Kicksecure

From RCS Wiki
Revision as of 06:03, 9 May 2023 by JeremyRand (talk | contribs) (Signing key goes in /usr/share/keyrings/)

Kicksecure (clearnet link) can be installed on POWER. These instructions were tested with Kicksecure 16.

First, install Debian Bullseye, Bookworm, or Sid for ppc64el or ppc64. If installing in a VM, set the Video Model to Virtio and the Display Type to Spice (source). When installing Debian, do not create a separate root password, name the user user, and for desktop environment either pick XFCE or do not install one. Launch a shell.

Import the Kicksecure signing key (source) (clearnet):

sudo apt-get update
sudo apt-get dist-upgrade
sudo apt-get install --no-install-recommends curl gpg gpg-agent
curl --tlsv1.3 --output ~/derivative.asc --url https://www.kicksecure.com/keys/derivative.asc
sudo cp ~/derivative.asc /usr/share/keyrings/derivative.asc
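
A fingerprint check that can run between the download and the copy into /usr/share/keyrings/, given as an added example that is not part of the original wiki page or of Kicksecure's own tooling. The function names are hypothetical, and the expected fingerprint is an assumption: it must be obtained from a source independent of the download.

```sh
# Added example: compare the primary-key fingerprint of a downloaded key file
# with a fingerprint obtained out of band. Function names are hypothetical.

# Read `gpg --with-colons` output on stdin and print primary-key fingerprints.
# A "pub" record is followed by an "fpr" record whose 10th field is the
# fingerprint; "fpr" records that follow a "sub" record belong to subkeys.
primary_fprs() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "sub" { want = 0; next }
             $1 == "fpr" && want { print $10; want = 0 }'
}

# Normalise a fingerprint as people paste it: drop blanks, upper-case hex.
norm_fpr() {
    printf '%s' "$1" | tr -d ' \t' | tr 'a-f' 'A-F'
}

# fprs_match FOUND EXPECTED
# Succeeds only if FOUND is exactly one fingerprint and equals EXPECTED.
# A file carrying zero or several primary keys is rejected.
fprs_match() {
    [ -n "$1" ] || return 1
    [ "$(printf '%s\n' "$1" | grep -c .)" -eq 1 ] || return 1
    [ "$(norm_fpr "$1")" = "$(norm_fpr "$2")" ]
}

# key_file_matches FILE EXPECTED_FPR
# Inspects FILE without importing it into any keyring.
key_file_matches() {
    found=$(gpg --show-keys --with-colons "$1" 2>/dev/null | primary_fprs)
    fprs_match "$found" "$2"
}

# Usage (EXPECTED_FPR is a placeholder to fill in from an independent source):
#   key_file_matches ~/derivative.asc "$EXPECTED_FPR" \
#       && sudo cp ~/derivative.asc /usr/share/keyrings/derivative.asc
```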

Initialize the console group (source) (clearnet):

sudo addgroup --system console
sudo adduser user console

Add the Whonix/Kicksecure package repository (source) (clearnet):

sudo apt-get install apt-transport-tor
echo "deb [signed-by=/usr/share/keyrings/derivative.asc] tor+http://deb.w5j6stm77zs6652pgsij4awcjeel3eco7kvipheu6mtr623eyyehj4yd.onion bullseye main" | sudo tee /etc/apt/sources.list.d/derivative.list
sudo apt-get update

Upgrade Linux to 5.14 or higher; a bug that broke ppc64le support in Kicksecure was fixed between Linux 5.10 and Linux 5.14. If you're using Bullseye, this means using the Debian Bullseye-Backports suite (source) (clearnet):

echo "deb tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian bullseye-backports main" | sudo tee /etc/apt/sources.list.d/backports.list
sudo apt-get update
sudo apt-get -t bullseye-backports install linux-image-powerpc64le

If you're using Bookworm or higher, you should already have a sufficiently new Linux version.

If you're using Bookworm (Bullseye and Sid are unaffected), run the following to work around a bug in the xserver-xorg-video-qxl package that breaks Kicksecure (source 1) (source 2) (appears to be fixed, need to test):

echo "deb [check-valid-until=no] https://snapshot.debian.org/archive/debian/20220311/ bookworm main" | sudo tee /etc/apt/sources.list.d/qxl.list
sudo apt-get update

Then, run one of the following, depending on whether you want Kicksecure to use XFCE or CLI-only, and whether you are installing Kicksecure in a VM or on the host:

sudo apt-get install --no-install-recommends kicksecure-xfce-host
sudo apt-get install --no-install-recommends kicksecure-xfce-vm
sudo apt-get install --no-install-recommends kicksecure-cli-host
sudo apt-get install --no-install-recommends kicksecure-cli-vm

If you get a package conflict error that mentions console-common, run the following and then try again:

sudo apt-get install --no-install-recommends console-common

If you get prompted about choosing the default display manager during package installation, choose gdm3 (source) (clearnet).

If you get prompted with other questions during package installation, you can choose the defaults.

The Kicksecure packages will install their own sources.list data in /etc/apt/sources.list.d/debian.list. If you're using Bullseye, that means you should clear the sources.list that Debian came with (in order to avoid warnings from apt-get about duplicated repos):

sudo rm /etc/apt/sources.list
sudo touch /etc/apt/sources.list
sudo rm /etc/apt/sources.list.d/backports.list

On Bookworm or higher, the Kicksecure sources.list is nonfunctional, so you should clear it instead:

sudo rm /etc/apt/sources.list.d/debian.list
sudo touch /etc/apt/sources.list.d/debian.list

Run the following to work around a bug that breaks subsequent package updates (source) (clearnet):

sudo mkdir -p /etc/dist-base-files.d/
echo "set +e" | sudo tee /etc/dist-base-files.d/50_user.conf

Run the following to work around a bug in the security-misc package that breaks non-x86 architectures (source 1, grep for config ARCH_MMAP_RND_BITS_MAX and config COMPAT) (source 2) (source 3):

sudo sed -i 's/vm.mmap_rnd_bits=32/vm.mmap_rnd_bits=29/' /etc/sysctl.d/30_security-misc.conf

On ppc64el, also run the following:

sudo sed -i 's/vm.mmap_rnd_compat_bits=16//' /etc/sysctl.d/30_security-misc.conf

On ppc64, run the following instead:

sudo sed -i 's/vm.mmap_rnd_compat_bits=16/vm.mmap_rnd_compat_bits=13/' /etc/sysctl.d/30_security-misc.conf
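
sed -i exits successfully even when its pattern matched nothing, so a changed default or different spacing in 30_security-misc.conf would leave the old values in place without any error. The check below is an added example, not part of the original wiki page or of security-misc; the function names are hypothetical, and it tests the file against the values the commands above are meant to produce.

```sh
# Added example: confirm the sed edits above actually took effect in the file.
# Function names are hypothetical.

# conf_value FILE KEY_REGEX
# Print the value of the last uncommented "KEY=VALUE" line, tolerating blanks
# around "=". Prints nothing if the key is not set.
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p" "$1" \
        | tail -n 1
}

# check_mmap_rnd FILE ARCH   (ARCH is ppc64el or ppc64)
# Prints one line per mismatch; returns 0 if the file matches, 1 if not,
# 2 for an architecture this page does not cover.
check_mmap_rnd() {
    file=$1 arch=$2 rc=0
    bits=$(conf_value "$file" 'vm\.mmap_rnd_bits')
    compat=$(conf_value "$file" 'vm\.mmap_rnd_compat_bits')
    case $arch in
        ppc64el) want_compat= ;;      # setting removed entirely
        ppc64)   want_compat=13 ;;
        *) echo "unknown arch: $arch"; return 2 ;;
    esac
    if [ "$bits" != 29 ]; then
        echo "vm.mmap_rnd_bits is '${bits:-unset}', expected '29'"
        rc=1
    fi
    if [ "$compat" != "$want_compat" ]; then
        echo "vm.mmap_rnd_compat_bits is '${compat:-unset}', expected '${want_compat:-unset}'"
        rc=1
    fi
    return $rc
}

# Usage:
#   check_mmap_rnd /etc/sysctl.d/30_security-misc.conf ppc64el
```

After the reboot, `sysctl vm.mmap_rnd_bits` shows the value the running kernel actually accepted.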

If you're using Bookworm or higher (Bullseye is unaffected), run the following to work around a seccomp bug in the sdwdate package that breaks PowerPC-based architectures (source 1) (source 2):

sudo sed -i 's/_newselect/_newselect newfstatat pselect6 vfork/' /lib/systemd/system/sdwdate.service.d/20_arch_syscall_whitelist.conf

If you're using Bookworm or higher (Bullseye is unaffected), run the following to work around an AppArmor bug in the sdwdate package (source):

echo "  network inet stream," | sudo tee --append /etc/apparmor.d/abstractions/url_to_unixtime

Reboot the machine; Kicksecure installation is complete.

Known Issues

None.