Whonix on Mac M1 (ARM) - User Support (still unsupported at time of writing)

Ooo they can call it Xinohw, Whonix backwards and upload to Google Drive haha but I’m sure there would be more steps, understandable policy though. I guess I can always revert back to Windows for now until an easier solution comes.

For those of us just starting to get Whonix working with UTM can we expand on this a little bit? I ran into the key-related installation failures for Tor Browser and had to get it manually from Sourceforge.

This leads me to a question I’m having trouble finding a clear answer for, as well: How do we verify we aren’t creating a Tor-over-Tor situation by manually installing this way?

In addition, it appears that we can’t get a “normal” Whonix configuration by manually installing, and might also break further isolation features if we prevent Tor-over-Tor with a configuration change.

If someone can help me clarify and sort this out that would be much appreciated. I know I’m not quite asking these questions clearly, am under the weather at the moment. Tor Browser does work, but it sounds like our manual method might cause other issues. I’d like to mitigate those if possible.

ETA: I did confirm just now that I do not see any circuits displayed for Tor Browser site tabs in Whonix even though I manually installed it (I haven’t changed any relevant config details, either). So I’m not sure what state it is presently in. I think going into a little more detail here would be helpful for myself and others who experiment with UTM + Whonix.

Hi! These links don’t work. Can you share new links please?

Or maybe anybody else can send latest gz files for UTM?

Can’t help with that, but here are a few things related to rolling your own:

It’s not too difficult to build. When installing Debian on UTM though if you run into issues with the installation process failing (I can’t quote the errors I was getting at the moment, only the solution, so YMMV if your errors are different), try just picking the GNOME choice for the Debian desktop when you use the installer. That got me and some others around an installation roadblock. Also make sure that you are giving 30+ GB to the installation. It might choke on less.

As for the Whonix instructions for Apple Silicon, I found it necessary to ignore this line at the bottom of the “1. Environment Setup” section, as it seems superfluous: “Double click the Bullseye utm file to import it.” There is no utm file to import at that point in the process.

Otherwise the process went surprisingly smoothly. Do also note that it might be necessary to understand better what’s going on with the Tor Browser installation because while a tool is provided for that within the workstation, it hasn’t worked for some of us and this could be related to how we did the build (didn’t change any configuration steps; I believe I had found a discussion of this on another forum thread, but can’t dig that up just now) and / or issues with signing key(s). But this can be worked around by getting Tor Browser by user holind from Tor Browser Ports on Sourceforge; go to the Files tab and find the 11.5.1 folder (current), then scroll until you find the arm64 builds. (Sorry, I can’t post links or I would have.)

As with my above separate question, I am not 100% sure of what the implications of this manual installation method are for Tor Browser. I can only report that it does seemingly work. So again, YMMV.

And, apologies for any potential errors above, as I am still learning.

Could you upload a video of how you built your own Whonix step by step?

Build instructions

Relevant information:

Note: For simplicity, these instructions are based on the current stable version (16.0.5.3). See the link about the stable release for any newer releases (if any).

Step 1: Download Debian arm64 image
Step 2: Load Debian image into UTM
Step 3: (Inside Debian image @ UTM) - run the following commands:

git clone --depth=1 --branch 16.0.5.3-stable --jobs=4 --recurse-submodules --shallow-submodules https://github.com/derivative-maker/derivative-maker.git
cd derivative-maker
git fetch
git verify-tag 16.0.5.3-stable
git verify-commit 16.0.5.3-stable^{commit}
git --no-pager tag
git checkout --recurse-submodules 16.0.5.3-stable
git describe
git status

(see this link for appropriate PGP verification of source)

sudo ./derivative-maker --target utm --flavor whonix-gateway-xfce --build --arch arm64 --tb open
sudo ./derivative-maker --target utm --flavor whonix-workstation-xfce --build --arch arm64 --tb open

Step 4:
Done, build of Whonix ™ has been completed. Move build files from ~/derivative_binary/16.0.5.3/ to local computer and load into UTM

Note: I just got a build error during first run of derivative-maker. The process continued with success after hitting (r) for retry. No idea why I had a road bump during compilation.

Edit: If you are experiencing issues with Tor browser, see previous post from Goldeneye128.

1 Like
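
As an added example (not part of the original post and not derivative-maker's own code), this tightens the `git verify-tag` step from the build instructions above: the tag is accepted only if GnuPG reports a good signature from one pinned primary-key fingerprint and the checked-out commit is the one the tag points at. The function names and fingerprints are assumptions made for the example; the real fingerprint comes from the project's signing-key documentation.

```shell
#!/bin/sh
# Added example, not derivative-maker code: accept a tag only when it was
# signed by one pinned key, rather than by any key in the local keyring.

# Placeholder: replace with the 40-hex primary-key fingerprint you trust.
EXPECTED_FPR="REPLACE_WITH_40_HEX_FINGERPRINT"

# Constructed sample of `git verify-tag --raw` output (GnuPG status lines).
# Both fingerprints are made up for this example.
SAMPLE_SUBKEY_FPR="89ABCDEF0123456789ABCDEF0123456789ABCDEF"
SAMPLE_PRIMARY_FPR="0123456789ABCDEF0123456789ABCDEF01234567"
SAMPLE_STATUS="[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Constructed Signer <signer@example.invalid>
[GNUPG:] VALIDSIG $SAMPLE_SUBKEY_FPR 2022-08-01 1659312000 0 4 0 1 10 00 $SAMPLE_PRIMARY_FPR
[GNUPG:] TRUST_UNDEFINED 0 pgp"

# Read GnuPG status lines on stdin. Succeed only if there is a GOODSIG, no
# bad/expired/revoked marker, and the VALIDSIG primary-key fingerprint
# (field 12, falling back to the signing-key fingerprint) equals $1.
status_signed_by() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 == "GOODSIG"  { good = 1 }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" { fpr = (NF >= 12) ? $12 : $3 }
        END { exit !(good && !bad && fpr != "" && toupper(fpr) == toupper(want)) }'
}

# $1 = repository directory, $2 = tag name, $3 = pinned fingerprint.
verify_tag_pinned() {
    # --raw sends the GnuPG status lines to stderr; capture only those.
    vtp_status=$(git -C "$1" verify-tag --raw "$2" 2>&1 >/dev/null) || return 1
    printf '%s\n' "$vtp_status" | status_signed_by "$3" || return 1
    # The working tree must be at the commit the signed tag points to.
    [ "$(git -C "$1" rev-parse HEAD)" = "$(git -C "$1" rev-parse "$2^{commit}")" ]
}

# Usage inside the build VM, after the clone shown in the post above:
#   verify_tag_pinned derivative-maker 16.0.5.3-stable "$EXPECTED_FPR" \
#       || { echo "tag not signed by the pinned key, not building" >&2; exit 1; }
```

Plain `git verify-tag` succeeds for any valid signature from a key in the keyring, so the pin is what ties the tag to one specific signer.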

Is the sudo apt upgrade process unnecessary?

So I have been trying to get the newest build, 16.0.6.8-developers-only, to build on Mac M1, but have gotten myself into some problems. I have followed the https://forums.whonix.org/t/derivative-maker-automated-ci-builder/14468 thread and made sudo passwordless by adding /etc/sudoers.d/passwordless as explained in the thread. But I got into some problems.

Building the gateway worked fine:
https://notes.anonpaste.org/?b65818cc9d69c9ed#9MzGBcqaLq9JaaxYMqvZbSDEpsz5gCQXvcssezPMxCb9

Used the command

$ ./derivative-maker --target utm --flavor whonix-gateway-xfce --build --arch arm64

But building the workstation did not go so well:
https://notes.anonpaste.org/?7707cae5cebe5bc1#EKSDDMZCQkKEDLtDv97FFyUrSV2aXtybCanRhghY9AKK

I tried both of these commands

$ ./derivative-maker --target utm --flavor whonix-workstation-xfce --build --arch arm64
$ ./derivative-maker --target utm --flavor whonix-workstation-xfce --build --arch arm64 --tb open

From what I can see from the log, it’s:

####################################################################
## BEGIN ERROR in /var/lib/dpkg/info/tb-updater.postinst detected!
##
## ERROR LOG:
## See above.
##
## BASH_COMMAND: $tool $chroot_maybe --postinst
## EXIT_CODE: 7
##
## END ERROR in /var/lib/dpkg/info/tb-updater.postinst detected!
## Please report this bug!
####################################################################

That is the reason why the build fails.
Hope these logs can help you find out about this.

1 Like

Hopefully there are some contributors out here. I’m a normal user with an M1, hoping to use Whonix with UTM.
However, while I build my image, I get 7~8 errors during the build by Debian. I just continue, since I can’t find what’s wrong.
After I finish it and initialize it in UTM, the VM skips initializing the boot files and goes on to the UEFI interactive shell (maybe it fails to read the file).
After the failure, I even built it as qcow2, because I thought raw is not supported by UTM (but this also seems not to be the reason).
This is my 10th attempt at building this, and it seems hopeless to retry.
Are there any other options for me to use Whonix…? Maybe a pre-made tar.gz file…?

I understand this is only for experts, but please give normal users a chance to use Whonix… I can’t buy another laptop because of Whonix…

Unfortunately, project resources are limited and there isn’t a contributor supporting this use case.

As already said in the script error handler, please do not report bugs as a result of ignoring errors. That’s very much to be expected to have all sorts of issues including being unbootable. If anything, each error has to be investigated on its own. There are no shortcuts.

Might be fixed in 16.0.6.9-testers-only.

So I have now built the 16.0.6.9-testers-only version and it was a success.
The commands used were:

$ ./derivative-maker --target utm --flavor whonix-gateway-xfce --build --arch arm64
$ ./derivative-maker --target utm --flavor whonix-workstation-xfce --build --arch arm64

And here is the build log:
https://notes.anonpaste.org/?03b29a924d87a3ad#3KpehejpAVY4gY6Ekf1HymxjzSB6avf6azcxKSRtx3Qy

It manages to build without the --tb open tag. I will now test the build and will make a guide or something on how to build this version if anyone is interested.

I requested it since I saw a Google Drive link that was sharing an image, but now the link is void.
I know it’s expected to fail when ignoring errors, but from a normal user’s standpoint, nothing can be done to handle these. As I said, I studied the whole VM build documentation, and searched every community post to sort this out for a week.
Should I retry it for a month to get this done?
I hope not.

Or any other options?

My Whonix Mac M1 Build Guide 26 August 2022 (Devs-only)

Today I successfully built the new 16.0.6.9-testers-only build. After following another thread:
https://forums.whonix.org/t/derivative-maker-automated-ci-builder/14468 I decided to try to build again. Things have changed a bit since the last time I made a guide, so this is an update to that. Remember that the build guide is the official guide for building Whonix on Mac. This is just a help guide for the current build process.

Step 1: Setting up Debian

I expect that you guys know how to download Debian and set it up via UTM. If you are unable to do that, I highly suggest you not try to build this project yet, as it’s quite advanced. But I will try to explain some common problems with a new Debian install and some stuff that needs to be done before building.

One of the most common problems with a new Debian install is that apt and sudo are not set up. There are quite a lot of guides online and on YouTube that explain how to set them up. But it’s important that they are in working condition. Also, it needs to be Debian 11 bullseye or newer for the project to build.

Quick sheet if anyone has problems getting apt or sudo to work:
Log in to Debian
$ su
$ cd /etc/apt/
$ nano sources.list
-----------------------------------------sources.list-----------------------------------------------------------------
deb http://deb.debian.org/debian bullseye main contrib non-free
deb-src http://deb.debian.org/debian bullseye main contrib non-free

deb http://deb.debian.org/debian-security/ bullseye-security main contrib non-free
deb-src http://deb.debian.org/debian-security/ bullseye-security main contrib non-free

deb http://deb.debian.org/debian bullseye-updates main contrib non-free
deb-src http://deb.debian.org/debian bullseye-updates main contrib non-free

deb http://deb.debian.org/debian bullseye-backports main contrib non-free
deb-src http://deb.debian.org/debian bullseye-backports main contrib non-free
------------------------------------------------------------------------------------------------------------------------
$ exit
$ exit
Restart Debian

Log in to Debian again
$ su
$ apt update
$ apt upgrade
$ apt install sudo
$ /usr/sbin/usermod -aG sudo user
$ exit
$ exit

Restart Debian

When your Debian VM is up and running on UTM, the first thing to do is to upgrade and update the repository so everything is up to date:

$ sudo apt update && sudo apt upgrade

After this your Debian VM should be up to date. Then we can download some necessary dependencies:

$ sudo apt install git time curl apt-cacher-ng lsb-release fakeroot fasttrack-archive-keyring

These are must-haves. You can also download nano, vim, emacs or neovim as your editor. I use neovim, but for the example and simplicity this guide uses nano, and to download that you just run:

$ sudo apt install nano

Now here is something new you need to do for the new build script.
The script needs you to have passwordless sudo, or else the script will fail to build.

How did you set up passwordless sudo?
The following should work:

$ sudo touch /etc/sudoers.d/passwordless
$ sudo nano /etc/sudoers.d/passwordless
--------------------------passwordless------------------------------
%sudo ALL=(ALL:ALL) NOPASSWD:ALL
--------------------------------------------------------------------
$ sudo adduser user sudo

(Required to replace user with actual user name.)

Optional - Shared folders

For transferring files from the VM to your Mac you could use Google Drive or something if your Debian is set up with internet and a desktop environment like GNOME or KDE. But you can also transfer files via the CLI. The way I used is by downloading:
$ sudo apt install spice-vdagent spice-webdavd davfs2

which gives you SPICE tools for UTM and davfs2 for shared folders (remember to check out shared folders in the UTM settings). Then use the commands:

$ sudo mkdir /mnt/dav
$ sudo mount -t davfs -o noexec http://127.0.0.1:9843/ /mnt/dav

Step 2: Build Whonix

After you have correctly set up your Debian VM, you are ready to download and build the project. To download the project, use the command:

$ git clone --depth=1 --branch 16.0.6.9-testers-only --jobs=4 --recurse-submodules --shallow-submodules https://github.com/derivative-maker/derivative-maker.git

in your home directory. Then navigate into the derivative-maker folder:

$ cd derivative-maker/
$ git describe
16.0.6.9-testers-only

When inside you are ready to build the gateway (NB: only do one build at a time):

$ ./derivative-maker --target utm --flavor whonix-gateway-xfce --build --arch arm64

This should be done without sudo privileges now, then build the workstation:

$ ./derivative-maker --target utm --flavor whonix-workstation-xfce --build --arch arm64

In version 16.0.6.9-testers-only there should be no need to use the tag --tb open unless the build fails. More on that in Step 4: If tb browser fail to build.

You will now find the built project under the $HOME/derivative-binary/16.0.6.9 folder.

Note: You should wait until a newer stable release comes out. Just replace everything mentioning 16.0.6.9-testers-only with the new tag.

Step 3: Setup Whonix

When the build is finished, move the tar files locally to your Mac, extract them and add the .utm for gateway and workstation to your UTM application. Then I go to settings on them both and add (fit to screen, retina mode, enable clipboard sharing) and enable virtio-ramfb-gl (GPU supported). For the workstation I also add a bit more RAM, to 6 GB, but that’s me. When I start both VMs I also adjust the mouse, keyboard and theme settings in Xfce.

On the gateway I use these commands in the terminal:

$ sudo passwd root
$ sudo passwd user
$ upgrade-nonroot
$ sudo apt install spice-vdagent spice-webdavd
$ sudo shutdown now

And start it up again. On the workstation I use these commands:

$ sudo passwd root
$ sudo passwd user
$ upgrade-nonroot
$ sudo apt install spice-vdagent spice-webdavd
$ sudo shutdown now

You can also add the shared folder function just like explained earlier. Remember to run your Gateway VM if you want to browse on the Workstation. Tor Browser and everything should be operational but if not then.

Step 4: If tb browser fail to build

ONLY DO THIS IF TB FAILS ON BUILD

To build the workstation if/when the tb-browser fails to build, use the command:

$ ./derivative-maker --target utm --flavor whonix-workstation-xfce --build --arch arm64 --tb open

This will build the project without downloading tb-browser right away. But then you need to download it manually.

To make it work follow this guide to manually set it up:

https://www.whonix.org/wiki/Tor_Browser/Manual_Download

But instead of the link provided there use the tor browser port from Heikki Lindholm at:

https://sourceforge.net/projects/tor-browser-ports/

This will enable Tor Browser to work on the workstation. Or, to simplify it, I have used these commands instead:

$ mkdir --parents /home/user/.tb
$ wget https://sourceforge.net/projects/tor-browser-ports/files/11.0.4-alsa/tor-browser-linux-arm64-11.5.1_en-US.tar.xz/download -P /home/user/.tb/

(might have to change the link portion on the wget command if there is a newer tb available)

Then verify the download and:

open filemanager → extract download in .tb file → change filename to tor-browser

Then you get the same result.

And that should be it. This is how I made Whonix work on the M1 architecture with the current build, as correctly as possible to this date. Hopefully this will help someone out there. I’m also available to answer some questions when it comes to building or setting up stuff on the M1 for Whonix now. Also, if there is anything wrong with this guide, please let me know.

3 Likes
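
The "verify the download" step in the guide above, as an added example that is not part of the original post: the Tor Browser tarball is extracted into `.tb/tor-browser` only after its SHA-256 matches a reference digest and its member paths stay inside one top-level directory. The function names and the `EXPECTED_SHA256` placeholder are assumptions; the reference digest has to come from a source trusted independently of the download itself.

```shell
#!/bin/sh
# Added example, not from the original post: verify first, extract second,
# rename last. A matching digest only proves the file equals the reference,
# so the reference must not come from the same place as the tarball.

# Placeholder: lowercase 64-hex SHA-256 obtained out of band.
EXPECTED_SHA256="REPLACE_WITH_64_HEX_DIGEST"

# Print the lowercase hex SHA-256 of file $1.
sha256_of() { sha256sum "$1" | awk '{ print $1 }'; }

# Print the single top-level directory of tar archive $1. Fail if the
# archive is unreadable, if any member path is absolute or contains "..",
# or if the members span more than one top-level entry.
tar_single_top() {
    tst_list=$(tar -tf "$1") || return 1
    printf '%s\n' "$tst_list" | awk -F/ '
        /^\// || /(^|\/)\.\.(\/|$)/ { bad = 1 }
        { sub(/^\.\//, ""); if ($1 != "") tops[$1] = 1 }
        END { for (t in tops) { n++; top = t }
              if (bad || n != 1) exit 1
              print top }'
}

# $1 = downloaded tarball, $2 = expected SHA-256, $3 = target dir (~/.tb).
install_verified_tb() {
    [ -f "$1" ] || return 1
    if [ "$(sha256_of "$1")" != "$2" ]; then
        echo "SHA-256 mismatch, not extracting: $1" >&2
        return 1
    fi
    ivt_top=$(tar_single_top "$1") || return 1
    # Never extract over an existing browser directory.
    if [ -e "$3/tor-browser" ]; then
        echo "$3/tor-browser already exists, not overwriting" >&2
        return 1
    fi
    mkdir -p "$3" || return 1
    tar -xf "$1" -C "$3" || return 1
    # The guide renames the extracted folder to "tor-browser".
    [ "$ivt_top" = "tor-browser" ] || mv "$3/$ivt_top" "$3/tor-browser"
}

# Usage inside the workstation, with TARBALL set to the downloaded file:
#   install_verified_tb "$TARBALL" "$EXPECTED_SHA256" /home/user/.tb
```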

It seems to be a normal user-friendly guide… I definitely appreciate your support.
I’ll try this in hours, and leave a comment whether it progresses successfully.

I was wondering if you watch videos or anything that actually uses the video card. If so, how long are the VMs open and do you minimize them for long hours at a time?

I ask because all the GPU options give me a random crash with something about Metal. It only seems to happen when I have minimized the VM, but not immediately. If you are using it similarly and have no problems, could we PM and compare notes?

I have not noticed any crashes. That being said, I do not use the VM for a very long time, so there could be problems with that. Why I use the GPU-supported display cards is that they run way better than anything else. If I use any of them without, the VM seems very slow.

Hi, I’ve tried to build as per @Goldeneye128 above in an updated Debian 11 Bullseye UTM VM, but keep on getting the following error on the initial Gateway build:

############################################################
ERROR in ././build-steps.d/1700_install-packages detected!

dist_build_version: 16.0.6.9
dist_build_error_counter: 1
benchmark: 00:00:23
last_failed_exit_code: 1
trap_signal_type_previous: unset
trap_signal_type_last    : ERR

process_backtrace_result:
1: : init
2: : sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups
3: : sshd: user [priv]
4: : sshd: user@pts/0
5: : -bash
6: : /bin/bash ./derivative-maker --target utm --flavor whonix-gateway-xfce --build --arch arm64
7: : /bin/bash ././build-steps.d/1700_install-packages

function_trace_result:
main (line number: 495)
main (line number: 491)
install-packages (line number: 205)
errorhandlerunchrootunpreventunmount (line number: 392)
errorhandlerprocessshared (line number: 211)


last_failed_bash_command: "$dist_source_help_steps_folder/mount-raw"
############################################################

Any help in troubleshooting this?

The log excerpt is too short to get any idea what’s going wrong. → Pasting Logs for Support (Whonix is based on Kicksecure.)

In this case though, to save you some work, no log is required…

Mount issues:

    1. Reboot required.
    2. Might be fixed in a later git tag. Some upstream bugs in mount / kernel have been detected during CI development. A more robust use of mount working around these bugs has been implemented since. No newer testers or release available yet. You could monitor Whonix news when that happens. → Follow Whonix ™ Developments. Might happen within the next 2 weeks but please don’t quote me on that.

From what I can see, you are using the 16.0.6.9-testers-only tag, which is now kinda outdated. In my guide I did mention you need to renew the tag when a new one comes out. I did a build today just to check, using this git clone command:

$ git clone --depth=1 --branch 16.0.7.9-developers-only --jobs=4 --recurse-submodules --shallow-submodules https://github.com/derivative-maker/derivative-maker.git 

As of today the newest developers-only tag is: 16.0.7.9-developers-only. I usually follow on GitHub for what the newest tag to use is. I do recommend you use the newest stable or developers-only tag. Try the new one? Maybe that works better?

EDIT: I see Patrick has already responded now. So maybe I was wrong and you need to reboot for now as well. (I am tired from work and completely blind.)