Need to review each of these kernel boot parameters if these are still required.
Activates live boot (package by Debian). Probably OK.
/lib/live/boot/9990-main.sh for variable PLAIN_ROOT. Takes a different code path. Not sure.
By default, live-boot uses overlay. With this parameter, you can switch to aufs.
Seems default anyhow. Could therefore be removed but never mind.
Seems required to not write
Do not prompt to eject the live medium.
This option causes live-boot to reboot without attempting to eject the media and without asking the user to remove the boot media.
Do we want this? Why?
When shutting down the Whonix-Host ISO it seems to not power off but says “please remove ISO” or something, which is bad (in case users want to quickly shut down to clear RAM).
Disables the “persistence” feature, useful if the bootloader (like syslinux) has been installed with persistence enabled.
Not sure yet. Probably ok for now. Looks related to selective persistence.
- plainroot: Not sure either. I found almost no valuable info. Maybe supports disk encryption (?)
Whonix live mode / amnesia / amnesic / non-persistent / anti-forensics - #45 by Algernon
- union=overlay: Yes, keep it; probably redundant, but you never know when the default changes.
- ip=frommedia: Yes, “Seems required to not write /etc/network/interfaces, ok.”
- noeject: Yes, let’s keep it, maybe better for quick shutdown.
- nopersistence: Seems we could remove this one. Maybe persistence (like Tails) could be a nice feature in the future for Whonix-Host.
Btw I have just noticed that default Whonix-Host ISO (Isolinux, didn’t check on GRUB yet) does not have these kernel parameters. Is this on purpose? Or should we harmonize it and have the same exact parameters for VMs and Whonix-Host live-mode?
Edit by Patrick:
added bullet points for easier readability
Is this on purpose?
Not on purpose. I guess that happened because these boot options are only set when booting for example Whonix-Workstation VM into Live Mode. Therefore overlooked.
Yes, that would be good.
Kernel command line persistent mode changes from
T950 set kernel.printk sysctl to prevent kernel info leaks were not added yet. But not sure we should add them yet. It’s not time to lower verbosity for Whonix-Host boot yet.
Perhaps rather the opposite. Add more verbosity?
Btw installing package debug-misc on Whonix-Host ISO wouldn’t increase debugging because the current implementation ignores the raw image’s /boot/grub/grub.cfg (which is created from /etc/default/grub.d); for now it is hardcoded.
Could use a script to sanity check if kernel boot parameters are in sync (no differences for Whonix-Host ISO) but not easy.
Why are kernel boot parameters (such as spectre_v2=on spec_store_bypass_disable=on tsx=off …) defined in both files: is one redundant?
Could you please create tickets (separate forum topics) for anything that isn’t easy to resolve? [Don’t worry about the forum tags too much. I can do these later.]
One is for GRUB (when booting in EFI), the other is for Isolinux (when booting in BIOS).
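One way to do the sanity check discussed above, as an added example that is not Whonix’s or grub-live’s own tooling: it takes the kernel parameters from the `linux` line of a GRUB config and the `append` line of an Isolinux config and reports the ones present in only one of them. The config fragments are constructed samples, not the real Whonix-Host ISO files.

```shell
#!/bin/sh
# Added example, not Whonix/grub-live code. Compares kernel parameters between
# a GRUB "linux ..." entry and an Isolinux "append ..." entry.
export LC_ALL=C   # stable sort order so that comm(1) agrees with sort(1)

# Constructed sample fragments standing in for the two ISO boot configs.
GRUB_CFG='menuentry "Live" {
    linux /live/vmlinuz boot=live union=overlay ip=frommedia noeject spectre_v2=on tsx=off
    initrd /live/initrd.img
}'
ISOLINUX_CFG='label live
    kernel /live/vmlinuz
    append initrd=/live/initrd.img boot=live union=overlay ip=frommedia spectre_v2=on tsx=off quiet'

# Kernel parameters of the first "linux" line: everything after the kernel path.
grub_params() {
    printf '%s\n' "$1" | awk '$1 == "linux" { for (i = 3; i <= NF; i++) print $i; exit }' | sort -u
}

# Kernel parameters of the first "append" line; initrd= is a bootloader
# directive, not a kernel parameter, so it is skipped.
isolinux_params() {
    printf '%s\n' "$1" |
        awk '$1 == "append" { for (i = 2; i <= NF; i++) if ($i !~ /^initrd=/) print $i; exit }' |
        sort -u
}

# Report parameters present in only one of the two configs.
# Returns 0 when both sets are identical, 1 otherwise.
compare_params() {
    g=$(mktemp) && i=$(mktemp) || return 2
    grub_params "$1" > "$g"
    isolinux_params "$2" > "$i"
    grub_only=$(comm -23 "$g" "$i")   # lines only in the GRUB set
    iso_only=$(comm -13 "$g" "$i")    # lines only in the Isolinux set
    rm -f "$g" "$i"
    [ -n "$grub_only" ] && printf 'only in GRUB: %s\n' "$grub_only"
    [ -n "$iso_only" ] && printf 'only in Isolinux: %s\n' "$iso_only"
    [ -z "$grub_only" ] && [ -z "$iso_only" ]
}

# Usage: exit status 1 here, because noeject and quiet differ between the samples.
compare_params "$GRUB_CFG" "$ISOLINUX_CFG" || echo "kernel boot parameters are out of sync"
```

On a real ISO, feed it the contents of the GRUB and Isolinux config files instead of the samples; a non-zero exit status is what a build script would fail on.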
Any idea how to debug this?
I have installed the grub-live package on plain Debian (netinstall xfce version) and I can’t boot grub-live; it will just show a blinking dash -
This is a comparison of /boot/grub/grub.cfg between plain Debian + grub-live package (on the left) and Kicksecure (on the right):
How to set Read-only Mode for a VM now?
This manual no longer works: /wiki/VM_Live_Mode/Read_Only_Mode_Hard_Drive
It is also impossible to start the VM with live mode on the host. There is an error VERR_DISK_FULL
Not a Whonix issue:
“I thought it was the VirtualBox’s vdi hard disk drive that was full, but it was much easier. Just a “df -h” and I realized that my host disk was full!”
@Patrick maybe we can add this to:
Can anyone use live mode with the recent changes to AHCI? I can’t.
With VB 6.1.18 everything worked great. But with VB 6.1.2 and with AHCI I can’t start a Whonix VB in live mode with live mode on the host.
Not a Whonix issue:
My disk has enough free space. When I used VB 6.1.18 with LsiLogic SAS, live mode on the host worked well and I was able to start the Whonix VB with live mode on the host. But now when live mode is on on the host I get this error - VERR_DISK_FULL
Also it is now impossible to switch an AHCI VB to read only.
Never mind, VB issued version 6.1.22 with the LsiLogic SAS problem fixed.
Thanks for reporting the bug, though I’m getting a different error message (Debian host):
and Debian didn’t upgrade vbox in sid to .22 yet:
As noticed in the above forum thread, /boot isn’t write protected. Any idea how /boot could also be covered?
mount time (time of last mounting of partition) is a pretty good guess.
Maybe mount option in /etc/fstab noatime for /boot (and generally?) would help?
Maybe there is a kernel boot parameter similar to noatime that we could set?
Ideally in live mode mount times shouldn’t be recorded. It’s not a critical issue, but for the simplicity of dd’ing the whole encrypted disk and comparing it, it would be much more handy if this issue didn’t exist.
Non-Qubes-Whonix (and Kicksecure) VM images do not have a separate /b…
grub-live ported to dracut would be great!
If we want to implement a live boot option for Whonix we maybe need to change the default tool for generating the initramfs from the current initramfs-tools to dracut. Therefore, also some minor changes to the build scripts are required.
Dracut is mostly used by everything Fedora based (RedHat, CentOS, Qubes) and OpenSuse. Initramfs-tools is used by Debian and derivatives by default.
I couldn’t find any important differences between both, which doesn’t mean they don’t exist. Dracut is also in …
Debian feature request
Boot existing Host Operating System or VM into Live Mode (grub-live)
replacing initramfs-tools with dracut
grub-live dracut support has been implemented.