Difference between revisions of "Kicksecure"
JeremyRand (talk | contribs) (sdwdate bugs are fixed) |
JeremyRand (talk | contribs) (Use bullseye-testers Kicksecure suite) |
||
Line 21: | Line 21: | ||
<nowiki>echo "deb [signed-by=/usr/share/keyrings/derivative.asc] tor+http://deb.w5j6stm77zs6652pgsij4awcjeel3eco7kvipheu6mtr623eyyehj4yd.onion bullseye main" | sudo tee /etc/apt/sources.list.d/derivative.list</nowiki> | <nowiki>echo "deb [signed-by=/usr/share/keyrings/derivative.asc] tor+http://deb.w5j6stm77zs6652pgsij4awcjeel3eco7kvipheu6mtr623eyyehj4yd.onion bullseye main" | sudo tee /etc/apt/sources.list.d/derivative.list</nowiki> | ||
sudo apt-get update | sudo apt-get update | ||
+ | |||
+ | Note: there is a bug in the <code>security-misc</code> package that breaks non-x86_64 architectures, which was fixed in version 28.4. As of 2023 May 13, 28.4 isn't yet available in the <code>bullseye</code> Kicksecure suite; you can work around the issue by using the <code>bullseye-testers</code> Kicksecure suite instead in the above command. | ||
+ | |||
+ | Note: there is a bug in the <code>sdwdate</code> package that breaks non-x86_64 architectures, which was fixed in version 21.7. As of 2023 May 13, 21.7 isn't yet available in the <code>bullseye</code> Kicksecure suite; you can work around the issue by using the <code>bullseye-testers</code> Kicksecure suite instead in the above command. | ||
Upgrade Linux to 5.14 or higher; a bug was fixed between Linux 5.10 and Linux 5.14 that broke ppc64le support in Kicksecure. If you're using Bullseye, this means using the Debian Bullseye-Backports suite ([http://jvgypgbnfyvfopg5msp6nwr2sl2fd6xmnguq35n7rfkw3yungjn2i4yd.onion/ source]) ([https://onion.debian.org/ clearnet]): | Upgrade Linux to 5.14 or higher; a bug was fixed between Linux 5.10 and Linux 5.14 that broke ppc64le support in Kicksecure. If you're using Bullseye, this means using the Debian Bullseye-Backports suite ([http://jvgypgbnfyvfopg5msp6nwr2sl2fd6xmnguq35n7rfkw3yungjn2i4yd.onion/ source]) ([https://onion.debian.org/ clearnet]): |
Revision as of 22:34, 13 May 2023
Kicksecure (clearnet link) can be installed on POWER. These instructions were tested with Kicksecure 16.
First, install Debian Bullseye, Bookworm, or Sid for ppc64el or ppc64. If installing in a VM, set the Video Model to Virtio and the Display Type to Spice (source). When installing Debian, do not create a separate root password, name the user user
, and for desktop environment either pick XFCE or do not install one. Launch a shell.
Import the Kicksecure signing key (source) (clearnet):
sudo apt-get update sudo apt-get dist-upgrade sudo apt-get install --no-install-recommends curl gpg gpg-agent curl --tlsv1.3 --output ~/derivative.asc --url https://www.kicksecure.com/keys/derivative.asc sudo cp ~/derivative.asc /usr/share/keyrings/derivative.asc
Initialize the console
group (source) (clearnet):
sudo addgroup --system console sudo adduser user console
Add the Whonix/Kicksecure package repository (source) (clearnet):
sudo apt-get install apt-transport-tor echo "deb [signed-by=/usr/share/keyrings/derivative.asc] tor+http://deb.w5j6stm77zs6652pgsij4awcjeel3eco7kvipheu6mtr623eyyehj4yd.onion bullseye main" | sudo tee /etc/apt/sources.list.d/derivative.list sudo apt-get update
Note: there is a bug in the security-misc
package that breaks non-x86_64 architectures, which was fixed in version 28.4. As of 2023 May 13, 28.4 isn't yet available in the bullseye
Kicksecure suite; you can work around the issue by using the bullseye-testers
Kicksecure suite instead in the above command.
Note: there is a bug in the sdwdate
package that breaks non-x86_64 architectures, which was fixed in version 21.7. As of 2023 May 13, 21.7 isn't yet available in the bullseye
Kicksecure suite; you can work around the issue by using the bullseye-testers
Kicksecure suite instead in the above command.
Upgrade Linux to 5.14 or higher; a bug was fixed between Linux 5.10 and Linux 5.14 that broke ppc64le support in Kicksecure. If you're using Bullseye, this means using the Debian Bullseye-Backports suite (source) (clearnet):
echo "deb tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian bullseye-backports main" | sudo tee /etc/apt/sources.list.d/backports.list sudo apt-get update sudo apt-get -t bullseye-backports install linux-image-powerpc64le
If you're using Bookworm or higher, you should already have a sufficiently new Linux version.
Then, run one of the following, depending on whether you want Kicksecure to use XFCE or CLI-only, and whether you are installing Kicksecure in a VM or on the host:
sudo apt-get install --no-install-recommends kicksecure-xfce-host
sudo apt-get install --no-install-recommends kicksecure-xfce-vm
sudo apt-get install --no-install-recommends kicksecure-cli-host
sudo apt-get install --no-install-recommends kicksecure-cli-vm
If you get a package conflict error that mentions console-common
, run the following and then try again:
sudo apt-get install --no-install-recommends console-common
If you get prompted about choosing the default display manager during package installation, choose gdm3
(source) (clearnet).
If you get prompted with other questions during package installation, you can choose the defaults.
The Kicksecure packages will install their own sources.list
data in /etc/apt/sources.list.d/debian.list
. If you're using Bullseye, that means you should clear the sources.list
that Debian came with (in order to avoid warnings from apt-get
about duplicated repos):
sudo rm /etc/apt/sources.list sudo touch /etc/apt/sources.list sudo rm /etc/apt/sources.list.d/backports.list
On Bookworm or higher, the Kicksecure sources.list
is nonfunctional, so you should clear it instead:
sudo rm /etc/apt/sources.list.d/debian.list sudo touch /etc/apt/sources.list.d/debian.list
Run the following to work around a bug that breaks subsequent package updates (source) (clearnet):
sudo mkdir -p /etc/dist-base-files.d/ echo "set +e" | sudo tee /etc/dist-base-files.d/50_user.conf
Run the following to work around a bug in the security-misc
package that breaks non-x86 architectures (source 1, grep for config ARCH_MMAP_RND_BITS_MAX
and config COMPAT
) (source 2) (source 3):
sudo sed -i 's/vm.mmap_rnd_bits=32/vm.mmap_rnd_bits=29/' /etc/sysctl.d/30_security-misc.conf
On ppc64el, also run the following:
sudo sed -i 's/vm.mmap_rnd_compat_bits=16//' /etc/sysctl.d/30_security-misc.conf
On ppc64, run the following:
sudo sed -i 's/vm.mmap_rnd_compat_bits=16/vm.mmap_rnd_compat_bits=13/' /etc/sysctl.d/30_security-misc.conf
Reboot the machine; Kicksecure installation is complete.
Known Issues
None.