Difference between revisions of "Whonix"

From RCS Wiki
Jump to navigation Jump to search
(Remove obsolete Whonix 14 instructions)
(→‎Known Issues: Link to Kicksecure.)
(23 intermediate revisions by the same user not shown)
Line 1: Line 1:
[http://dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/ Whonix] ([https://www.whonix.org/ clearnet link]) can be installed on the Talos using KVM.
+
[http://dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/ Whonix] ([https://www.whonix.org/ clearnet link]) can be installed on POWER using KVM.  These instructions were tested with Whonix 16.
  
 
== Both Whonix-Gateway and Whonix-Workstation ==
 
== Both Whonix-Gateway and Whonix-Workstation ==
Line 11: Line 11:
 
Install the Whonix virtual networks:
 
Install the Whonix virtual networks:
  
  virsh -c qemu:///system net-define Whonix_external*.xml
+
  sudo virsh -c qemu:///system net-define Whonix_external*.xml
  virsh -c qemu:///system net-define Whonix_internal*.xml
+
  sudo virsh -c qemu:///system net-define Whonix_internal*.xml
  virsh -c qemu:///system net-autostart external
+
  sudo virsh -c qemu:///system net-autostart Whonix-External
  virsh -c qemu:///system net-start external
+
  sudo virsh -c qemu:///system net-start Whonix-External
  virsh -c qemu:///system net-autostart internal
+
  sudo virsh -c qemu:///system net-autostart Whonix-Internal
  virsh -c qemu:///system net-start internal
+
  sudo virsh -c qemu:///system net-start Whonix-Internal
  
Then, create two Debian Buster ppc64el VM's, launch a root shell in each, and follow the below instructions for each VM.
+
Then, create two Debian Bullseye ppc64el VM's.  When installing Debian, do not create a separate root password, name the user <code>user</code>, and for desktop environment either pick XFCE or do not install one.  Launch a shell in each VM, and follow the below instructions for each VM.
  
Import the Whonix signing key ([https://github.com/Whonix/whonix-developer-meta-files/blob/master/README_generic.md#how-to-install-package-name-using-apt-get source]):
+
Import the Whonix/Kicksecure signing key ([http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/wiki/Kicksecure/Debian#Add_the_Whonix_.E2.84.A2_Signing_Key source]) ([https://www.whonix.org/wiki/Kicksecure/Debian#Add_the_Whonix_.E2.84.A2_Signing_Key clearnet]):
  
  apt-key --keyring /etc/apt/trusted.gpg.d/whonix.gpg adv --recv-keys 916B8D99C38EAF5E8ADC7A2A8D66066A2EEACCDA
+
  sudo apt-get update
 +
sudo apt-get dist-upgrade
 +
sudo apt-get install --no-install-recommends curl gpg gpg-agent
 +
<nowiki>curl --tlsv1.3 --proto =https --max-time 180 --output ~/patrick.asc https://www.whonix.org/patrick.asc</nowiki>
 +
sudo cp ~/patrick.asc /etc/apt/trusted.gpg.d/derivative.asc
  
Add the Whonix package repository ([https://github.com/Whonix/whonix-developer-meta-files/blob/master/README_generic.md#how-to-install-package-name-using-apt-get source]):
+
Initialize the <code>console</code> group ([http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/wiki/Kicksecure/Debian#Prerequisites source]) ([https://www.whonix.org/wiki/Kicksecure/Debian#Prerequisites clearnet]):
  
  <nowiki>echo "deb http://deb.whonix.org buster main" | tee /etc/apt/sources.list.d/whonix.list</nowiki>
+
sudo addgroup --system console
 +
sudo adduser user console
 +
 
 +
Add the Whonix/Kicksecure package repository ([http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/wiki/Kicksecure/Debian#Add_the_Whonix_.E2.84.A2_Repository source]) ([https://www.whonix.org/wiki/Kicksecure/Debian#Add_the_Whonix_.E2.84.A2_Repository clearnet]):
 +
 
 +
sudo apt-get install apt-transport-tor
 +
  <nowiki>echo "deb tor+http://deb.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion bullseye main" | sudo tee /etc/apt/sources.list.d/derivative.list</nowiki>
 +
sudo apt-get update
 +
 
 +
Note: As of 2021 September 10, there are bugs in the <code>security-misc</code> package in the Whonix <code>bullseye</code> suite, which break ppc64el support.  These bugs were fixed by <code>security-misc</code> version <code>3:22.7-1</code>.  Until the fixes make their way to the <code>bullseye</code> suite, you can get the fixes early by substituting <code>bullseye-developers</code> for <code>bullseye</code> in the <code>derivative.list</code> line above.
 +
 
 +
Upgrade Linux to 5.14 or higher; a bug was fixed between Linux 5.10 and Linux 5.14 that broke ppc64le support in Whonix.  As of 2021 September 10, this means using the Debian Experimental suite ([http://jvgypgbnfyvfopg5msp6nwr2sl2fd6xmnguq35n7rfkw3yungjn2i4yd.onion/ source]) ([https://onion.debian.org/ clearnet]):
 +
 
 +
<nowiki>echo "deb tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian experimental main" | sudo tee /etc/apt/sources.list.d/experimental.list</nowiki>
 +
sudo apt-get update
 +
sudo apt-get -t experimental install linux-image-powerpc64le
  
 
== Whonix-Gateway ==
 
== Whonix-Gateway ==
  
Run the following:
+
Run one of the following, depending on whether you want the Whonix-Gateway to use XFCE or CLI-only:
 
 
apt-get update
 
  
Then, run one of the following, depending on whether you want the Whonix-Gateway to use KDE, XFCE, or CLI-only:
+
sudo apt-get install --no-install-recommends non-qubes-whonix-gateway-xfce
  
  apt-get install non-qubes-whonix-gateway-kde
+
  sudo apt-get install --no-install-recommends non-qubes-whonix-gateway-cli
  
apt-get install non-qubes-whonix-gateway-xfce
+
If you get a package conflict error that mentions <code>console-common</code>, run the following and then try again:
  
  apt-get install non-qubes-whonix-gateway-cli
+
  sudo apt-get install --no-install-recommends console-common
  
 
If you get prompted with questions during package installation, you can choose the defaults.
 
If you get prompted with questions during package installation, you can choose the defaults.
Line 46: Line 63:
 
The Whonix packages will install their own <code>sources.list</code> data in <code>/etc/apt/sources.list.d/debian.list</code>, which means you should delete the <code>sources.list</code> that Debian came with (in order to avoid warnings from <code>apt-get</code> about duplicated repos):
 
The Whonix packages will install their own <code>sources.list</code> data in <code>/etc/apt/sources.list.d/debian.list</code>, which means you should delete the <code>sources.list</code> that Debian came with (in order to avoid warnings from <code>apt-get</code> about duplicated repos):
  
  rm /etc/apt/sources.list
+
  sudo rm /etc/apt/sources.list
  
 
Shut off the VM.
 
Shut off the VM.
  
Set the VM's NIC to use the <code>external</code> Network source.
+
Set the VM's NIC to use the <code>Whonix-External</code> Network source.
  
Add a 2nd NIC to the VM, and set it to use the <code>internal</code> Network source.
+
Add a 2nd NIC to the VM, and set it to use the <code>Whonix-Internal</code> Network source.
  
 
Launch the VM again; Whonix-Gateway should be running.
 
Launch the VM again; Whonix-Gateway should be running.
  
If you get errors about the Tor service failing to start, this is probably a bug in Whonix's AppArmor configuration; you can fix it by editing the file <code>/etc/apparmor.d/tunables/home.d/live-mode</code> and commenting out the line <code>@{HOMEDIRS}+=/rw/home/</code> (i.e. prefix it with a <code>#</code> character, so it will look like <code>#@{HOMEDIRS}+=/rw/home/</code>).  Restart the VM again and Tor should work.
+
If you get errors about the Tor service failing to start, this is probably an AppArmor issue.  You can fix it by running the following:
 +
 
 +
sudo touch /etc/apparmor.d/local/system_tor.anondist
 +
 
 +
Restart the VM again and Tor should work.
  
 
== Whonix-Workstation ==
 
== Whonix-Workstation ==
  
Run the following:
+
Run one of the following, depending on whether you want the Whonix-Workstation to use XFCE or CLI-only:
  
  apt-get update
+
  sudo apt-get install --no-install-recommends non-qubes-whonix-workstation-xfce
  
Then, run one of the following, depending on whether you want the Whonix-Gateway to use KDE, XFCE, or CLI-only:
+
sudo apt-get install --no-install-recommends non-qubes-whonix-workstation-cli
  
apt-get install non-qubes-whonix-workstation-kde
+
If you get a package conflict error that mentions <code>console-common</code>, run the following and then try again:
  
  apt-get install non-qubes-whonix-workstation-xfce
+
  sudo apt-get install --no-install-recommends console-common
 
 
apt-get install non-qubes-whonix-workstation-cli
 
  
 
If you get prompted with questions during package installation, you can choose the defaults.
 
If you get prompted with questions during package installation, you can choose the defaults.
Line 76: Line 95:
 
The Whonix packages will install their own <code>sources.list</code> data in <code>/etc/apt/sources.list.d/debian.list</code>, which means you should delete the <code>sources.list</code> that Debian came with (in order to avoid warnings from <code>apt-get</code> about duplicated repos):
 
The Whonix packages will install their own <code>sources.list</code> data in <code>/etc/apt/sources.list.d/debian.list</code>, which means you should delete the <code>sources.list</code> that Debian came with (in order to avoid warnings from <code>apt-get</code> about duplicated repos):
  
  rm /etc/apt/sources.list
+
  sudo rm /etc/apt/sources.list
  
 
Shut off the VM.
 
Shut off the VM.
  
Set the VM's NIC to use the <code>internal</code> Network source.
+
Set the VM's NIC to use the <code>Whonix-Internal</code> Network source.
  
 
Launch the VM again; Whonix-Workstation should be running.
 
Launch the VM again; Whonix-Workstation should be running.
Line 86: Line 105:
 
== Known Issues ==
 
== Known Issues ==
  
=== Checking for virtualization ===
+
See [[Kicksecure#Known_Issues|Kicksecure known issues]].
 
 
<code>whonixcheck</code> in both VM's reports this error:
 
 
 
<nowiki>[ERROR] [whonixcheck] Virtualizer Failed to check for virtualization: Permission denied unsupported by Whonix developers! Whonixcheck aborted! (qubes_detected: false)
 
 
 
Using Virtualizer Failed to check for virtualization: Permission denied together with Whonix is recommended against, because it is rarely tested. [1] [2] [3] It could be made possible, but would require more Whonix contributors.
 
It may already work, but is highly experimental.
 
 
 
 
 
 
 
This might endanger your anonymity. Do not proceed unless you know what you are doing.
 
 
 
If you wish to ignore this warning and to continue whonixcheck anyway, you can set
 
    WHONIXCHECK_NO_EXIT_ON_UNSUPPORTED_VIRTUALIZER="1"
 
in /etc/whonix.d/30_whonixcheck_default.conf.
 
 
 
Recommended action:
 
- Shut down.
 
- Read Whonix documentation [4].
 
- Use Whonix with a supported virtualizer or Physical Isolation [5].
 
 
 
Footnotes:
 
 
 
[1] https://www.whonix.org/wiki/LeakTests
 
[2] https://www.whonix.org/wiki/Test
 
[3] https://www.whonix.org/wiki/Protocol-Leak-Protection_and_Fingerprinting-Protection
 
[4] https://www.whonix.org/wiki/Documentation
 
[5] https://www.whonix.org/wiki/Physical_Isolation</nowiki>
 
  
It is not clear why this error shows up, or whether anything bad will happen if it's ignored.  The only mention of this error that I can find in upstream documentation is [http://forums.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/t/error-virtualizer-unsupported-by-whonix-developers/4471 this forum thread], which doesn't have any solution.
+
No Whonix-specific known issues.

Revision as of 07:52, 25 September 2021

Whonix (clearnet link) can be installed on POWER using KVM. These instructions were tested with Whonix 16.

Both Whonix-Gateway and Whonix-Workstation

Download Whonix from the Whonix KVM download page (clearnet link).

Extract it:

tar -xvf Whonix*.libvirt.xz

Install the Whonix virtual networks:

sudo virsh -c qemu:///system net-define Whonix_external*.xml
sudo virsh -c qemu:///system net-define Whonix_internal*.xml
sudo virsh -c qemu:///system net-autostart Whonix-External
sudo virsh -c qemu:///system net-start Whonix-External
sudo virsh -c qemu:///system net-autostart Whonix-Internal
sudo virsh -c qemu:///system net-start Whonix-Internal

Then, create two Debian Bullseye ppc64el VM's. When installing Debian, do not create a separate root password, name the user user, and for desktop environment either pick XFCE or do not install one. Launch a shell in each VM, and follow the below instructions for each VM.

Import the Whonix/Kicksecure signing key (source) (clearnet):

sudo apt-get update
sudo apt-get dist-upgrade
sudo apt-get install --no-install-recommends curl gpg gpg-agent
curl --tlsv1.3 --proto =https --max-time 180 --output ~/patrick.asc https://www.whonix.org/patrick.asc
sudo cp ~/patrick.asc /etc/apt/trusted.gpg.d/derivative.asc

Initialize the console group (source) (clearnet):

sudo addgroup --system console
sudo adduser user console

Add the Whonix/Kicksecure package repository (source) (clearnet):

sudo apt-get install apt-transport-tor
echo "deb tor+http://deb.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion bullseye main" | sudo tee /etc/apt/sources.list.d/derivative.list
sudo apt-get update

Note: As of 2021 September 10, there are bugs in the security-misc package in the Whonix bullseye suite, which break ppc64el support. These bugs were fixed by security-misc version 3:22.7-1. Until the fixes make their way to the bullseye suite, you can get the fixes early by substituting bullseye-developers for bullseye in the derivative.list line above.

Upgrade Linux to 5.14 or higher; a bug was fixed between Linux 5.10 and Linux 5.14 that broke ppc64le support in Whonix. As of 2021 September 10, this means using the Debian Experimental suite (source) (clearnet):

echo "deb tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian experimental main" | sudo tee /etc/apt/sources.list.d/experimental.list
sudo apt-get update
sudo apt-get -t experimental install linux-image-powerpc64le

Whonix-Gateway

Run one of the following, depending on whether you want the Whonix-Gateway to use XFCE or CLI-only:

sudo apt-get install --no-install-recommends non-qubes-whonix-gateway-xfce
sudo apt-get install --no-install-recommends non-qubes-whonix-gateway-cli

If you get a package conflict error that mentions console-common, run the following and then try again:

sudo apt-get install --no-install-recommends console-common

If you get prompted with questions during package installation, you can choose the defaults.

The Whonix packages will install their own sources.list data in /etc/apt/sources.list.d/debian.list, which means you should delete the sources.list that Debian came with (in order to avoid warnings from apt-get about duplicated repos):

sudo rm /etc/apt/sources.list

Shut off the VM.

Set the VM's NIC to use the Whonix-External Network source.

Add a 2nd NIC to the VM, and set it to use the Whonix-Internal Network source.

Launch the VM again; Whonix-Gateway should be running.

If you get errors about the Tor service failing to start, this is probably an AppArmor issue. You can fix it by running the following:

sudo touch /etc/apparmor.d/local/system_tor.anondist

Restart the VM again and Tor should work.

Whonix-Workstation

Run one of the following, depending on whether you want the Whonix-Workstation to use XFCE or CLI-only:

sudo apt-get install --no-install-recommends non-qubes-whonix-workstation-xfce
sudo apt-get install --no-install-recommends non-qubes-whonix-workstation-cli

If you get a package conflict error that mentions console-common, run the following and then try again:

sudo apt-get install --no-install-recommends console-common

If you get prompted with questions during package installation, you can choose the defaults.

The Whonix packages will install their own sources.list data in /etc/apt/sources.list.d/debian.list, which means you should delete the sources.list that Debian came with (in order to avoid warnings from apt-get about duplicated repos):

sudo rm /etc/apt/sources.list

Shut off the VM.

Set the VM's NIC to use the Whonix-Internal Network source.

Launch the VM again; Whonix-Workstation should be running.

Known Issues

See Kicksecure known issues.

No Whonix-specific known issues.