Whonix-Host Operating System (OS) ISO

We now have the initial packages and can add more dependencies as required.

  • whonix-host-xfce-kvm-freedom
  • whonix-host-xfce-kvm-nonfreedom

Most dependencies (such as live-config perhaps etc) should be added to whonix-host-xfce-kvm-freedom. This is because whonix-host-xfce-kvm-nonfreedom has Depends: on whonix-host-xfce-kvm-freedom.

1 Like

Ah, I did not see whonix-stuff/2900_configure_desktop_sketch at master · onions-knight/whonix-stuff · GitHub earlier. This will help me with dependencies.

You would need to add something like:

<source file='/var/lib/libvirt/images/VM.img'/>
  <target dev='vda' bus='virtio'/>
  <readonly/>

to the xml file.
But as you said it needs to be changed to readwrite afterwards when using the installed host OS.
iirc just using the correct settings for the xml file should be sufficient i.e. you maybe don’t need to change the permissions of the file.
In this case one could maybe come up with some script which checks if we boot from an iso and accordingly sets the read only tag.
Another way would maybe be using virt-install instead of importing the VMs via the xml.

3 Likes

That’s great :slight_smile: The only caveat is it will need to be disabled temporarily to create snapshots when the host is booted in a persistent mode to update.

1 Like

Could be because systemd time daemon is conflicting with what sdwdate is setting. @Patrick can we switch the time daemon on every Debian derivative we make to sdwdate exclusively?

1 Like

sdwdate sets time, not timezone.

This is what timezone-utc package is doing essentially:
https://github.com/Whonix/timezone-utc/blob/master/debian/timezone-utc.postinst

Might give some clues on how to change timezone.

Already done.

Yes, we need to set this somehow in when Whonix host was booted into live mode only. This is not implemented yet?

Done this way:

Would this be part of the whonix libvirt host package? If so it would depend on detecting live mode is enabled and then it would edit the VM configs with somehting like sed. Since exiting amnesic mode would revert it, no need for code to undo.

Does this work in Whonix?

Disadvantage being that we have to,

  • install anon-connection-wizaard on the host too. (And then have user duplicate that work inside Whonix-Gateway.) [In theory, OneVM where Tor runs on the host would make more sense to avoid duplicate Tor config and duplicate Tor connections but OneVM may also be harder to get right in terms of leak protection, never thought that through.]
  • drop “give user option to not connect to the public Tor network”.

Would this be part of the whonix libvirt host package? If so it would depend on detecting live mode is enabled and then it would edit the VM configs with somehting like sed. Since exiting amnesic mode would revert it, no need for code to undo.

Something like this.

What’s the config that has to be changed?

Or what’s the command line command to be run to change that?

It could be implemented as a systemd unit file. Similar to: https://github.com/Whonix/shared-folder-help/blob/master/lib/systemd/system/mnt-shared-kvm.service

Probably no need for ConditionVirtualization=.

Should probably use ConditionKernelCommandLine=boot=live to then call a script.

Could you please add a /lib/systemd/system/live-libvirt.service (or so) to whonix-libvirt package?

I notice several parameters that escaped me when reading the host hardening guide. Will the installation scripts be designed such that they can be applied to an existing Debian host? If not, would it be possible to document them Arch Wiki style in order to easily replicate the config?

jpearson via Whonix Forum:

I notice several parameters that escaped me when reading the host hardening guide. Will the installation scripts be designed such that they can be applied to an existing Debian host?

Yes, more or less as a byproduct we’ll get sudo apt-get install whonix. Will be documented when time has come, not ready yet.
(Developers can already do it if that was to help with debugging.) Not
sure yet if sudo apt-get install whonix will be supported for users
since more can go wrong compared to a ISO installer build where all
default installed packages can be defined by developers.

If not, would it be possible to document them Arch Wiki style in order to easily replicate the config?

Both product Hardened Debian and product Whonix Host (temporary
names) won’t apply all steps from host hardening guide. Only what’s
doable / realistic / etc. Some are too specific like router settings to
be done by a host operating system.

Dug around on how to modify XML settings on the fly via cli. Other options were too messy or required manual editing which are useless for scripting.

sudo virt-xml Whonix-Workstation --edit --disk readonly=on

readonly takes values on/off

I am not sure whonix-libvirt is the ideal place for detection of live mode and the adjustment of image write options. Perhaps the grub-live package is a better place.

However wouldn’t doing this break VM usage since ro-mode-init is not our first choice for using it?

1 Like
1 Like

As per Whonix Live KVM instructions - Live Mode for Kicksecure - even the grub-live package says:

To increase security, the VM disks can be set to read-only.

grub-live is compatible with virtualizer read-only setting, even recommended.

Does this solve your concern?

This is really good. Could be done using systemd unit file.

Not sure too. whonix-libvirt package also seems wrong since not tied to Whonix only (also hardened debian). Since there is the grub-live and grub-default-live package, it would have to be duplicated or yet another grub-live-shared package would have to be invented. On the other hand, setting disk to read only in virtualizer settings is not generic for any VM but Whonix KVM VMs only so maybe whonix-libvirt is a good place?

1 Like

Oh now I see… didn’t know that. Yes it solves my question.

The grub-live host package would be absoutely ideal. It’s a conditional command that makes sense there.

Unless you plan on making Whonix Desktop support other virtualizers, it doesn’t matter if it’s not generic. It fits within the context of a Linux host and hypervisor IMO.

1 Like

onion_knight via Whonix Forum:

Regarding branding, actually very easy, all files live in /etc/calamares/branding/debian/ (with package calamares-settings-debian installed).

Just need to modify the .png files and the config file accordingly: /etc/calamares/branding/debian/branding.desc

Created ⚓ T919 Whonix Live Branding for it.

1 Like

@Patrick Hello, sorry I haven’t contributed much lately, a bit busy period. I will have more time in July. Many thanks for all your feedback, I’ll get back to it when I have some more spare time available.

3 Likes

Sir @onion_knight we need you, Whonix Host needs you, Freedom needs you.

1 Like