Difference between revisions of "Kicksecure"

From RCS Wiki
(Reboot)
(mmap_rnd_bits manual workaround no longer needed)
 
(37 intermediate revisions by the same user not shown)
Line 1: Line 1:
(This page is WIP!)
+
[http://www.w5j6stm77zs6652pgsij4awcjeel3eco7kvipheu6mtr623eyyehj4yd.onion/ Kicksecure] ([https://www.kicksecure.com/ clearnet link]) can be installed on POWER.  These instructions were tested with Kicksecure 16.
  
[http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/wiki/Kicksecure Kicksecure] ([https://www.whonix.org/wiki/Kicksecure clearnet link]) can be installed on POWERThese instructions were tested with Kicksecure 16.
+
First, install Debian Bullseye, Bookworm, or Sid for ppc64el or ppc64.  If installing in a VM, set the Video Model to Virtio and the Display Type to Spice ([https://github.com/Kicksecure/libvirt-dist/blob/master/usr/share/libvirt-dist/xml/Kicksecure.xml source]).  When installing Debian, do not create a separate root password, name the user <code>user</code>, and for desktop environment either pick XFCE or do not install one.  Launch a shell.
  
First, install Debian Bullseye ppc64el.  When installing Debian, do not create a separate root password, name the user <code>user</code>, and for desktop environment either pick XFCE or do not install one.  Launch a shell.
+
Import the Kicksecure signing key ([http://www.w5j6stm77zs6652pgsij4awcjeel3eco7kvipheu6mtr623eyyehj4yd.onion/wiki/Debian#Add_the_Kicksecure_%E2%84%A2_Signing_Key source]) ([https://www.kicksecure.com/wiki/Debian#Add_the_Kicksecure_%E2%84%A2_Signing_Key clearnet]):
 
 
Import the Whonix/Kicksecure signing key ([http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/wiki/Kicksecure/Debian#Add_the_Whonix_.E2.84.A2_Signing_Key source]) ([https://www.whonix.org/wiki/Kicksecure/Debian#Add_the_Whonix_.E2.84.A2_Signing_Key clearnet]):
 
  
 
  sudo apt-get update
 
  sudo apt-get update
 
  sudo apt-get dist-upgrade
 
  sudo apt-get dist-upgrade
 
  sudo apt-get install --no-install-recommends curl gpg gpg-agent
 
  sudo apt-get install --no-install-recommends curl gpg gpg-agent
  <nowiki>curl --tlsv1.3 --proto =https --max-time 180 --output ~/patrick.asc https://www.whonix.org/patrick.asc</nowiki>
+
  <nowiki>curl --tlsv1.3 --output ~/derivative.asc --url https://www.kicksecure.com/keys/derivative.asc</nowiki>
  sudo cp ~/patrick.asc /etc/apt/trusted.gpg.d/derivative.asc
+
  sudo cp ~/derivative.asc /usr/share/keyrings/derivative.asc
  
Initialize the <code>console</code> group ([http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/wiki/Kicksecure/Debian#Prerequisites source]) ([https://www.whonix.org/wiki/Kicksecure/Debian#Prerequisites clearnet]):
+
Initialize the <code>console</code> group ([http://www.w5j6stm77zs6652pgsij4awcjeel3eco7kvipheu6mtr623eyyehj4yd.onion/wiki/Debian#Prerequisites source]) ([https://www.kicksecure.com/wiki/Debian#Prerequisites clearnet]):
  
 
  sudo addgroup --system console
 
  sudo addgroup --system console
 
  sudo adduser user console
 
  sudo adduser user console
  
Add the Whonix/Kicksecure package repository ([http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/wiki/Kicksecure/Debian#Add_the_Whonix_.E2.84.A2_Repository source]) ([https://www.whonix.org/wiki/Kicksecure/Debian#Add_the_Whonix_.E2.84.A2_Repository clearnet]):
+
Add the Whonix/Kicksecure package repository ([http://www.w5j6stm77zs6652pgsij4awcjeel3eco7kvipheu6mtr623eyyehj4yd.onion/wiki/Debian#Add_the_Kicksecure_%E2%84%A2_Repository source]) ([https://www.kicksecure.com/wiki/Debian#Add_the_Kicksecure_%E2%84%A2_Repository clearnet]):
  
 
  sudo apt-get install apt-transport-tor
 
  sudo apt-get install apt-transport-tor
  <nowiki>echo "deb tor+http://deb.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion bullseye main" | sudo tee /etc/apt/sources.list.d/derivative.list</nowiki>
+
  <nowiki>echo "deb [signed-by=/usr/share/keyrings/derivative.asc] tor+http://deb.w5j6stm77zs6652pgsij4awcjeel3eco7kvipheu6mtr623eyyehj4yd.onion bullseye main" | sudo tee /etc/apt/sources.list.d/derivative.list</nowiki>
 
  sudo apt-get update
 
  sudo apt-get update
  
Note: As of 2021 September 10, there are bugs in the <code>security-misc</code> package in the Kicksecure <code>bullseye</code> suite, which break ppc64el support.  These bugs were fixed by <code>security-misc</code> version <code>3:22.7-1</code>. Until the fixes make their way to the <code>bullseye</code> suite, you can get the fixes early by substituting <code>bullseye-developers</code> for <code>bullseye</code> in the <code>derivative.list</code> line above.
+
Note: there is a bug in the <code>security-misc</code> package that breaks non-x86_64 architectures, which was fixed in version 28.4. As of 2023 May 13, 28.4 isn't yet available in the <code>bullseye</code> Kicksecure suite; you can work around the issue by using the <code>bullseye-testers</code> Kicksecure suite instead in the above command.
 +
 
 +
Note: there is a bug in the <code>sdwdate</code> package that breaks non-x86_64 architectures, which was fixed in version 21.7. As of 2023 May 13, 21.7 isn't yet available in the <code>bullseye</code> Kicksecure suite; you can work around the issue by using the <code>bullseye-testers</code> Kicksecure suite instead in the above command.
 +
 
 +
Upgrade Linux to 5.14 or higher; a bug was fixed between Linux 5.10 and Linux 5.14 that broke ppc64le support in Kicksecure.  If you're using Bullseye, this means using the Debian Bullseye-Backports suite ([http://jvgypgbnfyvfopg5msp6nwr2sl2fd6xmnguq35n7rfkw3yungjn2i4yd.onion/ source]) ([https://onion.debian.org/ clearnet]):
 +
 
 +
<nowiki>echo "deb tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian bullseye-backports main" | sudo tee /etc/apt/sources.list.d/backports.list</nowiki>
 +
sudo apt-get update
 +
sudo apt-get -t bullseye-backports install linux-image-powerpc64le
 +
 
 +
If you're using Bookworm or higher, you should already have a sufficiently new Linux version.
  
 
Then, run one of the following, depending on whether you want Kicksecure to use XFCE or CLI-only, and whether you are installing Kicksecure in a VM or on the host:
 
Then, run one of the following, depending on whether you want Kicksecure to use XFCE or CLI-only, and whether you are installing Kicksecure in a VM or on the host:
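Review bot: The new key-import lines run `sudo cp ~/derivative.asc /usr/share/keyrings/derivative.asc` straight after the curl download, with no step that checks the key's fingerprint, and the new curl line drops the `--proto =https` and `--max-time 180` options the old line had. Suggest adding a `gpg --show-keys ~/derivative.asc` step before the `sudo cp`, with a sentence telling the reader to compare the printed fingerprint against one obtained from a source they trust, and keeping `--proto =https`. The move from /etc/apt/trusted.gpg.d/ to a keyring referenced by `signed-by=` is an improvement; the added backports.list line has no `signed-by`, which is worth a short remark so readers know it relies on the default trusted keys.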
Line 40: Line 48:
 
  sudo apt-get install --no-install-recommends console-common
 
  sudo apt-get install --no-install-recommends console-common
  
If you get prompted with questions during package installation, you can choose the defaults.
+
If you get prompted about choosing the default display manager during package installation, choose <code>gdm3</code> ([http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/wiki/Stable_Release#Whonix_™_16.0.2.7 source]) ([https://www.whonix.org/wiki/Stable_Release#Whonix_™_16.0.2.7 clearnet]).
  
The Kicksecure packages will install their own <code>sources.list</code> data in <code>/etc/apt/sources.list.d/debian.list</code>, which means you should clear the <code>sources.list</code> that Debian came with (in order to avoid warnings from <code>apt-get</code> about duplicated repos):
+
If you get prompted with other questions during package installation, you can choose the defaults.
 +
 
 +
The Kicksecure packages will install their own <code>sources.list</code> data in <code>/etc/apt/sources.list.d/debian.list</code>.  If you're using Bullseye, that means you should clear the <code>sources.list</code> that Debian came with (in order to avoid warnings from <code>apt-get</code> about duplicated repos):
  
 
  sudo rm /etc/apt/sources.list
 
  sudo rm /etc/apt/sources.list
 
  sudo touch /etc/apt/sources.list
 
  sudo touch /etc/apt/sources.list
 +
sudo rm /etc/apt/sources.list.d/backports.list
 +
 +
On Bookworm or higher, the Kicksecure <code>sources.list</code> is nonfunctional, so you should clear it instead:
 +
 +
sudo rm /etc/apt/sources.list.d/debian.list
 +
sudo touch /etc/apt/sources.list.d/debian.list
 +
 +
Run the following to work around a bug that breaks subsequent package updates ([http://forums.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/t/dist-base-files-postinst-aborted-on-ppc64el/13381/2 source]) ([https://forums.whonix.org/t/dist-base-files-postinst-aborted-on-ppc64el/13381/2 clearnet]):
 +
 +
sudo mkdir -p /etc/dist-base-files.d/
 +
echo "set +e" | sudo tee /etc/dist-base-files.d/50_user.conf
  
 
Reboot the machine; Kicksecure installation is complete.
 
Reboot the machine; Kicksecure installation is complete.
 +
 +
== Known Issues ==
 +
 +
None.
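Review bot: The added `sudo rm /etc/apt/sources.list.d/backports.list` in the Bullseye cleanup removes the suite the kernel was installed from (`apt-get -t bullseye-backports install linux-image-powerpc64le` earlier in this revision), so unless the debian.list that Kicksecure installs also carries bullseye-backports, which these lines do not show, that kernel stops receiving updates. Suggest stating which file provides backports after the cleanup, or keeping backports.list. Separately, the `echo "set +e"` line written to /etc/dist-base-files.d/50_user.conf turns off exit-on-error for whatever sources that file; a sentence saying when the workaround can be removed would help.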

Latest revision as of 22:40, 13 May 2023

Kicksecure (clearnet link) can be installed on POWER. These instructions were tested with Kicksecure 16.

First, install Debian Bullseye, Bookworm, or Sid for ppc64el or ppc64. If installing in a VM, set the Video Model to Virtio and the Display Type to Spice (source). When installing Debian, do not create a separate root password, name the user "user", and for desktop environment either pick XFCE or do not install one. Launch a shell.

Import the Kicksecure signing key (source) (clearnet):

sudo apt-get update
sudo apt-get dist-upgrade
sudo apt-get install --no-install-recommends curl gpg gpg-agent
curl --tlsv1.3 --output ~/derivative.asc --url https://www.kicksecure.com/keys/derivative.asc
sudo cp ~/derivative.asc /usr/share/keyrings/derivative.asc

Initialize the console group (source) (clearnet):

sudo addgroup --system console
sudo adduser user console

Add the Whonix/Kicksecure package repository (source) (clearnet):

sudo apt-get install apt-transport-tor
echo "deb [signed-by=/usr/share/keyrings/derivative.asc] tor+http://deb.w5j6stm77zs6652pgsij4awcjeel3eco7kvipheu6mtr623eyyehj4yd.onion bullseye main" | sudo tee /etc/apt/sources.list.d/derivative.list
sudo apt-get update

Note: there is a bug in the security-misc package that breaks non-x86_64 architectures, which was fixed in version 28.4. As of 2023 May 13, 28.4 isn't yet available in the bullseye Kicksecure suite; you can work around the issue by using the bullseye-testers Kicksecure suite instead in the above command.

Note: there is a bug in the sdwdate package that breaks non-x86_64 architectures, which was fixed in version 21.7. As of 2023 May 13, 21.7 isn't yet available in the bullseye Kicksecure suite; you can work around the issue by using the bullseye-testers Kicksecure suite instead in the above command.

Upgrade Linux to 5.14 or higher; a bug was fixed between Linux 5.10 and Linux 5.14 that broke ppc64le support in Kicksecure. If you're using Bullseye, this means using the Debian Bullseye-Backports suite (source) (clearnet):

echo "deb tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian bullseye-backports main" | sudo tee /etc/apt/sources.list.d/backports.list
sudo apt-get update
sudo apt-get -t bullseye-backports install linux-image-powerpc64le

If you're using Bookworm or higher, you should already have a sufficiently new Linux version.

Then, run one of the following, depending on whether you want Kicksecure to use XFCE or CLI-only, and whether you are installing Kicksecure in a VM or on the host:

sudo apt-get install --no-install-recommends kicksecure-xfce-host
sudo apt-get install --no-install-recommends kicksecure-xfce-vm
sudo apt-get install --no-install-recommends kicksecure-cli-host
sudo apt-get install --no-install-recommends kicksecure-cli-vm

If you get a package conflict error that mentions console-common, run the following and then try again:

sudo apt-get install --no-install-recommends console-common

If you get prompted about choosing the default display manager during package installation, choose gdm3 (source) (clearnet).

If you get prompted with other questions during package installation, you can choose the defaults.

The Kicksecure packages will install their own sources.list data in /etc/apt/sources.list.d/debian.list. If you're using Bullseye, that means you should clear the sources.list that Debian came with (in order to avoid warnings from apt-get about duplicated repos):

sudo rm /etc/apt/sources.list
sudo touch /etc/apt/sources.list
sudo rm /etc/apt/sources.list.d/backports.list

On Bookworm or higher, the Kicksecure sources.list is nonfunctional, so you should clear it instead:

sudo rm /etc/apt/sources.list.d/debian.list
sudo touch /etc/apt/sources.list.d/debian.list

Run the following to work around a bug that breaks subsequent package updates (source) (clearnet):

sudo mkdir -p /etc/dist-base-files.d/
echo "set +e" | sudo tee /etc/dist-base-files.d/50_user.conf

Reboot the machine; Kicksecure installation is complete.
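A post-install check, added here as an example and not part of the wiki's instructions or of Kicksecure: it reports which APT source entries pin their key with signed-by, as the derivative.list line above does, and which are verified against the global trusted keys, as the backports.list line is. The function names are hypothetical, the sample input is constructed from the two deb lines on this page, and only one-line-style entries are handled.

```shell
#!/bin/sh
# Added example (not from the wiki): report which one-line APT source entries
# pin a key with signed-by and which fall back to the global trusted keys.
# Function names are hypothetical; deb822 ".sources" files are not handled.

# Constructed sample: the two "deb" lines this page writes.
SAMPLE_SOURCES='# derivative.list
deb [signed-by=/usr/share/keyrings/derivative.asc] tor+http://deb.w5j6stm77zs6652pgsij4awcjeel3eco7kvipheu6mtr623eyyehj4yd.onion bullseye main
# backports.list
deb tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian bullseye-backports main'

# Print the signed-by value of one entry; return 1 if it has none.
signed_by_of() {
    opts=$(printf '%s\n' "$1" |
        sed -n 's/^deb\(-src\)*[[:space:]]*\[\([^]]*\)].*/\2/p')
    for o in $opts; do
        case $o in
            signed-by=*) printf '%s\n' "${o#signed-by=}"; return 0 ;;
        esac
    done
    return 1
}

# Read source entries on stdin; print "scoped URI KEYRING" or "global URI".
# "global" means apt checks that repository against every key in
# /etc/apt/trusted.gpg.d/, which is where the older revision put the key.
audit_sources() {
    while IFS= read -r line; do
        case $line in
            deb\ *|deb-src\ *) ;;
            *) continue ;;
        esac
        rest=$(printf '%s\n' "$line" |
            sed 's/^deb\(-src\)*[[:space:]]*\(\[[^]]*]\)\{0,1\}[[:space:]]*//')
        uri=${rest%% *}
        if key=$(signed_by_of "$line"); then
            printf 'scoped %s %s\n' "$uri" "$key"
        else
            printf 'global %s\n' "$uri"
        fi
    done
}

# With file arguments, audit them; otherwise audit the constructed sample.
if [ "$#" -gt 0 ]; then
    cat -- "$@" | audit_sources
else
    printf '%s\n' "$SAMPLE_SOURCES" | audit_sources
fi
```

To audit a real system, pass the source files as arguments, for example /etc/apt/sources.list and the .list files under /etc/apt/sources.list.d/.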

Known Issues

None.