I now have an idea how to write the host firewall… Looking at network interfaces before/after installation of KVM and then whitelisting the new device.
Could you please make SecureBoot work as well? @onion_knight I.e. “just” as good as Debian has it.
Purpose: Usability. Boot compatibility. Let users whose machines have SecureBoot enabled by default boot while SecureBoot stays enabled. Not require them to disable SecureBoot in the BIOS.
does the host firewall need to be an issue here? currently, on numerous other implementations of whonix, no such firewall configs are used. would a solution be to have the typical “all incoming ports” disabled with the standard disclaimer that the host itself should not be used for standard workstation activities?
as a side note, i don’t think restricting network traffic to the gateway will work. it would prevent system updates on the host os. so, there is going to need to be an allowance for some host network activity.
i’m very glad to hear that progress is still being made here. but, if it’s near done, i’m not sure the lack of a perfect custom firewall should block release.
maybe not? since whonix host will be using kvm, all that traffic should be owned by user “libvirt-qemu.” it’s not as perfect as filtering by vm name. but, it’s a start and narrows traffic down a little bit.
or, here’s another idea, what about filtering by source ip? for example, the whonix gateway in the kvm version has the local ip address on the host of 10.0.2.2. could this not effectively serve as a “virtual machine name” in implementation?
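A sketch of the two ideas raised above (allowlisting the interface that appears after KVM is installed, and matching on the gateway's source IP), as an added example that is not part of the thread or the Whonix project's code. The `ip -o link show` snapshots, the interface names and the `host_fw` table name are constructed; 10.0.2.2 is the address quoted in the post, and the output chain is left open because the post notes the host still needs its own updates.

```python
import ipaddress
import re

# Constructed `ip -o link show` snapshots (not from the thread),
# taken before and after installing KVM/libvirt on the host.
BEFORE = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
2: enp3s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP
"""
AFTER = BEFORE + """\
3: virbr1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
4: vnet0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
"""

def iface_names(ip_link_output):
    # Second field of each line is the name; drop any '@peer' suffix.
    found = (re.match(r"\d+:\s+([^:@\s]+)", l) for l in ip_link_output.splitlines())
    return {m.group(1) for m in found if m}

def new_ifaces(before, after):
    # Interfaces that exist only in the 'after' snapshot.
    return sorted(iface_names(after) - iface_names(before))

def nft_ruleset(ifaces, gateway_ip="10.0.2.2"):
    # Default-drop inbound and forwarded traffic; forward only the gateway's source IP.
    ipaddress.IPv4Address(gateway_ip)  # raises ValueError on a malformed address
    for name in ifaces:
        if not re.fullmatch(r"[A-Za-z0-9_.-]{1,15}", name):  # keep names inside the quotes
            raise ValueError(f"unsafe interface name: {name!r}")
    fwd = "\n".join(f'    iifname "{n}" ip saddr {gateway_ip} accept' for n in ifaces)
    return f"""table inet host_fw {{
  chain input {{
    type filter hook input priority 0; policy drop;
    iifname "lo" accept
    ct state established,related accept
  }}
  chain forward {{
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
{fwd}
  }}
  chain output {{
    type filter hook output priority 0; policy accept;  # host updates stay possible
  }}
}}
"""

if __name__ == "__main__":
    print(nft_ruleset(new_ifaces(BEFORE, AFTER)))
```

The printed ruleset can be reviewed and then checked with `nft -c -f <file>` before loading it.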
That feature request could take a long time if it ever materializes.
It will be possible without that feature request being implemented too but then additional options have to be passed to grub-rescue (or mkisofs) or other tools have to be used (manual use of grub-mkimage). The code / options to do this can probably be extracted from Debian’s live-build but that’s something that I wanted to avoid because that is very difficult for me.