Difference between revisions of "Kicksecure"

Kicksecure (clearnet link) can be installed on POWER. These instructions were tested with Kicksecure 16.

First, install Debian Bullseye ppc64el or Debian Sid ppc64. When installing Debian, do not create a separate root password, name the user user, and for desktop environment either pick XFCE or do not install one. Launch a shell.

Import the Whonix/Kicksecure signing key (source) (clearnet):

sudo apt-get update
sudo apt-get dist-upgrade
sudo apt-get install --no-install-recommends curl gpg gpg-agent
curl --tlsv1.3 --proto =https --max-time 180 --output ~/patrick.asc https://www.whonix.org/patrick.asc
sudo cp ~/patrick.asc /etc/apt/trusted.gpg.d/derivative.asc

Initialize the console group (source) (clearnet):

sudo addgroup --system console
sudo adduser user console

Add the Whonix/Kicksecure package repository (source) (clearnet):

sudo apt-get install apt-transport-tor
echo "deb tor+http://deb.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion bullseye main" | sudo tee /etc/apt/sources.list.d/derivative.list
sudo apt-get update

Note: As of 2021 September 10, there are bugs in the security-misc package in the Kicksecure bullseye suite, which break ppc64el support. These bugs were fixed by security-misc version 3:22.7-1. Until the fixes make their way to the bullseye suite, you can get the fixes early by substituting bullseye-developers for bullseye in the derivative.list line above.

Upgrade Linux to 5.14 or higher; a bug was fixed between Linux 5.10 and Linux 5.14 that broke ppc64le support in Kicksecure. As of 2021 September 10, this means using the Debian Experimental suite (source) (clearnet). For ppc64el:

echo "deb tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian experimental main" | sudo tee /etc/apt/sources.list.d/experimental.list
sudo apt-get update
sudo apt-get -t experimental install linux-image-powerpc64le

Or, for ppc64:

echo "deb tor+https://deb.debian.org/debian-ports experimental main" | sudo tee /etc/apt/sources.list.d/experimental.list
sudo apt-get update
sudo apt-get -t experimental install linux-image-powerpc64

Then, run one of the following, depending on whether you want Kicksecure to use XFCE or CLI-only, and whether you are installing Kicksecure in a VM or on the host:

sudo apt-get install --no-install-recommends kicksecure-xfce-host

sudo apt-get install --no-install-recommends kicksecure-xfce-vm

sudo apt-get install --no-install-recommends kicksecure-cli-host

sudo apt-get install --no-install-recommends kicksecure-cli-vm

If you get a package conflict error that mentions console-common, run the following and then try again:

sudo apt-get install --no-install-recommends console-common

If you get prompted with questions during package installation, you can choose the defaults.

The Kicksecure packages will install their own sources.list data in /etc/apt/sources.list.d/debian.list. On ppc64el, that means you should clear the sources.list that Debian came with (in order to avoid warnings from apt-get about duplicated repos):

sudo rm /etc/apt/sources.list
sudo touch /etc/apt/sources.list

On ppc64, the Kicksecure sources.list is nonfunctional, so you should clear it instead:

sudo rm /etc/apt/sources.list.d/debian.list
sudo touch /etc/apt/sources.list.d/debian.list

Reboot the machine; Kicksecure installation is complete.

Known Issues

On ppc64el, the systemd-sysctl service fails to start, due to the vm.mmap_rnd_bits setting introduced by the security-misc package.

On ppc64, the jitterentropy-rngd service fails to start.

On ppc64, sdwdate runs into AppArmor issues.