Whonix live mode / amnesia / amnesic / non-persistent / anti-forensics

Interesting, but using stem is hard since that requires Tor already running. We’d have to start with DisableNetwork 1 which is cumbersome / may be unstable (script not disabling that again). Need to use the information from the disk.

Looks good. What is the used since date? How to calculate the unixtime when these time out?

Any way we can test that? Can’t really simulate a Tor entry guard cycle since if clock is too much off, Tor refuses to connect. Setting clock 10 years into future didn’t result in change of entry guard for me.

1 Like

i cannot speak on that authoritatively yet. however i can note that the guard entries that contain a unique “confirmed_idx” variable also have a unique “confirmed_on” variable which is not present for other guard entries. so “confirmed_on” may be the likely variable. the date in the entries i am viewing have not changed in weeks.

as for testing it, can probably manually edit the various date entries for the guards to set them back a year and see if it triggers a rotate. that will get around the issue with playing with the clock and tor.

1 Like

I went ahead and asked on tor-talk how to use controlport commands to enumerate this info. Might be a while until it app.ears on the list

1 Like

https://gitweb.torproject.org/torspec.git/tree/control-spec.txt

GETINFO entry-guards
1 Like

https://github.com/Whonix/Whonix/commit/69d0de6222afad9ace440054a0dad7c567d57e50

1 Like
1 Like

fix live indicator detection of ro-mode-init (when disk is set to read-only)

1 Like

Hey. Please help solve the problem. Debian Kicksecure Host Installed grub-live. When running grub-live on the host, I cannot start the KVM virtual machine.
Error text:
Startup error: internal error: child reported
(status = 125): unable to set user and group to
‘64055: 64055’ on '/ var / lib / libvirt / images / Whonix-
Gateway.qcow2 ': No device left
free space

VirtualBox has the same problem. Swears at "No device left
free space "When running a host in normal mode (non-live-mode) everything works fine. Both in VirtualBox and in KVM

You probably don’t have enough physical RAM on the host.

How much do you need? I don’t know. I only tested with 32 GB RAM on the
host which worked for me.

Reports welcome how much RAM one has and if it works for you.

free -h
mem: total - 15Gi used 404Mi free 14Gi shared 70Mi buff/cache 383Mi available 14Gi
Swapp off
Maybe I turned on / off something extra on the host? (I changed a lot of settings, installed other recommended software (on the wiki)

Read-only mode KVM - worked. (non grub-live on host)

https://www.kernel.org/doc/Documentation/filesystems/overlayfs.txt has a chapter Metadata only copy up:

When metadata only copy up feature is enabled, overlayfs will only copy up metadata (as opposed to whole file), when a metadata specific operation like chown/chmod is performed. Full file will be copied up later when file is opened for WRITE operation.

In other words, this is delayed data copy up operation and data is copied up when there is a need to actually modify data.

There are multiple ways to enable/disable this feature.
[…]

That feature would be useful for Whonix-Host. If anyone already used that, please help in ⚓ T914 Whonix Host Live - enable KVM readonly mode - virt-xml vm-name --edit --disk readonly=on.

@Patrick, your suggestion seems to be working :slight_smile:

See my last comment here
https://phabricator.whonix.org/T914

2 Likes

Need to review each of these kernel boot parameters if these are still required.

  • boot=live
  • plainroot
  • union=overlay
  • ip=frommedia
  • noeject
  • nopersistence

  • boot=live

Activates live boot (package by Debian). Probably OK.

  • plainroot

See file /lib/live/boot/9990-main.sh for variable PLAIN_ROOT. Takes a different code path. Not sure.

  • union=overlay

union=overlay|aufs
By default, live-boot uses overlay. With this parameter, you can switch to aufs.

Seems default anyhow. Could therefore be removed but never mind.

ip=frommedia

Seems required to not write /etc/network/interfaces, ok.

  • noeject

Do not prompt to eject the live medium.
This option causes live-boot to reboot without attempting to eject the media and without asking the user to remove the boot media.

Do we want this? Why?

When shutting down Whonix-Host ISO it seems to not poweroff but say “please remove ISO” or something which is bad (in case users want to quickly shutdown to clear RAM).

  • nopersistence

disables the “persistence” feature, useful if the bootloader (like syslinux) has been installed with persistence enabled.

Not sure yet. Probably ok for now. Looks related to selective persistence.

  • boot=live Needed
  • plainroot No sure neither. I found almost no valuable info. Maybe supports disk encryption (?)
    Whonix live mode / amnesia / amnesic / non-persistent / anti-forensics - #45 by Algernon
  • union=overlay Yes to keep it, probably redundant, but you never know when the default changes
  • ip=frommedia Yes, " Seems required to not write /etc/network/interfaces , ok."
  • noeject Yes, let’s keep it, maybe better for quick shutdown.
  • nopersistence, Seems we could remove this one. Maybe persistence (like Tails) could be a nice feature in the future for Whonix-Host

Btw I have just noticed that default Whonix-Host ISO (Isolinux, didn’t check on GRUB yet) does not have these kernel parameters. Is this on purpose? Or should we harmonize it and have the same exact parameters for VMs and Whonix-Host live-mode?

Edit by Patrick:
added bullet points for easier readability

2 Likes

Not on purpose. I guess that happened because these boot options are only set when booting for example Whonix-Workstation VM into Live Mode. Therefore overlooked.

Yes, that would be good.

Kernel command line persistent mode changes from ⚓ T950 set kernel.printk sysctl to prevent kernel info leaks were not added yet. But not sure we should add them yet. It’s not time to lower verbosity for Whonix-Host boot yet.
Perhaps rather the opposite. Add more verbosity?

Btw installing package debug-misc on Whonix-Host ISO wouldn’t increase debugging because current implementation ignores that raw image’s /boot/grub/grub.cfg (which is created from /etc/default/grub.d, i.e. /etc/default/grub.d is ignored) (for now hardcoded).

Could use a script to sanity check if kernel boot parameters are sync (no differences for Whonix-Host ISO) but not easy.

Why are kernel boot paramaters (such as spectre_v2=on spec_store_bypass_disable=on tsx=off …) defined in both files:

is one redundant?

Could you please create tickets (separate forum topics) for anything that isn’t easy to resolve? [Don’t worry the forum tags too much. I can do these later.]

One is for GRUB (when booting in EFI), the other is for Isolinux (when booting in BIOS).

1 Like

Any idea how to debug this?