I wanted to report on the progress I made with the bootable live Whonix ISO project.
1. Bootable live Debian 10 BIOS/UEFI ISO with Whonix KVM
In short, it works fine! I now have a 2.8GB ISO file which can be burnt on a USB disk and will boot from BIOS or UEFI to a full live Debian 10 desktop with KVM-virt-manager.
In detail
I first created a standard XFCE4 Debian 10 VM with grml-debootstrap with the required kvm/qemu/virt-manager packages + Whonix qcow2 files. I did not use the Whonix hardened-debian build, and thus my “Whonix-Host” has nothing Whonix-specific, but I don’t see any reason why it wouldn’t work with the hardened-debian version.
I did not manage to configure the Whonix VMs in chroot, so I had to boot the host VM and configure them by hand. Very unclean, but I am sure there should be documented information on how to do this in a clean, scripted way. This master host VM is in no way optimized as it is, and its size may even be further reduced as I didn’t take time to carefully review the packages I put into it (although it was quite a minimal build).
Important notice: I had to copy the qcow2 files into the master host VM with the qemu-img convert -O qcow2 command (which shrinks the VMs to their “real” size) instead of the cp --sparse=always command, otherwise the live-system would be unable to start them, complaining about “no space left on the device”. Maybe when they are not shrunk, the live-system “thinks” that they are 100GB big and is unable to allocate enough space?
When the master host VM was up and running, I made a bootable BIOS/UEFI ISO file out of it with the bash script that I posted above.
Everything works fine now. I had much less success with the second, installer part of the project.
2. “Whonix-Desktop” installer
This is still at a very early stage for me. I did everything “by hand” in KVM to just try things out.
I attached a 20GB virtual disk that I divided into two partitions: first a 500M boot partition, and then I encrypted the rest (LVM on LUKS, basically following the Arch wiki instructions).
After that, I mounted the encrypted partition to /mnt, the first partition to /mnt/boot and proceeded to rsync the live system on the encrypted partition with:
rsync -aAXv --exclude={"/dev/","/proc/","/sys/","/tmp/","/run/","/mnt/","/media/*","/lost+found","/var/log/","/lib/live","/usr/lib/live","/var/tmp"} * /mnt/
After that, things started to get complicated. Of course, to be bootable, a lot of adjustments need to be made to the new system, such as installing grub, installing the kernel, changing the disk UUIDs, making sure the kernel will load the required modules to deal with encryption, rebuilding the initramfs (update-initramfs -u didn’t work in the live environment).
I did try some adjustments, but haven’t got to the point of having a bootable encrypted disk as of now. Didn’t spend too much time on it either, but again I am sure all of this is pretty much documented and should even be able to be scripted somehow.
Sum-up
Part 1: bootable live Whonix Desktop
- Mostly done, proof of concept works
- Need to try with a hardened-whonix build
- Need to script all the build in an automatic way
- Need to decide what exact package would ship in the Whonix Desktop (probably need some non-free firmware to make it work with most hardware, wifi support, etc.)
Part 2: installer
- As of now, I have no working solution
- The “DD” way seems the fastest - but needs careful tailoring
- Ideally, the final installer should be some kind of simplified GUI, maybe test with Calamares?
- All in all, shouldn’t be too difficult to achieve with the right level of skills and time, nothing that hasn’t been done before
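
The “Important notice” above turns on the difference between an image's apparent size and the space it really occupies. The script below is an added example, not part of the original post: it measures both for an image and compares them with the free space at a destination. The function names are hypothetical, and it assumes a Linux system with `stat -c`, `df -Pk` and `awk` available.

```shell
#!/bin/sh
# Added example (not from the original post): does a disk image fit at a
# destination, and does that depend on its holes staying unallocated?
# Usage: sh image-space.sh IMAGE DESTDIR

# Apparent size in bytes (what ls -l shows, holes included).
apparent_bytes() { stat -c %s "$1"; }

# Bytes actually allocated on disk: block count times block unit.
allocated_bytes() {
    set -- $(stat -c '%b %B' "$1")
    echo $(( $1 * $2 ))
}

# Free bytes on the filesystem that holds directory $1.
avail_bytes() {
    kb=$(df -Pk "$1" | awk 'NR==2 {print $4}')
    echo $(( kb * 1024 ))
}

# classify APPARENT ALLOCATED AVAIL
#   fits         the full apparent size fits at the destination
#   sparse-only  fits only as long as the holes are never filled
#   too-big      even the data already allocated does not fit
classify() {
    if [ "$1" -le "$3" ]; then echo fits
    elif [ "$2" -le "$3" ]; then echo sparse-only
    else echo too-big
    fi
}

# report IMAGE DESTDIR: one summary line for an image and a destination.
report() {
    a=$(apparent_bytes "$1"); d=$(allocated_bytes "$1"); f=$(avail_bytes "$2")
    echo "$1 apparent=$a allocated=$d avail=$f -> $(classify "$a" "$d" "$f")"
}

if [ "$#" -eq 2 ]; then report "$1" "$2"; fi
```

A result of `sparse-only` or `too-big` for the destination filesystem means the image relies on sparse allocation there or cannot be stored at all.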