My Whonix Mac M1 Build Guide 26 August 2022 (Devs-only)
Today I successfully built the new 16.0.6.9-testers-only build. After following another thread:
https://forums.whonix.org/t/derivative-maker-automated-ci-builder/14468 I decided to try building again. Things have changed a bit since I last made a guide, so this is an update to that one. Remember that the build guide is the official guide for building Whonix on Mac. This is just a help guide for the current build process.
Step 1: Setting up Debian
I expect that you know how to download Debian and set it up via UTM. If you are unable to do that, I highly suggest you do not try to build this project yet, as it is quite advanced. But I will try to explain some common problems with a new Debian install and some things that need to be done before building.
One of the most common problems with a new Debian install is that apt and sudo are not set up. There are quite a lot of guides online and on YouTube that explain how to set them up, but it is important that they are in working condition. Also, it needs to be Debian 11 bullseye or newer for the project to build.
Quick sheet if anyone has problems getting apt or sudo to work
Log in to Debian
$ su
$ cd /etc/apt/
$ nano sources.list
-----------------------------------------sources.list-----------------------------------------------------------------
deb http://deb.debian.org/debian bullseye main contrib non-free
deb-src http://deb.debian.org/debian bullseye main contrib non-free
deb http://deb.debian.org/debian-security/ bullseye-security main contrib non-free
deb-src http://deb.debian.org/debian-security/ bullseye-security main contrib non-free
deb http://deb.debian.org/debian bullseye-updates main contrib non-free
deb-src http://deb.debian.org/debian bullseye-updates main contrib non-free
deb http://deb.debian.org/debian bullseye-backports main contrib non-free
deb-src http://deb.debian.org/debian bullseye-backports main contrib non-free
------------------------------------------------------------------------------------------------------------------------
$ exit
$ exit
Restart Debian
Log in to Debian again
$ su
$ apt update
$ apt upgrade
$ apt install sudo
$ /usr/sbin/usermod -aG sudo user
$ exit
$ exit
Restart Debian
When your Debian VM is up and running in UTM, the first thing to do is update the package index and upgrade so everything is up to date:
$ sudo apt update && sudo apt upgrade
Your Debian VM should now be up to date. Next, install some necessary dependencies:
$ sudo apt install git time curl apt-cacher-ng lsb-release fakeroot fasttrack-archive-keyring
These are a must-have. You can also install nano, vim, emacs or neovim as your editor. I use neovim, but for simplicity this guide uses nano; to install it, run:
$ sudo apt install nano
Now here is something new that the new build script requires.
The script needs passwordless sudo, or else the build will fail.
How did you set up passwordless sudo?
The following should work:
$ sudo touch /etc/sudoers.d/passwordless
$ sudo nano /etc/sudoers.d/passwordless
--------------------------passwordless------------------------------
%sudo ALL=(ALL:ALL) NOPASSWD:ALL
--------------------------------------------------------------------
$ sudo adduser user sudo
(You need to replace user with the actual user name.)
Optional - Shared folders
For transferring files from the VM to your Mac you could use Google Drive or something similar if your Debian is set up with internet and a desktop environment like GNOME or KDE. But you can also transfer files via the CLI. The way I did it is by installing:
$ sudo apt install spice-vdagent spice-webdavd davfs2
which gives you the SPICE tools for UTM and davfs2 for shared folders (remember to check shared folders in the UTM settings). Then use the commands:
$ sudo mkdir /mnt/dav
$ sudo mount -t davfs -o noexec http://127.0.0.1:9843/ /mnt/dav
Step 2: Build Whonix
After you have correctly set up your Debian VM, you are ready to download and build the project. To download the project, use this command:
$ git clone --depth=1 --branch 16.0.6.9-testers-only --jobs=4 --recurse-submodules --shallow-submodules https://github.com/derivative-maker/derivative-maker.git
Run it in your home directory. Then change into the derivative-maker folder:
$ cd derivative-maker/
$ git describe
16.0.6.9-testers-only
Once inside, you are ready to build the gateway (NB: only do one build at a time):
$ ./derivative-maker --target utm --flavor whonix-gateway-xfce --build --arch arm64
This should now be done without sudo privileges. Then build the workstation:
$ ./derivative-maker --target utm --flavor whonix-workstation-xfce --build --arch arm64
In version 16.0.6.9-testers-only there should be no need to use the --tb open option unless the build fails. More on that in Step 4.
You will now find the built project under the $HOME/derivative-binary/16.0.6.9 folder.
Note: You should wait until a newer stable release comes out. Just replace everything mentioning 16.0.6.9-testers-only with the new tag.
Step 3: Setup Whonix
When the build is finished, move the tar files to your Mac, extract them and add the .utm for gateway and workstation to your UTM application. Then I go to the settings on them both and add (fit to screen, retina mode, enable clipboard sharing) and enable virtio-ramfb-gl (GPU supported). For the workstation I also increase the RAM a bit, to 6 GB, but that's me. When I start both VMs I also adjust the mouse, keyboard and theme settings in Xfce.
On the gateway I use these commands in the terminal:
$ sudo passwd root
$ sudo passwd user
$ upgrade-nonroot
$ sudo apt install spice-vdagent spice-webdavd
$ sudo shutdown now
And start it up again. On the workstation I use these commands:
$ sudo passwd root
$ sudo passwd user
$ upgrade-nonroot
$ sudo apt install spice-vdagent spice-webdavd
$ sudo shutdown now
You can also add the shared folder function as explained earlier. Remember to run your Gateway VM if you want to browse on the Workstation. Tor Browser and everything should be operational, but if not, continue with Step 4.
Step 4: If tb browser fails to build
ONLY DO THIS IF TB FAILS ON BUILD
To build the workstation if/when the tb-browser fails to build, use the command:
$ ./derivative-maker --target utm --flavor whonix-workstation-xfce --build --arch arm64 --tb open
This will build the project without downloading tb-browser right away. But then you need to download it manually.
To make it work, follow this guide to set it up manually:
https://www.whonix.org/wiki/Tor_Browser/Manual_Download
But instead of the link provided there, use the Tor Browser port from Heikki Lindholm at:
https://sourceforge.net/projects/tor-browser-ports/
This will enable Tor Browser to work on the workstation. Or, to simplify it, I have used these commands instead:
$ mkdir --parents /home/user/.tb
$ wget https://sourceforge.net/projects/tor-browser-ports/files/11.0.4-alsa/tor-browser-linux-arm64-11.5.1_en-US.tar.xz/download -P /home/user/.tb/
(you might have to change the link portion of the wget command if there is a newer tb available)
Then verify the download and:
open the file manager → extract the download in the .tb folder → change the name to tor-browser
Then you get the same result.
And that should be it. This is how I made Whonix work on the M1 architecture with the current build, as correctly as possible to this date. Hopefully this will help someone out there. I am also available to answer questions when it comes to building or setting things up on the M1 for Whonix. Also, if there is anything wrong with this guide, please let me know.
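Step 4 says to verify the download before extracting it into .tb and renaming it to tor-browser. The following is an added example (not part of the original guide or of the Whonix project) that only extracts when a SHA-256 check passes. The function names are hypothetical, and the expected digest is a placeholder that has to come from the port's publisher through a channel you trust.

```shell
#!/bin/sh
# Added example: check a downloaded archive against a known SHA-256 digest and
# only then unpack it to <tb_dir>/tor-browser. Function names are hypothetical.

# verify_sha256 FILE EXPECTED_HEX -> returns 0 only when the digest matches.
verify_sha256() {
    vs_file=$1
    vs_want=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$vs_file" ] || return 2
    # A SHA-256 digest is exactly 64 hex characters; reject anything else.
    case $vs_want in
        ''|*[!0-9a-f]*) return 2 ;;
    esac
    [ "${#vs_want}" -eq 64 ] || return 2
    vs_have=$(sha256sum -- "$vs_file" | cut -d ' ' -f 1)
    [ "$vs_have" = "$vs_want" ]
}

# install_tor_browser ARCHIVE EXPECTED_HEX TB_DIR
install_tor_browser() {
    it_archive=$1; it_digest=$2; it_dir=$3
    if ! verify_sha256 "$it_archive" "$it_digest"; then
        echo "digest check failed, not extracting: $it_archive" >&2
        return 1
    fi
    if [ -e "$it_dir/tor-browser" ]; then
        echo "refusing to overwrite $it_dir/tor-browser" >&2
        return 1
    fi
    mkdir -p -- "$it_dir" || return 1
    # Unpack into a staging directory so a failed extraction leaves no
    # half-populated tor-browser folder behind.
    it_stage=$(mktemp -d "$it_dir/.extract.XXXXXX") || return 1
    if ! tar -xf "$it_archive" -C "$it_stage"; then
        rm -rf -- "$it_stage"
        return 1
    fi
    # Expect exactly one top-level directory; rename it to tor-browser.
    it_top=$(ls -A "$it_stage")
    if [ "$(ls -A "$it_stage" | wc -l | tr -d ' ')" -ne 1 ] ||
       [ ! -d "$it_stage/$it_top" ]; then
        rm -rf -- "$it_stage"
        return 1
    fi
    mv -- "$it_stage/$it_top" "$it_dir/tor-browser" && rmdir -- "$it_stage"
}

# Usage with the paths from the guide (digest is a placeholder, not a real value):
#   install_tor_browser /home/user/.tb/<downloaded file> "<EXPECTED_SHA256>" /home/user/.tb
```

A mismatch leaves the .tb folder untouched, so the archive can be deleted and downloaded again without cleaning up a partial extraction.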