Difference between revisions of "Whonix"

From RCS Wiki
(systemcheck is fixed in buster-developers)
Line 43: Line 43:
 
  sudo apt-get update
 
  sudo apt-get update
  
Note: As of 2021 May 24, there is an <code>sdwdate</code> bug in the Whonix <code>buster</code> suite, which breaks ppc64el support.  This was fixed by <code>sdwdate</code> version <code>3:14.9-1</code>.  Until the fix makes its way to the <code>buster</code> suite, you can get the fix early by substituting <code>buster-testers</code> for <code>buster</code> in the <code>derivative.list</code> line above.
+
Note: As of 2021 May 24, there are bugs in the <code>sdwdate</code> and <code>systemcheck</code> packages in the Whonix <code>buster</code> suite, which break ppc64el support.  These bugs were fixed by <code>sdwdate</code> version <code>3:14.9-1</code> and <code>systemcheck</code> version <code>3:21.1-1</code>.  Until the fixes make their way to the <code>buster</code> suite, you can get the fixes early by substituting <code>buster-developers</code> for <code>buster</code> in the <code>derivative.list</code> line above.
  
 
Then, run one of the following, depending on whether you want the Whonix-Gateway to use XFCE or CLI-only:
 
Then, run one of the following, depending on whether you want the Whonix-Gateway to use XFCE or CLI-only:
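Review bot: the revised note tells readers to substitute buster-developers for buster in derivative.list but never says to switch back once the fixes land, so a VM set up from this page will keep tracking the developers suite indefinitely; suggest adding a sentence such as "Once sdwdate 3:14.9-1 and systemcheck 3:21.1-1 reach buster, change derivative.list back to buster and run sudo apt-get update." (The same wording is repeated in the Whonix-Workstation note below and needs the same addition.)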
Line 74: Line 74:
 
  sudo apt-get update
 
  sudo apt-get update
  
Note: As of 2021 May 24, there is an <code>sdwdate</code> bug in the Whonix <code>buster</code> suite, which breaks ppc64el support.  This was fixed by <code>sdwdate</code> version <code>3:14.9-1</code>.  Until the fix makes its way to the <code>buster</code> suite, you can get the fix early by substituting <code>buster-testers</code> for <code>buster</code> in the <code>derivative.list</code> line above.
+
Note: As of 2021 May 24, there are bugs in the <code>sdwdate</code> and <code>systemcheck</code> packages in the Whonix <code>buster</code> suite, which break ppc64el support.  These bugs were fixed by <code>sdwdate</code> version <code>3:14.9-1</code> and <code>systemcheck</code> version <code>3:21.1-1</code>.  Until the fixes make their way to the <code>buster</code> suite, you can get the fixes early by substituting <code>buster-developers</code> for <code>buster</code> in the <code>derivative.list</code> line above.
  
 
Then, run one of the following, depending on whether you want the Whonix-Workstation to use XFCE or CLI-only:
 
Then, run one of the following, depending on whether you want the Whonix-Workstation to use XFCE or CLI-only:
Line 96: Line 96:
 
== Known Issues ==
 
== Known Issues ==
  
=== Checking for virtualization ===
+
None.
 
 
<code>whonixcheck</code> in both VM's reports this error:
 
 
 
<nowiki>[ERROR] [whonixcheck] Virtualizer Failed to check for virtualization: Permission denied unsupported by Whonix developers! Whonixcheck aborted! (qubes_detected: false)
 
 
 
Using Virtualizer Failed to check for virtualization: Permission denied together with Whonix is recommended against, because it is rarely tested. [1] [2] [3] It could be made possible, but would require more Whonix contributors.
 
It may already work, but is highly experimental.
 
 
 
 
 
 
 
This might endanger your anonymity. Do not proceed unless you know what you are doing.
 
 
 
If you wish to ignore this warning and to continue whonixcheck anyway, you can set
 
    WHONIXCHECK_NO_EXIT_ON_UNSUPPORTED_VIRTUALIZER="1"
 
in /etc/whonix.d/30_whonixcheck_default.conf.
 
 
 
Recommended action:
 
- Shut down.
 
- Read Whonix documentation [4].
 
- Use Whonix with a supported virtualizer or Physical Isolation [5].
 
 
 
Footnotes:
 
 
 
[1] https://www.whonix.org/wiki/LeakTests
 
[2] https://www.whonix.org/wiki/Test
 
[3] https://www.whonix.org/wiki/Protocol-Leak-Protection_and_Fingerprinting-Protection
 
[4] https://www.whonix.org/wiki/Documentation
 
[5] https://www.whonix.org/wiki/Physical_Isolation</nowiki>
 
 
 
It is not clear why this error shows up, or whether anything bad will happen if it's ignored.  The only mention of this error that I can find in upstream documentation is [http://forums.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/t/error-virtualizer-unsupported-by-whonix-developers/4471 this forum thread], which doesn't have any solution.
 
 
 
Some debug logs that might be helpful for fixing it:
 
 
 
<nowiki>user@host:~$ sudo journalctl | grep apparmor | grep DENIED | grep systemcheck
 
May 24 04:26:57 host audit[710]: AVC apparmor="DENIED" operation="open" profile="/usr/lib/systemcheck/canary" name="/sys/firmware/devicetree/base/hypervisor/compatible" pid=710 comm="systemd-detect-" requested_mask="r" denied_mask="r" fsuid=123 ouid=0
 
May 24 04:25:20 host audit[1264]: AVC apparmor="DENIED" operation="open" profile="/usr/bin/systemcheck" name="/sys/firmware/devicetree/base/hypervisor/compatible" pid=1264 comm="systemd-detect-" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
 
May 24 04:25:20 host kernel: audit: type=1400 audit(1621830320.465:1537): apparmor="DENIED" operation="open" profile="/usr/bin/systemcheck" name="/sys/firmware/devicetree/base/hypervisor/compatible" pid=1264 comm="systemd-detect-" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
 
May 24 04:25:23 host audit[1886]: AVC apparmor="DENIED" operation="mkdir" profile="/usr/bin/systemcheck" name="/run/systemcheck/.cache/" pid=1886 comm="zenity" requested_mask="c" denied_mask="c" fsuid=119 ouid=119
 
May 24 04:25:24 host kernel: audit: type=1400 audit(1621830323.997:1538): apparmor="DENIED" operation="mkdir" profile="/usr/bin/systemcheck" name="/run/systemcheck/.cache/" pid=1886 comm="zenity" requested_mask="c" denied_mask="c" fsuid=119 ouid=119
 
user@host:~$ sudo systemd-detect-virt
 
kvm
 
user@host:~$ sudo cat /sys/firmware/devicetree/base/hypervisor/compatible
 
linux,kvm</nowiki>
 
 
 
A fix is available in [https://github.com/JeremyRand/whonixcheck/commit/621f7c2faf439af5718de5843731a344570b55da this commit].
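Review bot: replacing the whole "Checking for virtualization" section with "None." removes the whonixcheck error text, the AppArmor DENIED log lines and the link to the fixing commit, yet the notes earlier in this same revision say systemcheck 3:21.1-1 is only in buster-developers until it reaches buster, so readers who keep the default buster line will still hit this error with nothing on the page to explain it; suggest keeping a short resolved entry along the lines of "Fixed in systemcheck 3:21.1-1 (currently buster-developers only); see this commit" rather than deleting the section outright.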
 

Revision as of 00:49, 24 May 2021

Whonix (clearnet link) can be installed on the Talos using KVM. These instructions were tested with Whonix 15.

Both Whonix-Gateway and Whonix-Workstation

Download Whonix from the Whonix KVM download page (clearnet link).

Extract it:

tar -xvf Whonix*.libvirt.xz

Install the Whonix virtual networks:

virsh -c qemu:///system net-define Whonix_external*.xml
virsh -c qemu:///system net-define Whonix_internal*.xml
virsh -c qemu:///system net-autostart external
virsh -c qemu:///system net-start external
virsh -c qemu:///system net-autostart internal
virsh -c qemu:///system net-start internal

Then, create two Debian Buster ppc64el VMs. When installing Debian, do not create a separate root password, name the user "user", and for the desktop environment either pick XFCE or do not install one. Launch a shell in each VM, and follow the instructions below for each VM.

Import the Whonix signing key (source):

wget https://www.whonix.org/patrick.asc
sudo apt-key --keyring /etc/apt/trusted.gpg.d/derivative.gpg add ~/patrick.asc

Initialize the console group (source):

sudo addgroup --system console
sudo adduser user console

Whonix-Gateway

Install Tor:

echo "deb https://deb.debian.org/debian buster-backports main" | sudo tee /etc/apt/sources.list.d/backports.list
sudo apt-get update
sudo apt-get -t buster-backports install tor

Add the Whonix package repository (source):

echo "deb https://deb.whonix.org buster main" | sudo tee /etc/apt/sources.list.d/derivative.list
sudo apt-get update

Note: As of 2021 May 24, there are bugs in the sdwdate and systemcheck packages in the Whonix buster suite, which break ppc64el support. These bugs were fixed by sdwdate version 3:14.9-1 and systemcheck version 3:21.1-1. Until the fixes make their way to the buster suite, you can get the fixes early by substituting buster-developers for buster in the derivative.list line above.

Then, run one of the following, depending on whether you want the Whonix-Gateway to use XFCE or CLI-only:

sudo apt-get install non-qubes-whonix-gateway-xfce
sudo apt-get install non-qubes-whonix-gateway-cli

If you get prompted with questions during package installation, you can choose the defaults.

The Whonix packages will install their own sources.list data in /etc/apt/sources.list.d/debian.list, which means you should delete the sources.list that Debian came with (in order to avoid warnings from apt-get about duplicated repos):

sudo rm /etc/apt/sources.list

Shut off the VM.

Set the VM's NIC to use the external Network source.

Add a 2nd NIC to the VM, and set it to use the internal Network source.

Launch the VM again; Whonix-Gateway should be running.

If you get errors about the Tor service failing to start, this is probably an AppArmor issue. You can fix it by running sudo touch /etc/apparmor.d/local/system_tor.anondist. Restart the VM again and Tor should work.
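The "Checking for virtualization" logs higher on this page show AppArmor refusing systemcheck access to the device-tree hypervisor node, and the Tor start-up failure just mentioned is also an AppArmor problem. As an added example (not from the RCS wiki or the Whonix project), this POSIX shell snippet summarises such denials from journalctl output and flags that specific ppc64el symptom; the sample log lines are constructed, modelled on the page's own entries, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the RCS wiki page or the Whonix project.
# Summarise AppArmor denials from journalctl output so a failing service
# (systemcheck, Tor) can be traced to the confined profile and the path it
# was refused.  Live use inside the VM:  sudo journalctl -b | apparmor_denials

# Constructed sample log, modelled on the audit lines the page quotes.
# The kernel echoes each audit event a second time ("kernel: audit:"),
# so the same denial appears twice; an ALLOWED event is included as noise.
SAMPLE_LOG='May 24 04:25:20 host audit[1264]: AVC apparmor="DENIED" operation="open" profile="/usr/bin/systemcheck" name="/sys/firmware/devicetree/base/hypervisor/compatible" pid=1264 comm="systemd-detect-" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
May 24 04:25:20 host kernel: audit: type=1400 audit(1621830320.465:1537): apparmor="DENIED" operation="open" profile="/usr/bin/systemcheck" name="/sys/firmware/devicetree/base/hypervisor/compatible" pid=1264 comm="systemd-detect-" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
May 24 04:25:23 host audit[1886]: AVC apparmor="DENIED" operation="mkdir" profile="/usr/bin/systemcheck" name="/run/systemcheck/.cache/" pid=1886 comm="zenity" requested_mask="c" denied_mask="c" fsuid=119 ouid=119
May 24 04:25:40 host audit[2000]: AVC apparmor="ALLOWED" operation="open" profile="/usr/bin/systemcheck" name="/etc/whonix.d/30_whonixcheck_default.conf" pid=2000 comm="systemcheck" requested_mask="r" denied_mask="r" fsuid=0 ouid=0'

# Read journal lines on stdin; print one unique line per denial:
#   <profile> <operation> <path> <denied_mask>
apparmor_denials() {
  grep 'apparmor="DENIED"' |
    sed -n 's/.*operation="\([^"]*\)".*profile="\([^"]*\)".*name="\([^"]*\)".*denied_mask="\([^"]*\)".*/\2 \1 \3 \4/p' |
    sort -u
}

# Convenience wrapper: run the parser over the embedded sample.
sample_denials() {
  printf '%s\n' "$SAMPLE_LOG" | apparmor_denials
}

# Exit 0 when stdin contains the ppc64el symptom the page describes:
# systemcheck blocked from reading the device-tree hypervisor node, which
# is what produces "Failed to check for virtualization: Permission denied"
# and is fixed in systemcheck 3:21.1-1 (buster-developers at time of writing).
ppc64el_virt_check_blocked() {
  apparmor_denials |
    grep -q 'systemcheck open /sys/firmware/devicetree/base/hypervisor/compatible r$'
}

# Demo when run directly: list the sample denials, then report the symptom.
if [ "${1:-}" = "--demo" ]; then
  sample_denials
  if printf '%s\n' "$SAMPLE_LOG" | ppc64el_virt_check_blocked; then
    echo "systemcheck virtualization check is blocked: upgrade systemcheck to 3:21.1-1 or later"
  fi
fi
```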

Whonix-Workstation

Add the Whonix package repository (source):

echo "deb https://deb.whonix.org buster main" | sudo tee /etc/apt/sources.list.d/derivative.list
sudo apt-get update

Note: As of 2021 May 24, there are bugs in the sdwdate and systemcheck packages in the Whonix buster suite, which break ppc64el support. These bugs were fixed by sdwdate version 3:14.9-1 and systemcheck version 3:21.1-1. Until the fixes make their way to the buster suite, you can get the fixes early by substituting buster-developers for buster in the derivative.list line above.

Then, run one of the following, depending on whether you want the Whonix-Workstation to use XFCE or CLI-only:

sudo apt-get install non-qubes-whonix-workstation-xfce
sudo apt-get install non-qubes-whonix-workstation-cli

If you get prompted with questions during package installation, you can choose the defaults.

The Whonix packages will install their own sources.list data in /etc/apt/sources.list.d/debian.list, which means you should delete the sources.list that Debian came with (in order to avoid warnings from apt-get about duplicated repos):

sudo rm /etc/apt/sources.list

Shut off the VM.

Set the VM's NIC to use the internal Network source.

Launch the VM again; Whonix-Workstation should be running.

Known Issues

None.