Happy New Year to you too. I always love the moments of epiphany when finally hunting down an annoying bug. This is great progress
Yes, exactly. I wasn’t very actively working on it for months, and decided to give it a try with a fresh head. Then I tried to change the name of this directory and bingo!
I am currently testing (and writing this post) using Whonix-Workstation on Whonix-Host installed on real hardware (high capacity USB stick)! Works fine.
Only thing, I had to change back the domain name from qemu to kvm, as it was set to qemu for testing purposes in KVM (for nested virtualization). Just a reminder that we need to set it back in the release candidate. Otherwise the VMs are unbearably slow.
See post 237 by @Patrick:
EDIT: I see that per the commit “use qemu if kvm is unavailable for easier Whonix development using ne…” (Kicksecure/libvirt-dist@b77262f on GitHub) there should be a check during the first installed Host boot for kvm capabilities (if I understand correctly). As I used KVM with virt-manager to install Whonix-Host on the USB stick (easier to debug), that might explain why the VMs’ xml files were set to qemu on first boot (also in KVM). I should try to run the entire installation process on real hardware to see if the kvm domain is correctly set. Then we wouldn’t need to change anything.
So now as per our roadmap we “only” lack Whonix-Host Firewall. Whonix-Host Tor configuration and anon-connection-wizard and we are good to go.
Any news on the development of these features? How can it be helped?
Yay!
Welcome back again and happy new year!
EDIT: I see that per the commit “use qemu if kvm is unavailable for easier Whonix development using ne…” (Kicksecure/libvirt-dist@b77262f on GitHub) there should be a check during the first installed Host boot for kvm capabilities (if I understand correctly).
`whonix-libvirt` `/usr/lib/whonix-libvirt/install` is started by `/lib/systemd/system/whonix-libvirt-install.service`:
https://github.com/Whonix/whonix-libvirt/blob/master/usr/lib/whonix-libvirt/install
That script creates a `.done` file: `/var/lib/whonix-libvirt/install.done`
`whonix-libvirt-install.service` won’t run `/usr/lib/whonix-libvirt/install` again if the `.done` file exists:
`ConditionPathExists=!/var/lib/whonix-libvirt/install.done`
If you have suggestions on how to improve that please let me know. Would be good to support this use case somehow. Why not. Installation of Whonix-Host in a VM on USB can be a good idea for beginners/testers since that guarantees the installation really goes to USB. The internal boot disk which the user currently booted from remains unchanged. We also need to keep things comfortable for developers/testers.
(There is also a use case of sometimes running an operating system from hardware and sometimes inside a VM. Suppose you just made a full dd backup and now want to try if the backup is functional. Assign the USB drive to a VM and boot it.)
What would be a sane way to implement this? At every boot iterate over all installed libvirt XMLs (multiple gateways, workstations) and change back/forth from qemu to kvm? That seems surprising / intrusive? Users who set up some non-Whonix VM as qemu would notice that these were just changed to kvm after reboot.
A bit hard to script. kvm to qemu includes “remove `<pvspinlock state='on'/>` from XML file” but qemu to kvm would mean “re-add `<pvspinlock state='on'/>`”. Re-adding is more difficult because it needs to be added in the correct position.
XML files don’t support comments so commenting in/out isn’t possible either.
Nor should we delete the user’s local version in /etc/ and copy over the original from /usr/share because then user modifications would be lost.
So now as per our roadmap we “only” lack Whonix-Host Firewall. Whonix-Host Tor configuration and anon-connection-wizard and we are good to go.
Yes.
Any news on the development of these features?
Unfortunately not.
How can it be helped?
If anyone could implement any of that, that would help.
As for Whonix-Host KVM Firewall I never got any idea how to filter traffic by “VM name”. Simplified: How do we allow Whonix-Gateway to use the internet but prohibit everyone else?
Ideally the user could configure a list of VM names which have networking permitted. The default list would only include Whonix-Gateway.
More advanced:
- allow Whonix-Gateway (default)
- allow Whonix-Gateway 2 (custom, multiple Whonix-Gateway)
- allow Kicksecure VM
- allow `debian-tor` user (host operating system Tor process)
After the simplified question is solved, implementing the advanced stuff might actually be easy.
I now have an idea how to write the host firewall… Looking at network interfaces before/after installation of KVM and then white listing the new device.
Could you please make SecureBoot work as well? @onion_knight I.e. “just” as good as Debian has it.
Purpose: Usability. Boot compatibility. Let users where SecureBoot is enabled by default boot while SecureBoot stays enabled. Not require them to disable SecureBoot in the BIOS.
Non-purpose: Security.
Related:
Since we are going for enforce kernel module software signature verification [module signing] / disallow kernel module loading by default, should we also work towards enable Linux kernel gpg verification in grub and/or enable Secure Boot by default? Looks doable in principle. KVM: supports both EFI boot and Secure Boot. On Snippet 0x0E: Booting image files and ISOs with KVM/QEMU (EFI and BIOS) - Philipp's Tech Blog see 2. Booting image files with KVM (EFI) The Debian -- Details of package o…
Changes to EFI boot with Debian Bullseye, might affect how we do things:
https://michael-prokop.at/blog/2021/06/09/efivars-is-gone-with-debian-bullseye-newinbullseye/
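One way to script the qemu/kvm switch discussed above, as an added example (not the whonix-libvirt install script): it parses the domain XML instead of editing it textually, so `<pvspinlock state='on'/>` goes back inside `<features>` when switching to kvm, and it only touches domains whose `<name>` starts with `Whonix-` (an assumed convention) so a user's own qemu VMs stay as they set them. The sample XML is constructed for the example.

```python
import os
import xml.etree.ElementTree as ET

# Constructed sample in the shape of a libvirt domain file (not a real Whonix file).
SAMPLE_XML = """<domain type='kvm'>
  <name>Whonix-Gateway</name>
  <features>
    <acpi/>
    <pvspinlock state='on'/>
  </features>
</domain>"""


def kvm_available(dev="/dev/kvm"):
    """True when the kernel exposes /dev/kvm and this process may open it."""
    return os.path.exists(dev) and os.access(dev, os.R_OK | os.W_OK)


def sync_domain_type(xml_text, use_kvm, name_prefix="Whonix-"):
    """Return xml_text with <domain type> set to kvm or qemu and the pvspinlock
    feature kept consistent with it. Domains whose <name> does not start with
    name_prefix are returned unchanged (assumed convention)."""
    root = ET.fromstring(xml_text)
    name = root.findtext("name", default="")
    if root.tag != "domain" or not name.startswith(name_prefix):
        return xml_text
    root.set("type", "kvm" if use_kvm else "qemu")
    features = root.find("features")
    if features is None:
        features = ET.SubElement(root, "features")
    spin = features.find("pvspinlock")
    if use_kvm and spin is None:
        # pvspinlock is a KVM paravirtual feature: re-add it inside <features>,
        # the element libvirt defines it under, rather than at a guessed offset.
        spin = ET.SubElement(features, "pvspinlock", state="on")
        spin.tail = features.text  # reuse the file's indentation
    elif not use_kvm and spin is not None:
        # plain qemu (TCG) has no paravirtual spinlocks, so drop the element
        features.remove(spin)
    return ET.tostring(root, encoding="unicode")


def sync_file(path, use_kvm=None):
    """Rewrite one domain XML in place; returns True when it was changed."""
    if use_kvm is None:
        use_kvm = kvm_available()
    with open(path, encoding="utf-8") as fh:
        before = fh.read()
    after = sync_domain_type(before, use_kvm)
    if after != before:
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(after)
    return after != before
```

Running `sync_file` over the domain files at every boot (instead of the one-shot `.done` marker) would follow the kvm/qemu state of the host the stick is currently booted on, while leaving non-Whonix domains alone.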
does the host firewall need to be an issue here? currently, on numerous other implementations of whonix, no such firewall configs are used. would a solution be to have the typical “all incoming ports” disabled with the standard disclaimer that the host itself should not be used for standard workstation activities?
as a side note, i don’t think restricting network traffic to the gateway will work. it would prevent system updates on the host os. so, there is going to need to be an allowance for some host network activity.
i’m very glad to hear that progress is still being made here. but, if it’s near done, i’m not sure the lack of a perfect custom firewall should block release.
would a solution be to have the typical “all incoming ports” disabled with the standard disclaimer that the host itself should not be used for standard workstation activities?
That has potential to generate a bad reputation.
so, there is going to need to be an allowance for some host network activity.
For sure.
Implementing a host `user clearnet` is simple. (Similar to Whonix-Gateway `user clearnet`.) White listing VM traffic is a lot harder.
i’m not sure the lack of a perfect custom firewall should block release.
There’s a lot more to do.
https://phabricator.whonix.org/project/view/26/
Not all has to be done but essentials seems to be EFI boot support, SecureBoot support, Anon Connection Wizard host support, an installer ISO that works for both EFI and non-EFI booting (⚓ T979 co-install grub-efi-amd64 and grub-pc by default on Whonix-Host ISO).
Implementing a host `user clearnet` is simple. (Similar to Whonix-Gateway `user clearnet`.) White listing VM traffic is a lot harder.
maybe not? since whonix host will be using kvm, all that traffic should be owned by user “libvirt-qemu.” it’s not as perfect as filtering by vm name. but, it’s a start and narrows traffic down a little bit.
or, here’s another idea, what about filtering by source ip? for example, the whonix gateway in the kvm version has the local ip address on the host of 10.0.2.2. could this not effectively serve as a “virtual machine name” in implementation?
I am not good at names but Whonix-Host is not good. All Whonix-Hosts are Whonix’s host, but not the opposite. Many other OSes can be a Whonix’s host. When you are reading for a long time, it is easy to not get the point that Whonix-Host is meant to be an OS developed to be a Whonix’s host, not any other distribution with different purposes. When talking about Whonix OSes, there are two deployed as of now, Gateway and Workstation. Gateway could be named proxy, but Gateway is a much better name…
Having a hybrid ISO for USB / DVD that supports BIOS legacy boot, EFI boot and SecureBoot is a difficult task.
Hence I am now investigating porting Kicksecure / Whonix’s build script (derivative-maker) to Debian’s live-build which can do all of the above.
For our dracut based Live ISO there was this dracut usability bug which made the ISO unbootable.
New 90overlayfs module does not set up the overlay in three cases where it happened before (breaks Fedora/RHEL installer image boot)
**Describe the bug** In dracut 058/059, with commit https://github.com/dracutde…
This long standing development blocker might now be fixed:
Make dracut iso image bottable (adrelanos:master ← DanWin:master): The `dmsquash-live` module needs to be explicitly added for the live system to b…
documentation on grub-mkrescue:
GRUB2 How To (2) : Make boot-able ISO with xorriso
There are many tools to make boot-able ISO already. Some tools are good at some aspects, but lack supports for other features. Some tools o...
Major progress has been made. A script that can convert a raw image to an ISO image has been developed.
https://github.com/Kicksecure/grml-debootstraptest/blob/master/image-to-iso