Difference between revisions of "Kicksecure"

From RCS Wiki
(Reboot)
(→‎Known Issues: Add vm.mmap_rnd_bits issue)
 
(4 intermediate revisions by the same user not shown)
Line 1: Line 1:
(This page is WIP!)
 
 
 
[http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/wiki/Kicksecure Kicksecure] ([https://www.whonix.org/wiki/Kicksecure clearnet link]) can be installed on POWER.  These instructions were tested with Kicksecure 16.
 
[http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/wiki/Kicksecure Kicksecure] ([https://www.whonix.org/wiki/Kicksecure clearnet link]) can be installed on POWER.  These instructions were tested with Kicksecure 16.
  
First, install Debian Bullseye ppc64el.  When installing Debian, do not create a separate root password, name the user <code>user</code>, and for desktop environment either pick XFCE or do not install one.  Launch a shell.
+
First, install Debian Bullseye ppc64el or Debian Sid ppc64.  When installing Debian, do not create a separate root password, name the user <code>user</code>, and for desktop environment either pick XFCE or do not install one.  Launch a shell.
  
 
Import the Whonix/Kicksecure signing key ([http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/wiki/Kicksecure/Debian#Add_the_Whonix_.E2.84.A2_Signing_Key source]) ([https://www.whonix.org/wiki/Kicksecure/Debian#Add_the_Whonix_.E2.84.A2_Signing_Key clearnet]):
 
Import the Whonix/Kicksecure signing key ([http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/wiki/Kicksecure/Debian#Add_the_Whonix_.E2.84.A2_Signing_Key source]) ([https://www.whonix.org/wiki/Kicksecure/Debian#Add_the_Whonix_.E2.84.A2_Signing_Key clearnet]):
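Review bot: The install line now allows "Debian Bullseye ppc64el or Debian Sid ppc64", but the unchanged sentence above it still says only "These instructions were tested with Kicksecure 16" without saying on which of the two architectures. Suggest stating which combination was actually tested, since the page later lists separate known issues per architecture.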
Line 25: Line 23:
  
 
Note: As of 2021 September 10, there are bugs in the <code>security-misc</code> package in the Kicksecure <code>bullseye</code> suite, which break ppc64el support.  These bugs were fixed by <code>security-misc</code> version <code>3:22.7-1</code>.  Until the fixes make their way to the <code>bullseye</code> suite, you can get the fixes early by substituting <code>bullseye-developers</code> for <code>bullseye</code> in the <code>derivative.list</code> line above.
 
Note: As of 2021 September 10, there are bugs in the <code>security-misc</code> package in the Kicksecure <code>bullseye</code> suite, which break ppc64el support.  These bugs were fixed by <code>security-misc</code> version <code>3:22.7-1</code>.  Until the fixes make their way to the <code>bullseye</code> suite, you can get the fixes early by substituting <code>bullseye-developers</code> for <code>bullseye</code> in the <code>derivative.list</code> line above.
 +
 +
Upgrade Linux to 5.14 or higher; a bug was fixed between Linux 5.10 and Linux 5.14 that broke ppc64le support in Kicksecure.  As of 2021 September 10, this means using the Debian Experimental suite ([http://jvgypgbnfyvfopg5msp6nwr2sl2fd6xmnguq35n7rfkw3yungjn2i4yd.onion/ source]) ([https://onion.debian.org/ clearnet]).  For ppc64el:
 +
 +
<nowiki>echo "deb tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian experimental main" | sudo tee /etc/apt/sources.list.d/experimental.list</nowiki>
 +
sudo apt-get update
 +
sudo apt-get -t experimental install linux-image-powerpc64le
 +
 +
Or, for ppc64:
 +
 +
<nowiki>echo "deb tor+https://deb.debian.org/debian-ports experimental main" | sudo tee /etc/apt/sources.list.d/experimental.list</nowiki>
 +
sudo apt-get update
 +
sudo apt-get -t experimental install linux-image-powerpc64
  
 
Then, run one of the following, depending on whether you want Kicksecure to use XFCE or CLI-only, and whether you are installing Kicksecure in a VM or on the host:
 
Then, run one of the following, depending on whether you want Kicksecure to use XFCE or CLI-only, and whether you are installing Kicksecure in a VM or on the host:
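Review bot: The added kernel paragraph is ambiguous and inconsistent in its architecture name: "a bug was fixed between Linux 5.10 and Linux 5.14 that broke ppc64le support" reads as if the fix caused the breakage, and it says ppc64le where the rest of the page says ppc64el. Suggest "a bug that broke ppc64el support in Kicksecure was fixed between Linux 5.10 and Linux 5.14", with a link to the fix so readers can tell when a non-experimental kernel carries it. The two branches also differ in transport (an onion mirror for ppc64el, tor+https://deb.debian.org/debian-ports for ppc64); one sentence on why would save readers from guessing.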
Line 42: Line 52:
 
If you get prompted with questions during package installation, you can choose the defaults.
 
If you get prompted with questions during package installation, you can choose the defaults.
  
The Kicksecure packages will install their own <code>sources.list</code> data in <code>/etc/apt/sources.list.d/debian.list</code>, which means you should clear the <code>sources.list</code> that Debian came with (in order to avoid warnings from <code>apt-get</code> about duplicated repos):
+
The Kicksecure packages will install their own <code>sources.list</code> data in <code>/etc/apt/sources.list.d/debian.list</code>.  On ppc64el, that means you should clear the <code>sources.list</code> that Debian came with (in order to avoid warnings from <code>apt-get</code> about duplicated repos):
  
 
  sudo rm /etc/apt/sources.list
 
  sudo rm /etc/apt/sources.list
 
  sudo touch /etc/apt/sources.list
 
  sudo touch /etc/apt/sources.list
 +
 +
On ppc64, the Kicksecure <code>sources.list</code> is nonfunctional, so you should clear it instead:
 +
 +
sudo rm /etc/apt/sources.list.d/debian.list
 +
sudo touch /etc/apt/sources.list.d/debian.list
  
 
Reboot the machine; Kicksecure installation is complete.
 
Reboot the machine; Kicksecure installation is complete.
 +
 +
== Known Issues ==
 +
 +
On ppc64el, the <code>systemd-sysctl</code> service fails to start, due to the <code>vm.mmap_rnd_bits</code> setting introduced by the <code>security-misc</code> package.
 +
 +
On ppc64, the <code>jitterentropy-rngd</code> service fails to start.
 +
 +
On ppc64, <code>sdwdate</code> runs into AppArmor issues.
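Review bot: The ppc64 branch empties /etc/apt/sources.list.d/debian.list but never says which file is then expected to supply the base Debian repositories; state explicitly that the installer's /etc/apt/sources.list is left in place on ppc64. In the new Known Issues section each entry only says that a service fails or "runs into AppArmor issues"; add the observed error text, whether the other sysctl settings are still applied when systemd-sysctl fails, and any workaround.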

Latest revision as of 00:04, 12 September 2021

Kicksecure (clearnet link) can be installed on POWER. These instructions were tested with Kicksecure 16.

First, install Debian Bullseye ppc64el or Debian Sid ppc64. When installing Debian, do not create a separate root password, name the user user, and for desktop environment either pick XFCE or do not install one. Launch a shell.

Import the Whonix/Kicksecure signing key (source) (clearnet):

sudo apt-get update
sudo apt-get dist-upgrade
sudo apt-get install --no-install-recommends curl gpg gpg-agent
curl --tlsv1.3 --proto =https --max-time 180 --output ~/patrick.asc https://www.whonix.org/patrick.asc
sudo cp ~/patrick.asc /etc/apt/trusted.gpg.d/derivative.asc
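
The commands above copy the downloaded key into APT's trust store without comparing its fingerprint. The following is an added example, not part of the original page or of Kicksecure's own instructions, showing one way to gate that copy on a fingerprint match; EXPECTED_FPR is a placeholder (the page does not state the fingerprint) and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: confirm a downloaded key's fingerprint before trusting it for APT.
# EXPECTED_FPR is a placeholder; take the real value from the Kicksecure
# documentation over a channel you trust (it is not stated on this page).
EXPECTED_FPR="REPLACE_WITH_PUBLISHED_FINGERPRINT"

# Read `gpg --with-colons` output on stdin and print the primary-key
# fingerprint: the first "fpr" record after a "pub" record (field 10).
primary_fingerprint() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "fpr" && want && !done { print $10; done = 1 }'
}

# Normalise a fingerprint: drop whitespace, upper-case the hex digits.
normalise_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

# Succeed only if the colon output on stdin holds exactly one primary key
# and its fingerprint equals $1. Returns 2 for empty or multi-key input.
colons_match_fpr() {
    colons=$(cat)
    pub_count=$(printf '%s\n' "$colons" | awk -F: '$1 == "pub" { n++ } END { print n + 0 }')
    [ "$pub_count" -eq 1 ] || return 2
    actual=$(printf '%s\n' "$colons" | primary_fingerprint)
    [ "$(normalise_fpr "$actual")" = "$(normalise_fpr "$1")" ]
}

# Verify a key file, then install it where the page's cp command puts it.
install_verified_key() {
    keyfile=$1 expected=$2 dest=${3:-/etc/apt/trusted.gpg.d/derivative.asc}
    if gpg --show-keys --with-colons "$keyfile" | colons_match_fpr "$expected"; then
        sudo install -m 0644 "$keyfile" "$dest"
    else
        echo "fingerprint mismatch for $keyfile; not installing" >&2
        return 1
    fi
}

# Usage: install_verified_key ~/patrick.asc "$EXPECTED_FPR"
```

Rejecting files that contain more than one primary key matters here because every key in a file under /etc/apt/trusted.gpg.d is trusted by APT, not only the first.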

Initialize the console group (source) (clearnet):

sudo addgroup --system console
sudo adduser user console

Add the Whonix/Kicksecure package repository (source) (clearnet):

sudo apt-get install apt-transport-tor
echo "deb tor+http://deb.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion bullseye main" | sudo tee /etc/apt/sources.list.d/derivative.list
sudo apt-get update

Note: As of 2021 September 10, there are bugs in the security-misc package in the Kicksecure bullseye suite, which break ppc64el support. These bugs were fixed by security-misc version 3:22.7-1. Until the fixes make their way to the bullseye suite, you can get the fixes early by substituting bullseye-developers for bullseye in the derivative.list line above.

Upgrade Linux to 5.14 or higher; a bug that broke ppc64el support in Kicksecure was fixed between Linux 5.10 and Linux 5.14. As of 2021 September 10, this means using the Debian Experimental suite (source) (clearnet). For ppc64el:

echo "deb tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian experimental main" | sudo tee /etc/apt/sources.list.d/experimental.list
sudo apt-get update
sudo apt-get -t experimental install linux-image-powerpc64le

Or, for ppc64:

echo "deb tor+https://deb.debian.org/debian-ports experimental main" | sudo tee /etc/apt/sources.list.d/experimental.list
sudo apt-get update
sudo apt-get -t experimental install linux-image-powerpc64

Then, run one of the following, depending on whether you want Kicksecure to use XFCE or CLI-only, and whether you are installing Kicksecure in a VM or on the host:

sudo apt-get install --no-install-recommends kicksecure-xfce-host
sudo apt-get install --no-install-recommends kicksecure-xfce-vm
sudo apt-get install --no-install-recommends kicksecure-cli-host
sudo apt-get install --no-install-recommends kicksecure-cli-vm

If you get a package conflict error that mentions console-common, run the following and then try again:

sudo apt-get install --no-install-recommends console-common

If you get prompted with questions during package installation, you can choose the defaults.

The Kicksecure packages will install their own sources.list data in /etc/apt/sources.list.d/debian.list. On ppc64el, that means you should clear the sources.list that Debian came with (in order to avoid warnings from apt-get about duplicated repos):

sudo rm /etc/apt/sources.list
sudo touch /etc/apt/sources.list

On ppc64, the Kicksecure sources.list is nonfunctional, so you should clear it instead:

sudo rm /etc/apt/sources.list.d/debian.list
sudo touch /etc/apt/sources.list.d/debian.list

Reboot the machine; Kicksecure installation is complete.

Known Issues

On ppc64el, the systemd-sysctl service fails to start, due to the vm.mmap_rnd_bits setting introduced by the security-misc package.

On ppc64, the jitterentropy-rngd service fails to start.

On ppc64, sdwdate runs into AppArmor issues.
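
When systemd-sysctl reports a failure, as in the first known issue above, it is worth checking which configured settings are actually live. The following is an added example, not from the original page or from security-misc; sysctl_drift is a hypothetical helper, and the path of the sysctl.d file to check is left to the reader because the page does not state it.

```shell
#!/bin/sh
# Added example: report which settings in a sysctl.d file are not in effect.
# Arguments: $1 = sysctl.d-style file, $2 = procfs sysctl root (defaults to
# /proc/sys; the override lets the check run against a constructed tree).

# Prints "key configured=<v> running=<v|unreadable>" for every mismatch and
# returns 1 if any configured value differs from the running one.
sysctl_drift() {
    conf=$1 root=${2:-/proc/sys} drift=0
    while IFS= read -r line || [ -n "$line" ]; do
        # Trim leading whitespace, then skip blanks, comments and junk lines.
        line=$(printf '%s' "$line" | sed 's/^[[:space:]]*//')
        case $line in ''|'#'*|';'*) continue ;; esac
        case $line in *=*) ;; *) continue ;; esac
        key=$(printf '%s' "${line%%=*}" | tr -d ' \t')
        key=${key#-}    # a leading "-" means "ignore errors" in sysctl.d
        want=$(printf '%s' "${line#*=}" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        path=$root/$(printf '%s' "$key" | tr . /)
        if [ -r "$path" ]; then
            have=$(tr '\t' ' ' < "$path")
        else
            have=unreadable
        fi
        if [ "$have" != "$want" ]; then
            echo "$key configured=$want running=$have"
            drift=1
        fi
    done < "$conf"
    return "$drift"
}

# Usage: sysctl_drift /path/to/the/sysctl.d/file
```

A setting reported as unreadable either does not exist on this kernel or architecture, or needs root to read.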