce4 on my primary laptop.

Patrick · November 9, 2018, 12:10pm

What’s next?

Should Whonix for arm64 / Raspberry Pi ( RPi ) be documented, announced as Whonix news, call for testers or something?