As per Whonix Live KVM instructions - Live Mode for Kicksecure - even the grub-live package says:
To increase security, the VM disks can be set to read-only.
grub-live is compatible with virtualizer read-only setting, even recommended.
Does this solve your concern?
This is really good. Could be done using systemd unit file.
Not sure too. whonix-libvirt package also seems wrong since not tied to Whonix only (also hardened debian). Since there is the grub-live and grub-default-live package, it would have to be duplicated or yet another grub-live-shared package would have to be invented. On the other hand, setting disk to read only in virtualizer settings is not generic for any VM but Whonix KVM VMs only so maybe whonix-libvirt is a good place?
1 Like
Oh now I see⌠didnât know that. Yes it solves my question.
The grub-live host package would be absoutely ideal. Itâs a conditional command that makes sense there.
Unless you plan on making Whonix Desktop support other virtualizers, it doesnât matter if itâs not generic. It fits within the context of a Linux host and hypervisor IMO.
1 Like
onion_knight via Whonix Forum:
Regarding branding, actually very easy, all files live in /etc/calamares/branding/debian/ (with package calamares-settings-debian installed).
Just need to modify the .png files and the config file accordingly: /etc/calamares/branding/debian/branding.desc
Created â T919 Whonix Live Branding for it.
1 Like
@Patrick Hello, sorry I havenât contributed much lately, a bit busy period. I will have more time in July. Many thanks for all your feedback, Iâll get back to it when I have some more spare time available.
3 Likes
Sir @onion_knight we need you, Whonix Host needs you, Freedom needs you.
1 Like
@HulaHoop Thanks for your kind message! 
Sorry if you have the feeling that I let you down. I was indeed less involved with the project lately. I want back and I also want this thing to succeed, but I guess that I wonât be able to do it alone due to my limited abilities as a developper.
All right, let me at least catch up with the new topics and try to build anew from scratch a Whonix Host Operating machine, and see where we stand with this project, what works, what doesnât, and what still needs to be done.
2 Likes
Awesome!
No worries. Your previous contributions were instrumental in moving this project forward! I donât think weâd have the iso generation code without your original research and implementation and much more. If you can keep up with as you did previously, that would already be a big help!
1 Like
Building 15.0.0.9.0-developers-only (sudo ~/Whonix/whonix_build --build --target iso --flavor whonix-host-xfce --freedom false) fails at 1700_install-packages step:
Depends: security-misc but it is not going to be installed
And then installation of security-misc fails, because:
+ export IFS
+ '[' '!' '' = yes ']'
+ echo '/var/lib/dpkg/tmp.ci/preinst: ERROR: No user is a member of group '\''sudo'\''. Installation aborted.'
/var/lib/dpkg/tmp.ci/preinst: ERROR: No user is a member of group 'sudo'. Installation aborted.
+ echo '/var/lib/dpkg/tmp.ci/preinst: ERROR: You probably want to run:'
/var/lib/dpkg/tmp.ci/preinst: ERROR: You probably want to run:
+ echo ''
I chose to ignore the error and continue the build for the moment.
1 Like
Because of this error dpkg was interrupted and I had to chroot inside the raw file and apt install -f to finish the dpkg process by hand.
Furthermore, the following packages were not properly installed and automatically removed:
kicksecure-cli kicksecure-dependencies-cli kicksecure-xfce
whonix-host-xfce-kvm-freedom whonix-host-xfce-kvm-nonfreedom
Anyway the resulting disk image is completely broken.
Iâll try it again from scratch once this error has been fixed⌠Unless someone has a proven method of building Whonix-Host.
1 Like
Itâs related to the old discussion on how user user should be created.
( Whonix Desktop Installer with Calamares - field report - #81 by Patrick )
For Non-Qubes-Whonix VM builds user user is created by anon-base-files postinst script.
https://github.com/Whonix/anon-base-files/blob/master/debian/anon-base-files.postinst
For Whonix Host builds this code does not run. This was a result of the discussion how user user (and user groups) should be created.
Nowadays security-misc disabled root login for better security (among a ton of other security hardening).
Since security-misc is also used outside of Whonix, there is a check to not install if there are no users in group sudo. This check is implemented in security-misc preinst.
security-misc/debian/security-misc.preinst at master ¡ Kicksecure/security-misc ¡ GitHub
Meanwhile perhaps remove security-misc from anon-meta-packages debian/control?
anon-meta-packages/debian/control at master ¡ Whonix/anon-meta-packages ¡ GitHub
In that case (easiest), add to build command
--allow-untagged true --allow-uncommitted true
That should help avoiding issues some sudo/root access issues security-misc can be figured out later.
I think I suggested to avoid live-config so we donât involve any of its user user creation code.
Whonix Desktop Installer with Calamares - field report - #124 by Patrick
Iâll try to fix the build.
Could you please check package live-config? Maybe itâs mostly about the scripts in /lib/live/config/. What stuff we need?
Perhaps we can get rid of live-config or re-implement the few bits that we do need.
I try to use âstandardâ anon-base-files for user user and groups creation and dropping live-config. Seems the less complex solution to this issue.
As far as I remember, we need at least a script for user creation during boot, and probably some other small stuff that I donât remember of yet.
From man live-config:
CUSTOMIZATION
live-config can be easily customized for downstream projects or local usage.
Adding new config components
Downstream projects can put their components into /lib/live/config and do not need to do anything else, the components will be called automatically during boot.
The components are best put into an own debian package. A sample package containing an example component can be found in /usr/share/doc/live-config/examples.
Removing existing config components
It is not really possible to remove components itself in a sane way yet without requiring either to ship a locally modified live-config package or using dpkg-divert. However, the same can be
achieved by disabling the respective components through the live-config.nocomponents mechanism, see above. To avoid to always need specifying disabled components through the boot parameter, a conâ
figuration file should be used, see above.
The configuration files for the live system itself are best put into an own debian package. A sample package containing an example configuration can be found in /usr/share/doc/live-config/examples.
COMPONENTS
live-config currently features the following components in /lib/live/config.
debconf
allows one to apply arbitrary preseed files placed on the live media or an http/ftp server.
hostname
configures /etc/hostname and /etc/hosts.
user-setup
adds a live user account.
sudo
grants sudo privileges to the live user.
locales
configures locales.
locales-all
configures locales-all.
tzdata
configures /etc/timezone.
gdm3
configures autologin in gdm3.
kdm configures autologin in kdm.
lightdm
configures autologin in lightdm.
lxdm
configures autologin in lxdm.
nodm
configures autologin in nodm.
slim
configures autologin in slim.
xinit
configures autologin with xinit.
keyboard-configuration
configures the keyboard.
systemd
configures systemd autologin.
sysvinit
configures sysvinit.
sysv-rc
configures sysv-rc by disabling listed services.
login
disables lastlog.
apport
disables apport.
gnome-panel-data
disables lock button for the screen.
gnome-power-manager
disables hibernation.
gnome-screensaver
disables the screensaver locking the screen.
kaboom
disables KDE migration wizard (squeeze and newer).
kde-services
disables some unwanted KDE services (squeeze and newer).
policykit
grant user privilegies through policykit.
ssl-cert
regenerating ssl snake-oil certificates.
anacron
disables anacron.
util-linux
disables util-linux' hwclock.
login
disables lastlog.
xserver-xorg
configures xserver-xorg.
broadcom-sta
configures broadcom-sta WLAN drivers.
openssh-server
recreates openssh-server host keys.
xfce4-panel
configures xfce4-panel to default settings.
xscreensaver
disables the screensaver locking the screen.
hooks
allows one to run arbitrary commands from a file placed on the live media or an http/ftp server.
I guess better if re-implemented. A quick search looks like Tails also stopped using live-config.
/usr/lib/whonix-libvirt/install is currently breaking the build on a host system that has VirtualBox installed. During virsh -c qemu:///system net-start "default" it freezes everything.
Maybe it would be better to not do this during build inside chroot? Would be ok too if /usr/lib/whonix-libvirt/install was executed during first boot using a systemd unit file?
Great, would you mind sharing the links? Couldnât find anything.
Meanwhile I did that and managed to complete the build without errors. Some did get wrong though, as the ISO file kernel panics on bootâŚ
1 Like
âgoogleâ
site:tails.boum.org "live-config"
(Search only on domain tails.boum.org for exact string live-config.)
Thanks, will have a look.
My newly built Host VM (.raw file) also kernel panics when booting into live mode:
line 244: can't open '/scripts/live' : No such file or directory
1 Like
this https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=831637 ?
Or we donât have initramfs or dracut installed?
no, but package live-boot was not installed during the build⌠After installing it, it works.
1 Like
