[HOME] [DOWNLOAD] [DOCS] [NEWS] [SUPPORT] [TIPS] [ISSUES] [DONATE]

Whonix host operating system

A likely cause is Calamares failing to set boot time flags to allow installs with select unencrypted partitions to work on EFI systems.

Related upstream bug report:

Could have been solved in a version more recent than the one frozen in Buster.

1 Like

What about re-adding minimal QEMU support? Would be useful during development. Then one could try Whonix-Host inside VirtualBox or any other virtualizer.

Only two changes required looks like. Changing domain type from kvm to qemu and disabling host cpu passthrough.


virsh -c qemu:///system net-start "Whonix-External"

shows

error: failed to start network Whonix-External
error: internal error: Network is already in use by interface eth0

Any idea how to fix that one?

Could be because I am testing inside VirtualBox but would be useful to fix this nonetheless.

1 Like

The host-boot-popup is done and included in link below.

WARNING - Whonix-Host DEVELOPERS-ONLY Preview Version

DO NOT USE THIS YET AS A USER!

Whonix-Host is unreleased. Not even available for testers. This version is a preview for developers only.

Missing features the the initial release include

See full task list for first release of Whonix-Host.

Help welcome!


Whonix-Host DEVELOPERS-ONLY Preview Version has been uploaded.

The download link should not contain /ova/. I will fix this for the next upload.


(Qemu fixes mentioned in Whonix host operating system not included in 15.0.1.2.7. Coming in next git tag.)

2 Likes

OK will work on resurrecting it. Any suggestion where you want the config templates?

1 Like

HulaHoop via Whonix Forum:

OK will work on resurrecting it. Any suggestion where you want the config templates?

Great! Maybe no separate xml files. Just what kind of modifications are
required / suggested. If that seems as a workable appraoch.

If sudo virsh capabilities does not contain <domain type='kvm'> then
the xml files are currently in git master copied to a temporary location
and patched before import. For now it’s just two replacements.

   search="<domain type='kvm'>"
   replace="<domain type='qemu'>"

   search="<cpu mode='host-passthrough'/>"
   replace=""

Implemented here:

https://github.com/Whonix/whonix-libvirt/blob/master/usr/lib/whonix-libvirt/install

onion_knight via Whonix Forum:

Yes!! :slight_smile:
It works fine now, why not keep as is?

I don’t know the nuances between update-initramfs and and mkinitramfs.
Looks like update-initramfs adheres config /etc/initramfs-tools/ of
which we have a few.

./packages/swap-file-creator/etc/initramfs-tools/conf.d/30_swap-file-creator.conf
./packages/ro-mode-init/etc/initramfs-tools/scripts/init-premount/livetest
./packages/security-misc/etc/initramfs-tools/hooks/sysctl-initramfs
./packages/security-misc/etc/initramfs-tools/scripts/init-bottom/sysctl-initramfs
./packages/apparmor-profile-everything/etc/initramfs-tools/hooks/apparmor-profile-everything
./packages/apparmor-profile-everything/etc/initramfs-tools/scripts/init-bottom/apparmor-profile-everything

Plus whatever Debian might be doing by default.

While mkinitramfs might ignore that.

Therefore better stick as close to Debian defaults (update-initramfs) as
possible.

Created
use update-initramfs during installation of Whonix-Host
https://phabricator.whonix.org/T982
for it.

Wow that’s great. Downloading now.
Maybe we could put it somewhere else also such as in the News section to give it more visibility?

1 Like

Thanks for the information, will take a look.
In our case however not only encrypted, but also non-encrypted standard EFI install fails. Which is not the case with vanilla Debian Calamares install.

2 Likes

Testing https://download.whonix.org/ova/15.0.1.2.7/Whonix-Host-XFCE-15.0.1.2.7.iso right now (in KVM).

  • Booted into the ISO, started the VMs -> OK
  • BIOS encrypted install, rebooting into the installed target (persistent and live mode) -> OK
  • Starting the gw/ws VM (both peristent and live-mode) in installed target in persistent mode AND in installed target in live-mode-> OK (disk permissions seem to be fixed!!)

Great!

Only issue I’ve seen so far: the genmon livecheck panel seems broken (always show Live Mode even when in persistent mode).

2 Likes

onion_knight via Whonix Forum:

Wow that’s great. Downloading now.

:slight_smile:

Maybe we could put it somewhere else also such as in the News section to give it more visibility?

Feel free to suggest rewording etc for future releases.

1 Like

mkinitramfs seems to also "adhere config /etc/initramfs-tools/ "

By default it uses /etc/initramfs-tools as its configuration directory.

from man mkinitramfs

FILES
       /etc/initramfs-tools/initramfs.conf
              The   default   configuration   file   for   the   script.   See
              initramfs.conf(5)  for a description of the available configura‐
              tion parameter.

       /etc/initramfs-tools/modules
              Specified modules will be put in the generated image and  loaded
              when  the system boots. The format - one per line - is identical
              to that of /etc/modules, which is described in modules(5).

       /etc/initramfs-tools/conf.d
              The  conf.d  directory  allows  one  to  hardcode  bootargs   at
              initramfs build time via config snippets. This allows one to set
              ROOT or RESUME.  This  is  especially  useful  for  bootloaders,
              which do not pass an root bootarg.

       /etc/initramfs-tools/DSDT.aml
              If  this  file exists, it will be appended to the initramfs in a
              way that causes it to be loaded by ACPI.
1 Like

Great!

1 Like

Not sure reading manpages alone can explain the differences but it’s certainly a good start. Hard to find a justification / explanation why Debian has two tools for update-initramfs (a wrapper) vs mkinitramfs. Intution tells me that the wrapper isn’t entirely useless but the provided benefit is unclear. Looking at the source code. Found one interesting thing.

/usr/sbin/update-initramfs contains:

# Invoke bootloader
run_bootloader()
{
	# invoke policy conformant bootloader hooks
	if [ -d /etc/initramfs/post-update.d/ ]; then
		run-parts --arg=${version} --arg=${initramfs} \
			/etc/initramfs/post-update.d/
		return 0
	fi
}

/usr/sbin/update-initramfs processes this folder:

/etc/initramfs/post-update.d/

This folder could be important.

https://wiki.debian.org/EFIStub mentions /etc/initramfs/post-update.d/zz-update-efistub

Calling that a lead.

Due to these unknown unknowns I very much think better use the Debian defaults for update-initramfs vs mkinitramfs. If we’re lucky it would even solve EFI issues.

Could you please compare functional EFI boot (iso and/or installed) vs failed EFI boot folder /etc/initramfs-tools? Maybe also /etc/grub.d/?

Change ‘kvm’ to:
<domain type='qemu'>

Remove:

  <cpu mode='host-passthrough' check='none'/>

  <pvspinlock state='on'/>
1 Like

Done in whonix-libvirt git master.

1 Like

so far, this is working great. here’s some of the issues i ran into, most being minor:

  1. on a couple laptops that need a synaptics driver, tap-to-click on a touchpad isn’t an easy configuration option. no, this is not a whonix problem. it’s a documented debian buster issue with xfce4 that is fixable with dropping a config file into /etc/apt/xorg.conf.d/. as release gets closer to final, it may be an issue worth addressing for user friendliness.
  1. both the gateway and the workstation appear to be configured to be best viewed in fullscreen, where it will scale to the native resolution. this could potentially lead to confusion with a user switching between windows and mistaking the gateway for the workstation. is it worth considering some type of visual distinguishment between the two?

Aside from those two things, no real usability complaints. the installation was straightforward and painless. one thing to be aware of is, on an old lower end dualcore laptop with about 2 gigs of ram, running whonix host from a usb drive with usb2 protocol, caused some various thrashing issues and anomalies. i used the various known commands out there to tweak the journaling/disk writes on the usb drive partition. but, on first boot of the whonix workstation vm, the machine appears to go into a lock state. eventually, mouse control comes back, but then virt-manager says qemu is disconnected, until eventually all the vm windows and virt-manager closes. now, this was not a huge issue since, upon opening virt-manager again, both the gateway and workstation vms were running and they could be opened to continue as usual. i don’t believe there is any applicable project fix that can be done here. i offer it as a consideration for when minimum hardware requirements are addressed.

for the most part, so far, so good. honestly, i’m really excited for “whonix host.” it simplifies so much that, in the past, has taken a lot of pages to document for people.

2 Likes

2 posts were split to a new topic: enable Debian stable-updates repository by default

Using update-initramfs fails in Calamares installer due to the fact that the installed target still has live-boot related packages (by choice and by design, to allow live-mode in the installed target).

I’ll try and look at that again.

1 Like

Great, thanks for your review!

Host, gw and ws should be visually distinguishable as of now: greyish background for the host, dark blue for the gw, and greenish for the ws.

Indeed, this is way below the minimal requirement to run Whonix-Host. I would not expect a smooth experience with less than 4gigs of RAM, see:
https://phabricator.whonix.org/T976

2 Likes

thanks for your work.

i’ll check again. may be worth considering the color choices because it didn’t stand out. perhaps “black” for the gateway?

it is. however, i’d gotten to work on the same machine in the past without this issue. however, that may have been with stretch as the host, gnome as the de and vbox as virtual machine base. like i said, i don’t think it’s a project issue. simply sharing. if you want, i have a “nonfree” based buster installed on a usb2 drive. could install the kvm packages for whonix on there and see if the same issue occurs. but, i doubt it’s worth it.

1 Like
[Imprint] [Privacy Policy] [Cookie Policy] [Terms of Use] [E-Sign Consent] [DMCA] [Investors] [Priority Support] [Professional Support]