Whonix on Mac M1 (ARM) - Development Discussion

LoftyGoals · April 20, 2025, 4:31pm

This had fewer hiccups than I was expecting. Before I proceed to hammering VBoxManage into shape, does anyone see any problems with this approach?

These commands

execute amd64 binaries
using qemu-x86_64-static
in an amd64 chroot
in a mount of the Debian Bookworm amd64 Live ISO
in an arm64 Debian bookworm VM (the same one I used to built he raw Whonix images)
using VirtualBox 7.1.6
on macOS Sequoia
on an M1 Mac laptop

If this seems reasonable I will see if it can generate a working arm64 .vbox.

I’m kind of proud of this, particularly because it doesn’t require doing a Debian install… this is A-level cross-platform VM shenanigans. Nice idea, Patrick!

# Set variables for readability
AMD64_ROOT='/home/builder/amd64'
BINDIR_PATH='/home/builder/derivative-binary/17.3.6.2'
AMD64_WORK_PATH='/tmp/amd64_work'
RAW_FILENAME='Whonix-Gateway-CLI-17.3.6.2.arm64.raw'

# Set derived variables for readability.
RAW_PATH="${BINDIR_PATH}/${RAW_FILENAME}"
AMD64_ISO_PATH="${AMD64_ROOT}_iso"
AMD64_RO_PATH="${AMD64_ROOT}_ro"
AMD64_RW_PATH="${AMD64_ROOT}_rw"
AMD64_MERGED_PATH="${AMD64_ROOT}_merged"

# Download required items
sudo apt-get install curl qemu-user-static
curl -L -O https://cdimage.debian.org/debian-cd/current-live/amd64/iso-hybrid/debian-live-12.10.0-amd64-standard.iso

# Set up AMD64 file system and required files
mkdir "${AMD64_ISO_PATH}" "${AMD64_RO_PATH}" "${AMD64_RW_PATH}" "${AMD64_MERGED_PATH}" "${AMD64_WORK_PATH}"
sudo mount -o loop debian-live-12.10.0-amd64-standard.iso "${AMD64_ISO_PATH}"
sudo mount -o loop "${AMD64_ISO_PATH}/live/filesystem.squashfs" "${AMD64_RO_PATH}"
sudo mount --bind /dev "${AMD64_RO_PATH}/dev"
sudo mount --bind /sys "${AMD64_RO_PATH}/sys"
sudo mount --bind /proc "${AMD64_RO_PATH}/proc"
mkdir -p "${AMD64_RW_PATH}${BINDIR_PATH}"
mv "${RAW_PATH}" "${AMD64_RW_PATH}${RAW_PATH}"
sudo mkdir "${AMD64_RW_PATH}/etc"
sudo cp /etc/resolv.conf "${AMD64_RW_PATH}/etc"
sudo mkdir -p "${AMD64_RW_PATH}/usr/bin"
sudo cp $(which qemu-x86_64-static) "${AMD64_RW_PATH}/usr/bin"
sudo mount -t overlay overlay -olowerdir="${AMD64_RO_PATH}",upperdir="${AMD64_RW_PATH}",workdir="${AMD64_WORK_PATH}" "${AMD64_MERGED_PATH}"

# Run something
sudo /sbin/chroot "${AMD64_MERGED_PATH}" qemu-x86_64-static /usr/bin/apt-get install hello
sudo /sbin/chroot "${AMD64_MERGED_PATH}" qemu-x86_64-static /usr/bin/hello                
> Hello, world!
/usr/bin/dpkg --print-architecture
> arm64
sudo /sbin/chroot "${AMD64_MERGED_PATH}" qemu-x86_64-static /usr/bin/dpkg --print-architecture
> amd64

LoftyGoals · April 21, 2025, 6:51am

The good news is the problem exists in a vanilla Debian Bookworm VM in VirtualBox on an M1.

The bad news is Bookworm uses systemd 252.36-1~deb12u1 amd that is 3 major releases behind. It’s only 43 days out of date but they only accept bugs that are 1 or 2 major releases behind. So I can’t file a bug.

How should I proceed?

Patrick · April 21, 2025, 8:50am

Please try with Debian trixie.

Patrick · April 21, 2025, 11:10am

build-steps.d/1300_cowbuilder-setup is used to build chroots. Added some new code there just now.

   if [ "$dist_build_virtualbox" = "true" ]; then
      if [ "$dist_build_target_arch" = "arm64" ]; then
         true "${cyan}INFO: '--target virtualbox' and '--arch arm64', therefore also building a AMD64 chroot, because at time of writing VirtualBox is available only on ARM64 macOS but not for ARM64 Linux.${reset}"
         make_cross_build_platform_list_including_host_architecture+=" amd64 "
      fi
   fi

But…

Installing VirtualBox inside that chroot using VirtualBox Installer for Linux (virtualbox-installer-cli (dist-installer-cli --virtualbox-only));
using that chroot to run build-steps.d/4600_create-vbox-vm inside it;
and combining this with SUDO_TO_VBOX_TEMP and/or HOMEVAR_VBOX_TEMP

remains todo.

LoftyGoals · April 21, 2025, 2:05pm

@Patrick In the interest of not having to do it more than once and keeping it consistent with your vision, at what points in the code (file and section or line) do you imagine the three of these items happening?

Also, what is the digital-signatures-policy compliant way of installing VirtualBox Installer?

LoftyGoals · April 21, 2025, 9:35pm

FYI, systemd-detect-virt false negative in Debian VM in VirtualBox on Sequoia · Issue #37204 · systemd/systemd · GitHub has been filed against systemd. If it isn’t resolved before I get everything else here running I’ll double back and bang on it.

Patrick · April 27, 2025, 10:25am

This one done. And that was not easy at all.

This might be incompatible with contributing.

Written just now;

Figuring that out would be part of the contribution. Some thing are easier to do than to explain.

Researching that, writing that down and clarifications would most likely take more time than implementing this.

LoftyGoals · April 27, 2025, 1:26pm

Noted. I suspect it’s going to take me a little bit to get a reliably running system on M1. I will focus on getting that done and then I will look at some small bugs.

I’ve read the entire policy. I’m sure you don’t need my feedback but I appreciate you writing it up; it provides a good sense of what this project needs from (and can provide to) contributors.

FWIW, I do not see anything like a “good first issue” tag as mentioned in Final Notes. I can dig around in the tracker on my own, though.

Patrick · April 29, 2025, 9:25am

Created Good First Issues just now.

Patrick · December 7, 2025, 9:46am

I have succeeded cross-building a Whonix VirtualBox ova image.

The build process succeeded without errors.
I haven’t attempted to actually import and boot the ova image on VirtualBox on a Mac M#. Booting it might actually fail. Needs testing.

Some hints for building:

Version 18 (and above) only.
Build host: Debian 13 / trixie or Kicksecure 18 on architecture Intel/AMD64.
- Building on ARM64 isn’t be possible at the time of writing.
  - At the time of writing, VirtualBox provides Linux (Debian) packages for AMD64 only. ARM64 VirtualBox Linux packages aren’t available at the time of writing.
    - Whonix on Mac M1 (ARM) - User Support (still unsupported at time of writing) - #438 by Patrick
- Building Whonix VirtualBox ARM64 on Debian / Kicksecure ARM64 will potentially become possible if running vboxmanage inside a chroot as discussed above.
Set target architecture to ARM64 usingderivative-maker command line option:
- ```
--arch arm64
```
Build as per Whonix VM Build Documentation
- Build documentation has been updated just now.
- Comes with examples for ARM64 VirtualBox.

Patrick · December 25, 2025, 4:47pm

2 posts were merged into an existing topic: Whonix on Mac M1 (ARM) - User Support (still unsupported at time of writing)

Basic · May 17, 2026, 10:09pm

I’m trying to build whonix gateway virtualbox for use on a mac m3. I’ve followed the directions and it seems to finish building without error. But there is not any ova files produced, or at least I cannot find them. I’m using a x64 host running virtualbox and created a Debian trixie x64 vm. Once it’s done building I see a folder called 18.1.4.2 and inside it is a single text file called Whonix-Gateway-LXQt-18.1.4.2.text. The full build command I used was

~/derivative-maker/derivative-maker --arch arm64 --flavor whonix-gateway-lxqt --target virt
ualbox --repo true --vmsize 25G

arraybolt3 · May 17, 2026, 10:16pm

You have to build both the gateway and the workstation to get an OVA file. Run the exact command you show above, but change --flavor whonix-gateway-lxqt to --flavor whonix-workstation-lxqt; this will build the Workstation, and will then package both the gateway and workstation together into the OVA file.

I don’t think there is currently a supported way to build an OVA with just the gateway, although you could probably use the raw disk image generated during the Whonix-Gateway build all by itself with some effort.

Basic · May 18, 2026, 12:11am

Thanks. I will try to build both.

Basic · May 18, 2026, 4:19pm

After building both, the build script do indeed build a unified ova file. However, when I copy it to my mac and import it. The VM’s fail to start saying:

Cannot run the machine because its platform architecture x86 is not supported on ARM.

Result Code:
VBOX_E_PLATFORM_ARCH_NOT_SUPPORTED (0x80bb0012)
Component:
MachineWrap

This is pretty much the exact steps I followed:

git clone --depth=1 --branch 18.1.4.2-developers-only --jobs=4 --recurse-submodules --shallow-sub
modules GitHub - Whonix/derivative-maker: https://www.whonix.org/wiki/Imprint · GitHub
cd derivative-makerr
git checkout --recurse-submodules 18.1.4.2-developers-only
./derivative-maker --arch arm64 --flavor whonix-gateway-lxqt --target virtualbox --repo true
./derivative-maker --arch arm64 --flavor whonix-workstation-lxqt --target virtualbox --repo true

arraybolt3 · May 18, 2026, 9:56pm

Um… ok well that’s weird. I wonder if the built image has some architecture indicator inside that makes it claim to be x86_64, when in reality it’s arm64? OVA files are just renamed tarballs, and IIRC there should be a manifest in there with some metadata about the VM images. Can you look at that and see?

Basic · May 18, 2026, 11:03pm

I’ve since discovered that about ova files. It did contain some stuff about x64(like OsType) and even after changing it to arm64 it still doesn’t boot. I’ve exhausted my know how on this type of stuff and I guess Whonix is just not ready for me to use.

arraybolt3 · May 19, 2026, 3:42am

The Apple Silicon support isn’t well-maintained at the moment, it is worked on but isn’t perfect. You might have better luck building qcow2 images to use with UTM.

Basic · May 23, 2026, 4:25am

I’ve got utm to build and imported it into utm. When it boots I get an error:

QEMU error: drive0, #block577: Invalid argument

This error also sometimes pops up randomly.