Difference between revisions of "Whonix"

From RCS Wiki
(Bump to Whonix 17 (WIP))
(→Known Issues: systemcheck is fixed)
 
(10 intermediate revisions by the same user not shown)
Line 23: Line 23:
 
  sudo apt-get dist-upgrade
 
  sudo apt-get dist-upgrade
 
  sudo apt-get install --no-install-recommends curl gpg gpg-agent
 
  sudo apt-get install --no-install-recommends curl gpg gpg-agent
  <nowiki>curl --tlsv1.3 --proto =https --max-time 180 --output ~/patrick.asc https://www.whonix.org/patrick.asc</nowiki>
+
  <nowiki>curl --tlsv1.3 --output ~/derivative.asc --url https://www.kicksecure.com/keys/derivative.asc</nowiki>
  sudo cp ~/patrick.asc /etc/apt/trusted.gpg.d/derivative.asc
+
  sudo cp ~/derivative.asc /usr/share/keyrings/derivative.asc
  
 
Initialize the <code>console</code> group ([http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/wiki/Kicksecure/Debian#Prerequisites source]) ([https://www.whonix.org/wiki/Kicksecure/Debian#Prerequisites clearnet]):
 
Initialize the <code>console</code> group ([http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/wiki/Kicksecure/Debian#Prerequisites source]) ([https://www.whonix.org/wiki/Kicksecure/Debian#Prerequisites clearnet]):
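Review bot: the replacement curl line in this hunk drops the `--proto =https` and `--max-time 180` options the old line had; `--proto =https` is what makes curl refuse any non-HTTPS scheme for the request, and `--max-time` keeps a stalled key download from hanging the procedure, so consider keeping both: `curl --tlsv1.3 --proto =https --max-time 180 --output ~/derivative.asc --url https://www.kicksecure.com/keys/derivative.asc`. Moving the key from /etc/apt/trusted.gpg.d to /usr/share/keyrings is the right direction: a key in trusted.gpg.d is trusted for every configured repository, while a keyring referenced through `signed-by=` is trusted only for the entries that name it.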
Line 31: Line 31:
 
  sudo adduser user console
 
  sudo adduser user console
  
Add the Whonix/Kicksecure package repository ([http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/wiki/Kicksecure/Debian#Add_the_Whonix_.E2.84.A2_Repository source]) ([https://www.whonix.org/wiki/Kicksecure/Debian#Add_the_Whonix_.E2.84.A2_Repository clearnet]):
+
Add the Kicksecure package repository ([http://www.w5j6stm77zs6652pgsij4awcjeel3eco7kvipheu6mtr623eyyehj4yd.onion/wiki/Debian#Add_the_Kicksecure_%E2%84%A2_Repository source]) ([https://www.kicksecure.com/wiki/Debian#Add_the_Kicksecure_%E2%84%A2_Repository clearnet]):
  
 
  sudo apt-get install apt-transport-tor
 
  sudo apt-get install apt-transport-tor
  <nowiki>echo "deb tor+http://deb.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion bookworm main" | sudo tee /etc/apt/sources.list.d/derivative.list</nowiki>
+
  <nowiki>echo "deb [signed-by=/usr/share/keyrings/derivative.asc] tor+http://deb.w5j6stm77zs6652pgsij4awcjeel3eco7kvipheu6mtr623eyyehj4yd.onion bookworm main" | sudo tee /etc/apt/sources.list.d/derivative.list</nowiki>
 
  sudo apt-get update
 
  sudo apt-get update
  
Upgrade Linux to 5.14 or higher; a bug was fixed between Linux 5.10 and Linux 5.14 that broke ppc64le support in Whonix.  If you're using Bullseye, this means using the Debian Bullseye-Backports suite ([http://jvgypgbnfyvfopg5msp6nwr2sl2fd6xmnguq35n7rfkw3yungjn2i4yd.onion/ source]) ([https://onion.debian.org/ clearnet]):
+
Add the Whonix package repository ([http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/wiki/Kicksecure/Debian#Add_the_Whonix_.E2.84.A2_Repository source]) ([https://www.whonix.org/wiki/Kicksecure/Debian#Add_the_Whonix_.E2.84.A2_Repository clearnet]):
  
  <nowiki>echo "deb tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian bullseye-backports main" | sudo tee /etc/apt/sources.list.d/backports.list</nowiki>
+
  <nowiki>echo "deb [signed-by=/usr/share/keyrings/derivative.asc] tor+http://deb.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion bookworm main" | sudo tee /etc/apt/sources.list.d/whonix.list</nowiki>
 
  sudo apt-get update
 
  sudo apt-get update
sudo apt-get -t bullseye-backports install linux-image-powerpc64le
 
  
If you're using Bookworm, you should already have a sufficiently new Linux version.
+
If you're using Trixie (Bookworm is unaffected), run the following to work around a bug in the <code>xserver-xorg-video-qxl</code> package that breaks Whonix ([https://tracker.debian.org/pkg/xserver-xorg-video-qxl source]):
  
If you're using Bookworm (Bullseye is unaffected), run the following to work around a bug in the <code>xserver-xorg-video-qxl</code> package that breaks Whonix ([https://tracker.debian.org/pkg/xserver-xorg-video-qxl source]):
+
  echo "deb [check-valid-until=no] https://snapshot.debian.org/archive/debian/20230801/ trixie main" | sudo tee /etc/apt/sources.list.d/qxl.list
 
 
  echo "deb [check-valid-until=no] https://snapshot.debian.org/archive/debian/20220311/ bookworm main" | sudo tee /etc/apt/sources.list.d/qxl.list
 
 
  sudo apt-get update
 
  sudo apt-get update
  
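Review bot: the Trixie snapshot entry added in this hunk, `echo "deb [check-valid-until=no] https://snapshot.debian.org/archive/debian/20230801/ trixie main" | sudo tee /etc/apt/sources.list.d/qxl.list`, switches off the Release-file expiry check, so apt will keep accepting the frozen 2023-08-01 index indefinitely, and because the suite is the full `trixie main` that index stays a candidate source for every package, not just the one this step is for. Suggest restricting it to `xserver-xorg-video-qxl` with an /etc/apt/preferences.d entry (`Package: xserver-xorg-video-qxl` with `Pin: origin snapshot.debian.org`) and telling readers to remove qxl.list once the Trixie package is fixed, so the rest of the system keeps updating from the live archive.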
Line 68: Line 65:
 
If you get prompted with other questions during package installation, you can choose the defaults.
 
If you get prompted with other questions during package installation, you can choose the defaults.
  
The Whonix packages will install their own <code>sources.list</code> data in <code>/etc/apt/sources.list.d/debian.list</code>.  If you're using Bullseye, that means you should clear the <code>sources.list</code> that Debian came with (in order to avoid warnings from <code>apt-get</code> about duplicated repos):
+
The Whonix packages will install their own <code>sources.list</code> data in <code>/etc/apt/sources.list.d/debian.list</code>.  If you're using Bookworm, that means you should clear the <code>sources.list</code> that Debian came with (in order to avoid warnings from <code>apt-get</code> about duplicated repos):
  
 
  sudo rm /etc/apt/sources.list
 
  sudo rm /etc/apt/sources.list
 +
sudo touch /etc/apt/sources.list
 
  sudo rm /etc/apt/sources.list.d/backports.list
 
  sudo rm /etc/apt/sources.list.d/backports.list
  
On Bookworm, the Whonix <code>sources.list</code> is nonfunctional, so you should clear it instead:
+
On Trixie or higher, the Whonix <code>sources.list</code> is nonfunctional, so you should clear it instead:
  
 
  sudo rm /etc/apt/sources.list.d/debian.list
 
  sudo rm /etc/apt/sources.list.d/debian.list
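Review bot: `sudo rm /etc/apt/sources.list.d/backports.list` survives in this hunk, but the Bullseye step that created backports.list (the `bullseye-backports ... | sudo tee /etc/apt/sources.list.d/backports.list` line) is removed from the revision, so on a fresh Bookworm install this rm fails on a file that was never written; drop the line or change it to `sudo rm -f`.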
Line 82: Line 80:
 
  sudo mkdir -p /etc/dist-base-files.d/
 
  sudo mkdir -p /etc/dist-base-files.d/
 
  echo "set +e" | sudo tee /etc/dist-base-files.d/50_user.conf
 
  echo "set +e" | sudo tee /etc/dist-base-files.d/50_user.conf
 
Run the following to work around a bug in the <code>security-misc</code> package that breaks non-x86 architectures ([https://github.com/torvalds/linux/blob/master/arch/powerpc/Kconfig source], grep for <code>config ARCH_MMAP_RND_BITS_MAX</code> and <code>config COMPAT</code>):
 
 
sudo sed -i 's/vm.mmap_rnd_bits=32/vm.mmap_rnd_bits=29/' /etc/sysctl.d/30_security-misc.conf
 
sudo sed -i 's/vm.mmap_rnd_compat_bits=16//' /etc/sysctl.d/30_security-misc.conf
 
 
If you're using Bookworm (Bullseye is unaffected), run the following to work around a seccomp bug in the <code>sdwdate</code> package that breaks PowerPC-based architectures ([https://github.com/Whonix/sdwdate/pull/37 source 1]) ([https://github.com/Whonix/sdwdate/pull/39 source 2]):
 
 
sudo sed -i 's/_newselect/_newselect newfstatat pselect6 vfork/' /lib/systemd/system/sdwdate.service.d/20_arch_syscall_whitelist.conf
 
 
If you're using Bookworm (Bullseye is unaffected), run the following to work around an AppArmor bug in the <code>sdwdate</code> package ([https://github.com/Whonix/sdwdate/pull/38 source]):
 
 
echo "  network inet stream," | sudo tee --append /etc/apparmor.d/abstractions/url_to_unixtime
 
  
 
Shut off the VM.
 
Shut off the VM.
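Review bot: this hunk removes three workarounds at once (the security-misc `vm.mmap_rnd_bits` / `vm.mmap_rnd_compat_bits` sysctl rewrite, the sdwdate seccomp whitelist edit, and the sdwdate AppArmor `network inet stream,` rule) without saying why, and the edit summaries only mention the Whonix 17 bump and systemcheck. A one-line note on where each fix landed (the sdwdate PRs #37, #38 and #39 were already linked from the removed text) would let a ppc64le reader who still sees an AppArmor DENIED or a sysctl failure tell a regression from a stale page.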
Line 114: Line 99:
 
See [[Kicksecure#Known_Issues|Kicksecure known issues]].
 
See [[Kicksecure#Known_Issues|Kicksecure known issues]].
  
On Bookworm, as of 2022 June 4, <code>systemcheck</code> fails with an AppArmor error: <code>Jun 04 14:59:26 host kernel: audit: type=1400 audit(1654354766.467:1227): apparmor="DENIED" operation="open" profile="/usr/bin/systemcheck" name="/usr/libexec/sudo/libsudo_util.so.0.0.0" pid=1705 comm="sudo" requested_mask="r" denied_mask="r" fsuid=0 ouid=0</code>.  Not sure whether this also happens on Kicksecure.
+
No Whonix-specific known issues.
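Review bot: the removed known issue was a concrete, reproducible symptom (an AppArmor `DENIED` for profile /usr/bin/systemcheck opening /usr/libexec/sudo/libsudo_util.so.0.0.0), and the replacement only says there are none; consider keeping a short "fixed as of Whonix 17" pointer so readers on older images know what to expect, and that the same `audit: type=1400 ... apparmor="DENIED"` line in the journal is how to confirm the fix on their system.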

Latest revision as of 21:01, 7 August 2024

Whonix (clearnet link) can be installed on POWER using KVM. These instructions were tested with Whonix 17.

Download Whonix from the Whonix KVM download page (clearnet link).

Extract it:

tar -xvf Whonix*.libvirt.xz

Install the Whonix virtual networks:

sudo virsh -c qemu:///system net-define Whonix_external*.xml
sudo virsh -c qemu:///system net-define Whonix_internal*.xml
sudo virsh -c qemu:///system net-autostart Whonix-External
sudo virsh -c qemu:///system net-start Whonix-External
sudo virsh -c qemu:///system net-autostart Whonix-Internal
sudo virsh -c qemu:///system net-start Whonix-Internal

Then, create two Debian Bookworm ppc64el VMs. Set the Video Model in each VM to Virtio (source 1) (source 2). When installing Debian, do not create a separate root password, name the user "user", and for the desktop environment either pick XFCE or do not install one. Launch a shell in each VM and follow the instructions below in each VM.

Import the Whonix/Kicksecure signing key (source) (clearnet):

sudo apt-get update
sudo apt-get dist-upgrade
sudo apt-get install --no-install-recommends curl gpg gpg-agent
curl --tlsv1.3 --output ~/derivative.asc --url https://www.kicksecure.com/keys/derivative.asc
sudo cp ~/derivative.asc /usr/share/keyrings/derivative.asc

Initialize the console group (source) (clearnet):

sudo addgroup --system console
sudo adduser user console

Add the Kicksecure package repository (source) (clearnet):

sudo apt-get install apt-transport-tor
echo "deb [signed-by=/usr/share/keyrings/derivative.asc] tor+http://deb.w5j6stm77zs6652pgsij4awcjeel3eco7kvipheu6mtr623eyyehj4yd.onion bookworm main" | sudo tee /etc/apt/sources.list.d/derivative.list
sudo apt-get update

Add the Whonix package repository (source) (clearnet):

echo "deb [signed-by=/usr/share/keyrings/derivative.asc] tor+http://deb.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion bookworm main" | sudo tee /etc/apt/sources.list.d/whonix.list
sudo apt-get update

If you're using Trixie (Bookworm is unaffected), run the following to work around a bug in the xserver-xorg-video-qxl package that breaks Whonix (source):

echo "deb [check-valid-until=no] https://snapshot.debian.org/archive/debian/20230801/ trixie main" | sudo tee /etc/apt/sources.list.d/qxl.list
sudo apt-get update
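As an added example (not from the RCS wiki page or the Whonix project), the following POSIX shell script audits one-line apt source entries like the derivative.list, whonix.list and qxl.list lines above. It flags entries with no signed-by= option (such an entry is accepted on the strength of any key in /etc/apt/trusted.gpg.d, which is why the key above is copied to /usr/share/keyrings and referenced per entry) and entries carrying check-valid-until=no (which stops apt from rejecting an expired Release file, so the 2023-08-01 snapshot index would be accepted indefinitely). The make_demo_dir function, its sample files and the keyring placeholder are constructed for the example; run the script with --demo to see it on those samples, or point audit_sources_file at a real file under /etc/apt/sources.list.d.

```sh
#!/bin/sh
# Added example, not part of the RCS wiki page: audit one-line-style apt
# source entries for two settings that decide how much a repository is trusted.
#   1. no signed-by=        -> entry is accepted by any key in trusted.gpg.d
#   2. check-valid-until=no -> apt stops rejecting expired Release files
# All sample paths and lines below are constructed for the example.

# audit_sources_file FILE
# Prints one finding per line; returns the number of findings (0 = clean).
audit_sources_file() {
    file="$1"
    findings=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            deb*) ;;          # only "deb ..." / "deb-src ..." entries
            *) continue ;;    # comments, blank lines, anything else
        esac
        # options live inside [...] between "deb" and the URI
        opts=""
        case "$line" in
            *\[*\]*) opts=$(printf '%s\n' "$line" | sed 's/^deb[^[]*\[\([^]]*\)].*/\1/') ;;
        esac
        case " $opts " in
            *" signed-by="*)
                keyring=$(printf '%s\n' "$opts" | tr ' ' '\n' | sed -n 's/^signed-by=//p')
                if [ ! -f "$keyring" ]; then
                    printf '%s: signed-by keyring does not exist: %s\n' "$file" "$keyring"
                    findings=$((findings + 1))
                fi ;;
            *)
                printf '%s: no signed-by= (trusted by every key in trusted.gpg.d): %s\n' "$file" "$line"
                findings=$((findings + 1)) ;;
        esac
        case " $opts " in
            *" check-valid-until=no "*)
                printf '%s: check-valid-until=no accepts expired Release files: %s\n' "$file" "$line"
                findings=$((findings + 1)) ;;
        esac
    done < "$file"
    return "$findings"
}

# make_demo_dir: write constructed sample files into a temp dir and print its path.
make_demo_dir() {
    d=$(mktemp -d)
    # stand-in for the keyring the steps above install at /usr/share/keyrings/derivative.asc
    printf '%s\n' '-----BEGIN PGP PUBLIC KEY BLOCK-----' \
        '(constructed placeholder, not a real key)' \
        '-----END PGP PUBLIC KEY BLOCK-----' > "$d/derivative.asc"
    # shaped like the whonix.list entry above: signed-by points at an existing keyring
    printf 'deb [signed-by=%s] tor+http://deb.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion bookworm main\n' \
        "$d/derivative.asc" > "$d/whonix.list"
    # shaped like the qxl.list entry above: no signed-by and the expiry check disabled
    printf 'deb [check-valid-until=no] https://snapshot.debian.org/archive/debian/20230801/ trixie main\n' > "$d/qxl.list"
    # an entry whose keyring is missing (e.g. the key download step was skipped)
    printf '# stale entry\ndeb [signed-by=%s] https://deb.example.invalid bookworm main\n' \
        "$d/missing.asc" > "$d/stale.list"
    printf '%s\n' "$d"
}

if [ "$#" -gt 0 ] && [ "$1" = "--demo" ]; then
    dir=$(make_demo_dir)
    total=0
    for f in "$dir"/*.list; do
        audit_sources_file "$f" || total=$((total + $?))
    done
    echo "total findings: $total"
    rm -rf "$dir"
fi
```

The exit status of audit_sources_file is the finding count, so it can be dropped into a pre-upgrade check (for example before sudo apt-get update) and treated as a failure when non-zero; the whonix.list sample comes back clean, the qxl.list sample produces two findings, and the stale entry one.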

Then, run one of the following, depending on whether you want Whonix to use XFCE or CLI-only, and whether you are installing Whonix-Gateway or Whonix-Workstation:

sudo apt-get install --no-install-recommends non-qubes-whonix-gateway-xfce
sudo apt-get install --no-install-recommends non-qubes-whonix-workstation-xfce
sudo apt-get install --no-install-recommends non-qubes-whonix-gateway-cli
sudo apt-get install --no-install-recommends non-qubes-whonix-workstation-cli

If you get a package conflict error that mentions console-common, run the following and then try again:

sudo apt-get install --no-install-recommends console-common

If you get prompted about choosing the default display manager during package installation, choose gdm3 (source) (clearnet).

If you get prompted with other questions during package installation, you can choose the defaults.

The Whonix packages will install their own sources.list data in /etc/apt/sources.list.d/debian.list. If you're using Bookworm, that means you should clear the sources.list that Debian came with (in order to avoid warnings from apt-get about duplicated repos):

sudo rm /etc/apt/sources.list
sudo touch /etc/apt/sources.list
sudo rm /etc/apt/sources.list.d/backports.list

On Trixie or higher, the Whonix sources.list is nonfunctional, so you should clear it instead:

sudo rm /etc/apt/sources.list.d/debian.list
sudo touch /etc/apt/sources.list.d/debian.list

Run the following to work around a bug that breaks subsequent package updates (source) (clearnet):

sudo mkdir -p /etc/dist-base-files.d/
echo "set +e" | sudo tee /etc/dist-base-files.d/50_user.conf

Shut off the VM.

If you're installing Whonix-Gateway, set the VM's NIC to use the Whonix-External Network source. Then add a 2nd NIC to the VM, and set it to use the Whonix-Internal Network source.

If you're installing Whonix-Workstation, set the VM's NIC to use the Whonix-Internal Network source.

Launch the VM again; Whonix should be running.

If you get errors in Whonix-Gateway about the Tor service failing to start, this is probably an AppArmor issue. You can fix it by running the following:

sudo touch /etc/apparmor.d/local/system_tor.anondist

Restart Whonix-Gateway again and Tor should work.

Known Issues

See Kicksecure known issues.

No Whonix-specific known issues.