Difference between revisions of "Whonix"

From RCS Wiki
(Add some Whonix 15 docs)
(Add documentation for morphing from Bookworm)
 
(34 intermediate revisions by the same user not shown)
Previous revision (Whonix 14 and 15 on Debian Stretch; superseded by the latest revision below):

[http://dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/ Whonix] ([https://www.whonix.org/ clearnet link]) can be installed on the Talos using KVM.

== Both Whonix-Gateway and Whonix-Workstation ==

=== For Whonix 14 ===

Download Whonix-Gateway from the [http://dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/wiki/KVM#Download_Whonix_.E2.84.A2 Whonix KVM download page] ([https://www.whonix.org/wiki/KVM#Download_Whonix_.E2.84.A2 clearnet link]).

Extract it:

 tar -xvf Whonix-Gateway*.libvirt.xz

=== For Whonix 15 ===

Download Whonix from the [http://dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/wiki/KVM#Download_Whonix_.E2.84.A2 Whonix KVM download page] ([https://www.whonix.org/wiki/KVM#Download_Whonix_.E2.84.A2 clearnet link]).

Extract it:

 tar -xvf Whonix*.libvirt.xz

=== For Whonix 14 and Whonix 15 ===

Install the Whonix virtual networks:

 virsh -c qemu:///system net-define Whonix_external*.xml
 virsh -c qemu:///system net-define Whonix_internal*.xml
 virsh -c qemu:///system net-autostart external
 virsh -c qemu:///system net-start external
 virsh -c qemu:///system net-autostart internal
 virsh -c qemu:///system net-start internal

=== For Whonix 14 ===

Then, create two Debian Stretch ppc64el VMs, launch a root shell in each, and follow the instructions below for each VM.

Install <code>dirmngr</code> (this is required in order to import the Whonix signing key):

 apt-get install dirmngr

Import the Whonix signing key ([https://github.com/Whonix/whonix-developer-meta-files/blob/master/README_generic.md#how-to-install-package-name-using-apt-get source]):

 apt-key --keyring /etc/apt/trusted.gpg.d/whonix.gpg adv --recv-keys 916B8D99C38EAF5E8ADC7A2A8D66066A2EEACCDA

Add the Whonix package repository ([https://github.com/Whonix/whonix-developer-meta-files/blob/master/README_generic.md#how-to-install-package-name-using-apt-get source]):

 <nowiki>echo "deb http://deb.whonix.org stretch main" | tee /etc/apt/sources.list.d/whonix.list</nowiki>

== Whonix-Gateway ==

Unfortunately, Whonix's <code>tor</code> package, which is a required dependency of Whonix-Gateway, is not available for ppc64el.  Debian's <code>stretch-backports</code> repo does have a <code>tor</code> package that works; we just need to edit its metadata to make the package manager happy. First, we download the <code>tor</code> package and extract it:

 <nowiki>echo "deb http://http.debian.net/debian stretch-backports main" | tee /etc/apt/sources.list.d/stretch-backports.list
 apt-get update
 apt-get download -t stretch-backports tor
 mkdir tor_extracted
 dpkg-deb -R ./tor_*.deb ./tor_extracted</nowiki>

Then, run the following command.  It will fail with a dependency error; note the minimum <code>tor</code> version that it wants.

 apt-get install non-qubes-whonix-gateway-kde whonix-gateway-shared-packages-shared-meta whonix-gateway-packages-recommended-cli tor-geoipdb

Then, edit the metadata file:

 nano tor_extracted/DEBIAN/control

and replace the Version field with the minimum version you noted earlier. Then exit <code>nano</code>.

Rebuild the package and install it:

 mkdir tor_rebuilt
 dpkg-deb -b tor_extracted tor_rebuilt
 apt-get install ./tor_rebuilt/tor*.deb
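As an added example (not part of the wiki page), the version-noting and control-editing steps above as a POSIX shell script: it reads the minimum <code>tor</code> version out of apt-get's unmet-dependency message and rewrites the Version field in the extracted <code>DEBIAN/control</code>. The apt-get output and the control file excerpt are constructed samples, not real package data.

```shell
#!/bin/sh
# Added example, not from the RCS Wiki page.  Automates "note the version, then
# edit DEBIAN/control".  Be clear about what this achieves: dpkg is told that the
# stretch-backports tor satisfies Whonix's "tor (>= X)" constraint; the binary is
# not actually newer, so re-check the constraint whenever Whonix raises it.

# Print the version X from "Depends: tor (>= X)" in apt-get output read on stdin.
# Prints nothing when no such constraint appears.
required_tor_version() {
    sed -n 's/.*Depends: tor (>= \([^)]*\)).*/\1/p' | head -n 1
}

# Rewrite the Version field of a control file read on stdin to $1.  Only the
# first "Version:" line changes; every other field (including the multi-line
# Description) passes through, so running it twice yields the same file.
set_control_version() {
    awk -v ver="$1" 'done || $1 != "Version:" { print; next }
                     { print "Version: " ver; done = 1 }'
}

# Constructed apt-get output of the shape the instructions say to expect.
SAMPLE_APT_ERROR='Reading package lists... Done
The following packages have unmet dependencies:
 tor-geoipdb : Depends: tor (>= 0.3.2.10-1) but 0.2.9.14-1 is to be installed
E: Unable to correct problems, you have held broken packages.'

# Constructed DEBIAN/control excerpt standing in for the extracted tor package.
SAMPLE_CONTROL='Package: tor
Version: 0.2.9.14-1~bpo9+1
Architecture: ppc64el
Maintainer: Example Maintainer <maintainer@example.invalid>
Depends: libc6 (>= 2.17), libevent-2.0-5
Description: anonymizing overlay network for TCP
 Tor is a connection-based low-latency anonymous communication system.'

# On a real host, with the file names used in the instructions:
#   need=$(apt-get install ... 2>&1 | required_tor_version)
#   set_control_version "$need" < tor_extracted/DEBIAN/control > control.new \
#       && mv control.new tor_extracted/DEBIAN/control
need=$(printf '%s\n' "$SAMPLE_APT_ERROR" | required_tor_version)
printf '%s\n' "$SAMPLE_CONTROL" | set_control_version "$need"
```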
 
  
Now we can install the Whonix packages:

 apt-get install non-qubes-whonix-gateway-kde

The Whonix packages will install their own <code>sources.list</code> data in <code>/etc/apt/sources.list.d/debian.list</code>, which means you should delete the <code>sources.list</code> that Debian came with (in order to avoid warnings from <code>apt-get</code> about duplicated repos):

 rm /etc/apt/sources.list

Shut off the VM.

Set the VM's NIC to use the <code>external</code> Network source.

Add a 2nd NIC to the VM, and set it to use the <code>internal</code> Network source.

Launch the VM again; Whonix-Gateway should be running.

== Whonix-Workstation ==

This one's a lot easier, since Whonix's <code>tor</code> package version isn't a requirement.

Install the Whonix packages:

 apt-get update
 apt-get install non-qubes-whonix-workstation-kde

The Whonix packages will install their own <code>sources.list</code> data in <code>/etc/apt/sources.list.d/debian.list</code>, which means you should delete the <code>sources.list</code> that Debian came with (in order to avoid warnings from <code>apt-get</code> about duplicated repos):

 rm /etc/apt/sources.list

Shut off the VM.

Set the VM's NIC to use the <code>internal</code> Network source.

Launch the VM again; Whonix-Workstation should be running.

== Known Issues ==

=== Checking for virtualization ===

<code>whonixcheck</code> in both VMs reports this error:

 <nowiki>[ERROR] [whonixcheck] Virtualizer Failed to check for virtualization: Permission denied unsupported by Whonix developers! Whonixcheck aborted! (qubes_detected: false)
 
 Using Virtualizer Failed to check for virtualization: Permission denied together with Whonix is recommended against, because it is rarely tested. [1] [2] [3] It could be made possible, but would require more Whonix contributors.
 It may already work, but is highly experimental.
 
 This might endanger your anonymity. Do not proceed unless you know what you are doing.
 
 If you wish to ignore this warning and to continue whonixcheck anyway, you can set
 
     WHONIXCHECK_NO_EXIT_ON_UNSUPPORTED_VIRTUALIZER="1"
 
 in /etc/whonix.d/30_whonixcheck_default.conf.
 
 Recommended action:
 - Shut down.
 - Read Whonix documentation [4].
 - Use Whonix with a supported virtualizer or Physical Isolation [5].
 
 Footnotes:
 [1] https://www.whonix.org/wiki/LeakTests
 [2] https://www.whonix.org/wiki/Test
 [3] https://www.whonix.org/wiki/Protocol-Leak-Protection_and_Fingerprinting-Protection
 [4] https://www.whonix.org/wiki/Documentation
 [5] https://www.whonix.org/wiki/Physical_Isolation</nowiki>

It is not clear why this error shows up, or whether anything bad will happen if it's ignored.  The only mention of this error that I can find in upstream documentation is [http://forums.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/t/error-virtualizer-unsupported-by-whonix-developers/4471 this forum thread], which doesn't have any solution.

Latest revision as of 10:13, 4 June 2022

Whonix (clearnet link) can be installed on POWER using KVM. These instructions were tested with Whonix 16.

Download Whonix from the Whonix KVM download page (clearnet link).

Extract it:

tar -xvf Whonix*.libvirt.xz

Install the Whonix virtual networks:

sudo virsh -c qemu:///system net-define Whonix_external*.xml
sudo virsh -c qemu:///system net-define Whonix_internal*.xml
sudo virsh -c qemu:///system net-autostart Whonix-External
sudo virsh -c qemu:///system net-start Whonix-External
sudo virsh -c qemu:///system net-autostart Whonix-Internal
sudo virsh -c qemu:///system net-start Whonix-Internal

Then, create two Debian Bullseye or Bookworm ppc64el VMs. (Bookworm is only tested with Workstation.) Set the Video Model in each VM to Virtio (source 1) (source 2). When installing Debian, do not create a separate root password, name the user "user", and for the desktop environment either pick XFCE or do not install one. Launch a shell in each VM, and follow the instructions below for each VM.

Import the Whonix/Kicksecure signing key (source) (clearnet):

sudo apt-get update
sudo apt-get dist-upgrade
sudo apt-get install --no-install-recommends curl gpg gpg-agent
curl --tlsv1.3 --proto =https --max-time 180 --output ~/patrick.asc https://www.whonix.org/patrick.asc
sudo cp ~/patrick.asc /etc/apt/trusted.gpg.d/derivative.asc

Initialize the console group (source) (clearnet):

sudo addgroup --system console
sudo adduser user console

Add the Whonix/Kicksecure package repository (source) (clearnet):

sudo apt-get install apt-transport-tor
echo "deb tor+http://deb.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion bullseye main" | sudo tee /etc/apt/sources.list.d/derivative.list
sudo apt-get update

Upgrade Linux to 5.14 or higher; a bug was fixed between Linux 5.10 and Linux 5.14 that broke ppc64le support in Whonix. If you're using Bullseye, this means using the Debian Bullseye-Backports suite (source) (clearnet):

echo "deb tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian bullseye-backports main" | sudo tee /etc/apt/sources.list.d/backports.list
sudo apt-get update
sudo apt-get -t bullseye-backports install linux-image-powerpc64le

If you're using Bookworm, you should already have a sufficiently new Linux version.

If you're using Bookworm (Bullseye is unaffected), run the following to work around a bug in the xserver-xorg-video-qxl package that breaks Whonix (source):

echo "deb [check-valid-until=no] https://snapshot.debian.org/archive/debian/20220311/ bookworm main" | sudo tee /etc/apt/sources.list.d/qxl.list
sudo apt-get update

Then, run one of the following, depending on whether you want Whonix to use XFCE or CLI-only, and whether you are installing Whonix-Gateway or Whonix-Workstation:

sudo apt-get install --no-install-recommends non-qubes-whonix-gateway-xfce
sudo apt-get install --no-install-recommends non-qubes-whonix-workstation-xfce
sudo apt-get install --no-install-recommends non-qubes-whonix-gateway-cli
sudo apt-get install --no-install-recommends non-qubes-whonix-workstation-cli

If you get a package conflict error that mentions console-common, run the following and then try again:

sudo apt-get install --no-install-recommends console-common

If you get prompted about choosing the default display manager during package installation, choose gdm3 (source) (clearnet).

If you get prompted with other questions during package installation, you can choose the defaults.

The Whonix packages will install their own sources.list data in /etc/apt/sources.list.d/debian.list. If you're using Bullseye, that means you should clear the sources.list that Debian came with (in order to avoid warnings from apt-get about duplicated repos):

sudo rm /etc/apt/sources.list
sudo rm /etc/apt/sources.list.d/backports.list

On Bookworm, the Whonix sources.list is nonfunctional, so you should clear it instead:

sudo rm /etc/apt/sources.list.d/debian.list
sudo touch /etc/apt/sources.list.d/debian.list

Run the following to work around a bug that breaks subsequent package updates (source) (clearnet):

sudo mkdir -p /etc/dist-base-files.d/
echo "set +e" | sudo tee /etc/dist-base-files.d/50_user.conf

Run the following to work around a bug in the security-misc package that breaks non-x86 architectures (source, grep for config ARCH_MMAP_RND_BITS_MAX and config COMPAT):

sudo sed -i 's/vm.mmap_rnd_bits=32/vm.mmap_rnd_bits=29/' /etc/sysctl.d/30_security-misc.conf
sudo sed -i 's/vm.mmap_rnd_compat_bits=16//' /etc/sysctl.d/30_security-misc.conf
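The two sed lines above hard-code the ppc64el limits. As an added example (not part of the wiki page), the POSIX shell below derives them from the running kernel instead and rewrites the fragment idempotently. Assumptions: the sample fragment is constructed, and the value 29 corresponds to a 64K-page ppc64 kernel as read from the Kconfig linked above.

```shell
#!/bin/sh
# Added example, not from the RCS Wiki page.  security-misc ships
# vm.mmap_rnd_bits=32 and vm.mmap_rnd_compat_bits=16, which a ppc64el kernel
# rejects: ARCH_MMAP_RND_BITS_MAX is 29 with 64K pages, and without COMPAT the
# compat sysctl does not exist at all.  Derive both limits, then rewrite.

# Highest value the kernel accepts for vm.mmap_rnd_bits.  Must run as root: the
# maximum is not exported, so the sysctl is probed downward from 32 and the
# original value restored.  (A brief change of the value only affects new mmaps.)
mmap_rnd_bits_max() {
    cur=$(cat /proc/sys/vm/mmap_rnd_bits)
    n=32
    while [ "$n" -gt "$cur" ]; do
        if sysctl -q -w vm.mmap_rnd_bits="$n" >/dev/null 2>&1; then
            sysctl -q -w vm.mmap_rnd_bits="$cur" >/dev/null 2>&1
            break
        fi
        n=$((n - 1))
    done
    echo "$n"
}

# Prints 1 when the kernel has COMPAT (the compat sysctl exists), else 0.
compat_supported() {
    if [ -e /proc/sys/vm/mmap_rnd_compat_bits ]; then echo 1; else echo 0; fi
}

# Rewrite a sysctl fragment read on stdin: clamp vm.mmap_rnd_bits to $1 and drop
# vm.mmap_rnd_compat_bits unless $2 is 1.  Every other line passes through, so
# the function is idempotent, which a blind "s/32/29/" substitution is not.
rewrite_security_misc() {
    max=$1
    compat=$2
    while IFS= read -r line; do
        case "$line" in
            vm.mmap_rnd_bits=*)
                val=${line#vm.mmap_rnd_bits=}
                if [ "$val" -gt "$max" ]; then val=$max; fi
                printf 'vm.mmap_rnd_bits=%s\n' "$val"
                ;;
            vm.mmap_rnd_compat_bits=*)
                if [ "$compat" = 1 ]; then printf '%s\n' "$line"; fi
                ;;
            *)
                printf '%s\n' "$line"
                ;;
        esac
    done
}

# Constructed excerpt standing in for /etc/sysctl.d/30_security-misc.conf.
SAMPLE='kernel.kptr_restrict=2
vm.mmap_rnd_bits=32
vm.mmap_rnd_compat_bits=16
fs.protected_symlinks=1'

# On a real ppc64el host (as root), the instructions' edit becomes:
#   rewrite_security_misc "$(mmap_rnd_bits_max)" "$(compat_supported)" \
#       < /etc/sysctl.d/30_security-misc.conf > /tmp/30_security-misc.conf
# then review /tmp/30_security-misc.conf and copy it back into place.
printf '%s\n' "$SAMPLE" | rewrite_security_misc 29 0
```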

If you're using Bookworm (Bullseye is unaffected), run the following to work around a seccomp bug in the sdwdate package that breaks PowerPC-based architectures (source 1) (source 2):

sudo sed -i 's/_newselect/_newselect newfstatat pselect6 vfork/' /lib/systemd/system/sdwdate.service.d/20_arch_syscall_whitelist.conf

If you're using Bookworm (Bullseye is unaffected), run the following to work around an AppArmor bug in the sdwdate package (source):

echo "  network inet stream," | sudo tee --append /etc/apparmor.d/abstractions/url_to_unixtime

Shut off the VM.

If you're installing Whonix-Gateway, set the VM's NIC to use the Whonix-External Network source. Then add a 2nd NIC to the VM, and set it to use the Whonix-Internal Network source.

If you're installing Whonix-Workstation, set the VM's NIC to use the Whonix-Internal Network source.

Launch the VM again; Whonix should be running.

If you get errors in Whonix-Gateway about the Tor service failing to start, this is probably an AppArmor issue. You can fix it by running the following:

sudo touch /etc/apparmor.d/local/system_tor.anondist

Restart Whonix-Gateway again and Tor should work.

Known Issues

See Kicksecure known issues.

On Bookworm, as of 2022 June 4, systemcheck fails with an AppArmor error: Jun 04 14:59:26 host kernel: audit: type=1400 audit(1654354766.467:1227): apparmor="DENIED" operation="open" profile="/usr/bin/systemcheck" name="/usr/libexec/sudo/libsudo_util.so.0.0.0" pid=1705 comm="sudo" requested_mask="r" denied_mask="r" fsuid=0 ouid=0. Not sure whether this also happens on Kicksecure.
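As an added example (not part of the wiki page), a small POSIX shell triage helper for AppArmor "DENIED" audit lines such as the systemcheck one quoted above: it reduces a journal or dmesg extract to unique (profile, operation, object, denied_mask) tuples, which is what you need to judge whether a local override like the system_tor one earlier is warranted. The sample log is constructed around the page's line; the second profile path in it is a placeholder.

```shell
#!/bin/sh
# Added example, not from the RCS Wiki page: triage AppArmor denial lines so a
# denial can be tied to a profile and a concrete file or socket before any
# /etc/apparmor.d/local override is considered.

# Print the value of key $2 in audit line $1 (quoted or bare), or nothing.
apparmor_field() {
    printf '%s\n' "$1" | sed -n "s/.*[ (]$2=\"*\([^\" ]*\)\"*.*/\1/p"
}

# Read journal/dmesg text on stdin; emit one tab-separated line per unique
# denial: profile, operation, object, denied_mask.  The object is the file
# (name=) for file operations, or family/sock_type for socket operations.
apparmor_denials() {
    while IFS= read -r line; do
        case "$line" in *'apparmor="DENIED"'*) ;; *) continue ;; esac
        obj=$(apparmor_field "$line" name)
        if [ -z "$obj" ]; then
            obj="$(apparmor_field "$line" family)/$(apparmor_field "$line" sock_type)"
        fi
        printf '%s\t%s\t%s\t%s\n' "$(apparmor_field "$line" profile)" \
            "$(apparmor_field "$line" operation)" "$obj" \
            "$(apparmor_field "$line" denied_mask)"
    done | sort -u
}

# Constructed sample: the systemcheck denial from the page, a repeat of it (to
# show de-duplication), a non-denial STATUS line, and a socket denial whose
# profile path is a placeholder.
SAMPLE_LOG='Jun 04 14:59:26 host kernel: audit: type=1400 audit(1654354766.467:1227): apparmor="DENIED" operation="open" profile="/usr/bin/systemcheck" name="/usr/libexec/sudo/libsudo_util.so.0.0.0" pid=1705 comm="sudo" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jun 04 14:59:27 host kernel: audit: type=1400 audit(1654354767.101:1228): apparmor="DENIED" operation="open" profile="/usr/bin/systemcheck" name="/usr/libexec/sudo/libsudo_util.so.0.0.0" pid=1705 comm="sudo" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jun 04 14:59:28 host kernel: audit: type=1400 audit(1654354768.334:1229): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/bin/systemcheck" pid=1710 comm="apparmor_parser"
Jun 04 14:59:30 host kernel: audit: type=1400 audit(1654354770.512:1230): apparmor="DENIED" operation="create" profile="/path/to/example-profile" pid=1720 comm="example" family="inet" sock_type="stream" protocol=6 requested_mask="create" denied_mask="create"'

# Real use: journalctl -k | apparmor_denials
printf '%s\n' "$SAMPLE_LOG" | apparmor_denials
```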