Yay!
Welcome back again and happy new year!
whonix-libvirt `/usr/lib/whonix-libvirt/install` is started by `/lib/systemd/system/whonix-libvirt-install.service`:
https://github.com/Whonix/whonix-libvirt/blob/master/usr/lib/whonix-libvirt/install

That script creates a `.done` file: `/var/lib/whonix-libvirt/install.done`

`whonix-libvirt-install.service` won't run `/usr/lib/whonix-libvirt/install` again if the `.done` file exists:

`ConditionPathExists=!/var/lib/whonix-libvirt/install.done`
If you have suggestions on how to improve that, please let me know. It would be good to support this use case somehow. Why not. Installation of Whonix-Host in a VM on USB can be a good idea for beginners/testers, since that really guarantees installation to USB. The internal boot disk which the user currently booted from remains unchanged. We also need to keep things comfortable for developers/testers.
(There is also a use case of sometimes running an operating system from hardware and sometimes inside a VM. Suppose you just made a full `dd` backup and now want to try whether the backup is functional. Assign the USB drive to a VM and boot it.)
What would be a sane way to implement this? At every boot, iterate over all installed libvirt XMLs (multiple gateways, workstations) and change back/forth from qemu to kvm? That seems surprising / intrusive. Users who set up some non-Whonix VM with qemu would notice that these were just changed to kvm after reboot.
A bit hard to script. kvm to qemu includes "remove `<pvspinlock state='on'/>` from XML file", but qemu to kvm would mean "re-add `<pvspinlock state='on'/>`". Re-adding is more difficult because it needs to be added in the correct position.
XML files don’t support comments so comment in/out isn’t possible either.
Neither should we delete the user's local version in /etc/ and copy over the original from /usr/share, because then user modifications would be lost.
Yes.
Unfortunately not.
If anyone could implement any of that, that would help.
As for Whonix-Host KVM Firewall I never got any idea how to filter traffic by “VM name”. Simplified: How do we allow Whonix-Gateway to use the internet but prohibit everyone else?
Ideally the user could configure a list of VM names which have networking permitted. The default list would only include Whonix-Gateway.
More advanced:
- allow Whonix-Gateway (default)
- allow Whonix-Gateway 2 (custom, multiple Whonix-Gateway)
- allow Kicksecure VM
- allow `debian-tor` user (host operating system Tor process)
After the simplified question is solved, implementing the advanced stuff might actually be easy.
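One way to handle the kvm/qemu switch described above without hand-editing the XML text, as an added example that is not part of the original post and not Whonix project code: parse the libvirt domain definition as XML, set the `type` attribute on `<domain>`, and add or remove `<pvspinlock state='on'/>` under `<features>` programmatically. The sample domain XML below is constructed and trimmed to the elements the post mentions; the function names `set_domain_mode`, `domain_type` and `pvspinlock_count` are mine. It assumes (not stated on the page) that libvirt accepts the child elements of `<features>` in any order, so appending `pvspinlock` as the last feature is sufficient when going back to kvm.

```python
import xml.etree.ElementTree as ET

# Constructed, minimal libvirt domain definition in the shape the post describes:
# a KVM domain whose <features> contain <pvspinlock state='on'/>.
SAMPLE_KVM_XML = """<domain type='kvm'>
  <name>Whonix-Gateway</name>
  <features>
    <acpi/>
    <apic/>
    <pvspinlock state='on'/>
  </features>
</domain>
"""


def domain_type(xml_text):
    """Return the value of the type attribute on the <domain> root element."""
    return ET.fromstring(xml_text).get("type")


def pvspinlock_count(xml_text):
    """Return how many <pvspinlock/> elements sit under <features>."""
    return len(ET.fromstring(xml_text).findall("features/pvspinlock"))


def set_domain_mode(xml_text, mode):
    """Rewrite a libvirt domain XML string for the requested domain type.

    mode == "kvm"  : set type='kvm' and ensure exactly one <pvspinlock state='on'/>
    mode == "qemu" : set type='qemu' and drop <pvspinlock/>, a KVM-only feature
    The function is idempotent: applying the same mode twice changes nothing.
    """
    if mode not in ("kvm", "qemu"):
        raise ValueError("mode must be 'kvm' or 'qemu', got %r" % (mode,))
    root = ET.fromstring(xml_text)
    if root.tag != "domain":
        raise ValueError("not a libvirt domain definition (root is <%s>)" % root.tag)
    root.set("type", mode)

    features = root.find("features")
    if features is None:
        # A definition without <features> is unusual but legal; create it.
        features = ET.SubElement(root, "features")
    existing = features.findall("pvspinlock")

    if mode == "qemu":
        for el in existing:
            features.remove(el)
    else:
        if not existing:
            # Assumption: feature order does not matter, so append is fine.
            ET.SubElement(features, "pvspinlock", {"state": "on"})
        else:
            existing[0].set("state", "on")
            for el in existing[1:]:   # collapse accidental duplicates
                features.remove(el)

    # Normalise whitespace so the written file stays readable (Python >= 3.9).
    if hasattr(ET, "indent"):
        ET.indent(root, space="  ")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    as_qemu = set_domain_mode(SAMPLE_KVM_XML, "qemu")
    print(as_qemu)
    print(set_domain_mode(as_qemu, "kvm"))
```

The same transformation could be applied to a defined domain by feeding the output of `virsh dumpxml <name>` through `set_domain_mode` and passing the result back to `virsh define`, which avoids touching the user's copy in /etc/ directly; which VMs get rewritten, and when, is the policy question the post leaves open.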