Difference between revisions of "Whonix"

From RCS Wiki
(→‎Known Issues: systemcheck is fixed)
 
(20 intermediate revisions by the same user not shown)
Line 1: Line 1:
[http://dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/ Whonix] ([https://www.whonix.org/ clearnet link]) can be installed on the Talos using KVM.  These instructions were tested with Whonix 15.
+
[http://dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/ Whonix] ([https://www.whonix.org/ clearnet link]) can be installed on POWER using KVM.  These instructions were tested with Whonix 17.
 
 
== Both Whonix-Gateway and Whonix-Workstation ==
 
  
 
Download Whonix from the [http://dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/wiki/KVM#Download_Whonix_.E2.84.A2 Whonix KVM download page] ([https://www.whonix.org/wiki/KVM#Download_Whonix_.E2.84.A2 clearnet link]).
 
Download Whonix from the [http://dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/wiki/KVM#Download_Whonix_.E2.84.A2 Whonix KVM download page] ([https://www.whonix.org/wiki/KVM#Download_Whonix_.E2.84.A2 clearnet link]).
Line 11: Line 9:
 
Install the Whonix virtual networks:
 
Install the Whonix virtual networks:
  
  virsh -c qemu:///system net-define Whonix_external*.xml
+
  sudo virsh -c qemu:///system net-define Whonix_external*.xml
  virsh -c qemu:///system net-define Whonix_internal*.xml
+
  sudo virsh -c qemu:///system net-define Whonix_internal*.xml
  virsh -c qemu:///system net-autostart external
+
  sudo virsh -c qemu:///system net-autostart Whonix-External
  virsh -c qemu:///system net-start external
+
  sudo virsh -c qemu:///system net-start Whonix-External
  virsh -c qemu:///system net-autostart internal
+
  sudo virsh -c qemu:///system net-autostart Whonix-Internal
  virsh -c qemu:///system net-start internal
+
  sudo virsh -c qemu:///system net-start Whonix-Internal
  
Then, create two Debian Buster ppc64el VM's.  When installing Debian, do not create a separate root password, name the user <code>user</code>, and for desktop environment either pick XFCE or do not install one.  Launch a shell in each VM, and follow the below instructions for each VM.
+
Then, create two Debian Bookworm ppc64el VM's.  Set the Video Model in each VM to Virtio ([https://github.com/Whonix/whonix-libvirt/blob/master/usr/share/whonix-libvirt/xml/Whonix-Gateway.xml source 1]) ([https://github.com/Whonix/whonix-libvirt/blob/master/usr/share/whonix-libvirt/xml/Whonix-Workstation.xml source 2]).  When installing Debian, do not create a separate root password, name the user <code>user</code>, and for desktop environment either pick XFCE or do not install one.  Launch a shell in each VM, and follow the below instructions for each VM.
  
Import the Whonix signing key ([https://github.com/Whonix/whonix-developer-meta-files/blob/master/README_generic.md#how-to-install-package-name-using-apt-get source]):
+
Import the Whonix/Kicksecure signing key ([http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/wiki/Kicksecure/Debian#Add_the_Whonix_.E2.84.A2_Signing_Key source]) ([https://www.whonix.org/wiki/Kicksecure/Debian#Add_the_Whonix_.E2.84.A2_Signing_Key clearnet]):
  
  <nowiki>wget https://www.whonix.org/patrick.asc</nowiki>
+
sudo apt-get update
  sudo apt-key --keyring /etc/apt/trusted.gpg.d/derivative.gpg add ~/patrick.asc
+
sudo apt-get dist-upgrade
 +
sudo apt-get install --no-install-recommends curl gpg gpg-agent
 +
  <nowiki>curl  --tlsv1.3 --output ~/derivative.asc --url https://www.kicksecure.com/keys/derivative.asc</nowiki>
 +
  sudo cp ~/derivative.asc /usr/share/keyrings/derivative.asc
  
Initialize the <code>console</code> group ([https://www.whonix.org/wiki/Security-misc#install source]):
+
Initialize the <code>console</code> group ([http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/wiki/Kicksecure/Debian#Prerequisites source]) ([https://www.whonix.org/wiki/Kicksecure/Debian#Prerequisites clearnet]):
  
 
  sudo addgroup --system console
 
  sudo addgroup --system console
 
  sudo adduser user console
 
  sudo adduser user console
  
== Whonix-Gateway ==
+
Add the Kicksecure package repository ([http://www.w5j6stm77zs6652pgsij4awcjeel3eco7kvipheu6mtr623eyyehj4yd.onion/wiki/Debian#Add_the_Kicksecure_%E2%84%A2_Repository source]) ([https://www.kicksecure.com/wiki/Debian#Add_the_Kicksecure_%E2%84%A2_Repository clearnet]):
 
 
Install Tor:
 
  
  <nowiki>echo "deb https://deb.debian.org/debian buster-backports main" | sudo tee /etc/apt/sources.list.d/backports.list</nowiki>
+
sudo apt-get install apt-transport-tor
 +
  <nowiki>echo "deb [signed-by=/usr/share/keyrings/derivative.asc] tor+http://deb.w5j6stm77zs6652pgsij4awcjeel3eco7kvipheu6mtr623eyyehj4yd.onion bookworm main" | sudo tee /etc/apt/sources.list.d/derivative.list</nowiki>
 
  sudo apt-get update
 
  sudo apt-get update
sudo apt-get -t buster-backports install tor
 
  
Add the Whonix package repository ([https://github.com/Whonix/whonix-developer-meta-files/blob/master/README_generic.md#how-to-install-package-name-using-apt-get source]):
+
Add the Whonix package repository ([http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/wiki/Kicksecure/Debian#Add_the_Whonix_.E2.84.A2_Repository source]) ([https://www.whonix.org/wiki/Kicksecure/Debian#Add_the_Whonix_.E2.84.A2_Repository clearnet]):
  
  <nowiki>echo "deb https://deb.whonix.org buster main" | sudo tee /etc/apt/sources.list.d/derivative.list</nowiki>
+
  <nowiki>echo "deb [signed-by=/usr/share/keyrings/derivative.asc] tor+http://deb.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion bookworm main" | sudo tee /etc/apt/sources.list.d/whonix.list</nowiki>
 
  sudo apt-get update
 
  sudo apt-get update
  
Note: As of 2021 May 24, there is an <code>sdwdate</code> bug in the Whonix <code>buster</code> suite, which breaks ppc64el support. This was fixed by <code>sdwdate</code> version <code>3:14.9-1</code>.  Until the fix makes its way to the <code>buster</code> suite, you can get the fix early by substituting <code>buster-testers</code> for <code>buster</code> in the <code>derivative.list</code> line above.
+
If you're using Trixie (Bookworm is unaffected), run the following to work around a bug in the <code>xserver-xorg-video-qxl</code> package that breaks Whonix ([https://tracker.debian.org/pkg/xserver-xorg-video-qxl source]):
  
Then, run one of the following, depending on whether you want the Whonix-Gateway to use XFCE or CLI-only:
+
echo "deb [check-valid-until=no] https://snapshot.debian.org/archive/debian/20230801/ trixie main" | sudo tee /etc/apt/sources.list.d/qxl.list
 +
sudo apt-get update
  
sudo apt-get install non-qubes-whonix-gateway-xfce
+
Then, run one of the following, depending on whether you want Whonix to use XFCE or CLI-only, and whether you are installing Whonix-Gateway or Whonix-Workstation:
  
  sudo apt-get install non-qubes-whonix-gateway-cli
+
  sudo apt-get install --no-install-recommends non-qubes-whonix-gateway-xfce
  
If you get prompted with questions during package installation, you can choose the defaults.
+
sudo apt-get install --no-install-recommends non-qubes-whonix-workstation-xfce
  
The Whonix packages will install their own <code>sources.list</code> data in <code>/etc/apt/sources.list.d/debian.list</code>, which means you should delete the <code>sources.list</code> that Debian came with (in order to avoid warnings from <code>apt-get</code> about duplicated repos):
+
sudo apt-get install --no-install-recommends non-qubes-whonix-gateway-cli
 
 
sudo rm /etc/apt/sources.list
 
  
Shut off the VM.
+
sudo apt-get install --no-install-recommends non-qubes-whonix-workstation-cli
  
Set the VM's NIC to use the <code>external</code> Network source.
+
If you get a package conflict error that mentions <code>console-common</code>, run the following and then try again:
  
Add a 2nd NIC to the VM, and set it to use the <code>internal</code> Network source.
+
sudo apt-get install --no-install-recommends console-common
  
Launch the VM again; Whonix-Gateway should be running.
+
If you get prompted about choosing the default display manager during package installation, choose <code>gdm3</code> ([http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/wiki/Stable_Release#Whonix_™_16.0.2.7 source]) ([https://www.whonix.org/wiki/Stable_Release#Whonix_™_16.0.2.7 clearnet]).
  
If you get errors about the Tor service failing to start, this is probably an AppArmor issue.  You can fix it by running <code>sudo touch /etc/apparmor.d/local/system_tor.anondist</code>.  Restart the VM again and Tor should work.
+
If you get prompted with other questions during package installation, you can choose the defaults.
  
== Whonix-Workstation ==
+
The Whonix packages will install their own <code>sources.list</code> data in <code>/etc/apt/sources.list.d/debian.list</code>.  If you're using Bookworm, that means you should clear the <code>sources.list</code> that Debian came with (in order to avoid warnings from <code>apt-get</code> about duplicated repos):
  
Add the Whonix package repository ([https://github.com/Whonix/whonix-developer-meta-files/blob/master/README_generic.md#how-to-install-package-name-using-apt-get source]):
+
sudo rm /etc/apt/sources.list
 +
sudo touch /etc/apt/sources.list
 +
sudo rm /etc/apt/sources.list.d/backports.list
  
<nowiki>echo "deb https://deb.whonix.org buster main" | sudo tee /etc/apt/sources.list.d/derivative.list</nowiki>
+
On Trixie or higher, the Whonix <code>sources.list</code> is nonfunctional, so you should clear it instead:
sudo apt-get update
 
  
Note: As of 2021 May 24, there is an <code>sdwdate</code> bug in the Whonix <code>buster</code> suite, which breaks ppc64el support. This was fixed by <code>sdwdate</code> version <code>3:14.9-1</code>Until the fix makes its way to the <code>buster</code> suite, you can get the fix early by substituting <code>buster-testers</code> for <code>buster</code> in the <code>derivative.list</code> line above.
+
sudo rm /etc/apt/sources.list.d/debian.list
 +
  sudo touch /etc/apt/sources.list.d/debian.list
  
Then, run one of the following, depending on whether you want the Whonix-Workstation to use XFCE or CLI-only:
+
Run the following to work around a bug that breaks subsequent package updates ([http://forums.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/t/dist-base-files-postinst-aborted-on-ppc64el/13381/2 source]) ([https://forums.whonix.org/t/dist-base-files-postinst-aborted-on-ppc64el/13381/2 clearnet]):
  
  sudo apt-get install non-qubes-whonix-workstation-xfce
+
  sudo mkdir -p /etc/dist-base-files.d/
 +
echo "set +e" | sudo tee /etc/dist-base-files.d/50_user.conf
  
sudo apt-get install non-qubes-whonix-workstation-cli
+
Shut off the VM.
  
If you get prompted with questions during package installation, you can choose the defaults.
+
If you're installing Whonix-Gateway, set the VM's NIC to use the <code>Whonix-External</code> Network source.  Then add a 2nd NIC to the VM, and set it to use the <code>Whonix-Internal</code> Network source.
  
The Whonix packages will install their own <code>sources.list</code> data in <code>/etc/apt/sources.list.d/debian.list</code>, which means you should delete the <code>sources.list</code> that Debian came with (in order to avoid warnings from <code>apt-get</code> about duplicated repos):
+
If you're installing Whonix-Workstation, set the VM's NIC to use the <code>Whonix-Internal</code> Network source.
  
sudo rm /etc/apt/sources.list
+
Launch the VM again; Whonix should be running.
  
Shut off the VM.
+
If you get errors in Whonix-Gateway about the Tor service failing to start, this is probably an AppArmor issue. You can fix it by running the following:
  
Set the VM's NIC to use the <code>internal</code> Network source.
+
sudo touch /etc/apparmor.d/local/system_tor.anondist
  
Launch the VM again; Whonix-Workstation should be running.
+
Restart Whonix-Gateway again and Tor should work.
  
 
== Known Issues ==
 
== Known Issues ==
  
=== Checking for virtualization ===
+
See [[Kicksecure#Known_Issues|Kicksecure known issues]].
 
 
<code>whonixcheck</code> in both VM's reports this error:
 
 
 
<nowiki>[ERROR] [whonixcheck] Virtualizer Failed to check for virtualization: Permission denied unsupported by Whonix developers! Whonixcheck aborted! (qubes_detected: false)
 
 
 
Using Virtualizer Failed to check for virtualization: Permission denied together with Whonix is recommended against, because it is rarely tested. [1] [2] [3] It could be made possible, but would require more Whonix contributors.
 
It may already work, but is highly experimental.
 
 
 
 
 
 
 
This might endanger your anonymity. Do not proceed unless you know what you are doing.
 
 
 
If you wish to ignore this warning and to continue whonixcheck anyway, you can set
 
    WHONIXCHECK_NO_EXIT_ON_UNSUPPORTED_VIRTUALIZER="1"
 
in /etc/whonix.d/30_whonixcheck_default.conf.
 
 
 
Recommended action:
 
- Shut down.
 
- Read Whonix documentation [4].
 
- Use Whonix with a supported virtualizer or Physical Isolation [5].
 
 
 
Footnotes:
 
 
 
[1] https://www.whonix.org/wiki/LeakTests
 
[2] https://www.whonix.org/wiki/Test
 
[3] https://www.whonix.org/wiki/Protocol-Leak-Protection_and_Fingerprinting-Protection
 
[4] https://www.whonix.org/wiki/Documentation
 
[5] https://www.whonix.org/wiki/Physical_Isolation</nowiki>
 
 
 
It is not clear why this error shows up, or whether anything bad will happen if it's ignored.  The only mention of this error that I can find in upstream documentation is [http://forums.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/t/error-virtualizer-unsupported-by-whonix-developers/4471 this forum thread], which doesn't have any solution.
 
 
 
Some debug logs that might be helpful for fixing it:
 
  
<nowiki>user@host:~$ sudo journalctl | grep apparmor | grep DENIED | grep systemcheck
+
No Whonix-specific known issues.
May 24 04:26:57 host audit[710]: AVC apparmor="DENIED" operation="open" profile="/usr/lib/systemcheck/canary" name="/sys/firmware/devicetree/base/hypervisor/compatible" pid=710 comm="systemd-detect-" requested_mask="r" denied_mask="r" fsuid=123 ouid=0
 
May 24 04:25:20 host audit[1264]: AVC apparmor="DENIED" operation="open" profile="/usr/bin/systemcheck" name="/sys/firmware/devicetree/base/hypervisor/compatible" pid=1264 comm="systemd-detect-" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
 
May 24 04:25:20 host kernel: audit: type=1400 audit(1621830320.465:1537): apparmor="DENIED" operation="open" profile="/usr/bin/systemcheck" name="/sys/firmware/devicetree/base/hypervisor/compatible" pid=1264 comm="systemd-detect-" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
 
May 24 04:25:23 host audit[1886]: AVC apparmor="DENIED" operation="mkdir" profile="/usr/bin/systemcheck" name="/run/systemcheck/.cache/" pid=1886 comm="zenity" requested_mask="c" denied_mask="c" fsuid=119 ouid=119
 
May 24 04:25:24 host kernel: audit: type=1400 audit(1621830323.997:1538): apparmor="DENIED" operation="mkdir" profile="/usr/bin/systemcheck" name="/run/systemcheck/.cache/" pid=1886 comm="zenity" requested_mask="c" denied_mask="c" fsuid=119 ouid=119
 
user@host:~$ sudo systemd-detect-virt
 
kvm
 
</nowiki>
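Review bot: the `echo "set +e" | sudo tee /etc/dist-base-files.d/50_user.conf` workaround near the end of this hunk switches off abort-on-error for the dist-base-files postinst, so a failing command in that maintainer script no longer stops it and the failure can go unnoticed by apt; the text should say that the file is a temporary measure to be removed once the fix from the linked forum thread lands, and that the postinst output should be read for errors after each upgrade. Two more lines in the same region deserve a sentence each: `[check-valid-until=no]` on the snapshot.debian.org `qxl.list` entry disables Release-file expiry checking, which is acceptable only for a pinned snapshot and argues for removing `qxl.list` once the workaround has been applied, and the `curl --tlsv1.3 ... derivative.asc` step fetches the repository signing key over clearnet HTTPS without a fingerprint comparison, so the instructions should tell the reader to compare the key's fingerprint against the one the project publishes before the `cp` into `/usr/share/keyrings`.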
 

Latest revision as of 21:01, 7 August 2024

Whonix (clearnet link) can be installed on POWER using KVM. These instructions were tested with Whonix 17.

Download Whonix from the Whonix KVM download page (clearnet link).

Extract it:

tar -xvf Whonix*.libvirt.xz

Install the Whonix virtual networks:

sudo virsh -c qemu:///system net-define Whonix_external*.xml
sudo virsh -c qemu:///system net-define Whonix_internal*.xml
sudo virsh -c qemu:///system net-autostart Whonix-External
sudo virsh -c qemu:///system net-start Whonix-External
sudo virsh -c qemu:///system net-autostart Whonix-Internal
sudo virsh -c qemu:///system net-start Whonix-Internal

Then, create two Debian Bookworm ppc64el VMs. Set the Video Model in each VM to Virtio (source 1) (source 2). When installing Debian, do not create a separate root password, name the user "user", and for the desktop environment either pick XFCE or do not install one. Launch a shell in each VM, and follow the instructions below in each VM.

Import the Whonix/Kicksecure signing key (source) (clearnet):

sudo apt-get update
sudo apt-get dist-upgrade
sudo apt-get install --no-install-recommends curl gpg gpg-agent
curl --tlsv1.3 --output ~/derivative.asc --url https://www.kicksecure.com/keys/derivative.asc
sudo cp ~/derivative.asc /usr/share/keyrings/derivative.asc

Initialize the console group (source) (clearnet):

sudo addgroup --system console
sudo adduser user console

Add the Kicksecure package repository (source) (clearnet):

sudo apt-get install apt-transport-tor
echo "deb [signed-by=/usr/share/keyrings/derivative.asc] tor+http://deb.w5j6stm77zs6652pgsij4awcjeel3eco7kvipheu6mtr623eyyehj4yd.onion bookworm main" | sudo tee /etc/apt/sources.list.d/derivative.list
sudo apt-get update

Add the Whonix package repository (source) (clearnet):

echo "deb [signed-by=/usr/share/keyrings/derivative.asc] tor+http://deb.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion bookworm main" | sudo tee /etc/apt/sources.list.d/whonix.list
sudo apt-get update

If you're using Trixie (Bookworm is unaffected), run the following to work around a bug in the xserver-xorg-video-qxl package that breaks Whonix (source):

echo "deb [check-valid-until=no] https://snapshot.debian.org/archive/debian/20230801/ trixie main" | sudo tee /etc/apt/sources.list.d/qxl.list
sudo apt-get update

Then, run one of the following, depending on whether you want Whonix to use XFCE or CLI-only, and whether you are installing Whonix-Gateway or Whonix-Workstation:

sudo apt-get install --no-install-recommends non-qubes-whonix-gateway-xfce
sudo apt-get install --no-install-recommends non-qubes-whonix-workstation-xfce
sudo apt-get install --no-install-recommends non-qubes-whonix-gateway-cli
sudo apt-get install --no-install-recommends non-qubes-whonix-workstation-cli

If you get a package conflict error that mentions console-common, run the following and then try again:

sudo apt-get install --no-install-recommends console-common

If you get prompted about choosing the default display manager during package installation, choose gdm3 (source) (clearnet).

If you get prompted with other questions during package installation, you can choose the defaults.

The Whonix packages will install their own sources.list data in /etc/apt/sources.list.d/debian.list. If you're using Bookworm, that means you should clear the sources.list that Debian came with (in order to avoid warnings from apt-get about duplicated repos):

sudo rm /etc/apt/sources.list
sudo touch /etc/apt/sources.list
sudo rm /etc/apt/sources.list.d/backports.list

On Trixie or higher, the Whonix sources.list is nonfunctional, so you should clear it instead:

sudo rm /etc/apt/sources.list.d/debian.list
sudo touch /etc/apt/sources.list.d/debian.list

Run the following to work around a bug that breaks subsequent package updates (source) (clearnet):

sudo mkdir -p /etc/dist-base-files.d/
echo "set +e" | sudo tee /etc/dist-base-files.d/50_user.conf

Shut off the VM.

If you're installing Whonix-Gateway, set the VM's NIC to use the Whonix-External Network source. Then add a 2nd NIC to the VM, and set it to use the Whonix-Internal Network source.

If you're installing Whonix-Workstation, set the VM's NIC to use the Whonix-Internal Network source.

Launch the VM again; Whonix should be running.

If you get errors in Whonix-Gateway about the Tor service failing to start, this is probably an AppArmor issue. You can fix it by running the following:

sudo touch /etc/apparmor.d/local/system_tor.anondist

Restart Whonix-Gateway again and Tor should work.
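As an added check (not from the RCS wiki page or the Whonix project), the POSIX shell script below audits the apt source lines the procedure above writes: it flags entries that rely on apt's global trust store instead of a pinned keyring, .onion hosts not fetched through apt-transport-tor, and entries with Release-file expiry checking disabled. The sample sources and the placeholder .onion host are constructed.

```shell
#!/bin/sh
# Added example, not from the RCS wiki page or the Whonix project: audit the
# apt source lines written by the Whonix-on-POWER procedure. Warnings go to
# stderr; the warning count goes to stdout so it can be checked by a script.

# Report weaknesses in one "deb ..." line; print the number of warnings.
check_apt_source_line() {
    line=$1
    warnings=0
    case "$line" in
        deb*) ;;
        *) echo 0; return 0 ;;     # blank lines and comments are not entries
    esac
    # 1. Without [signed-by=...] the entry trusts every key in apt's global
    #    trust store, instead of being pinned to one keyring file.
    case "$line" in
        *"signed-by="*) ;;
        *) echo "WARN relies on global apt trust store (no signed-by): $line" >&2
           warnings=$((warnings + 1)) ;;
    esac
    # 2. An .onion repository is reachable only through apt-transport-tor,
    #    so its URL must use the tor+http:// or tor+https:// scheme.
    case "$line" in
        *".onion"*)
            case "$line" in
                *"tor+http"*) ;;
                *) echo "WARN .onion repository without tor+ transport: $line" >&2
                   warnings=$((warnings + 1)) ;;
            esac ;;
    esac
    # 3. [check-valid-until=no] disables Release-file expiry checking, so a
    #    stale index is accepted forever; the Trixie qxl workaround needs it
    #    for a pinned snapshot, but the entry should not outlive that step.
    case "$line" in
        *"check-valid-until=no"*)
            echo "WARN Release expiry check disabled: $line" >&2
            warnings=$((warnings + 1)) ;;
    esac
    echo "$warnings"
}

# Sum the warnings for every line of a sources file read from stdin.
audit_sources() {
    total=0
    while IFS= read -r entry || [ -n "$entry" ]; do
        n=$(check_apt_source_line "$entry")
        total=$((total + n))
    done
    echo "$total"
}

# Constructed sample: the three entries this page's procedure creates, plus a
# hypothetical weak entry (placeholder .onion host, plain http, no keyring).
SAMPLE_SOURCES='deb [signed-by=/usr/share/keyrings/derivative.asc] tor+http://deb.w5j6stm77zs6652pgsij4awcjeel3eco7kvipheu6mtr623eyyehj4yd.onion bookworm main
deb [signed-by=/usr/share/keyrings/derivative.asc] tor+http://deb.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion bookworm main
deb [check-valid-until=no] https://snapshot.debian.org/archive/debian/20230801/ trixie main
deb http://placeholder-example-host.onion bookworm main'

printf '%s\n' "$SAMPLE_SOURCES" | audit_sources    # prints 4
```

Run it against the real files with `cat /etc/apt/sources.list.d/*.list | audit_sources` after the install to confirm that only the deliberate snapshot entry is flagged.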

Known Issues

See Kicksecure known issues.

No Whonix-specific known issues.