{{Header}}
{{title|title=ToDo for Developers}}
{{#seo:
|description=TODO
}}
{{devwiki}}
{{intro|
TODO
}}
{{Developers-only}}
= TODO DEV =
== virtualbox / kvm - dynamic resolution resizing with labwc ==
* Automatic display resizing is no longer working under VirtualBox with Wayland. It actually does work, but it requires the user to manually set the resolution to the "native" resolution after every window resize.
* Possible solutions listed for discussion at https://github.com/labwc/labwc/discussions/3109
* Discussion ongoing, currently waiting on upstream to reply. I might attempt to do further development work on this if we consider it a priority.
* Discussed with Patrick, we should probably solve this ourselves via a daemon that watches udev messages, as not having this feature may result in serious usability issues with VirtualBox.
== approx - work around and report metadata caching problems ==
* Sometimes the data in the approx cache goes out of date and approx fails to update it, resulting in failed builds, or possibly in builds containing outdated packages.
* Reproduce the issue, report upstream, create a workaround in derivative-maker.
== misc review ==
* https://github.com/Kicksecure/security-misc/issues/199#issuecomment-3345059129 - opinion?
** Aaron: Reviewed, did some testing and commented.
* https://github.com/Kicksecure/security-misc/pull/323
* https://github.com/Kicksecure/security-misc/pull/322
* https://github.com/KSPP/kspp.github.io/issues/9
* https://github.com/QubesOS/qubes-core-admin-addon-whonix/pull/25
== security-misc /etc/systemd/system/ review ==
* Do the /etc/systemd/system folder contents still make sense nowadays?
== stardict - investigate ==
* Debian policy applicable?
* https://www.kicksecure.com/wiki/Dev/Debian#startdict
== qubes - qrexec to NetVM ==
* investigate if it is possible to get the name of a qube's NetVM from within the qube, or otherwise send qrexec requests to the NetVM
* contribute the feature to upstream if it doesn't exist
* use case: don't require sdwdate-gui in Qubes-Whonix-Workstation to be explicitly configured to talk to the appropriate Qubes-Whonix-Gateway in a multi-gateway setup
== compiled code - investigate using clang ==
* clang provides a minimal UBSan runtime which may be usable as an additional hardening feature.
* Investigate if this is worthwhile.
* gcc supports more warnings; perhaps use gcc and clang together for "diagnostic builds" and static analysis, and clang for release builds?
** Patrick: Keeping gcc support might be worthwhile for non-technical reasons: [[Miscellaneous_Threats_to_User_Freedom#GCC_vs_Clang-LLVM|GCC vs Clang-LLVM]]
== port to sequoia-pgp ==
* port the whole code base from gpg to sequoia-pgp as far as sensible
* related - not part of this task - only for reference - https://github.com/QubesOS/qubes-issues/issues/8241
* https://sequoia-pgp.org/blog/2022/12/19/202212-chameleon-0.1/
* https://packages.debian.org/trixie/sequoia-chameleon-gnupg
** Can we just symlink /usr/bin/gpg to /usr/bin/gpg-sq?
* Aaron: Unsure if replacing gpg with gpg-sq wholesale is a good idea. Quoting the blog post on gpg-sq:
** "A consequence of not modifying GnuPG’s state but using an overlay is that changes made using the Chameleon will not be picked up by GnuPG. For example, if you import a certificate using the Chameleon, it will only be inserted into the overlay, and GnuPG will not see it."
** Would prefer porting to sq's native API instead, to avoid consistency issues.
* Aaron: Delay until after the release of Kicksecure 18 perhaps? That way the work done here doesn't end up causing us major problems before the release is complete.
** Delaying this may be essential, as Whonix 18 should release before Qubes OS R4.3 does.
** Please move to WAITING ON if good to delay, move back to TODO if we should pursue this now.
*** Patrick: Please do in sequoia branch.
== user-sysmaint-split versus Qubes Video Companion is broken on Whonix-Workstation ==
* please comment how this could be resolved
* https://github.com/QubesOS/qubes-issues/issues/10163
* https://forums.whonix.org/t/qubes-sudo-su-root-hardening-development-discussion/8561/73
== kloak - Qubes OS mouse anonymization improvements ==
* https://github.com/QubesOS/qubes-issues/issues/10292
== three finger salute ==
* https://forums.kicksecure.com/t/ctrl-alt-del-three-finger-salute-action/1197
* the three finger salute should do something useful, similar to what it does on Windows:
** lock screen (Qubes does that)
** start task manager
** emergency shutdown button
* Open a sysmaint (or root) shell?
** This feature can be deferred.
** SAK alike?
*** Can a compromised Wayland swallow the three finger salute and mount a login spoofing attack?
**** Aaron: No, because the salute is read by the handler via evdev, which is provided directly by the kernel. It could receive the keypress despite emerg-shutdown or similar seeing it too, but emerg-shutdown would SIGSTOP the compositor before running the actual Ctrl+Alt+Delete handler.
*** Perhaps we should use the real SAK, but reconfigure its action, if that is at all possible?
**** Aaron: Does not appear to be possible, see https://www.kernel.org/doc/html/v6.0/security/sak.html
** research SIGSTOP
*** Aaron: Looks like it works reliably, even when a stuck kernel thread is involved.
** research locked up kernel threads and their abuse potential
*** Aaron: It appears the worst they can do is prevent processes from fully exiting, which isn't a problem for us. They also seem to be very hard to create, unless you have root access. See https://chrisdown.name/2024/02/05/reliably-creating-d-state-processes-on-demand.html
** anti-phishing code
*** static
*** TOTP - perhaps at a later time
== live-hardener vs efi bug ==
* probably already resolved?
Aug 10 08:30:55 host live-hardener[767]: mount: /boot/efi: wrong fs type, bad option, bad superblock on overlay, missing codepage or helper program, or other error.
== emergency-shutdown - bug - breaks Calamares installer ==
* todo
* Patrick: Still an issue? Duplicate of [[Dev/todo#Kicksecure_installer_versus_live-hardener_bug|Kicksecure installer versus live-hardener bug]]?
** might have been fixed in: https://github.com/Kicksecure/security-misc/commit/c59a3b233bd8893d466c020a2e2695ab545c6e60
** KVM affected?
== emerg-shutdown - delayed shutdown ==
* emerg-shutdown may be triggered by accident; users should have an opportunity to cancel unless the root device has vanished entirely
* for delayed shutdowns, show a warning of some sort and provide clear instructions on how to cancel the shutdown
** switch to a TTY and display a red screen with warning text on it?
*** may conflict with agetty, investigate how to suppress it (or switch to a TTY that isn't in use and that agetty isn't configured to spawn on)
* some users may need instant shutdown without warning, so allow configuring the shutdown timeout, including making it 0
== emerg-shutdown - versus ram-wipe ==
* an init (systemd) wrapper?
* root disk must be unmounted so the kernel deletes the {{fde}} key from RAM
== emerg-shutdown - bugs ==
* Qubes:
** Should probably not run in Qubes at all? Disable using a systemd unit file conditional?
Aug 10 06:10:23 host emerg-shutdown[635]: Failed to find any input device supporting panic keys!
Aug 10 06:10:23 host systemd[1]: emerg-shutdown.service: Main process exited, code=exited, status=1/FAILURE
Aug 10 06:10:23 host systemd[1]: emerg-shutdown.service: Failed with result 'exit-code'.
Aug 10 06:10:35 host memlockd[677]: Mapped file /lib/x86_64-linux-gnu/libgpg-error.so.0
* Non-Qubes:
** So far only observed in non-Qubes.
Aug 11 08:27:57 localhost memlockd[1006]: Error mmaping /etc/resolv.conf: Invalid argument
== emergency-shutdown - debugging improvements ==
* add more debug output:
** every relevant code path should be written to the journal
** trigger needs to be recorded
** action needs to be recorded
** purpose: in case of bugs (such as above), it should be possible to debug this at least with a (virtual) serial console
== chvt hardening ==
* https://forums.kicksecure.com/t/chvt-change-foreground-virtual-terminal-vt-tty-prevent-malware-from-forced-tty-change/1274
== Qubes OS IPv6 DNS ==
* https://github.com/QubesOS/qubes-core-agent-linux/pull/592
== Qubes in-vm kernel boot mode support ==
* GRUB patch for Xen command line parsing has been merged
* implement boot mode support for in-vm kernels in qubes-core-admin
* Qubes issue: https://github.com/QubesOS/qubes-issues/issues/9872
== Qubes in-vm kernel support in general ==
* https://github.com/QubesOS/qubes-issues/issues/9570
* https://github.com/QubesOS/qubes-issues/issues/8649
* https://github.com/QubesOS/qubes-issues/issues/9759
== timesync developer wiki page improvements ==
* https://www.whonix.org/wiki/Dev/TimeSync
* [[anondate]]
* https://www.kicksecure.com/wiki/Dev/sdwdate
* please study, improve
* take note of Tor consensus and replay attacks
* in preparation for follow-up tasks
== sdwdate refactoring and improvements ==
* study sdwdate source code
* lightweight refactoring (such as no longer using classes, because these are used inconsistently)
* separate into sdwdate-daemon and sdwdate-time-fetcher?
** Aaron: sdwdate-daemon is a very interesting idea, most likely useful for the ClockVM idea; however, it is only feasible in situations where one either has multiple networked physical machines or multiple connected virtual machines (i.e. VBox with one Whonix-Gateway and many Whonix-Workstations, or Qubes OS). This is because the daemon has to be able to change the system's time as it sees fit in order to get Tor working (i.e. first get consensus to work by using certificate lifetime if possible, then get circuits to work using consensus, then get real time from three separate servers which are now accessible since circuits work). There is no way to isolate CLOCK_REALTIME changes from the rest of the system; Linux has time namespaces but they don't virtualize CLOCK_REALTIME. Thus sdwdate-daemon would have to be able to modify the system time freely in its mission to find the right time.
** In theory, this could be avoided if time changes could be communicated to the Tor daemon without modifying the system's wall clock. I do not know if this is possible, I suspect it isn't. Even though it is technically feasible, it would potentially be immensely complicated to implement.
** Perhaps implement sdwdate-daemon as a process that only returns whatever the next time step is, and also indicates whether there are further steps? Then sdwdate-time-fetcher could either ignore the date if the daemon indicates more steps are still to come, or accept it. The ClockVM itself would unconditionally accept sdwdate-daemon's reported time values in order to assist it in finding the correct time, then client VMs would only update their clock once the "final step" was reached.
* sdwdate oneshot feature (pick the median time from the 3 pools, output to console, then exit) if considered useful for the next bullet point
* add support for sdwdate to be used as a [https://forums.whonix.org/t/qubes-whonix-gateway-as-clockvm/19015 Qubes-Whonix-Gateway as ClockVM]
* note: sdwdate can already fix the clock if it is very slow (with the help of Tor consensus and anondate)
** Aaron: If the clock is very very slow, this seems to not work. Might be possible to use Tor certificates to get within a year of the correct date, then attempt to brute-force a month that will allow Tor consensus to work. As long as the Tor network itself will not work if the clock is too far off, we don't have to worry too much about replay attacks, untrusted data, etc. - the worst an attacker could do is denial of service, we'll only get working connectivity if we get very close to the correct time (or an adversary controls so many of the servers we're using it can trick us into thinking our time is correct, which is statistically unlikely...? is it actually statistically unlikely?)
* add a feature to sdwdate to allow it to fix the clock if it is very fast too
** it may not be possible to implement such a feature securely (setting the clock forward has no security risk but setting the clock backwards makes already expired keys valid again). Perhaps it should just be a manual action? In theory, by setting the clock backwards very far into the past, sdwdate should be able to fix it. Perhaps we could try once to set the clock backwards just a few hours (not years) based on Tor consensus / anondate? Or perhaps this should only be possible by manual user action?
* use chrony - time setting only - not time fetching - as a replacement for sclockadj as per [[Dev/sdwdate]]
** or, if easier and saner, port sclockadj from clock_settime to adjtimex?
** Aaron: Probably easier to port sclockadj, chrony looks a bit dangerous to me.
** please research, consider various options
== kicksecure - update torification improvements ==
* only shipped-by-default apt repositories go through Tor
* ideally, newly added apt repositories should go through Tor as well, as should flatpak installation and updates
** Flatpaks can be made to go through Tor by enabling an HTTPTunnelPort in Tor, then setting http_proxy and https_proxy to http://localhost:9080 (assuming your port number is 9080) when running Flatpak. There doesn't appear to be a way to set a proxy in Flatpak's configuration, thus this would probably require a wrapper.
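The wrapper the last bullet calls for, as an added example that is not Kicksecure's own code: it assumes a torrc line such as `HTTPTunnelPort 9080` bound on 127.0.0.1, and the script name `flatpak-tor`, the `FLATPAK_TOR_PORT` variable and the function names are invented for this illustration.

```shell
#!/bin/sh
# Added example (not Kicksecure's own code): "flatpak-tor", a wrapper that runs
# flatpak with http_proxy/https_proxy pointed at Tor's HTTPTunnelPort.
# Assumes torrc contains e.g. "HTTPTunnelPort 9080" and that Tor binds it on
# 127.0.0.1 (Tor's default address for that option).
set -u

# Port of the HTTPTunnelPort; 9080 is the example value used on this page.
FLATPAK_TOR_PORT="${FLATPAK_TOR_PORT:-9080}"

# Print the proxy URL for a port, or fail on a non-numeric / out-of-range value
# so a typo in the config can never silently produce an empty proxy variable.
flatpak_tor_proxy_url() {
  port="$1"
  case "$port" in
    ''|*[!0-9]*) echo "flatpak-tor: invalid port '$port'" >&2; return 1 ;;
  esac
  if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
    echo "flatpak-tor: port out of range '$port'" >&2; return 1
  fi
  printf 'http://127.0.0.1:%s\n' "$port"
}

# Print the VAR=value pairs flatpak is started with. Both spellings are set
# because GLib/libsoup read the lowercase ones and some helpers read uppercase;
# no_proxy is emptied so no host is exempted from the tunnel.
flatpak_tor_env() {
  url="$(flatpak_tor_proxy_url "$1")" || return 1
  printf 'http_proxy=%s https_proxy=%s HTTP_PROXY=%s HTTPS_PROXY=%s no_proxy= NO_PROXY=\n' \
    "$url" "$url" "$url" "$url"
}

# Run flatpak through the tunnel. If Tor is not listening on the port, flatpak's
# download fails with a connection error instead of falling back to clearnet,
# because the proxy variables are set unconditionally (fail closed).
flatpak_tor_run() {
  env_line="$(flatpak_tor_env "$FLATPAK_TOR_PORT")" || return 1
  # shellcheck disable=SC2086  # intentional word splitting of VAR=value pairs
  exec env $env_line flatpak "$@"
}

# Behave as a wrapper when given arguments (e.g. "flatpak-tor update");
# with none, just print usage so the functions can also be sourced.
if [ "$#" -gt 0 ]; then
  flatpak_tor_run "$@"
else
  echo "usage: flatpak-tor <flatpak arguments>" >&2
fi
```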
== flatpak update integration ==
* users are given the ability to easily install flatpaks via browser-choice, but aren't given any easy way to update them
* add code to upgrade-nonroot that also updates flatpaks
* Aaron: Implemented: https://github.com/ArrayBolt3/usability-misc/tree/arraybolt3/flatpak-update
* Patrick: should be deferred until update torification has been improved
== investigate Debian Rolling ==
* investigate why the Debian Rolling initiative failed
** From initial research:
*** Lots of disagreement about how exactly to implement it, although https://lists.debian.org/debian-devel/2011/05/msg00275.html had a very large amount of positive feedback compared to other proposals
**** See also DEP-10 (https://dep-team.pages.debian.net/deps/dep10/) which is somewhat orthogonal but related
*** Limited manpower, no one appears to have tried to actually do it
*** Need to cope with the activity occurring in Debian's unstable and testing repositories, which have some turbulence and can cause issues if one isn't careful
*** Likely worth trying to resurrect
* contact people involved previously, if that makes sense
* suggest prospective developers
* Started to write tooling for this: https://github.com/ArrayBolt3/drk. Very incomplete, nowhere near usable. Will keep developing this.
== repository-dist - improvements ==
* {{Github_link|repo=repository-dist|path=?}}
* GUI: detect the stable, stable-proposed-updates, testers, developers setting in the GUI. I.e. if re-running the tool, keep the former setting. Should this depend on the previous choice in the GUI (status files, probably easier) or the actual status on the disk (might be manually modified by the user)?
* add support for switching back and forth between clearnet and onion
== Tool to onionize all APT sources ==
* https://forums.whonix.org/t/tool-to-onionize-all-apt-sources/13367
* Should it be part of repository-dist or a standalone tool?
== verified boot implementation ==
* assume firmware can extend trust to the kernel via Sovereign Boot
* create a system for extending trust from the kernel to initramfs and userland
* possibly investigate immutable images?
* Implementation idea notes:
** A system running with Verified Boot enabled must have the root partition in live mode (read only with tmpfs overlay). Therefore something similar to live mode will be needed when running in "verified mode".
** dm-verity is what Google uses; there seems to be no compelling reason for us to avoid it.
** Kernel modifications are not permitted; Kicksecure will be signing Debian's shim, meaning only vanilla Debian kernels will be bootable. Rely on alternative ways of storing the dm-verity root hash in a secure immutable fashion, such as:
*** TPM / Measured Boot? Highly desirable if security issues don't result, as this avoids the need for user interaction unless something goes wrong.
**** Would require some way of authenticating that the TPM has not been reset (similar to Heads TOTP/HOTP codes)
*** User providing the hash on an external drive?
*** Verification passphrase similar to the LUKS passphrase?
** Patrick: TPM is unavailable inside VMs? In this case, verified boot support is still desirable.
* Patrick
** Whonix-Gateway: either no verified boot initially or install user-sysmaint-split by default
** persistent mode: verified boot should still allow for persistent logs
** [[Verified_Boot#When_the_verification_is_over.3F|When the verification is over?]]:
*** "verification is a continuous process happening as data is loaded into memory"
*** "This means if malware manages to modify the /usr/bin/mv program despite immutability, then dm-verity would notice this the next time the user or system is attempting to execute that command."
*** The security gained from this feature is somewhat reduced if the attacker can use ephemeral overlays.
** consider [[Sysmaint#enable_sudo_access_in_USER_session|enable sudo access in USER session]] (developer debug mode): disable verified boot + write to disk + regenerate verified boot hash tree (this is to ease debugging issues only happening in user session but not in sysmaint session)
* prefer Debian on a true read-only filesystem without ephemeral overlay, to benefit from the kernel's continuous verification-after-boot feature
** [[Verified_Boot#Challenges_with_Immutable_Filesystems|Challenges with Immutable Filesystems]]
*** As-needed ephemeral overlays
*** Use alternate software that doesn't require root to be writable
*** as feasible, up for discussion
== permission-hardener - live bug ==
* got a bug report by e-mail
sudo apt install network-manager-openvpn-gnome
security-misc (3:44.4-1)  ...
INFO: triggered security-misc: 'security-misc' security-misc DPKG_MAINTSCRIPT_NAME: 'postinst' $*: 'triggered /usr' 2: '/usr'
/usr/libexec/security-misc/mmap-rnd-bits: INFO: Successfully written ASLR map
config file:
/etc/sysctl.d/30_security-misc_aslr-mmap.conf
Running SUID Disabler and Permission Hardener... See also:
https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener
/var/lib/dpkg/info/security-misc.postinst: INFO: running: permission-hardener enable
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --add --update root shadow 744 /usr/lib/live/mount/rootfs/filesystem/usr/sbin/unix_chkpwd
dpkg-statoverride: : `/usr/lib/live/mount/rootfs/filesystem/usr/sbin/unix_chkpwd'
permission-hardener: [ERROR]: Command 'dpkg-statoverride --add --update root shadow 744 /usr/lib/live/mount/rootfs/filesystem/usr/sbin/unix_chkpwd' failed with exit code '2'! calling function name: 'commit_policy'
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --admindir /var/lib/permission-hardener-v2/new_mode --add root shadow 744 /usr/lib/live/mount/rootfs/filesystem/usr/sbin/unix_chkpwd
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --add --update root root 744 /usr/lib/live/mount/rootfs/filesystem/usr/bin/pkexec
dpkg-statoverride: : `/usr/lib/live/mount/rootfs/filesystem/usr/bin/pkexec'
permission-hardener: [ERROR]: Command 'dpkg-statoverride --add --update root root 744 /usr/lib/live/mount/rootfs/filesystem/usr/bin/pkexec' failed with exit code '2'! calling function name: 'commit_policy'
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --admindir /var/lib/permission-hardener-v2/new_mode --add root root 744 /usr/lib/live/mount/rootfs/filesystem/usr/bin/pkexec
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --add --update root root 744 /usr/lib/live/mount/rootfs/filesystem/usr/bin/sudo
dpkg-statoverride: : `/usr/lib/live/mount/rootfs/filesystem/usr/bin/sudo'
permission-hardener: [ERROR]: Command 'dpkg-statoverride --add --update root root 744 /usr/lib/live/mount/rootfs/filesystem/usr/bin/sudo' failed with exit code '2'! calling function name: 'commit_policy'
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --admindir /var/lib/permission-hardener-v2/new_mode --add root root 744 /usr/lib/live/mount/rootfs/filesystem/usr/bin/sudo
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --add --update root shadow 744 /usr/lib/live/mount/medium/usr/sbin/unix_chkpwd
dpkg-statoverride: : `/usr/lib/live/mount/medium/usr/sbin/unix_chkpwd'
permission-hardener: [ERROR]: Command 'dpkg-statoverride --add --update root shadow 744 /usr/lib/live/mount/medium/usr/sbin/unix_chkpwd' failed with exit code '2'! calling function name: 'commit_policy'
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --admindir /var/lib/permission-hardener-v2/new_mode --add root shadow 744 /usr/lib/live/mount/medium/usr/sbin/unix_chkpwd
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --add --update root root 744 /usr/lib/live/mount/medium/usr/bin/pkexec
dpkg-statoverride: : `/usr/lib/live/mount/medium/usr/bin/pkexec'
permission-hardener: [ERROR]: Command 'dpkg-statoverride --add --update root root 744 /usr/lib/live/mount/medium/usr/bin/pkexec' failed with exit code '2'! calling function name: 'commit_policy'
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --admindir /var/lib/permission-hardener-v2/new_mode --add root root 744 /usr/lib/live/mount/medium/usr/bin/pkexec
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --add --update root root 744 /usr/lib/live/mount/medium/usr/bin/sudo
dpkg-statoverride: : `/usr/lib/live/mount/medium/usr/bin/sudo'
permission-hardener: [ERROR]: Command 'dpkg-statoverride --add --update root root 744 /usr/lib/live/mount/medium/usr/bin/sudo' failed with exit code '2'! calling function name: 'commit_policy'
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --admindir /var/lib/permission-hardener-v2/new_mode --add root root 744 /usr/lib/live/mount/medium/usr/bin/sudo
permission-hardener: [NOTICE]: To compare the current and previous permission modes, install 'meld' (or preferred diff tool) for comparison of file mode changes:
sudo apt install --no-install-recommends meld
meld /var/lib/permission-hardener-v2/existing_mode/statoverride /var/lib/permission-hardener-v2/new_mode/statoverride
permission-hardener: [ERROR]: Exiting with non-zero exit code: '203'
/var/lib/dpkg/info/security-misc.postinst: ERROR: Permission hardening failed.
* random guess: Could there be issues with non-latin language settings?
* Why is it /usr/lib/live/mount/rootfs/filesystem?
* Could it be that the user booted into live mode?
* Maybe a case of low RAM where no further writes to RAM were possible?
* Booting into live mode and using APT should be supported as much as feasible.
* In case of insufficient information, could you please add debug code to provide more information in the future?
* Unsure if further information can be requested from the reporter, but I could try.
* Useful to add:
test -w "${file_name_from_stat}"
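An added example (not permission-hardener's own code) of what the test -w check above could become once placed in front of the dpkg-statoverride calls seen in the log: it reports a read-only target, such as the squashfs and ISO paths under /usr/lib/live/mount, by name instead of a bare exit code 2. The function names, the return codes and the findmnt-based hint are assumptions of this illustration.

```shell
#!/bin/sh
# Added example, not permission-hardener's own code: a preflight check run
# before each dpkg-statoverride call so that a read-only target yields a
# message naming the cause instead of dpkg-statoverride's bare exit code 2.
# Return codes (chosen for this example): 0 ok, 2 missing, 3 not writable.
set -u

preflight_statoverride_target() {
  file="$1"
  if [ ! -e "$file" ]; then
    echo "permission-hardener: [ERROR]: target '$file' does not exist" >&2
    return 2
  fi
  # test -w calls access(2); even for root it fails with EROFS on a
  # read-only filesystem, which is the situation the bug report hit.
  if [ -w "$file" ]; then
    return 0
  fi
  hint=""
  if command -v findmnt >/dev/null 2>&1; then
    # findmnt --target reports the mount containing the path; look for "ro".
    mnt_opts="$(findmnt -n -o OPTIONS --target "$file" 2>/dev/null || true)"
    case ",$mnt_opts," in
      *,ro,*) hint="$hint; filesystem is mounted read-only" ;;
    esac
  fi
  case "$file" in
    /usr/lib/live/mount/*)
      hint="$hint; path is inside a live-boot medium (a Debian Live session cannot be distribution-morphed)" ;;
  esac
  echo "permission-hardener: [ERROR]: cannot modify '$file'$hint" >&2
  return 3
}

# Drop-in for the "dpkg-statoverride --add --update OWNER GROUP MODE FILE"
# calls from the log; also refuses early if the dpkg database directory
# (DPKG_ADMINDIR is honoured by dpkg tools) is itself not writable.
guarded_statoverride() {
  owner="$1"; group="$2"; mode="$3"; file="$4"
  admindir="${DPKG_ADMINDIR:-/var/lib/dpkg}"
  if [ ! -w "$admindir" ]; then
    echo "permission-hardener: [ERROR]: dpkg admindir '$admindir' is not writable" >&2
    return 3
  fi
  preflight_statoverride_target "$file" || return $?
  dpkg-statoverride --add --update "$owner" "$group" "$mode" "$file"
}
```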
* permission hardener might not be the cause of this issue. However, ideally it would show a better error message pointing out the issue.
* Aaron: Cannot reproduce on ISO or in LIVE mode USER.
** The /usr/lib/live/mount path suggests that the issue is the result of attempting to distribution-morph a vanilla Debian Live session. This, IMO, is not something we should support, because:
*** All changes will be lost on reboot, meaning someone who uses this in production will be downloading a lot of Kicksecure packages from our infra every time they start the system.
*** We already offer a live Kicksecure ISO.
*** None of the kernel hardening options will be enabled, and they can't be enabled, because that would require a reboot which will discard everything.
*** And of course, permission-hardener doesn't expect anything under /usr to be read-only.
** Would suggest adding a warning to the distribution morphing documentation that a live Debian ISO session can't be morphed, and that one should download a live Kicksecure ISO if they need a Kicksecure-enhanced live system.
* Patrick: Done. Documented.
* Could you please add better error handling in this case?
== audio ==
=== audio generally ===
* https://forums.whonix.org/t/port-from-pulseaudio-to-pipewire-for-audio-support/16879/40
* please read, comment if something useful to share
=== VirtualBox Intel HD Audio and PipeWire Incompatibility / Audio broken after increasing ram to 5 GB / No sound after latest updates - PipeWire Bug? ===
* https://forums.whonix.org/t/virtualbox-intel-hd-audio-and-pipewire-incompatibility-audio-broken-after-increasing-ram-to-5-gb-no-sound-after-latest-updates-pipewire-bug/18211
* https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1081965
* please investigate if doable with reasonable effort
* Tried switching between Pulseaudio and Pipewire on a booted VM, discovered I could "initialize" the speakers with Pulseaudio and then Pipewire would work thereafter
* Virtually certain this is an upstream bug, was able to reproduce with both Ubuntu 24.04 and Arch Linux.
* Suggest switching to AC97 audio (even Arch Linux defaults to this under Virtualbox).
* Need to investigate upstream code
* Could not get any meaningful hints from pipewire, wireplumber, and pipewire-pulse logs. Pulseaudio shows an "alsa woke us up to write new data to the device but there was actually nothing to write" error in its logs. At this point this is likely to be a bug in VirtualBox or the snd-hda-intel kernel driver.
== live-build - test lb config --dm-verity ==
* Does the ISO still function if built with lb config --dm-verity?
* Does it break apt-get install pkg-name? It might not break it due to overlayfs.
* Lacks live-build support when used with dracut:
** lb config won't even run if you try to enable verity and dracut at the same time, unless you override live-build by commenting that sanity check out
** The ISO won't build initially because the dm-verity building code is trying to find the live filesystem in the wrong location
** dracut isn't configured to include systemd-veritysetup-generator, needed for verifying the root FS in the first place
** No kernel command line options are added to the ISO for verity setup
== Kicksecure Firewall ==
https://forums.kicksecure.com/t/kicksecure-firewall/378/10
== Meta Packages, Kicksecure, Whonix - Desktop versus Server ==
https://forums.kicksecure.com/t/meta-packages-kicksecure-desktop-versus-kicksecure-server/415
== wipe video RAM ==
* add wipe video RAM support to [[ram-wipe]]
* maybe based on https://wiki.archlinux.org/title/Swap_on_video_RAM
* maybe also based on https://github.com/divestedcg/Brace/blob/master/brace/etc/profile.d/brace-env-overrides.sh
# zero video RAM to prevent leakage
# see (CC BY-SA 4.0): https://www.adlerweb.info/blog/2012/06/20/nvidia-x-org-video-ram-information-leak
export R600_DEBUG=zerovram;
export AMD_DEBUG=zerovram;
export RADV_DEBUG=zerovram;
* if doable with reasonable effort
== Tor 0.4.8.9 broken in combination with vanguards ==
* https://gitlab.torproject.org/tpo/core/tor/-/issues/40892
* write a script that uses git bisect to automatically test which commit introduced this issue, maybe based on https://forums.whonix.org/t/vanguards-additional-protections-for-tor-onion-services/8064/64
* if not done by upstream yet
* if doable with reasonable effort
* Aaron: vanguards has been removed from Debian Trixie, still worth doing?
== VirtualBox serial console ==
* {{CodeSelect|inline=true|code=sudo apt install serial-console-enable}}
* [[Recovery#Serial_Console|Serial Console]]
* causes bug (spam of journal)
* https://forums.whonix.org/t/serial-console-in-virtualbox/8021/13
* fixable? upstream bug report?
* would installation by default be sane or a security issue?
== KVM related ==
=== KVM - 3D Graphics Acceleration - SPICE - Testing - drm ===
* please test: https://www.whonix.org/wiki/KVM#3D_Graphics_Acceleration_-_Testing_-_drm
* please mention your configuration (still using SPICE), quote Patrick and report here: https://forums.whonix.org/t/how-to-enable-3d-acceleration-in-kvm/16501/22
* test if DRM (direct rendering manager) is enabled as per https://www.whonix.org/wiki/KVM#3D_Graphics_Acceleration_-_Testing_-_Direct_Rendering_Manager
* test performance as per https://www.whonix.org/wiki/KVM#3D_Graphics_Acceleration_-_Testing_-_Performance
=== KVM - 3D Graphics Acceleration - Performance Test - Display SDL ===
* https://forums.whonix.org/t/how-to-enable-3d-acceleration-in-kvm/16501/22
* test SDL
* test if DRM (direct rendering manager) is enabled as per https://www.whonix.org/wiki/KVM#3D_Graphics_Acceleration_-_Testing_-_drm
* test performance as per https://www.whonix.org/wiki/KVM#3D_Graphics_Acceleration_-_Testing_-_Performance
=== KVM - 3D Graphics Acceleration - Performance Test - Display GDK ===
* https://forums.whonix.org/t/how-to-enable-3d-acceleration-in-kvm/16501/22
* test GTK
* test if DRM (direct rendering manager) is enabled as per https://www.whonix.org/wiki/KVM#3D_Graphics_Acceleration_-_Testing_-_drm
* test performance as per https://www.whonix.org/wiki/KVM#3D_Graphics_Acceleration_-_Testing_-_Performance
=== KVM - verify AppArmor sVirt confinement operation ===
* https://forums.whonix.org/t/help-welcome-kvm-development-staying-the-course/166/593
=== KVM - use rootless ===
* https://forums.whonix.org/t/rootless-virtual-machines-with-kvm-and-qemu/20952
* port documentation (and XML files, if needed) to qemu:///session, if sane
* search the Kicksecure and Whonix wikis - using [[Special:ReplaceText]]
* re-check if sVirt is still functional
=== KVM - port to unix domain socket based internal networking for Whonix-Gateway to Whonix-Workstation connections ===
* https://forums.whonix.org/t/help-welcome-kvm-development-staying-the-course/166/594
* update documentation
** https://www.whonix.org/wiki/Multiple_Whonix-Workstation#How-to:_Use_more_than_One_Whonix-Workstation_-_Easy
** https://www.whonix.org/wiki/KVM#Creating_Multiple_Internal_Networks
** https://www.whonix.org/wiki/Multiple_Whonix-Gateway#KVM
=== KVM - IPv6 router advertisement issues ===
* when is set in Whonix-external-network.xml, Whonix-Gateway cannot get an Internet-facing IPv6 address
* router solicitation messages are being sent according to tcpdump, but router advertisement messages are not being received in response
* removing from both the external and internal network configuration resolves the issue
* removing from only the external network configuration resolves the issue if and only if Whonix-Gateway is allowed to fully boot before Whonix-Workstation is started
* the above issues are present with Ubuntu 24.04's libvirt
* test a newer libvirt version (using Arch Linux?)
* file a bug report if necessary
== machine-id research ==
* in preparation for the next task
* please read prior discussions
* https://www.whonix.org/wiki/Protocol-Leak-Protection_and_Fingerprinting-Protection#Identifiers_Design_Goals
* https://forums.whonix.org/t/revisit-handling-of-var-lib-dbus-machine-id/18827
* https://forums.whonix.org/t/anonymize-etc-machine-id/7721
* https://gitlab.tails.boum.org/tails/tails/-/issues/7100
* nowadays implemented in dist-base-files
** ./packages/kicksecure/dist-base-files/var/lib/dbus/machine-id
** ./packages/kicksecure/dist-base-files/etc/machine-id
* but maybe needs to be moved back to anon-base-files when porting to Debian trixie? (hard to migrate within the same release codename)
* The machine-id files should not be shipped by a package. They are intended to be generated, not hardcoded, thus Debian's code is probably not going to cope well when a package ships these files. Case in point: live-build deletes them to avoid machines with duplicate IDs in the wild, when we want machines with duplicate IDs in the wild.
* Calamares is designed to write the machine-id files at installation time. It has a dedicated module for this purpose. However, it does not permit specifying a hardcoded machine-id other than a literal "uninitialized" value or an empty file. So we will have to resort to using a shellprocess for Whonix-Host that will detect when Whonix is in use, and overwrite the machine-id files with a static machine-id. Calamares is the proper location to do this at IMO, since it's designed for this, systemd's docs suggest using the installer for this, and I fear we could run into problems trying to do this on first boot with a systemd unit.
** Patrick: Please implement.
** Patrick: Note, Whonix VMs are built using grml-debootstrap. While using a package to handle these files might be the wrong way, Whonix VMs still need these.
== Polkit - run only in sysmaint mode ==
* [[Polkit]]
* todo: discuss
* find solutions on how to have functional shutdown/restart/etc. buttons

== speed up build system ==
* get --force-unsafe-io working again or at least partially working, it's broken with mmdebstrap but maybe we can use it in some areas at least
* parallelize package builds if possible
* if we could figure out a hack to use native (de)compression routines rather than emulated ones, that would probably help immensely

== per-app UID sandboxing ==
* todo: discuss
* related to the following tasks

== stackable wrappers ==
* in preparation for the next two tasks
* forum discussion: [https://forums.whonix.org/t/stackable-wrappers/7944 stackable wrappers]
* {{Github_link|repo=proposals|path=/blob/master/634-stackable-wrappers.md|text=proposals repository: 634-stackable-wrappers.md}}
* Debian feature request: [https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=822693 Feature Request: Automatically starting programs under firejail]
* review, comment, pull request where applicable
* draft and/or open a discussion on debian-devel
* use cases:
** automatically sandbox applications (such as when typing "browser-name")
** warn user against starting certain applications inside sysmaint mode such as browsers
** apply system resource restraints: https://forums.whonix.org/t/constrained-system-resources-program-starter-wrapper/10914

== check out bubblejail ==
* https://github.com/igo95862/bubblejail
* in preparation for next task

== sandbox-app-launcher ==
* [[sandbox-app-launcher]]
* review
* promising? worth bringing back to life, polishing?
* at odds with apparmor.d?
* better using bubblejail?
== automated test suite - cli version ==
* todo: discuss

== apparmor.d review ==
* https://github.com/roddhjav/apparmor.d
* https://forums.whonix.org/t/apparmor-d-full-set-of-apparmor-profiles-1500-profiles/17389
** review
* https://github.com/roddhjav/apparmor.d/issues?q=is%3Aissue+author%3Aadrelanos
** check ticket status
* lightweight security review
** conceivable or too much effort?

== improved server support ==
* documentation
** rebrand wiki CLI for server
* Linux account passwords?
* cloudinit?
* vm-config-dist versus autologin CLI vs GUI vs server

== hidepid ==
* general information: https://www.kicksecure.com/wiki/Security-misc#hidepid
* enable by default for users of user-sysmaint-split?
* hidepid seems to make most sense if using user-sysmaint-split, because then account "user" cannot use sudo/pkexec anyhow
* test and implement https://github.com/systemd/systemd/issues/29893#issuecomment-2757436101 if sane

== research shred ==
* research if shred is still useful nowadays
* if not, should be replaced by safe-rm

= WAITING ON =

== trixie port - Whonix Qubes template issues ==
* reported by Marek on Matrix:
** "in Whonix 18 workstation, opening "file manager" via domains widget opens "Catfish", not "pcmanfm-qt". Looks like some default apps are not set correctly (qubes calls xdg-open $HOME, which should open default app for inode/directory type)."
** "something doesn't work with pcmanfm-qt actions - I see only "QubesOS Edit in DisposableVM" action, not any of copy/move, or view in disposable; on top of that, looks like file names are swapped (action for viewing in dispvm is in file named edit, and action for editing is in file named open); and I have no idea where the "QubesOS" prefix comes from"
*** Aaron: Fixed, required changes both on our side and on the Qubes side:
**** usability-misc: https://github.com/ArrayBolt3/usability-misc/commit/0a8c2d7d97345d78aa7cd58199b5b67925ab93cf
**** qubes-gui-agent-linux: https://github.com/QubesOS/qubes-gui-agent-linux/pull/246
*** Aaron: Fixed:
**** kicksecure-meta-packages: https://github.com/ArrayBolt3/kicksecure-meta-packages/commit/ab29e2a064404b7462dca7e3956712e86799e30f
**** developer-meta-files: https://github.com/ArrayBolt3/developer-meta-files/commit/36056e1856cd37b2f57b573a029dfa427f23f41c
* Patrick: Merged.
* Aaron: Still working on the Qubes PR.

== kloak - Qubes OS input anonymization flicker bug ==
* https://github.com/QubesOS/qubes-issues/issues/10286
* Fix submitted: https://github.com/QubesOS/qubes-gui-daemon/pull/172

== kloak - handle dynamic keyboard layout changes ==
* when the user changes the keyboard layout in labwc, kloak's keyboard layout configuration does not change to match
* Aaron: Discovered this is a bug in labwc, reported: https://github.com/labwc/labwc/issues/3113
** Waiting on upstream's response. For now, we should document that one must restart kloak with Right Shift + Escape to make a keyboard layout change take effect.

== apt solver bug - pulling in incorrect alternative dependencies ==
* https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1113744
* Obtain requested debugging information and attach to ticket
* Aaron: Added new information to ticket, waiting on response.

== trixie port - update derivative signing key derivative.asc ==
* plan how to use a new signing key
** Aaron: Where all do we use the signing key?
It's used to sign:
*** apt packages
*** git commits
*** git tags
*** OS images
*** Warrant canaries?
**** These are signed by OpenBSD's signify tool, not GPG, thus their key migration does not necessarily have to be bound to derivative.gpg's rotation.
*** anything else?
** apt package migration:
*** Due to how apt packages work, it is probably best to do this during release upgrade. Ship a new version of the key in legacy-dist in Bookworm only, install it during the release upgrade procedure and ensure all packages that are ever a part of the trixie repositories are signed with the new key.
** git commit/tag migration:
*** The key expires, so there isn't a risk of it being used to sign newer packages after expiration. Just start signing commits with the new key and let expiration handle everything else.
*** Add the new key to the list of trusted keys in derivative-maker so that people can still build older tags/commits if they need to.
** OS image migration:
*** Just start using the new key to sign OS images. Announce the key change publicly (i.e. on the forums) so users expect to need to update their key. Sign the new key with the old key so that users with high security requirements can transition from one key to the next without having to re-establish trust in the key.
** Canary migration, if needed:
*** Can we just start signing canaries with the new key? Or do we need to put the canaries in a different location and stop updating the old ones?
* Patrick:
** The plan might be good enough.
** I might just extend the validity of the signing key and postpone this plan.
* Patrick:
** Key has been extended.
* Aaron:
** Moved to WAITING ON for now, we should move this back to TODO once we're ready to do the actual key rotation.

== trixie port - display brightness ==
* https://forums.kicksecure.com/t/display-brightness/1271/2
* Aaron: See notes in chat.
== trixie port - Qubes R4.3 Templates ==
* Kicksecure, Whonix: Please bump Qubes R4.3 upstream to Kicksecure, Whonix 18
* Aaron: Waiting on input on upgrade plan.
* https://github.com/QubesOS/qubes-issues/issues/10253
* Aaron: Marek seems to be doing this so far. Will watch and assist where possible.

== investigate Tor Browser metadata signing and expiration ==
* in context of: https://github.com/QubesOS/qubes-issues/issues/9983#issuecomment-3028994433
* Tor Browser does not appear to sign metadata. Even metadata used by Tor Browser's internal updater might be relying on unsigned metadata.
* Important to explain: Not only is signed metadata required, fresh metadata is required too. Therefore periodic re-signing is required.
* Compare with Firefox: Does Firefox's internal updater even have this feature? If Firefox has it, making the argument for Tor Browser to enable it might be much easier. If not, it might be better to request this feature from Mozilla as well.
* goal of this ticket: The only goal of this ticket is to post feature requests / bug reports on Tor Project (and Mozilla issue tracker if applicable) and to properly communicate this.
* non-goal: implementation
* info:
** Tor Browser uses json files: https://aus1.torproject.org/torbrowser/update_3/release/download-linux-x86_64.json
** Firefox uses xml as per https://firefox-source-docs.mozilla.org/toolkit/mozapps/update/docs/InAppUpdateProcess.html
* draft:
'''Rollback Attacks Definition:'''

The Update Framework (TUF) defines `rollback attacks` [x]

> An attacker presents files to a software update system that are older than those the client has already seen. With no way to tell it is an obsolete version that may contain vulnerabilities, the user installs the software. Later on, the vulnerabilities can be exploited by attackers.

'''Rollback Attack Protection and Valid-Until Field'''

Rollback attacks attempt to trick the updater into applying an outdated (and potentially vulnerable) version of the software. One widely recommended mitigation against rollback attacks is using a "Valid-Until" field or equivalent freshness period in the signed metadata, after which a given update should no longer be accepted.

Firefox's internal updater does not publicly mention using a "Valid-Until" field (or explicit expiration on update metadata) to guarantee update freshness or safeguard against replay/rollback attacks in the same way as systems like The Update Framework (TUF) or Debian's APT.

'''Non-solutions:'''

TLS might mitigate this attack, but higher security than what TLS can offer should be provided in case of TLS or server compromise.

'''Solution:'''

Server side: Sign, and automatically and periodically re-sign, update metadata.

Client side: Accept only metadata signed up to a certain age.

'''Resources:'''

Mozilla has blogged about rollback attacks in the past. [x]

[x] https://theupdateframework.io/docs/security/

[x] https://blog.mozilla.org/attack-and-defense/2020/10/12/guest-blog-post-rollback-attack/
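The draft's "Solution" (sign and periodically re-sign on the server, accept only metadata signed up to a certain age on the client) as an added, runnable illustration. This is example code written for this page, not anything from Tor Browser, Firefox or TUF; the JSON field names, the HMAC stand-in for the publisher's real signature, and all sample versions, dates and URLs are assumptions.

```python
"""Freshness and rollback check for signed update metadata.

Added example, not code from the page, Tor Browser or Firefox. Assumptions
(not from the page): the metadata is a JSON object with 'version', 'signed_at'
and 'valid_until' fields, and HMAC-SHA256 with a shared key stands in for the
publisher's real asymmetric signature so the example runs offline with only
the standard library.
"""
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

# Constructed sample key. A real publisher would use an asymmetric key pair
# and ship only the public half with the client.
PUBLISHER_KEY = b"constructed-example-key"


def _canonical(payload: dict) -> bytes:
    """Canonical serialisation so signer and verifier hash identical bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign_metadata(payload: dict, key: bytes = PUBLISHER_KEY) -> dict:
    """Server side: attach a signature (MAC here) over the canonical payload.

    Running this again with a later 'valid_until' is the draft's "automatically
    periodically re-sign" step.
    """
    mac = hmac.new(key, _canonical(payload), hashlib.sha256).hexdigest()
    return {"signed": payload, "mac": mac}


def _version_tuple(version: str) -> tuple:
    return tuple(int(part) for part in version.split("."))


def verify_update(doc: dict, last_seen_version: str, now: datetime,
                  key: bytes = PUBLISHER_KEY) -> tuple:
    """Client side. Returns (accepted, reason).

    Order matters: authenticity first, then freshness (Valid-Until), then a
    monotonic version check against what this client already saw (rollback).
    """
    payload = doc.get("signed")
    if not isinstance(payload, dict) or not isinstance(doc.get("mac"), str):
        return False, "malformed metadata"
    expected = hmac.new(key, _canonical(payload), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, doc["mac"]):
        # Any edit to the payload (e.g. a lowered version) invalidates it.
        return False, "bad signature"
    valid_until = datetime.fromisoformat(payload["valid_until"])
    if now > valid_until:
        # Genuine but stale: replaying an old signed document is caught here.
        return False, "expired metadata (possible replay)"
    if _version_tuple(payload["version"]) < _version_tuple(last_seen_version):
        # Genuine and fresh, yet older than what this client already saw.
        return False, "rollback: older than last seen version"
    return True, "ok"


# Constructed sample documents (no real Tor Browser versions or URLs).
SIGNED_AT = datetime(2025, 1, 1, tzinfo=timezone.utc)
FRESHNESS = timedelta(days=7)   # publisher must re-sign at least this often


def _doc(version: str, signed_at: datetime) -> dict:
    return sign_metadata({
        "version": version,
        "signed_at": signed_at.isoformat(),
        "valid_until": (signed_at + FRESHNESS).isoformat(),
        "url": f"https://updates.example.invalid/tor-browser-{version}.tar.xz",
    })


CURRENT = _doc("14.0.4", SIGNED_AT)                         # served today
STALE_OLD = _doc("14.0.2", SIGNED_AT - timedelta(days=60))  # old doc kept by an attacker
OLD_RESIGNED = _doc("14.0.2", SIGNED_AT)                    # old version, freshly re-signed


def demo(last_seen: str = "14.0.3") -> dict:
    """Exercise every outcome for a client that last saw 'last_seen'."""
    now = SIGNED_AT + timedelta(days=2)
    tampered = json.loads(json.dumps(CURRENT))
    tampered["signed"]["version"] = "14.0.1"   # edited without re-signing
    return {
        "fresh": verify_update(CURRENT, last_seen, now),
        "replayed_stale": verify_update(STALE_OLD, last_seen, now),
        "resigned_old": verify_update(OLD_RESIGNED, last_seen, now),
        "tampered": verify_update(tampered, last_seen, now),
        "client_offline_long": verify_update(CURRENT, last_seen, now + timedelta(days=30)),
    }


if __name__ == "__main__":
    for case, (ok, why) in demo().items():
        print(f"{case:20s} accepted={ok!s:5s} {why}")
```

Note that "client_offline_long" shows the cost of the Valid-Until approach: a client that has been offline longer than the freshness window rejects otherwise-good metadata until it fetches a freshly re-signed copy.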
* Aaron: Filed issue against Tor Browser: https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/44039 Also requested a Tor Project Gitlab account, which I now have.
** I did not file a report against Mozilla Firefox, because their update mechanism involves automatically generated XML created by a backend server, whereas The Tor Project's update metadata seems to be static and not nearly as complicated.

== grml-debootstrap bootloader installation failure in Docker ==
* https://github.com/grml/grml-debootstrap/issues/348#issuecomment-3017083278
* please use discretion on how worthwhile it is to spend time on this. As in, if you think it's doable without huge effort and you like docker, please implement. Otherwise, please only provide instructions for reproduction and leave it to upstream or tableseeker to fix.
** Aaron: Ran into complications trying to fix this myself, handed off to tabletseeker for further investigation.

== RPi GRUB - contribute to Debian ==
* Start a discussion and contribute to https://raspi.debian.net/ if accepted by upstream.
* This and the above ticket might result in implementation feedback, such as for options in config.txt.
* Combined this and the debian-arm notification ticket into a single email.
* https://lists.debian.org/debian-arm/2025/04/msg00012.html
* Found:
** https://salsa.debian.org/raspi-team
** Seems active as per: https://salsa.debian.org/raspi-team/image-specs/-/issues/74
** https://salsa.debian.org/raspi-team/image-specs/-/issues
*** Please consider posting a feature request there for RPi GRUB support, if that is sensible. Draft:
add support for GRUB as bootloader for RPi
I've recently succeeded in converting an existing Debian Trixie RPi image to boot using GRUB on the RPi 4B and extensively documented how to do that. [1] I also posted about this on the debian-arm mailing list. [2]

Booting in this way has several substantial advantages over the current Raspberry Pi boot process:

* The kernel command line can be modified via /etc/default/grub and files under /etc/default/grub.d. Some software requires or benefits from such modifications and leverages this mechanism in GRUB to make non-invasive changes to the command line. With direct kernel boot, these changes are silently ignored, while with U-Boot + GRUB, they are correctly applied.
* In the event of a bad kernel update, users can easily boot into older kernels as they would on a typical desktop system.
* Recovering from a broken boot without a secondary system becomes much easier, as users can use the GRUB and U-Boot consoles to debug and manually boot the system.
* Multiboot installations on the Pi become possible.

Is this a feature for which you would welcome a merge request here, either as an option or even as the default?

Obviously, at this point, RPi GRUB support could only be added to Forky and later.

(I've also recently submitted a pull request to `grml-debootstrap` (a Debian bootable image builder tool) [3] [4] implementing "basic" RPi support.)

* [1] https://www.kicksecure.com/wiki/Dev/boot#Booting_Debian_Trixie_with_GRUB_+_u-boot_on_Raspberry_Pi_4
* [2] https://lists.debian.org/debian-arm/2025/04/msg00012.html
* [3] http://packages.debian.org/grml-debootstrap
* [4] https://github.com/grml/grml-debootstrap/pull/335
* Aaron: Filed issue upstream using template: [https://salsa.debian.org/raspi-team/image-specs/-/issues/78 Support U-Boot + grub-efi boot flow]
** Also filed a bug report against raspi-firmware: [https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1102607 Add support for U-Boot + grub-arm64-efi boot flow]

== RPi grml-debootstrap ==
* https://github.com/grml/grml-debootstrap/issues/114
* Draft PR at https://github.com/grml/grml-debootstrap/pull/335, needs more testing and work
* Tested and polished PR and marked it as ready for review.
* Added question about future support for U-Boot + grub-efi-arm64.

== grml-debootstrap - EFI partition size ==
* https://github.com/grml/grml-debootstrap/issues/221
* zeha currently does not want to implement this until systemd-boot "happens" (I'm guessing this means until it is supported by grml-debootstrap).

== GRUB - Debian packages grub-pc and grub-efi co-install-ability ==
* please submit a patch to Debian to make grub-pc and grub-efi co-installable
* [https://bugs-devel.debian.org/cgi-bin/bugreport.cgi?bug=904062 Allow concurrent installation of grub-pc and grub-efi-amd64]
* Submitted and awaiting review: [https://salsa.debian.org/grub-team/grub/-/merge_requests/76#note_590495 Remove ucf conffile conflict between grub-pc and grub-efi-{amd64,ia32}]
* Unfortunately this is not going to be able to make it into Trixie, it will have to wait for Forky before it makes it into Debian Stable.

== ISO - GRUB - silence cosmetic errors in live ISO GRUB ==
* Earlier attempts to fix cosmetic errors in GRUB failed, since they introduced bugs into the live-build-provided boot screen.
* Investigate how to fix this, potentially make an upstream feature request or patch if needed
* Errors include loadfont issues, Secure Boot loading issues
* Sent email to grub-devel mailing list to investigate this

== ISO - memtest86+ ==
error: bad shim signature
* Fixable?
* Apparently requires a security review: [https://github.com/rhboot/shim-review/issues/314 Meta: Signing memtest86+ v6.10]
* [https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1032375 memtest86+: fails to work with Secure Boot enabled]
* Asked about what contributions would allow this to move forward on the debian-efi mailing list: [https://lists.debian.org/debian-efi/2024/12/msg00021.html Memtest86+ Secure Boot signing]

== test SysRq keys under LXQt Wayland ==
* ensure SysRq+unraw, SysRq+k behave as expected in context of [[Login spoofing]]
* Has issues, wlroots bug reported at https://gitlab.freedesktop.org/wlroots/wlroots/-/issues/3930

== ISO - changed files issues ==
(annotated)
+ debsums --silent
debsums: changed file /usr/sbin/sources-media (from calamares-settings-debian package) - issue for future verified boot
debsums: missing file /var/lib/dbus/machine-id (from dist-base-files package) - issue for Whonix-Host, non-ideal for Kicksecure but not a blocker
+ debsums --config --silent
debsums: changed file /etc/calamares/modules/unpackfs.conf (from calamares-settings-debian package) - issue for future verified boot
debsums: changed file /etc/cryptsetup-initramfs/conf-hook (from cryptsetup-initramfs package) - issue for future verified boot
debsums: changed file /etc/machine-id (from dist-base-files package) - issue for Whonix-Host, non-ideal for Kicksecure but not a blocker
* All of these are modified by live-build itself:
** /usr/sbin/sources-media is modified by live-build/share/hooks/normal/5050-dracut.hook.chroot so that it points to the proper location of the on-ISO apt repo when dracut is in use (the location is different when initramfs-tools is used). The need for this could potentially be removed by modifying the sources-media script to autodetect the correct location, though this requires upstream to be receptive to the idea.
*** Please discuss upstream. Since there is already some sort of dm-verity support in upstream live-build (scripts/build/binary_dm-verity), upstream might be receptive.
**** Feature request filed: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1089618
** /var/lib/dbus/machine-id is deleted by live-build/share/hooks/normal/8020-remove-dbus-machine-id.hook.chroot, which has a note in it as follows: "This removes dbus machine id that cache that makes each system unique." This seems important and I can't think of an obvious way to avoid needing to do this. My Kicksecure VMs appear to have machine IDs, but it's unclear how they're being generated originally, so it may be worth enabling the machineid module in our Calamares configuration to ensure that the machine ID is properly generated.
*** See also: https://www.whonix.org/wiki/Protocol-Leak-Protection_and_Fingerprinting-Protection#Identifiers_Design_Goals
*** TODO: Discuss.
**** Proposal for fixing this made.
** /etc/calamares/modules/unpackfs.conf is modified by live-build/share/hooks/normal/5050-dracut.hook.chroot so that it points to the proper location of the on-ISO squashfs containing the operating system. Again, the location is different when initramfs-tools is used. This is a "hardcoded" configuration file, there isn't a way to add autodetection logic here. It might be possible to make a pull request to Calamares that would allow it to skip squashfses that didn't exist?
*** Yes, please discuss upstream.
**** Feature request filed: https://github.com/calamares/calamares/issues/2409
** /etc/cryptsetup-initramfs/conf-hook is modified by live-build/share/hooks/normal/1010-enable-cryptsetup.hook.chroot, where it is used to enable cryptsetup in initramfs-tools. Assuming this isn't legacy configuration, this seems important and I can't think of an obvious way to avoid needing to do this. Might be worth testing to see if this is still necessary though.
*** Yes, please.
**** Bug report made: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1089624
** /etc/machine-id is deleted by live-build/share/hooks/normal/8020-remove-dbus-machine-id.hook.chroot. Has a very similar note to the other machine ID deletion hook. Same concerns apply.
*** Proposal for fixing this made.

== ISO - Finish Module Action Follow-Up ==
* https://github.com/calamares/calamares/issues/2321
* please follow-up
* Followed up on Matrix, will follow up again soon on Github if I don't get a response.
* Was informed by Adriaan de Groot that the code is still unfinished, and also on his radar.

== live-build - add mmdebstrap support ==
* https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1031932
* https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1031929
* Merge request: https://salsa.debian.org/live-team/live-build/-/merge_requests/370

== live-build - use APT with error-on-any ==
* use option apt --error-on=any for all invocations of apt-get (update)
* only needed for apt-get update, otherwise superfluous but non-issue
* this is a security feature
* this is to prevent inconsistent images that succeeded connecting to the "normal" repository but failed to connect to the security repository
* can be implemented using already existing live-build option --apt-options OPTION|"OPTIONS"?
* Requires a patch to live-build.
Using --apt-options results in a build failure with: E: Command line option --error-on=any is not understood in combination with the other options
* Patch written, submitted upstream as https://salsa.debian.org/live-team/live-build/-/merge_requests/371. New configuration option now used in my branch of live-build.

== security-misc - investigate PAM ==
* there is /etc/pam.d/sudo-i for interactive and /etc/pam.d/sudo
* pam has concepts of common-session-noninteractive vs common-session (non-interactive)
* how could we on the PAM level notice if faillock is used interactively or non-interactively?
* if non-interactive, skip faillock
* if interactive, do not skip faillock
* Bug reports:
** https://github.com/linux-pam/linux-pam/issues/842
** https://github.com/sudo-project/sudo/issues/415
* Once we go sudoless, this will no longer be a concern except for VMs that aren't sudoless.

== live-build - grub.cfg GRUB configuration - loopback.cfg ==
* add https://www.supergrubdisk.org/wiki/Loopback.cfg compatibility (as the Debian Live ISO has)
* Requires fixes in live-build and Dracut to make work:
** live-build is specifying the wrong kernel parameter for loopback booting when using dracut - it's using findiso when it should be using iso-scan/filename. A fix for this has been integrated into my fork of live-build. MR to upstream here: https://salsa.debian.org/live-team/live-build/-/merge_requests/376
** dracut is failing to run udevadm trigger during its device scanning, so even when it finds the ISO and attaches it as a loopback device, it never finds it. Only appears to be a problem on Debian Bookworm, Trixie works just fine.
*** Task is on hold until we migrate to Trixie.
** (Side note: At least on QEMU, loopback mounts in GRUB fail with out-of-memory errors if the system uses UEFI. With BIOS it works fine. Not quite sure why this happens, very well may be an issue with QEMU's implementation of UEFI hardware or my usage thereof.)
== live-build - lb-binary should not run apt-get update ==
* todo
* Bug filed at https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1087470
* Note that the use of apt-get in the binary stage appears to be very baked into live-build's logic. It's pretty unlikely this will change.

== live-build - policy-rc.d handling ==
* https://salsa.debian.org/live-team/live-build/-/merge_requests/409

= REVIEW PLEASE =

== automate detection of new tor and tor-browser versions ==
* We currently ship Tor in the Kicksecure repository, taking packages from deb.torproject.org for this.
* We also hardcode a Tor Browser version number in tb-updater.
* Create scripts for finding the latest versions of Tor and Tor Browser, and taking the necessary actions to update them
## developer-meta-files
/usr/bin/dm-virtualbox-update-local-and-wiki-links
make_cross_build_platform_list="i386 amd64 arm64" ./build-steps.d/*_create-debian-packages --flavor internal --target root --function download_tpo_packages
./build-steps.d/*_create-debian-packages --flavor internal --target virtualbox --function download_packages_from_debian_sid
* Aaron: Implemented Tor package update script as dm-tor-update-repository, added wrapper in dm-packaging-helper-script.
* Aaron: Tor Browser version updater is already implemented as pkg_tor_browser_version_update in dm-packaging-helper-script.
* Aaron: Unsure where to add master wrapper to update Tor, Tor Browser, and VirtualBox all at once. Perhaps create a new shell script, dm-update-third-party-software-references or similar?

== systemcheck - split log parsing code ==
* https://github.com/Kicksecure/security-misc/issues/253#issuecomment-3379301931
* Aaron: Implemented: https://github.com/ArrayBolt3/systemcheck/commit/b1ed7254e51423466efcdee07c8fad9839818e73

== browser-choice - better notification when action such as installation is complete ==
* todo
* once there is an exit code of zero or non-zero, show a passive popup? change window color? animation?
* Aaron: Implemented in browser-choice. Also found and fixed an unrelated bug with dist-virtual-keyboard in helper-scripts.
** Decided to use a notify-send popup because that will work in both sysmaint and user sessions and has a good chance of getting the user's attention even if the browser-choice window is hiding behind another window or is minimized. Considered using QWindow::alert but this would probably have not worked in a sysmaint session.

== sysmaint - restart of greetd allows login into regular desktop session ==
* sudo systemctl restart greetd
* login as sysmaint
* bug: expected: sysmaint session. actual: normal desktop session
* Aaron: Fixed this and a bunch of related issues that popped up when the sysmaint session had autologin disabled. Changes pushed to helper-scripts, user-sysmaint-split, and desktop-config-dist.

== volume setting in sysmaint systray ==
* usability bug: when hovering over the volume control in sysmaint mode, the color gets darker, which implies it is clickable, but it actually is not clickable
* Aaron: Fixed with a commit to desktop-config-dist.
== calamares - keyboard layout setting broken in Wayland ==
* todo
* please set up for
** CLI user
** CLI sysmaint
** GUI user
** GUI sysmaint
* Aaron: Moving the systemd-localed keyboard layout set disable file out of the way does not result in labwc picking up the keyboard layout settings from Calamares. Will need to create a shellprocess module or similar to hack this into working right.
* Aaron: Implemented, changes pushed to helper-scripts, user-sysmaint-split, lxqt-wayland-session, and live-config-dist. All four scenarios now work as expected.

== ISO - virtualbox guest additions missing ==
* virtualbox guest additions missing on the Kicksecure ISO
** Aaron: Fixed: https://github.com/ArrayBolt3/derivative-maker/commit/c0d7bf7a24483d5984142b8c274f1b66597935c1

== sysmaint-panel - sysmaint mode - add display settings shortcut ==
* add open display settings
* rationale: When booting for the first time and into sysmaint mode inside a VM, the display is too big.
* Aaron: Implemented in sysmaint-panel. Also pushed commits to developer-meta-files and kicksecure-meta-packages for adding kanshi.

== /etc/apt/sources.list.d/debian.sources not readable by user, only readable by root ==
* is this intended?
* Aaron: Not intended. I'm unable to reproduce this issue though - neither a fresh ISO installation of Kicksecure nor Whonix-Gateway or Whonix-Workstation VirtualBox VMs have this issue. Also not seeing this issue in a Whonix-Gateway 18 sys-whonix on Qubes R4.3.
** I believe I've seen this issue occur in the past, but haven't seen it in a while. I'm happy to build new VM images and check them for this issue if desirable.

= ARCHIVED =

== setxkbmap replacement tool for wayland ==
* "setxkbmap de" used to be handy.
* implement
* add to helper-scripts
* Aaron: Implemented: https://github.com/ArrayBolt3/helper-scripts/commit/41ae1e120672b94351a4c3889181bb9be2991eb0

== calamares - language setup ==
* please set up for
** CLI user
** CLI sysmaint
** GUI user
** GUI sysmaint
* Aaron: Setting a non-English language in Calamares already sets the language for all of these scenarios in the installed system. Tested by doing an ISO installation of Kicksecure 18 with the language set to Spanish (Mexico). Spanish-translated strings were visible in all four session types. Admittedly, many strings were not translated, but that is likely simply a case of missing translations.

== trixie port - qubes-core-agent-pcmanfm-qt ==
* Aaron: Qubes templates are still referencing Xfce components, Xfce won't be installed anymore
* PRs:
** https://github.com/QubesOS/qubes-core-agent-linux/pull/608
** https://github.com/QubesOS/qubes-app-linux-img-converter/pull/24
** https://github.com/QubesOS/qubes-app-linux-pdf-converter/pull/36
* Filed, passes CI, works on my Qubes machine. Awaiting review from upstream.
** Reviewed, merged upstream.

== kloak - systemd ordering cycle ==
* host: trixie (non-Kicksecure)
 [SKIP} kloak.service to stop ordering cycle loop
graphical.target: Found ordering cycle on multi-user.target/start
graphical.target: Found dependency on kloak.service/start
graphical.target: Found dependency on graphical.target/start
graphical.target: Job kloak.service/start deleted to break ordering cycle starting with graphical.target/start
* wild guess: related to removal of symlinks?
* no more information available. Will hopefully be posted in the forums.
* Aaron: Cannot reproduce on Debian 13 with GNOME Desktop, using the pre-v2 version of kloak. User may have added a configuration rule that attempted to require kloak to start before multi-user.service. Waiting on more info.
* https://forums.whonix.org/t/kloak-latest-update-is-broken/22244

== ESP - EFI system partition versus dracut generic ==
* we're now using /etc/dracut.conf.d/30-dist-base-files.conf
compress="xz"
hostonly="yes"
hostonly_mode="sloppy"
* Should we therefore increase the size of the ESP?
* grml
** https://github.com/grml/grml-debootstrap/issues/221
* calamares
* Aaron: No changes needed to EFI partition size, dracut initramfs files are stored in /boot, not /boot/efi.
** As discussed, boot partition doesn't need to be larger, it's 4 GB with Calamares and is integrated into the root partition on VM images.
** grml-debootstrap is not interested in increasing the EFI partition size at this time, so I don't believe there's any reason to do this.
* Patrick: Should have said /boot partition.
** VMs: We are not using a separate /boot partition.
** Host: [https://www.phoronix.com/news/Fedora-43-Bigger-Boot-Firmware Fedora increased /boot to 2 GB] We're already using 4 GB for /boot when installing using calamares.
** This issue does not exist.

== bindp - compilation warning - _GNU_SOURCE redefined ==
Setting up bindp (3:4.2-1) ...
/usr/lib/bindp.c:48:9: warning: "_GNU_SOURCE" redefined
   48 | #define _GNU_SOURCE
      |         ^~~~~~~~~~~
: note: this is the location of the previous definition
** Aaron: This is because we have the compilation of bindp being done via a direct gcc call in the postinst. This is wrong, we should be using the Makefile in the postinst to build the library at runtime but without having to duplicate code in two locations. Will adjust postinst as appropriate to resolve this.
** Aaron: Fixed: https://github.com/ArrayBolt3/bindp/commit/c0592d2e284c7a0a6e825279c5ace87bb9a1f566
* Patrick: Merged.

== install an onscreen keyboard by default ==
* todo
* purpose: configuring a keyboard layout when not knowing how to enter some special character such as "=" on the keyboard using the local keyboard
* related: [[Software#On-Screen_Keyboard|On-Screen Keyboard]]
* Aaron: Done, new commits pushed to developer-meta-files, kicksecure-meta-packages, and usability-misc for this.
* Patrick: Merged.

== trixie port - Whonix update failure if sys-whonix isn't already running ==
* https://github.com/QubesOS/qubes-issues/issues/4096 has come back
* Probably related to delaying Tor's startup to accommodate IPv6 changes
* Possible ways of fixing the issue listed at https://github.com/QubesOS/qubes-issues/issues/4096#issuecomment-3383779544.
* Marek suggested a good fix, which works in testing. Implementation: https://github.com/ArrayBolt3/qubes-whonix/commit/34418e335c6ea8d09d018ebda871a2ead4f392c1

== change keyboard layout versus ISO ==
* currently, changing the keyboard layout requires a reboot, but that is a contradiction on the ISO which cannot be rebooted
** Aaron: I don't think keyboard layout changes require a reboot - if kloak isn't running, they take effect immediately after running labwc --reconfigure (which is automatically done by the newly created set-labwc-keymap script). If kloak is running, they take effect after kloak is restarted (which can be done even from a user session with Right Shift + Escape).
** In the event a full compositor restart was needed to make a settings change take effect, logging out and logging back in would be sufficient to restart the compositor, even on the ISO.
* https://github.com/labwc/labwc/issues/1407
** Aaron: This bug appears fixed in Trixie.

== sysmaint-panel - new shortcuts ==
* add onscreen keyboard shortcut
* add open display settings or open lxqt settings shortcut
* Aaron: Implemented, pushed commits to usability-misc, helper-scripts, sysmaint-panel.
** LXQt settings button will only appear in non-sysmaint sessions, as it is not useful and possibly misleading in sysmaint sessions.
* Patrick: Merged.

== sdwdate-gui - add left click menu ==
* usability bug: currently left click on sdwdate-gui does nothing
** Aaron: Unfixable or at least extremely difficult to fix due to a combination of Wayland and Qt limitations.
** Qt does not expose any API for popping up the menu the way a right-click pops it up. The only way to pop up a menu on a left-click is by using one of the exec() or popup() functions on the menu itself, which causes them to appear as a window in the middle of the screen under Wayland rather than them appearing as a popup menu.
** Both Qt5 and Qt6 behave in the same way.
** ChatGPT recommended using Gtk to create the context menu instead. A quick test revealed that Gtk has similar issues as Qt in this regard. I did not discover how to get a left-click to be registered by Gtk, documentation appears to be sparse and ChatGPT was not able to offer a functional suggestion.
** I tried to see if it would be possible to use D-Bus to trigger the StatusNotifierItem associated with the QSystemTrayIcon to pop up a menu. The closest I was able to get to making this work simply popped up a window containing the menu in the middle of the screen.
** The removable media and sound application icons seem to be left-clickable, but these are LXQt Panel plugins, not system tray icons. I suspect that's why they work, in which case that isn't a suitable solution for us.
** It might be possible in the future to create an LXQt panel plugin for sdwdate_gui_server, but this would most likely require rewriting sdwdate_gui_server in C++, which I do not believe is practical at the moment.
** For now, probably best to live with the issue, and make the time synchronization monitor popup specify "Right-click for menu" rather than "Click for menu".
** Commit pushed to sdwdate-gui to change wording as described above.

== labwc environment default configuration file ==
* if file ~/.config/labwc/environment does not exist, pre-populate it with XKB_DEFAULT_LAYOUT= (and other useful settings?)
* might not be needed if the tool below gets implemented
* Aaron: Ignoring in favor of setxkbmap replacement tool, as suggested.

== compiled code - remove unsafe sanitizers ==
* All sanitizers except minimal UBSan are unsafe to use in production, they may result in security vulnerabilities.
* LSan is causing sclockadj to go into an infinite loop on exit for Marek.
* Leave minimal UBSan runtime enabled, remove full UBSan and ASan from all code.
** As it turns out, only Clang supports the minimal UBSan runtime, but we use GCC, so this is not possible. Just disable all sanitizers.
* Adjust sanitizer flags in compiler flags wiki page.
* Done, changed sdwdate, bindp, kloak, and security-misc to remove all sanitizers.

== trixie port - misc remaining issues ==
* Aaron:
** swaylock is configured to show a solid black screen. We may want to show something else so that the user knows the system isn't broken and is awaiting a password.
*** Turns out telling the user that the system is awaiting a password is impossible with Swaylock's current feature set. See https://github.com/swaywm/swaylock/issues/100.
*** Asked Debian if they would be interested in us providing a patch to them, will likely contact the swaylock maintainer if that is confirmed as the correct next step.
*** Added background color / image configuration for now.
*** Swaylock has rejected further requests to allow displaying user-defined text on the lock screen, because they consider it an aesthetic feature and do not target a userbase that needs to be told that the lockscreen is waiting for them to type their password.
*** Debian has rejected an offer of a patch because the maintainer wants to stick with Swaylock upstream.
*** For now, we will likely just document how to unlock the screen and hope users don't get confused.
*** Documented: https://www.kicksecure.com/wiki/Protection_Against_Physical_Attacks#Screen_Lock
** some systemcheck gripes need to be silenced, mostly just journal check stuff, but also the virtualizer check is "failing" on physical hardware because systemd-detect-virt returns non-zero if running on physical hardware. We probably shouldn't interpret that as failure.
*** Silenced a lot of these, but still have to build new VBox and KVM VMs to ensure all of them are silenced if possible.
*** Also fixed the virtualizer check.
** Need to build the Qubes templates and make sure they actually work. I haven't tried to build a Qubes template even once so far. That's probably what I'm going to do now.
*** Kicksecure template built after some effort.
**** Need to submit changes to qubes-builderv2 so this works out of the box.
***** Somewhat done; Marek has changes in-flight that will do this for us.
**** Need to modify qubes-template-kicksecure to point to kicksecure-qubes-gui-lxqt package.
***** Done.
**** Need to modify qubes-template-kicksecure to point to trixie-developers repository.
***** Done.
**** Need to update template build documentation.
***** Done.
*** Whonix templates still need to be built.
**** Whonix-Workstation cannot be built due to curl being unable to resolve www.torproject.org. Most likely an issue with our uwt curl wrapper. Created a commit that should fix this: https://github.com/ArrayBolt3/uwt/commit/13984371a370ec330c25b721a48c24f25034ddc2
**** Got Whonix-Workstation to build. Both it and the Whonix-Gateway template seem to work well so far.
** Might be good to launch Flameshot on login, make it not show a "welcome" message when launched, and bind the Print Screen key so that it triggers the screenshot UI when pressed.
*** We've decided to simply document this for now, since Flameshot consumes 80+ MB memory at idle. TODO: Where should we document this?
**** Patrick: [[Software]]?
**** Aaron: Good, let's just stick with the existing documentation there.
** We should be configuring PCManFM-Qt to not show graphical thumbnails. (PCManFM-Qt is also missing some of our distribution-specific configuration because of some odd behavior with configuration profiles, a symlink should be enough to solve that.)
*** Done, tested, works on physical hardware and Qubes OS.
** In the sysmaint session, the battery status notification takes a long time to notice if AC power is plugged in or unplugged. Should be pretty easy to solve by just shortening the check interval to 5 seconds rather than the default of 60.
*** Done, tested, works on physical hardware.
** We need to document how to configure the keyboard layout using labwc. At some point we may want to write a tool for this, it's just a matter of modifying a configuration file written in XML, and Python has built-in XML manipulation capabilities. They can't be used on untrusted XML, but the labwc configuration won't be untrusted.
*** Done.
** CLI builds don't have enhanced zsh configuration yet. Not sure if we figured out what to do with that, I think we wanted to create a new package for this but haven't actually done so yet.
*** Fixed by Patrick.

== browser-choice - consider using --no-install-recommends ==
* bug: Installing chromium from Debian package sources results in installing avahi and cups. Better sudo apt install --no-install-recommends chromium chromium-sandbox?
* use --no-install-recommends whenever applicable
* Patrick: Done.

== kloak - core versus adapter split ==
* https://forums.whonix.org/t/better-mouse-obfuscation/21445/18
* Aaron: Abandoned for the time being, rationale documented at https://forums.whonix.org/t/better-mouse-obfuscation/21445/19

== screenlocker backdoors ==
* https://forums.whonix.org/t/screen-locker-in-security-can-we-disable-these-at-least-4-backdoors/8128
* please check, confirm, reply if this issue is now resolved thanks to Wayland (and our disabling of SysRq by default)
* Aaron: Replied, there is a hardening option we might consider enabling (panic_on_oom).

== trixie port - anon-ws-disable-stacked-tor apparmor issues ==
* apparmor fails to start if /etc/apparmor.d/abstractions/tor does not exist, but shipping this file in anon-ws-disable-stacked-tor results in upgrade problems because Tor is being installed by default on Whonix-Workstation 17
** Fix: https://github.com/ArrayBolt3/anon-ws-disable-stacked-tor/commit/a9a0ac9db25fa1f00985a585193e109dc51fb5b4
* Patrick: Merged.
* Aaron: Ended up removing this fix and replacing it with an if exists fix instead as discussed. Commits pushed to helper-scripts, systemcheck, and anon-ws-disable-stacked-tor for this.
* Patrick: Merged.

== privleap comment ==
* https://forums.whonix.org/t/replace-sudo-with-doas/17482/35
* Aaron: Replied while waiting for Whonix templates to build.

== kloak - natural scrolling ==
* https://github.com/Whonix/kloak/issues/8
* Aaron: To enable natural scrolling: https://wayland.freedesktop.org/libinput/doc/latest/api/group__config.html#ga958b67193c3948b59add719a68f1b948 This will need to be a configurable option within kloak itself.
* Aaron: Implemented: https://github.com/ArrayBolt3/kloak/commit/c881c666ac8af47fbc334dd41acec12323c1bcfe
* Patrick: Merged.
== trixie port - browser-choice versus user-sysmaint-split ==
* user-sysmaint-split installed
* Qubes Template
* Kicksecure trixie based
* Qubes R4.2
** This may not be applicable to Qubes R4.3.
* Also reproducible in Qubes R4.2 + bookworm based Kicksecure.
* The following error message is not applicable:
You are currently running Browser Choice inside a user session. You will be unable to install most browsers from here; only browsers that install into the current user account will be installable. To install a browser, reboot, select PERSISTENT Mode| SYSMAINT Session | system maintenance tasks from the boot menu, and click Install a Browser in the System Maintenance Panel. See Sysmaint for more information.
* What should the user do?
** Aaron: Open a Qubes Root Console, then run browser-choice as root. Ugly, but should work. Will work on messaging for Qubes.
** Aaron: Fix created, untested: https://github.com/ArrayBolt3/browser-choice/commit/41ced11b9a77abfb58d2d7f616563625d70d9363
* Patrick:
** Qubes R4.2 + trixie: Opened a root terminal. Bug: No installation (such as chromium from Debian) possible.
You are currently running Browser Choice as a normal user. You will be unable to install most browsers from here; only browsers that install into the current user account will be installable. To install a browser, open a terminal in dom0, run qvm-run -u root VMNAME xfce4-terminal, then run browser-choice from that terminal. See Sysmaint for more information.
* Aaron: Second attempted fix, untested: https://github.com/ArrayBolt3/browser-choice/commit/f1331432b649fb636f7516617fc3df98692e90af
* Patrick: Merged.

== trixie port - adjust Qubes templates for LXQt ==
* Aaron: Attempted to fix https://github.com/QubesOS/qubes-issues/issues/10253#issuecomment-3333503493
** qubes-template-kicksecure: https://github.com/ArrayBolt3/qubes-template-kicksecure/commit/36a2bd4ad9d0648650fdc50df71fc30384dc350e
*** Patrick: Merged.
** qubes-template-whonix: https://github.com/ArrayBolt3/qubes-template-whonix/commit/db004332a67a82e2b956174fbc76678c9f1ddc98
*** Patrick: Merged.
* Aaron: Also made a fix for a Qt theming issue: https://github.com/ArrayBolt3/desktop-config-dist/commit/e37430be671458e7fb6f61eb306e3d5e032eb3aa
** Patrick: Merged. As a side effect, the default font in KDE konsole now looks weird. There is too much space between letters. But probably not important as there are other terminal emulators to choose from.
*** Aaron: The default terminal in LXQt is QTerminal, so this should be fine. Might be worth adding support for components of other desktops as a future task?
* Aaron: Please move to "WAITING ON" if this looks good. Feedback on qubes-core-agent-pcmanfm-qt would also be appreciated.
** Patrick: Looks good.
* Patrick: Best to split this ticket into general Qubes build issues for trixie and qubes-core-agent-pcmanfm-qt?
** Aaron: Sure.

== unshare vs. ptrace ==
* https://github.com/Kicksecure/security-misc/issues/321
* Can unshare be used to bypass ptrace restrictions? Create sample code and test.
** Aaron: Tested, could not circumvent ptrace restrictions by leveraging unshare. Unshare actually made the restrictions tighter.

== trixie port - FDE systemcheck test passing incorrectly ==
* freshly installed Kicksecure 18 system on physical hardware:
** INFO: Full Disk Encryption (FDE): Enabled.
** This is incorrect, the system has other operating systems on it that do use FDE, but the Kicksecure installation is not one of them.
** Only report FDE enabled if root (/) and home (/home) are both located on encrypted volumes
** Done: https://github.com/ArrayBolt3/systemcheck/commit/488aabfd69e039eb89a3a7d66e89f5400d2992d2
*** Patrick: Merged.

== trixie port - wl-clipboard ==
* install by default, if sensible
** Aaron: Would recommend against it for now, it's not critical and most users should likely not be using clipboard sharing anyway.
* document usage
* {{whonix_wiki |wikipage=KVM#Clipboard_Sharing |text=KVM, Clipboard Sharing }}
* [[VirtualBox/Guest_Additions#Clipboard_Sharing|Clipboard Sharing]] (Mention it does not work.)
** Aaron: Documented in both places.
* https://forums.whonix.org/t/whonix-18-wayland-based-virtualbox-clipboard-sharing-broken/22213
* https://forums.whonix.org/t/whonix-18-wayland-based-kvm-clipboard-sharing-broken/22212

== browser-choice - inside Qubes Template - prohibit starting browsers ==
* if file /var/run/qubes/this-is-templatevm exists, do not allow to start browsers
** Aaron: Done: https://github.com/ArrayBolt3/browser-choice/commit/845946c344c4917afbb765a7c322e6ac3e955e28
*** Patrick: Merged. Tested.

== tirdad - improvements ==
* review, discuss upstream: https://github.com/assisted-by-ai/tirdad/pulls
* https://github.com/0xsirus/tirdad/issues/29
* Aaron: Done, see Github comments on PRs and the compiler hardening flags issue.

== trixie port - usbguard - IPC connection failure ==
* Happening inside Qubes (R4.2) Template
IPC connection failure!IPC connect: service=usbguard: Operation not permitted
* Aaron: Reproduced on R4.3. Added additional USBGuard configuration to allow members of the qubes group access to USBGuard IPC.
** security-misc: https://github.com/ArrayBolt3/security-misc/commit/7e016b563239e31c650aece115bb19af0395ec52
* Patrick: Merged.

== trixie port - KVM shared clipboard ==
* Requires clipboard sync between X11 and Wayland clipboards
* Make spice-vdagent start properly and ensure clipboard sync allows two-way clipboard transfer
* spice-vdagent: Upstream is waiting for Wayland support to be contributed. See https://gitlab.freedesktop.org/spice/linux/vd_agent/-/issues/26.
** Worth attempting to contribute?
* Virtual Machine Manager (virt-manager): https://github.com/virt-manager/virt-manager/issues/918
* Patrick has documented using a shared folder as a workaround for now: [[KVM#Clipboard_Sharing|KVM, Clipboard Sharing]]
* We might not want clipboard sharing anyway to prevent a compromised VM from sniffing secrets that are present in the host clipboard.

== trixie port - VirtualBox shared clipboard ==
* Broken with Wayland upstream: https://github.com/VirtualBox/virtualbox/issues/33
* Oracle apparently intends to fix this: https://github.com/VirtualBox/virtualbox/issues/33#issuecomment-3253257020
* Aaron: Probably better to leave alone for now, document the issue and let Oracle fix it eventually? If so, this should be moved to "WAITING ON".
* We might not want clipboard sharing anyway to prevent a compromised VM from sniffing secrets that are present in the host clipboard.
* Patrick has documented using a shared folder as a workaround for now: [[VirtualBox/Guest_Additions#Clipboard_Sharing|VirtualBox Clipboard Sharing]]

== remove unnecessary dependencies from arc-theme ==
* https://github.com/UbuntuBudgie/arc-theme/pull/2
* since upstream is unlikely to react, could you please send a patch to Debian instead if that seems possible/useful?
* or perhaps a different, better theme? separate ticket: [[#desktop theme improvements]]
* Aaron: Pinged Ubuntu Budgie upstream via Matrix, got a response, waiting to see how (or if) that develops. Debian is likely not the right place to override this unless we absolutely have to do that. In either event, the dependencies won't be removed until Forky at best.
* Cancelled, we are not using the arc theme any longer.

== qubes boot modes - GRUB in-vm kernel support ==
* todo
* Submitted to Qubes: https://github.com/QubesOS/qubes-linux-pvgrub2/pull/16
* Submitted to FSF: https://lists.gnu.org/archive/html/grub-devel/2025-04/msg00050.html
** Attempt to get attention for the patch again on April 11, try to smooth out some of the possible issues with the patch before sending if at all possible.
** If a second attempt at submitting the patch results in complete silence, return to Qubes and explain that attempts to upstream the patch weren't acknowledged.
* Aaron: Accepted by FSF, merged by Qubes. Will resume work on this for Qubes R4.4/R5.0.

== trixie port - desktop theme improvements ==
* suggestions from https://forums.whonix.org/t/xfce-theming-a-few-suggestions/7205/82 valid?
* useful to change the desktop theme?
* Might be useful to postpone after port to trixie. After the first trixie based release. Because by that time, desktop environment choice (Xfce vs LXqt) and wayland should be settled. No point in improving Xfce based style in case of porting to LXQt.
* Provided suggestions for improving Xfce theming and attempted to port the theming to LXQt. Should defer to Trixie.
* Can be postponed after the first trixie based release.
* Aaron: Mostly implemented as part of the port to LXQt, but we should entirely remove MATE's notification daemon in favor of LXQt's (this hasn't been done yet).
* Aaron: This is now done and has been merged for a while.

== trixie port - check compiled code ==
* does our compiled code still compile on trixie?
* any compile time warnings to fix?
* any new compile time hardening flags that should be used?
** Perhaps our own compilation hardening wrapper would be useful?
* this is mostly about kloak but may affect other compiled code
* use -fanalyzer, where sensible.
* For high effort, lower gain items, please create lower priority follow-up issues for post trixie.
** Aaron: Documented compilation flags at [[Dev/compiler hardening]]
*** I seem to have messed up the page title... it says "compiler_hardening" rather than "compiler hardening" in the navbar. Is there a way to fix it?
**** Patrick: Fixed.
** Aaron: Hardened sclockadj, bindp, and emerg-shutdown. kloak was hardened in earlier tasks. Did not harden tirdad yet, unsure if it's possible / safe to do so.
*** Patrick: Follow-up ticket created.
* Patrick: All merged.
* Patrick: Please try hardening-check and address, if applicable.
hardening-check /usr/libexec/sdwdate/sclockadj
/usr/libexec/sdwdate/sclockadj:
 Position Independent Executable: yes
 Stack protected: yes
 Fortify Source functions: unknown, no protectable libc functions used
 Read-only relocations: yes
 Immediate binding: yes
 Stack clash protection: unknown, no -fstack-clash-protection instructions found
 Control flow integrity: no, not found!
 Branch Protection: no, not found!
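The report above flags two mitigations as missing while the "unknown" lines are not failures. As an added example (not code from this page or from any Kicksecure/Whonix repository), the POSIX shell helper below parses a hardening-check report, lists every failing check with the GCC option that normally supplies it, and returns non-zero so it can serve as a build gate. The embedded report is the sclockadj output quoted above, stored as a constructed string so the script runs offline; the check-to-flag mapping is an assumption to verify against [[Dev/compiler hardening]].

```sh
#!/bin/sh
# Added example: gate a build on the hardening-check report.
# SAMPLE_REPORT is the sclockadj output quoted on this page, embedded so the
# script runs offline; in real use feed `hardening-check "$binary"` in instead.
SAMPLE_REPORT='/usr/libexec/sdwdate/sclockadj:
 Position Independent Executable: yes
 Stack protected: yes
 Fortify Source functions: unknown, no protectable libc functions used
 Read-only relocations: yes
 Immediate binding: yes
 Stack clash protection: unknown, no -fstack-clash-protection instructions found
 Control flow integrity: no, not found!
 Branch Protection: no, not found!'

# Print the name of every check whose result is "no". Results beginning with
# "unknown" are deliberately not reported: hardening-check could not decide
# because the binary contains nothing the mitigation would have changed.
failing_checks() {
  printf '%s\n' "$1" | awk -F': ' '
    /^ / && $2 ~ /^no(,|!|$)/ { sub(/^ /, "", $1); print $1 }'
}

# Map a check name to the GCC option that normally satisfies it.
# Assumed mapping for illustration; confirm against the compiler hardening page.
flag_for_check() {
  case "$1" in
    "Position Independent Executable") echo "-fPIE -pie" ;;
    "Stack protected")                 echo "-fstack-protector-strong" ;;
    "Fortify Source functions")        echo "-O2 -D_FORTIFY_SOURCE=2" ;;
    "Read-only relocations")           echo "-Wl,-z,relro" ;;
    "Immediate binding")               echo "-Wl,-z,now" ;;
    "Stack clash protection")          echo "-fstack-clash-protection" ;;
    "Control flow integrity")          echo "-fcf-protection=full" ;;
    # -mbranch-protection is an aarch64-only GCC option (PAC/BTI).
    "Branch Protection")               echo "-mbranch-protection=standard" ;;
    *)                                 echo "(no known flag)" ;;
  esac
}

# Return 0 when the report shows no failing check, 1 otherwise; every missing
# mitigation is listed on stderr together with the flag that would add it.
check_report() {
  _missing=$(failing_checks "$1")
  [ -z "$_missing" ] && return 0
  printf '%s\n' "$_missing" | while IFS= read -r _name; do
    printf 'missing: %s (try %s)\n' "$_name" "$(flag_for_check "$_name")" >&2
  done
  return 1
}

# Run on the embedded report. CFI and branch protection are both missing in
# the quoted output, so this takes the "gaps found" branch.
if check_report "$SAMPLE_REPORT"; then
  echo "all checked mitigations present"
else
  echo "hardening gaps found; see the flags listed above" >&2
fi
```

For a real build, replace the embedded string with the live report, e.g. `check_report "$(hardening-check "$binary")"`, and let the non-zero return fail the packaging step.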
== trixie port - switch image viewer to loupe ==
* current default image viewer is Tor Browser, which is non-ideal
* lximage-qt is potentially dangerous
* loupe uses Glycin to load images, which is sandboxed and written in Rust, thus likely less vulnerable
* Done, made changes to tb-starter, developer-meta-files, kicksecure-meta-packages, and anon-meta-packages to change this.
* Patrick: Merged.

== trixie port - physical hardware installation uses /dev path in grub.cfg ==
* in boot menu, if pressing e on a boot entry:
** linux ... root=/dev/nvme1n1p6
** this should be something like linux ... root=UUID=...
* Aaron: Discovered we were explicitly turning UUIDs off. Fixes:
** dist-base-files: https://github.com/ArrayBolt3/dist-base-files/commit/50405851087c08a5ec60fe83944fa1298266613b
** user-sysmaint-split: https://github.com/ArrayBolt3/user-sysmaint-split/commit/4d453cda101d40536ab3831ee222a5057fc025f0
* Patrick: Merged.

== trixie port - wlgreet autologin for sysmaint session broken on ISO ==
* Booting into a sysmaint session from a Kicksecure 18 ISO results in a login screen rather than an automatic sysmaint session. Logging in at this screen as "sysmaint" presents a full desktop, not a normal sysmaint session.
* Manually executing /usr/libexec/user-sysmaint-split/sysmaint-session-wayland works fine
* Aaron: Found root cause and fixed it: https://github.com/ArrayBolt3/user-sysmaint-split/commit/8a9586f5cf4a3977e6ee06b78738cad322bd066b
* Patrick: Merged.

== trixie port - Kicksecure Qubes test ==
* install firmware-nonfree in Kicksecure Qubes. It's also default in Debian Qubes default Template.
** Aaron: Package wpasupplicant also had to be installed to get Wi-Fi to work.
* Does DNS work when using a Kicksecure 18 based sys-net?
** Aaron: Yes, DNS seems fine. Was able to reach Google, Bing, Reddit, speedtest.net, and qubes-os.org at least.
* sys-firewall ok?
** Aaron: Yes, all connectivity from the AppVM used for testing went through sys-firewall and encountered no issues. Reconfiguring sys-firewall to block connections to everything except Wikipedia resulted in Wikipedia working but all other outgoing connectivity breaking, as expected. Undoing that configuration restored outgoing connectivity, as expected. Works both with WiFi and Ethernet.
* Kicksecure Qubes internet speed versus Debian Internet speed?
** Aaron: WiFi test results (using a Fedora 42 AppVM with Firefox):
*** With sys-net based on Kicksecure 18:
**** Test 1: 55.58 Mbps down, 2.08 Mbps up
**** Test 2: 54.86 Mbps down, 2.20 Mbps up
**** Test 3: 62.13 Mbps down, 2.25 Mbps up
*** With sys-net based on Debian 13:
**** Test 1: 51.89 Mbps down, 2.61 Mbps up
**** Test 2: 50.06 Mbps down, 2.68 Mbps up
**** Test 3: 45.32 Mbps down, 2.11 Mbps up
*** Conclusion: Likely no difference. Debian 13 appears slower than Kicksecure 18 in testing, but that is most likely due to speed fluctuations with my cellular Internet connectivity. Speeds seem coherent with the speeds I usually see with Ubuntu.
** Aaron: Ethernet test results (using a Fedora 42 AppVM with Firefox):
*** With sys-net based on Kicksecure 18:
**** 18.59 Mbps down, 1.89 Mbps up
**** 19.91 Mbps down, 2.07 Mbps up
**** 18.39 Mbps down, 1.97 Mbps up
*** With sys-net based on Debian 13:
**** 20.58 Mbps down, 2.01 Mbps up
**** 20.95 Mbps down, 1.83 Mbps up
**** 20.29 Mbps down, 1.90 Mbps up
*** Conclusion: Likely no or relatively negligible difference. Debian 13 appears faster than Kicksecure 18 in testing, but again, this is probably because of network speed fluctuations on my end, and this is as good or better than speeds I was seeing using this link previously. (Note that because my hotspot's Ethernet support is buggy, I used NetworkManager internet connection sharing from another laptop with Ethernet, which is probably why this is so much slower than WiFi.)
* Aaron: Should we be pre-installing wpasupplicant in some instances? It appears to be preinstalled in the Debian 13 template.
** Patrick: Please install.
* Patrick: Please look for other missing packages.
* Aaron: Added wpasupplicant to Kicksecure for Qubes and baremetal.
* Aaron: No additional packages were needed for wired networking to function properly.

== trixie port - decrease touchpad sensitivity ==
* on Aaron's test laptop, the mouse pointer moves far too quickly when using the built-in touchpad.
* same issue as https://github.com/Whonix/kloak/issues/8 ?
** Aaron: No, separate issue, this is not kloak-related.
* Aaron: Fix created: https://github.com/ArrayBolt3/desktop-config-dist/commit/3f9570a5f2e9b732c3ecbf0ee694d44600b98da2

== trixie port - systemd unit file issue ==
Processing triggers for libglib2.0-0t64:amd64 (2.84.4-3~deb13u1) ...
Setting up systemcheck (3:42.0-1) ...
Installing new version of config file /etc/systemcheck.d/30_default.conf ...
warn: The user `canary' is already a member of `debian-tor'.
warn: The user `systemcheck' is already a member of `debian-tor'.
warn: The user `systemcheck' is already a member of `systemd-journal'.
The unit files have no installation config (WantedBy=, RequiredBy=, UpheldBy=,
Also=, or Alias= settings in the [Install] section, and DefaultInstance= for
template units). This means they are not meant to be enabled or disabled using systemctl.

Possible reasons for having these kinds of units are:
• A unit may be statically enabled by being symlinked from another unit's
  .wants/, .requires/, or .upholds/ directory.
• A unit's purpose may be to act as a helper for some other unit which has
  a requirement dependency on it.
• A unit may be started when needed via activation (socket, path, timer,
  D-Bus, udev, scripted systemctl call, ...).
• In case of template units, the unit is meant to be enabled with some
  instance name specified.
Processing triggers for qubes-core-agent (4.2.43-1+deb13u1) ..
* /usr/lib/systemd/user/updatecheck.service lacks the following?
[Install]
WantedBy=multi-user.target
* Aaron: No, this is expected behavior. updatecheck is started on login by /etc/xdg/autostart/updatecheck.desktop using systemctl --user start updatecheck.service. This is because (if I remember correctly) graphical-session.target isn't ever reached when using a sysmaint session, and we don't have a specific user unit that is reached when the graphical session of sysmaint mode comes up, so triggering this via systemd alone is somewhat hard. I've seen many packages display these sorts of "unit cannot be enabled" warnings during installation in the past, so I don't think this is an issue. I've definitely seen updatecheck working with this setup.
* Patrick: fixed
** (systemctl --global disable updatecheck.service >/dev/null || true)

== mouse fingerprinting ==
* todo
* https://forums.whonix.org/t/better-mouse-obfuscation/21445
* notify https://github.com/QubesOS/qubes-gui-daemon/pull/149#issuecomment-2477848847 if fixed
* update https://www.whonix.org/wiki/Keystroke_and_Mouse_Deanonymization
* Current implementation: https://github.com/ArrayBolt3/kloak/tree/arraybolt3/anon-mouse
** Left some notes on the Whonix forums about this implementation's effects and shortcomings.
** Currently have prototype mouse implementation working and published, and prototype touchpad implementation kind of working, but this is not suitable for final release.
** Remaining work:
*** Hook all pointing devices and handle them with libinput (do NOT try to use evdev directly here)
*** Translate all movements into absolute coordinates that can be reported to the kernel (note: relative coordinates might also be acceptable as long as we can perfectly predict where the pointer is going to end up)
*** Use normal kloak buffering to obfuscate mouse movements and timings
*** Display a virtual pointer instead of (or in addition to) the real pointer that shows where the mouse actually is so the user can control it smoothly
* research reading list:
** https://www.mimic.sbs/
** https://github.com/MIMIC-LOGICS/Mouse-Synthesizer/blob/main/MIMIC%20A%20Kinematic%20Theory-Based%20Synthesizer-Alessandro%20Nicola%20Capriati.pdf
** https://www.mimic.sbs/antibot/On-Anti-Bot-Biometric-Protections.md/
*** Aaron: These look potentially useful, but I'm not experienced enough with the math being used here to really understand how this works. Given the final equations and a sufficiently powerful math library however, it might be possible to wrap the algorithms into a library which could then be made part of an application, where the user could define where to click, what area to move the mouse in, and the time period during which the mouse should move, then click a "play" button that would move the mouse and execute the clicks using these synthesized movements. It might even be possible to somehow integrate this into kloak, though I'm unsure if that would actually be advantageous or not.
* test page:
** http://jcarlosnorte.com/assets/fingerprint/
*** please document, if useful
**** Aaron: Does not appear particularly useful, only runs tests on scroll wheel behavior.
* Aaron: Current alpha-quality implementation: https://github.com/ArrayBolt3/kloak-v2
* Patrick: Please create a branch for Whonix/kloak
* check gcc -fsyntax-only, if sensible
gcc -fsyntax-only src/kloak.h
gcc -fsyntax-only src/kloak.c
gcc -fsyntax-only src/kloak.c src/xdg-shell-protocol.c src/xdg-output-protocol.c src/wlr-layer-shell.c src/wlr-virtual-pointer.c src/virtual-keyboard.c $(pkg-config --cflags libinput libevdev wayland-client xkbcommon)
* review https://github.com/assisted-by-ai/kloak/pulls
* Aaron: Finished beta-quality monolithic implementation of kloak v2. Requested review from vmonaco: https://forums.whonix.org/t/better-mouse-obfuscation/21445/18

== trixie port - Qubes-Whonix meta packages review ==
* during release upgrade, some packages might be superfluous
* gateway
codecrypt # Aaron: currently intentional, but could be moved to Kicksecure and workstation only if considered undesirable
cryptsetup # Aaron: intentional, likely useful
diceware # Aaron: currently intentional, but could be moved to Kicksecure and workstation only if considered undesirable
discover # Aaron: currently intentional, possibly useful, if not it should be dropped entirely most likely
exim4-base # Aaron: Unexpected, apparently being pulled in as a "Recommends" of cron?
exim4-config # Aaron: Unexpected, apparently being pulled in as a "Recommends" of cron?
exim4-daemon-light # Aaron: Unexpected, apparently being pulled in as a "Recommends" of cron?
extrepo # Aaron: currently intentional, but could be moved to Kicksecure and workstation only if considered undesirable
gparted # Aaron: currently intentional, but could be moved to Kicksecure and workstation only if considered undesirable
makepasswd # Aaron: currently intentional, but could be moved to Kicksecure and workstation only if considered undesirable
mesa-vulkan-driver # Aaron: currently intentional, likely useful
network-manager # Aaron: Unexpected, most likely caused by pulling in qubes-core-agent-network-manager in dist-qubes-cli. Will fix.
network-manager-applet # Aaron: Unexpected, most likely caused by pulling in qubes-core-agent-network-manager in dist-qubes-cli. Will fix.
network-manager-gnome # Aaron: Unexpected, most likely caused by pulling in qubes-core-agent-network-manager in dist-qubes-cli. Will fix.
nm-connection-editor # Aaron: Unexpected, most likely caused by pulling in qubes-core-agent-network-manager in dist-qubes-cli. Will fix.
psensor # Aaron: Should be moved to baremetal only. Will fix.
psensor-common # Aaron: Should be moved to baremetal only. Will fix.
pwgen # Aaron: currently intentional, but could be moved to Kicksecure and workstation only if considered undesirable
qubes-core-agent-network-manager # Aaron: Unexpected, metapackage bug, will fix.
smart-notifier # Aaron: currently intentional, but could be moved to baremetal only if considered undesirable
smartmontools # Aaron: currently intentional, but could be moved to baremetal only if considered undesirable
systemd-repart # Aaron: expected, but probably not useful in Qubes. Will move to non-qubes.
tzdata-legacy # Aaron: expected, pulled in by unar (The Unarchiver). We aren't intentionally installing unar anymore, but it will still be present on Whonix 17 and thus upgraded to Trixie's version during the update.
upower # Aaron: currently intentional, but could be moved to non-qubes only if considered undesirable.
usbguard # Aaron: intentional, useful.
usbguard-notifier # Aaron: intentional, useful.
* workstation
cryptsetup # Aaron: intentional, likely useful
ddrescueview # Aaron: intentional, for if someone uses a Whonix-Workstation VM for disk recovery. Could be moved elsewhere if undesirable.
discover # Aaron: currently intentional, possibly useful, if not it should be dropped entirely most likely
exim4-base # Aaron: Unexpected, apparently being pulled in as a "Recommends" of cron?
exim4-config # Aaron: Unexpected, apparently being pulled in as a "Recommends" of cron?
exim4-daemon-light # Aaron: Unexpected, apparently being pulled in as a "Recommends" of cron?
gddrescue # Aaron: intentional, for if someone uses a Whonix-Workstation VM for disk recovery. Could be moved elsewhere if undesirable.
gparted # Aaron: intentional, likely useful
gtk2-engines-pixbuf # Aaron: intentional, but maybe we can live without it? does anything still use this?
htop # Aaron: intentional, almost certainly useful
hwinfo # Aaron: currently intentional, but could be moved to baremetal only if considered undesirable
keepassxc-full # Aaron: intentional, likely useful
lm-sensors # Aaron: currently intentional, but could be moved to baremetal only if considered undesirable
lshw # Aaron: currently intentional, but could be moved to baremetal only if considered undesirable
lvm2 # Aaron: intentional, necessary to work with some external disks
lximage-qt # Aaron: intentional, almost certainly useful
lxqt-about # Aaron: intentional, almost certainly useful
lxqt-admin # Aaron: intentional, almost certainly useful
lxqt-archiver # Aaron: intentional, almost certainly useful
lxqt-config # Aaron: intentional, almost certainly useful
lxqt-globalkeys # Aaron: intentional, almost certainly useful
lxqt-menu-data # Aaron: intentional, almost certainly useful
lxqt-notificationd # Aaron: intentional, essential system component
mate-polkit # Aaron: intentional, essential system component
mesa-libgallium # Aaron: intentional, probably useful
mesa-vulkan-drivers # Aaron: intentional, probably useful
network-manager # Aaron: Unexpected, most likely caused by pulling in qubes-core-agent-network-manager in dist-qubes-cli. Will fix.
network-manager-applet # Aaron: Unexpected, most likely caused by pulling in qubes-core-agent-network-manager in dist-qubes-cli. Will fix.
network-manager-gnome # Aaron: Unexpected, most likely caused by pulling in qubes-core-agent-network-manager in dist-qubes-cli. Will fix.
nm-connection-editor # Aaron: Unexpected, most likely caused by pulling in qubes-core-agent-network-manager in dist-qubes-cli. Will fix.
ntfs-3g # Aaron: intentional, likely useful
psensor # Aaron: Should be moved to baremetal only. Will fix.
qubes-core-agent-network-manager # Aaron: Unexpected, metapackage bug, will fix.
smart-notifier # Aaron: currently intentional, but could be moved to baremetal only if considered undesirable
smartmontools # Aaron: currently intentional, but could be moved to baremetal only if considered undesirable
systemd-repart # Aaron: expected, but probably not useful in Qubes. Will move to non-qubes.
tzdata-legacy # Aaron: expected, pulled in by unar (The Unarchiver). We aren't intentionally installing unar anymore, but it will still be present on Whonix 17 and thus upgraded to Trixie's version during the update.
upower # Aaron: currently intentional, but could be moved to non-qubes only if considered undesirable.
usbguard # Aaron: intentional, useful.
usbguard-notifier # Aaron: intentional, useful.
* Aaron: Created fixes for issues found above. Further discussion may be needed for many of the packages.

== trixie port - package refactoring - kicksecure-meta-packages vs qubes-whonix - #2 ==
* TODO: Reduce packages in https://github.com/Whonix/qubes-whonix/blob/master/debian/control thanks to the improved Qubes support by kicksecure-meta-packages, if applicable.
** Aaron: Attempted to merge metapackages from qubes-whonix into main metapackages. Seems to work, made changes to qubes-whonix, anon-meta-packages, kicksecure-meta-packages, and developer-meta-files.
* Older attempt:
** Patrick: merged, tested and reverted
** Gateway:
sudo apt dist-upgrade --no-install-recommends
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Calculating upgrade... Done
The following package was automatically installed and is no longer required:
  qubes-core-agent-passwordless-root
Use 'sudo apt autoremove' to remove it.
The following NEW packages will be installed:
  codecrypt cython3 diceware dmeventd dosfstools extrepo fuse3 geoip-database kicksecure-cli kicksecure-default-applications-cli
  kicksecure-qubes-cli libaio1 libbytes-random-secure-perl libclone-perl libcrypt-passwdmd5-perl libcrypt-random-seed-perl
  libcrypto++8 libcryptx-perl libdevmapper-event1.02.1 libfftw3-double3 libfile-listing-perl libfuse3-3 libgeoip1 libhtml-parser-perl
  libhtml-tagset-perl libhtml-tree-perl libhttp-cookies-perl libhttp-date-perl libhttp-message-perl libhttp-negotiate-perl
  libio-html-perl libio-socket-ssl-perl liblvm2cmd2.03 liblwp-mediatypes-perl liblwp-protocol-https-perl libmath-random-isaac-perl
  libnet-http-perl libnet-ssleay-perl libntfs-3g89 libsnappy1v5 libtry-tiny-perl libwww-perl libwww-robotrules-perl
  libyaml-libyaml-perl lvm2 magic-wormhole makepasswd ntfs-3g perl-openssl-defaults pwgen python3-attr python3-autobahn
  python3-automat python3-base58 python3-bcrypt python3-cbor python3-click python3-colorama python3-constantly python3-cryptography
  python3-ecdsa python3-flatbuffers python3-geoip python3-hamcrest python3-hkdf python3-humanize python3-hyperlink
  python3-incremental python3-lz4 python3-mnemonic python3-msgpack python3-nacl python3-openssl python3-packaging python3-passlib
  python3-pyasn1 python3-pyasn1-modules python3-pyqrcode python3-service-identity python3-setuptools python3-snappy
  python3-sortedcontainers python3-spake2 python3-tqdm python3-trie python3-twisted python3-txaio python3-txtorcon python3-u-msgpack
  python3-ubjson python3-ujson python3-wsaccel python3-zope.interface
** Workstation:
sudo apt dist-upgrade --no-install-recommends
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Calculating upgrade... Done
The following package was automatically installed and is no longer required:
  qubes-core-agent-passwordless-root
Use 'sudo apt autoremove' to remove it.
The following NEW packages will be installed:
  dmeventd dosfstools firefox-esr kicksecure-cli kicksecure-desktop-applications-recommended kicksecure-qubes-cli kicksecure-qubes-gui libaio1 libdevmapper-event1.02.1 libgarcon-1-0
  libgarcon-common liblvm2cmd2.03 libntfs-3g89 libupower-glib3 libxklavier16 lvm2 ntfs-3g xfce4-helpers xfce4-settings
** Patrick: is there anything else to do here?

== trixie port - split the security-misc into security-misc-shared, security-misc-desktop and security-misc-server ==
* {{Github_link|repo=security-misc|path=/issues/187}}
* This is in preparation for the next task.
* Discussion on how best to do this posted at https://forums.kicksecure.com/t/splitting-security-misc-into-shared-desktop-and-server-packages/674
* keep {{Github_link|repo=security-misc|path=/issues/184}} in mind
* Patrick: Implemented. Please review.
** Aaron: Reviewed, didn't see anything obviously wrong. Went through all source code and fixed references to "security-misc" where appropriate.

== trixie port - Whonix-Workstation template unable to download updates ==
* may be a transient issue?
* No, not a transient issue. Present in newly created Whonix 18 VMs in Qubes OS.
* This is because of the uwt curl wrapper. It can't handle loopback addresses properly, thus the torified updates check fails.
* Fix: https://github.com/ArrayBolt3/uwt/commit/ae6fbbd03e23403a5ed44b0bea7559e0284ffba7

== review and test IPv6 support pull requests ==
* https://forums.whonix.org/t/add-ipv6-support/19893
* https://www.whonix.org/wiki/Dev/ipv6
* please review for Non-Qubes-Whonix, Qubes-Whonix
* goal: merge as much as doable/possible without breaking networking
* enabling IPv6 support in Qubes-Whonix might only be possible during release upgrade to trixie based and orchestration with Qubes
* Waiting for planned fixes to land in PRs.
* Update 1:
** Please recheck.
** Notes:
*** square brackets aren't supported in systemd: https://github.com/systemd/systemd/issues/35621
*** quote "The only issue is that VirtualBox only supports IPv6 if we switch to bridged interface, which exposes whonix gateway to the network. libvirt requires adding custom NAT rules for IPv6, which are only automatically managed for IPv4. If we want to add this, we'd need to add a static IP configuration and give the user instructions on how to add NAT rules on the host. So for now only Qubes will have direct support for IPv6 for outgoing transactions, without further instructions a user needs to do on the host."
**** VirtualBox nowadays supports IPv6 NAT. We can easily reconfigure KVM to have IPv6 NAT also. Qubes OS supports it as well, but allows toggling it on or off.
* Can't get it working in VBox (even with bridged networking), libvirt (even with a custom network interface), or Qubes (apparent bug in Qubes R4.3 prevents me from making a new network-providing qube). See https://forum.qubes-os.org/t/qubes-4-3-cannot-create-a-new-appvm-that-provides-network-to-other-qubes/30906/2.
* Update 2:
** https://github.com/Whonix/whonix-gw-network-conf/pull/1#discussion_r1903385107
** https://github.com/Whonix/whonix-gw-network-conf/pull/1#discussion_r1903385335
** please direct questions, issues to Daniel (such as by adding these to https://www.whonix.org/wiki/Dev/ipv6 or commenting on a pull request)
* Aaron: Left Daniel some feedback on things that didn't work. If not fixed in a week (so around April 4th), our plan is to merge as-is and fix bugs after.
* Patrick: All merged.
* Patrick: Please go through all pull requests and notes. Add fixes. Comment on closed pull requests for resolved items.
* Patrick: Coordinate enabling of IPv6 with Qubes for R4.3.
** Aaron: Will require global IPv6 support in Qubes OS for this to work, which is too late to land in R4.3: https://github.com/QubesOS/qubes-issues/issues/10232#issuecomment-3301165088 Probably better to document the instructions for enabling it for now.
* Patrick: Ideally, whether IPv6 is enabled or disabled, VM networking shouldn't break.
** Aaron: I believe the current code will work whether IPv6 is ''available'' or not. This means that if the network just doesn't support it, or the user has turned off IPv6 support in Qubes OS, networking should still work. However, if IPv6 is turned off on the kernel level, it will break things (in particular listening on the loopback IPv6 address will fail in Tor, and ifupdown will complain about there being IPv6 network configuration present). Is it a feature goal to allow disabling IPv6 on the kernel level? If so, more work will be needed here, some of which may be messy.
* Patrick: Please review my replace-ips changes.
** Aaron: Reviewed, did cleanup, hardened using black/mypy/pylint
* Patrick: Please fix replace-ips overzealous IP replacement, if sensible.
shell:
echo 'DNS=10.152.152.100' > /tmp/test.conf
python:
    ips=['10.152.152.10']
    current_ip='10.0.0.1'
    files=['/tmp/test.conf']
    ip_file='/tmp/ip'
    protocol='IPv4'
    replace_ip(ips, current_ip, files, ip_file, protocol)
/tmp/test.conf content:
* expected: 10.0.0.1
* actual: 10.0.0.10
issues:
* Substring hit: 10.152.152.10 inside 10.152.152.100 gets changed
** Aaron: Fixed.
* replaces all whether comments or non-comments
** Aaron: Fixed.
* Fix Tor startup when IPv6 is disabled, use replace-ips-like code to comment out HTTPTunnelPort lines that listen on IPv6 addresses
** Aaron: Implemented, though I ended up using a shell script (which mostly was a wrapper around a sed command) for this because it was much easier to do so and didn't require mass refactoring.
* Attempt to make network-online.target actually useful by waiting for a particular IPv6 address to become available before declaring the network "up", then use that to delay tor startup instead of a hardcoded delay
** Aaron: After further thought, decided this was a bad idea. Details shared in chat for further discussion.
* Aaron: It appears IPv6 is generally working well now. Further bugs may need to be worked out, but so far it seems to work relatively well. Moved IPv6 DNS support in Qubes OS to a new task.
* Patrick:
** start tor-whonix-gw-setup.service also in sysmaint mode?
*** Aaron: tor-whonix-gw-setup.service was able to be fully merged into anon-gw-anonymizer-config.service, so the unit no longer exists now. anon-gw-anonymizer-config.service is depended on by sysmaint-boot.target already.
** /usr/libexec/anon-gw-anonymizer-config/generate-tor-service-defaults-torrc-anondist might get started by /usr/libexec/anon-gw-anonymizer-config/tor-config-sane
*** Aaron: Done.
** While we're at it, the following trigger seems no longer required or if required should be done inside whonix-firewall package instead?
*** Aaron: Looks obsolete indeed, dh_installsystemd should automatically restart whonix-firewall.service when whonix-firewall is upgraded.
                ## Restart firewall
                /usr/bin/whonix_firewall | \
                /usr/bin/whonix-gateway-firewall | \
                /usr/bin/whonix-workstation-firewall)
                    /usr/libexec/whonix-firewall/enable-firewall || true
                    ;;
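As an added example (not the project's replace-ips code), the two replace-ips issues listed above, the substring hit and replacement inside comments, handled in Python: addresses are only matched as whole tokens, and only in the part of a line before a "#". Function names and the sample file content are constructed for this illustration; only IPv4 strings are handled, and 10.152.152.100 is deliberately left untouched.

```python
"""Added example, not the project's replace-ips code: replace a list of
IPv4 addresses in configuration files without substring hits and without
touching comments. Function names and sample content are constructed."""
import re
import tempfile
from pathlib import Path


def ip_pattern(ips):
    """Compile a pattern matching any of ``ips`` as a whole address.

    The lookarounds reject a neighbouring digit, letter or dot, so
    10.152.152.10 does not match inside 10.152.152.100 (the substring
    hit from the test case above) or inside 110.152.152.10.
    """
    alternation = "|".join(re.escape(ip) for ip in ips)
    return re.compile(rf"(?<![\w.])(?:{alternation})(?![\w.])")


def replace_ips_in_text(text, ips, current_ip):
    """Return (new_text, replacements) for one file's content.

    Only the part of each line before the first '#' is rewritten, so
    commented-out lines and trailing comments keep their old addresses.
    Assumes plain key=value style files where '#' starts a comment.
    """
    pattern = ip_pattern(ips)
    out = []
    total = 0
    for line in text.splitlines(keepends=True):
        code, sep, comment = line.partition("#")
        new_code, n = pattern.subn(current_ip, code)
        total += n
        out.append(new_code + sep + comment)
    return "".join(out), total


def replace_ips_in_files(ips, current_ip, files):
    """Rewrite each file in place; return the total replacement count.
    Files are only written back when something actually changed."""
    total = 0
    for name in files:
        path = Path(name)
        new_text, n = replace_ips_in_text(path.read_text(), ips, current_ip)
        if n:
            path.write_text(new_text)
        total += n
    return total


# Constructed sample: the test case from above plus the comment cases.
SAMPLE = (
    "# DNS=10.152.152.10 (old default, commented out, must stay)\n"
    "DNS=10.152.152.100\n"
    "Address=10.152.152.10/18\n"
    "Gateway=10.152.152.10 # trailing comment mentions 10.152.152.10\n"
)


def demo():
    """Write SAMPLE to a temporary file, run the replacement and return
    the resulting content and the replacement count."""
    with tempfile.TemporaryDirectory() as tmp:
        conf = Path(tmp) / "test.conf"
        conf.write_text(SAMPLE)
        count = replace_ips_in_files(["10.152.152.10"], "10.0.0.1", [str(conf)])
        return conf.read_text(), count


if __name__ == "__main__":
    content, count = demo()
    print(content, end="")
    print(f"replacements: {count}")
```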
== trixie port - document enabling IPv6 on Whonix 18 ==
* for Qubes: set ipv6 feature to 1 on sys-net to allow IPv6 connectivity to work at all, then disable IPv6 on individual VMs you want to remain IPv4-only, ensure that sys-whonix and sys-firewall do NOT have IPv6 disabled
* for KVM: remove from external network configuration
* for VirtualBox: no additional steps needed, works out of the box
** Aaron: Useful to create a new Whonix wiki page specifically for IPv6? We don't have a page intended for end users to read yet.
** Aaron: Updated https://www.whonix.org/w/index.php?title=Dev/ipv6.
** Aaron: Created new wiki page: https://www.whonix.org/w/index.php?title=IPv6&stable=0

== kicksecure Qubes Template - sdwdate qrexec Denied message ==
* [https://github.com/QubesOS/qubes-issues/issues/7447 Kicksecure inside Debian Template sdwdate qrexec Denied message]
* Rewrote sdwdate-gui to function better under Qubes. '''NOT READY FOR MERGE, REQUIRES CHANGES ON THE QUBES OS SIDE ALSO.'''
** sdwdate-gui: https://github.com/ArrayBolt3/sdwdate-gui/tree/arraybolt3/qubes-redesign
** anon-gw-base-files: https://github.com/ArrayBolt3/anon-gw-base-files/tree/arraybolt3/sdwdate-gui
** kicksecure-base-files: https://github.com/ArrayBolt3/kicksecure-base-files/tree/arraybolt3/sdwdate-gui
* Qubes side:
** https://github.com/QubesOS/qubes-issues/issues/10020
** https://github.com/QubesOS/qubes-core-admin-addon-whonix/pull/21
* pending questions by Patrick on migration path
** Aaron: Absent rm_conffile commands were an oversight. Corrected now.
* Qubes OS side changes merged, waiting to merge sdwdate-gui changes until Trixie port.
* issue: Kicksecure 18 (trixie based) + Qubes R4.2 - as discussed
* https://github.com/QubesOS/qubes-issues/issues/10219
* Aaron: Current plan is to maintain Kicksecure/Whonix 17 support for the remainder of Qubes R4.2's lifespan. sdwdate fix will be present in R4.3+ only.
== trixie port - meta packages fixes - #1 ==
* bug: package kicksecure-desktop-applications-xfce is still installed after release-upgrade
** this was prior to review and merge of [[Dev/todo#trixie_port_-_fix_incorrect_dependency_resolution|trixie port - fix incorrect dependency resolution]] - so this may or may not be fixed already
** Aaron: Should be fixed now, accidentally only had Breaks/Replaces against LXQt-related packages that only existed for a short time during the Trixie port and didn't add Breaks/Replaces against Xfce-related packages.

== trixie port - fix incorrect dependency resolution ==
* https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1113744
* apt solver issues are resulting in Pulseaudio being installed rather than Pipewire in some situations
* Remove the pipe character from our dependencies wherever possible, we should not have either/or dependencies any longer unless we're ready to take special steps to ensure the right dependencies are resolved
* Change how our dummy-dependency packages work so they can still replace unwanted packages but don't require an either/or dependency to function properly
* Aaron: Reworked the metapackages substantially, built a Kicksecure VirtualBox image, and compared its installed packages with the Kicksecure Xfce VirtualBox Bookworm image. Looks like the changes are working.
== trixie port - usbguard-notifier ==
* please try
* install by default if sensible
* https://forums.kicksecure.com/t/usbguard-what-should-we-allow-or-disallow-by-default/1248/29
* add usbguard-notifier to recommends
* move usbguard to recommends
* Aaron: Implemented:
** developer-meta-files (master metapackage change): https://github.com/ArrayBolt3/developer-meta-files/tree/arraybolt3/trixie
** kicksecure-meta-packages: https://github.com/ArrayBolt3/kicksecure-meta-packages/tree/arraybolt3/trixie
** security-misc: https://github.com/ArrayBolt3/security-misc/tree/arraybolt3/trixie

== sysmaint panel items ==
* https://forums.kicksecure.com/t/panel-items-missing-feedback/1108/
* please reply
* please implement, if sane
* could also defer to Debian trixie if/when we port to Wayland / LXQt
* Power manager applet issue fixed:
** desktop-config-dist: https://github.com/ArrayBolt3/desktop-config-dist/tree/arraybolt3/power-manager
** user-sysmaint-split: https://github.com/ArrayBolt3/user-sysmaint-split/tree/arraybolt3/systray
* Clock applet awaiting input from Patrick.
** Patrick: Clock applet: Can be done when porting to Debian 13 / trixie or Wayland. Preferably not inventing a clock/date widget.
*** Aaron: Moved to "WAITING ON" since the clock is the last part of this that needs to be implemented, and we don't intend on doing that until the Trixie port is done.
*** Aaron: Implemented in Kicksecure 18.

== trixie port - Qubes meta packages ==
* Qubes
* apt install --no-install-recommends kicksecure-qubes-gui-lxqt
snip
Unwanted in Qubes:
dracut (not yet supported by Qubes unfortunately at time of writing) # Aaron: Moved to dist-nonqubes-cli.
# Aaron: How is it unsupported? Is there qubes-specific code that doesn't work with it, or is it just memory consumption as mentioned at https://github.com/QubesOS/qubes-issues/issues/8649#issuecomment-1781341921 ?
Potentially unwanted Qubes:
accountsservice # Aaron: Cannot be removed, dependency of mate-polkit.
arc-theme # Aaron: Removed it and its dependencies from desktop-config-dist.
ddrescueview # Aaron: Left this here since I thought it might be useful for people using Kicksecure on Qubes for working with disk images from dying hard drives. Better to leave out?
gddrescue # Aaron: See ddrescueview notes above.
lxqt-config # Aaron: Essential for Qubes. This is the equivalent of xfce4-settings.
lxqt-panel # Aaron: Moved to dist-nonqubes-gui-lxqt.
xdg-desktop-portal-lxqt # Aaron: Essential for Qubes. Provides a file selection dialog.
wlgreet # Aaron: Moved this and greetd to dist-nonqubes-gui-lxqt.
Probably unwanted in Qubes:
desktop-config-dist-dependencies # Aaron: Moved to dist-nonqubes-gui-all.
discover # Hardware discovery unnecessary under Qubes? Could be moved or even removed entirely if nothing uses it. It can be removed cleanly, it appears.
grub-live # Aaron: Moved to dist-nonqubes-cli.
laptop-detect # Aaron: Unsure on this one, it doesn't just detect if running on a laptop, it also detects if *not* running on a laptop, which is the case on Qubes, thus could be valuable?
lxqt-openssh-askpass # Aaron: Useful for Qubes, this is a more-or-less general purpose authorization prompt, used sometimes by SSH
lxqt-policykit # Aaron: Removed universally via dummy-dependency, as it cannot normally be removed without removing other important LXQt components.
lxqt-powermanagement # Aaron: Moved to dist-nonqubes-gui-lxqt.
lxqt-qtplugin # Aaron: Essential LXQt component, needed to theme applications.
lxqt-runner # Aaron: Moved to dist-nonqubes-gui-lxqt.
lxqt-session # Aaron: Moved to dist-nonqubes-gui-lxqt.
lxqt-system-theme # Aaron: Essential LXQt theming component.
lxqt-themes # Aaron: Also an essential LXQt theming component.
lxqt-wayland-session # Aaron: Moved to dist-nonqubes-gui-lxqt.
screengrab # Aaron: Still useful for taking screenshots of windows within the qube in question?
## Aaron: Side-note, we need a different screen capture application for Wayland as it turns out the version of Screengrab in Debian Trixie is one version too old to have Wayland screen capture support.
smart-notifier # Aaron: Left because someone might attach a physical disk to a VM to check its SMART data in theory. Better to remove?
smartmontools # Aaron: See above for smart-notifier.
swaybg # Aaron: Moved to dist-nonqubes-gui-lxqt.
systemd-cryptsetup # Aaron: Essential for Qubes, used by swap-file-creator.
wdisplays # Aaron: Moved to dist-nonqubes-gui-lxqt.
Questionable:
hwinfo # Aaron: Left because it seemed potentially useful, but we might be able to remove it if nothing uses it? It can be removed cleanly it appears.
pavucontrol-qt # Aaron: I guess Qubes has their own Pipewire control so this isn't essential. Moved to the appropriate nonqubes metapackages.
pipewire-alsa # Aaron: Necessary for applications that are stuck using ALSA to record and play back sound.
pipewire-audio # Aaron: This is a metapackage that depends on things that don't conflict with Qubes and that look important.
psensor # Aaron: Potentially useful if someone passes a physical disk through to a VM. Better to leave out?
usbguard # Aaron: Discussed with Qubes OS upstream, seems useful to have, current configuration takes into account many of the concerns brought up in the discussion.
== trixie port - fully disable lxqt-policykit ==
* lxqt-policykit is buggy, we want to use mate-polkit instead
* Aaron: Done, created a new dummy metapackage for this.

== trixie-port - Wayland screenshot tool ==
* screengrab is incapable of taking screenshots under Wayland, it will be capable in Forky.
* Find a stop-gap solution for now.
* Aaron: Got Flameshot working well. Uploaded needed code changes to the arraybolt3/trixie branches.

== trixie-port - meta packages issues ==
* (weird terminal symbols because it is sudo xl console)
apt install kicksecure-qubes-gui-lxqt
Solving dependencies... Error!
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:

Unsatisfied dependencies:
 dist-general-gui-lxqt : Depends: lxqt-wayland-session but it is not installable
.[1;31mError: .[0m.[1mUnable to correct problems, you have held broken packages..[0m
.[1;31mError: .[0m.[1mThe following information from --solver 3.0 may provide additional context:
   Unable to satisfy dependencies. Reached two conflicting decisions:
   1. dist-general-gui-lxqt:amd64 is selected for install because:
      1. kicksecure-qubes-gui-lxqt:amd64=3:32.6-1 is selected for install
      2. kicksecure-qubes-gui-lxqt:amd64 Depends dist-general-gui-lxqt
   2. dist-general-gui-lxqt:amd64 Depends lxqt-wayland-session
      but none of the choices are installable:
      [no choices].[0m
* Aaron: lxqt-wayland-session is required by our Wayland session because it is essential to getting labwc and LXQt to work together. I have a Kicksecure-ready package for this at https://github.com/ArrayBolt3/lxqt-wayland-session, the original upstream to compare it to is at https://github.com/lxqt/lxqt-wayland-session. Upstream signs their releases.
*** Patrick: Merged.
* Proper build artifact cleanup requires a change to genmkfile, see https://github.com/ArrayBolt3/genmkfile/commit/6e223ae9de25ff8fb4e4fb3253921c9ee225f7ff. Needs review due to execution of arbitrary code from working directory, I believe this is safe in this instance.
** Patrick: Merged.
* labwc is being depended on by dist-general-gui-all which means it will get installed on Qubes. That's an error from during the porting process.
** Aaron: Moved to dist-nonqubes-gui-all.
*** Patrick: Merged.
** Aaron: Ready to generate Qubes OS templates and do package comparisons?
*** Patrick: Ready. See also next task. This task can probably be moved to archived and use the next task.

== Ubuntu KVM versus VirtualBox Bug ==
* https://forums.whonix.org/t/cannot-start-whonix-imported-vms-verr-hgcm-service-not-found/22102/10
** KVM is enabled by default on Ubuntu? In that case...
* manual installation:
** document this issue on [[VirtualBox]] (to be found here: [[Template:VirtualBox_Host_Software_Installation]])
* dist-installer-cli:
** dist-installer-cli: disable KVM - if the kernel module is automatically loaded by default - if installing Kicksecure (or Whonix) with VirtualBox using the installer
*** Probably unspecific to Ubuntu. Can be a general check in case other host operating systems do similar things.
*** Probably "notice" level for output.
*** If disabling by default is not sane, a "warning" (or even "error") level output would be good.
*** document the feature on [[Template:Linux_installer_features]]
* Aaron:
** Implemented for Bookworm: https://github.com/ArrayBolt3/usability-misc/commit/ab18a9cbbe3680a3de0dcba0e75c84ba577377c6
*** Also implemented for Trixie.
*** Also automatically disabled KVM virt_at_load in usability-misc for Kicksecure and Whonix systems.
** Documentation written.
** Filed a bug report against VirtualBox for fixing this upstream: https://github.com/VirtualBox/virtualbox/issues/188
* Patrick: Merged.

== trixie port - misc - #2 ==
* 1) release-upgrade should honor DEBIAN_FRONTEND="noninteractive"
** all interactive questions should honor this environment variable (or another suitable)
** this is about the new interactive SSH question
* 2) move dpkg-noninteractive from usability-misc to helper-scripts
* Aaron: Both are now done.
*** Patrick: Merged.
** Bear in mind that helper-scripts will have to Breaks/Replaces whatever the last version of usability-misc to have dpkg-noninteractive was in order to avoid upgrade failure.
*** Patrick: Done.

== polish release-upgrade script ==
* see todo comments (related to meta packages)
* /etc/apt/sources.list.d/extrepo_kicksecure.sources can cause issues
* /etc/apt/sources.list.d/extrepo_whonix.sources can probably also cause issues
* Aaron: Done in https://github.com/ArrayBolt3/legacy-dist/commit/000d2db8cd1c20aa156568aed9fb007062083a0a,
** Patrick: Merged.
* however this is untested as the Breaks/Replaces in helper-scripts against usability-misc prevents me from upgrading. usability-misc's next upload should be bumped to have the same version as that specified by helper-scripts' Breaks/Replaces.
** Patrick: Fixed.
== images packages diff ==
* build trixie based images (maybe non-qubes based only for now until trixie repository is ready)
* compare list of installed Debian packages with bookworm based images
* in Qubes Kicksecure, during release-upgrade, packages sysmaint-panel usability-misc are unexpectedly removed
* Aaron: Finished comparison, changed several dependencies in the process. See arraybolt3/trixie branches of kicksecure-meta-packages, anon-meta-packages, and developer-meta-files.
** Patrick: All merged.

== trixie port - meta packages ==
* implement [[Dev/Metapackages]] when porting to trixie
* make sure xscreensaver no longer gets installed by default in Qubes VMs
* Do not create complex interdependencies among metapackages. Define a set of "master" metapackages, have them only depend on individual sub-metapackages that provide groups of shared software, use scripting to help autogenerate things as needed
* Patrick: script auto generation features - proposal:
** 1 or w scripts doesn't matter
** create main structure (all the nodes)
** create "main" meta packages including dependencies
* Aaron: Implemented and pushed. Some minor issues may be present that we can work out as we go along, I audited the metapackages to fix as many of these as I reasonably could.
* Patrick: Merged.

== trixie port - port to Wayland ==
* LXQt - maybe:
** {{Github_link|repo=kicksecure-meta-packages|path=/pull/2}}
** Avoidable?
* Xfce:
** Preferable?
** https://alexxcons.github.io/blogpost_14.html
** https://forums.whonix.org/t/whonix-xfce-development/6213/106
* Aaron: Investigation with LXQt vs. Xfce complete, we chose to go with LXQt. Initial porting effort complete, there is likely more we can do to polish the experience but basic functionality is now there.
* Patrick: All trixie branches merged.

== trixie port - misc #3 ==
* greetd builder: do not run inside Qubes?
** Aaron: Fixed.
* wayland https://www.kicksecure.com/wiki/Keyboard_Layout documentation
* sdwdate-gui-qubes do it only in Qubes?
** Aaron: Fixed.
* sdwdate-gui: please also parse /usr/local/etc/sdwdate-gui.d (this is by convention and to better support App Qubes)
** Aaron: Implemented.
* sdwdate-gui: please only parse files ending with ".conf". This is to avoid parsing files such as ".dpkg" or ending with "~" (backup files by some editors).
** Aaron: Implemented.
* sdwdate-gui: the following was good in the past.
shopt -s nullglob
for i in \
   /etc/sdwdate-gui.d/*.conf \
   /usr/local/etc/sdwdate-gui.d/*.conf \
   ; do
      bash -n "$i"
      source "$i"
done
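As an added example (not sdwdate-gui's own parser), the same file selection rules as the shell loop above, carried over to Python now that the drop-ins are parsed as text rather than sourced: both directories in order, only names ending in ".conf", no dotfiles, and a missing or empty directory contributes nothing. The helper names, the EXAMPLE_* keys and the sample drop-in tree are constructed for this illustration.

```python
"""Added example, not sdwdate-gui's own parser: collect configuration
drop-ins the way the shell loop above does (system directory first, then
/usr/local, only *.conf, no dotfiles, no editor or dpkg leftovers) and
read them as plain KEY=value text instead of sourcing them with Bash.
Helper names, key names and sample content are constructed."""
import tempfile
from pathlib import Path

CONFIG_DIRS = ("/etc/sdwdate-gui.d", "/usr/local/etc/sdwdate-gui.d")


def config_files(dirs=CONFIG_DIRS):
    """Return the drop-in files to read, in load order.

    Mirrors the shell glob with nullglob set and dotglob unset: a
    missing directory or one without matches contributes nothing (no
    literal "*.conf" name), names starting with "." are skipped, and
    only regular files whose name ends in ".conf" are taken, which also
    drops "foo.conf~" and "foo.conf.dpkg-new".
    """
    found = []
    for d in dirs:
        directory = Path(d)
        if not directory.is_dir():
            continue
        for entry in sorted(directory.iterdir()):
            name = entry.name
            if name.startswith(".") or not name.endswith(".conf"):
                continue
            if entry.is_file():
                found.append(entry)
    return found


def parse_config(text):
    """Parse KEY=value lines into a dict by string manipulation.

    Blank lines and '#' comments are ignored; a line without '=' or
    with an empty key is skipped rather than executed, which is the
    difference from sourcing the file (the old "bash -n" check is no
    longer needed because nothing is ever run). Surrounding quotes
    around the value are removed.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        key = key.strip()
        if not sep or not key:
            continue
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        settings[key] = value
    return settings


def load_config(dirs=CONFIG_DIRS):
    """Merge all drop-ins; later files (e.g. /usr/local) override earlier ones."""
    settings = {}
    for path in config_files(dirs):
        settings.update(parse_config(path.read_text()))
    return settings


def demo():
    """Build a constructed drop-in tree in a temporary directory and
    return (file names read, merged settings)."""
    with tempfile.TemporaryDirectory() as tmp:
        system_dir = Path(tmp) / "etc" / "sdwdate-gui.d"
        local_dir = Path(tmp) / "usr" / "local" / "etc" / "sdwdate-gui.d"
        missing_dir = Path(tmp) / "missing"  # never created: the nullglob case
        system_dir.mkdir(parents=True)
        local_dir.mkdir(parents=True)
        (system_dir / "30_default.conf").write_text(
            'EXAMPLE_GATEWAY="sys-whonix"\nEXAMPLE_AUTOSTART=true\n')
        (system_dir / ".hidden.conf").write_text("EXAMPLE_AUTOSTART=hidden\n")
        (system_dir / "30_default.conf~").write_text("EXAMPLE_AUTOSTART=backup\n")
        (system_dir / "30_default.conf.dpkg-new").write_text("EXAMPLE_AUTOSTART=dpkg\n")
        (local_dir / "50_user.conf").write_text(
            "# local override, wins because /usr/local is read last\n"
            "EXAMPLE_AUTOSTART=false\n"
            "not a setting\n")
        dirs = (str(system_dir), str(missing_dir), str(local_dir))
        return [p.name for p in config_files(dirs)], load_config(dirs)


if __name__ == "__main__":
    print(demo())
```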
* reasons:
** This is because nullglob avoids parsing "/etc/sdwdate-gui.d/*.conf" if there are no files.
*** Aaron: Added where appropriate.
** Absence of dotglob avoids parsing files starting with a dot.
*** Aaron: Added where appropriate.
** bash syntax check (bash -n)
*** Aaron: The configuration files are no longer Bash scripts and are parsed by string manipulation. This was necessary to parse the configuration in Python.
* sdwdate-gui: Supports sigterm? Useful for manual testing on the command line.
** Aaron: Already supported, signal handlers are set up and the appropriate QTimers are used to allow them to be triggered.
* desktop-config-dist: ensure qterminal uses unlimited scrollback
** Aaron: Confirmed that this is enabled by default.
* Patrick: All merged.

== trixie port - polish default browser handling ==
* open-link-confirmation should be the canonical default browser in all instances
* merge the functionality of tb-default-browser into open-link-confirmation
** Aaron: Done.
* (maybe?) configure all browsers offered by Browser Choice to not request to be made the default browser, since the typical default browser controls will override open-link-confirmation and reduce security
** Aaron: Done for Firefox, unnecessary for Chromium, Tor Browser, and Mullvad Browser.
** For Brave, could not figure out how to configure it appropriately. Asked upstream for help: https://community.brave.app/t/is-there-a-way-to-disable-set-as-default-browser-prompts-before-launching-brave/640667
* Whonix: open-link-confirmation should only consider torbrowser
** Aaron: Done.
* uninstall tb-default-browser inside release-upgrade (if useful)
** Aaron: Done.
* Changes:
** open-link-confirmation: https://github.com/ArrayBolt3/open-link-confirmation/commit/f1707c4a0bf72b3188a015f41d007a51fbc57ee3
*** and https://github.com/ArrayBolt3/open-link-confirmation/commit/a23b1f7eb5def6b85e5570dd0a93dc531cb2ac67
** Patrick: Merged.
** legacy-dist: https://github.com/ArrayBolt3/legacy-dist/commit/d8943bfe2cd8660c8bd19ebaadfb9ffa801031ae
*** Patrick: Merged.
* Patrick: Please change tb-default-browser into a lintian clean transitional package. And/or make open-link-confirmation use Replaces: tb-default-browser. This is to avoid package conflicts when upgrading and still having the old package around. I could also delete the package from the source tree and then use Replace and Provides tb-default-browser within open-link-confirmation?
** Aaron: Done in https://github.com/ArrayBolt3/open-link-confirmation/commit/a09dc42708350c3713789c4423a6cfe66dd044a0, note that this adds a tb-default-browser transitional package ''to open-link-confirmation''. This is intentional, following the documentation at https://wiki.debian.org/RenamingPackages.
*** Patrick: Merged.
** As part of the transition, removing the original tb-default-browser source package from our archives would be a good idea.
*** Patrick: Done. Removed from git submodules. Trixie repository will be re-created without tb-default-browser.

== bookworm - fix live-hardener ==
* https://forums.kicksecure.com/t/question-about-grub-live-and-writable-file-system/1221/3
* Aaron: Bugfix created: https://github.com/ArrayBolt3/grub-live/tree/arraybolt3/live-hardener-fix
** Test thoroughly and release to Bookworm? Necessary for live mode to function fully under Bookworm on EFI hardware.
* Patrick: Not for bookworm.
* Patrick: Merged.

== trixie port - derivative-maker ==
* branch looks good, but not mergeable due to git submodules
* Aaron: Should hopefully be fixed now.
* Patrick: Merged.
== investigate Qubes memory issue == * https://forums.whonix.org/t/increased-memory-usage/22092 * fixed probably for trixie and above only * Aaron: Added several new optimizations and researched other possible optimizations: ** Disabled emerg-shutdown and ensure-shutdown on Qubes OS: https://github.com/ArrayBolt3/security-misc/commit/28f44d2e1d54da990cf203d2965431bc12a5d008 *** ensure-shutdown has to be disabled as well because it depends on emerg-shutdown. ensure-shutdown will be replaced anyway because systemd has a native implementation of this already. ** Disabled memlockd by default, and fixed the way emerg-shutdown uses it: https://github.com/ArrayBolt3/security-misc/commit/cd44a7e1369cd798b06595fdb118e0c7bea52194 ** Discovered that sleep consumes a non-negligible amount of non-shared memory (somewhere between 150 KiB and 1.7 MiB depending on what tool you use to measure it), thus attempted to optimize some sleep calls out of our codebase: *** Native Bash implementation of sleep: https://github.com/ArrayBolt3/helper-scripts/commit/81d8eb6d502c80f089637a9dfd75f26db004a45e *** Added to anon-ws-disable-stacked-tor: https://github.com/ArrayBolt3/anon-ws-disable-stacked-tor/commit/6e55d22731a32e11d65b188ba18fb70f9be92463 *** Added to canary-daemon in systemcheck: https://github.com/ArrayBolt3/systemcheck/commit/0febf95bc78a6a0097e52f7435152c4dd1783a33 *** Added to msgdispatcher in msgcollector: https://github.com/ArrayBolt3/msgcollector/commit/e4de3f75aba852440d3e414f626acd12f06249bd *** Discovered sdwdate did not need to call out to the sleep binary anymore to withstand time jumps, so switched back to Python time.sleep: https://github.com/ArrayBolt3/sdwdate/commit/963203c7196789c56303cce8a365e0f40b91180b * Patrick: All merged. ** sdwdate-gui-client)is hard to optimize, it needs Qt to be implemented safely and effectively in Python, to my awareness. 
** privleapd is using quite a bit of memory (almost 10 MB), unsure if there's any good way to reduce it == trixie port - deprecate initramfs-tools support - consider making dracut a dependency == * todo * hard depend on dracut? * if so, must also hard depend on systemd-cryptsetup * do this during release-upgrade * related: [[dracut]] * Aaron: Implemented in my arraybolt3/trixie branches. ** Special support in the release-upgrade script might not be needed, I believe dracut will replace initramfs-tools cleanly. == trixie port - USB Guard == * {{Github_link|repo=security-misc|path=/pull/166}} * merge locally * apply fixes on top * Aaron: Done: https://github.com/ArrayBolt3/security-misc/commit/cba16879eff9d3d998c127e41c38d2067cdf04cc == trixie port - misc == * might need to split this into multiple tasks * waiting for trixie to get frozen and stable enough * 1) SSH configurations ** move configuration snippets from [[SSH]] wiki page to security-misc [not completed at time of writing in end of 2024 but should be early next year] *** Aaron: Implemented: https://github.com/ArrayBolt3/security-misc/commit/2ada07cf66727ea66283c55c0ba078489b3db94e ** {{Github_link|repo=legacy-dist|path=/blob/master/usr/sbin/release-upgrade}} *** add ominous message to release-upgrade script if SSH client or server is installed **** Aaron: Implemented: https://github.com/ArrayBolt3/legacy-dist/commit/fbeee3a3e6d64fa88f94fbcf1d4a37d9648c6248 *** point out in distribution morphing instructions **** Aaron: Added a warnings section for this and similar warnings we may add in the future. Did the edit without being logged in so as to make it a "draft for review". 
* 2) repository codename split project names ** update repository origin value as per https://www.kicksecure.com/wiki/Dev/APT#changed_its_'Origin'_value_from_'whonix'_to_'kicksecure' ** (revert the revert of {{Github_link|repo=derivative-maker|path=/commit/25f5c7e11afd23f58f40286be1fd9097c31a705e)}} ** Aaron: Done, and added (untested) code to legacy-dist for coping with the change. * 3) move from usability-misc and security-misc to to helper-scripts ** upgrade-nonroot ** other APT related scripts ** this will allow sysmaint-panel to remove dependency on usability-misc and security-misc ** Aaron: Done. * 4) convert user-sysmaint-split and sysmaint-panel from "loose packages" to dependencies of the respective meta packages ** add ominous message to release-upgrade script ** Aaron: Discussed via chat, decided to not do this after all. * 5) Check if /etc/grub.d/10_linux was updated in Debian. If so, update our fork in dist-base-files. ** Aaron: Checked, changes did exist. Synced our fork with upstream. * 6) https://www.whonix.org/wiki/Dev/Redistribution#Major_Upgrade ** Aaron: Updated appropriate values. * 7) port all sources.list files to DEB822-Style Format (can be postponed if needed) ** Aaron: Done, however live-build and grml-debootstrap need not-yet-integrated-upstream changes for this to work. *** live-build: https://salsa.debian.org/ArrayBolt3/live-build/-/tree/arraybolt3/lb-dracut?ref_type=heads *** grml-debootstrap: https://github.com/ArrayBolt3/grml-debootstrap/tree/arraybolt3/deb822 * 8) ram-wipe: re-add Depends: systemd-cryptsetup ** Aaron: Done. * 9) review and merge various trixie related improvements to security-misc {{Github_link|repo=security-misc|path=/pulls}} ** Aaron: Done, almost all merged. *** One PR for Thunderbird prefs should probably be closed without merging. I've deleted Thunderbird prefs from the arraybolt3/trixie branch of security-misc. 
*** One PR from raja-grewal (https://github.com/Kicksecure/security-misc/pull/313) I requested changes on and am awaiting a reply. * 10) debug-misc: {{Github_link|repo=debug-misc|path=/pulls}} ** Aaron: Blocked on raja-grewal's response to my review on https://github.com/Kicksecure/debug-misc/pull/4. == trixie port - document disabling USBGuard == * USBGuard will likely interfere with users who either use special input devices (touchscreens, possibly some types of mice and keyboard), and may interfere with Framework 16 users' ability to use external keyboards and mice. ** document how to disable in the wiki once we are sure we are shipping USBGuard in Trixie * USBGuard documented: https://www.kicksecure.com/wiki/USBGuard == trixie port - GRUB_DEVICE vs dracut vs initramfs-tools == * The following is required for initramfs-tools only:
GRUB_DEVICE="/dev/disk/by-uuid/${GRUB_DEVICE_UUID}"
unset GRUB_DEVICE_UUID
* grep the source code for this and move it below the following condition because it is not required by dracut:
if pkg_installed initramfs-tools ; then?
* related: [[dracut]]
* Aaron: Done:
** dist-base-files: https://github.com/ArrayBolt3/dist-base-files/commit/1b485087f33b9f4131bf89473144e7fbef77dc0a
** grub-live: https://github.com/ArrayBolt3/grub-live/commit/685d1d676aed78ce4da1aa75c6a6c6da3c2d5c1a
** user-sysmaint-split: https://github.com/ArrayBolt3/user-sysmaint-split/commit/a94203791ddab06ed2cf6f2d201029d291687cef
* Patrick: Merged. (As part of the trixie branches)

== trixie port - dracut - hostonly yes versus no ==
* after Dracut fixes... should Kicksecure images (in trixie) use a different hostonly mode?
* Yes, we should switch to hostonly sloppy mode, which is now being substantially improved to be a lot more generic upstream.
* Done: https://github.com/ArrayBolt3/dist-base-files/commit/1b485087f33b9f4131bf89473144e7fbef77dc0a
** Note that the enhanced hostonly sloppy mode changes may not be in Trixie itself yet, we may have to pull Dracut from debian-backports to get the good changes in the future. I think this is still a good change for now though, users who need a portable USB flash drive can turn this off if it causes problems (which it probably won't anyway).
* Patrick: Merged.

== trixie port - live mode notification ==
* inform the user what mode they've booted in via an ephemeral desktop notification shown on login
* reason: https://forums.kicksecure.com/t/live-mode-option-boots-into-persistent-sysmaint/1216
** Aaron: Implemented: https://github.com/ArrayBolt3/desktop-config-dist/commit/03aa359bc5d54958a1e6f4edd29b2c79610c7668
* Patrick: Merged.

== begin Trixie port ==
* immediate goal - rebase Kicksecure as-is onto Trixie
* further enhancements are in other tickets under WAITING ON
* Aaron: Current progress can be seen in the arraybolt3/trixie branches of all repos in my account
* Ready for review, some issues still remain that will need to be worked out prior to a beta or stable release:
** systemd-remount-fs.service and systemd-growfs-root.service are failing when booted in live mode
** privleap autopkgtest is broken
* Patrick: merged all trixie branches - except derivative-maker (separate ticket)

== trixie port - remaining known alpha issues ==
* systemd-remount-fs.service and systemd-growfs-root.service are failing when booted in live mode
** May affect Bookworm also. Fix: https://github.com/ArrayBolt3/grub-live/tree/arraybolt3/live-improvements
*** Already merged into arraybolt3/trixie as well.
*** Patrick: Merged. (bookworm + trixie)
* privleap autopkgtest is broken
** Fixed, along with other code quality tests: https://github.com/ArrayBolt3/privleap/commit/6e81f2112b5be0a0f5ad1f78b4732d082ea67f00
*** Patrick: Bookworm - not merged (because in trixie branch)
*** Patrick: all trixie branches merged

== bookworm - 17.4.4.6 bug reports ==
* https://forums.whonix.org/t/shared-folder-blank-running-in-live-mode-after-update/22056
** Aaron: Intentional but somewhat unexpected behavior. Ideas for improvement shared on forums.
* https://forums.kicksecure.com/t/live-mode-option-boots-into-persistent-sysmaint/1216
** Aaron: Likely a user misunderstanding.

== VirtualBox restart bug ==
* https://forums.whonix.org/t/whonix-only-starts-after-several-attempt/22032
* issue:
rcu_preempt self-detected stall on CPU
* looks similar to this screenshot: https://community-assets.home-assistant.io/original/4X/7/5/4/754bdc85b2c7c449b16f3413288efcf7911b02fd.png
* environment
** Windows (latest) - if available - preferably - can be a different operating system if that is an issue
** VirtualBox (latest)
** run multiple VMs at the same time (3 or more)
* keep restarting 1 VM such as Kicksecure Xfce
* does any restart hang? if so, please investigate.
* maybe [[Recovery#Kicksecure_specific|Kicksecure specific]] will be helpful
* windows only: this very post might be helpful (disable hyper-v): https://community.home-assistant.io/t/daily-crash-with-virtualbox-rcu-preempt-self-detected-stall-on-cpu/709041/4
* try to boot with and without mouse focus inside the VM versus mouse outside the VM. The system might boot more reliably with mouse focus inside the VM, which might be the same or another bug.
* Aaron: Debugged, posted results on forum. Determined that the current documented fix does not work, found a fix that did work and a workaround that works well enough.

== Kicksecure installer versus live-hardener bug ==
* Environment:
** VirtualBox
** EFI
** btrfs
    ERROR: Installation failed: "Bootloader installation error"
    .. - message: "Bootloader installation error"
    .. - details: The bootloader could not be installed. The installation command grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=Kicksecure --force returned error code 1.
Attempting to run this command manually inside the /tmp calamares chroot for purpose of debugging.
Installing for x86_64-efi platform.
grub-install: warning: Cannot set EFI variable Boot0003.
grub-install: warning: efivarfs_set_variable: failed to create /sys/firmware/efi/efivars/Boot0003-8be4df61-93ca-11d2-aa0d-00e098032b8c for writing: Read-only file system.
grub-install: warning: _efi_set_variable_mode: ops->set_variable() failed: Read-only file system.
grub-install: error: failed to register the EFI boot entry: Read-only file system.
zsh: exit 1     grub-install --target=x86_64-efi --efi-directory=/boot/efi  --force
Potentially related:
sudo journalctl -u live-hardener.service
Aug 09 06:34:08 localhost systemd[1]: Starting live-hardener.service - Remounts auxiliary writable filesystems as read-only and applies a tmpfs overlay on them...
Aug 09 06:34:09 localhost live-hardener[940]: mount: /sys/firmware/efi/efivars: wrong fs type, bad option, bad superblock on overlay, missing codepage or helper program, or other error.
Aug 09 06:34:09 localhost live-hardener[940]:        dmesg(1) may have more information after failed mount system call.
Aug 09 06:34:09 localhost systemd[1]: Finished live-hardener.service - Remounts auxiliary writable filesystems as read-only and applies a tmpfs overlay on them.
* Note: Patrick has been adding refactoring and debugging to live-hardener since.
* What might be happening: live-hardener remounts something as read-only which is incompatible with Calamares.
** Calamares might fail to re-mount as read-write. If so, please create a ticket for later to report this upstream.
* Aaron: Found and fixed issue, live-hardener shouldn't run in ISO Live mode at all. https://github.com/ArrayBolt3/grub-live/tree/arraybolt3/live-hardener-fix
** Also fully disabled emerg-shutdown under Bookworm, and attempted to fix the bug resulting in shutdown during installation.
*** security-misc: https://github.com/ArrayBolt3/security-misc/tree/arraybolt3/emerg-shutdown
*** user-sysmaint-split: https://github.com/ArrayBolt3/user-sysmaint-split/tree/arraybolt3/emerg-shutdown
* Patrick: All merged.

== emerg-shutdown #3 ==
* paranoid mode - shut down when any removable device (USB drive, keyboard, mouse, etc.) is removed from the system
* Integrate into initramfs so the panic key works on the LUKS prompt
* useful to use the same hardened gcc compile time options as we use for sclockadj?
* do we really want three finger salute to emergency shutdown?
** https://forums.kicksecure.com/t/emergency-key-press-shutdown-sequence/1199
** emerg-shutdown --countdown 10
** emerg-shutdown --cancel
** no cancel = proceed with emergency shutdown
** if confirmed: emerg-shutdown --instant-shutdown
* Aaron: Implemented most suggested features: https://github.com/ArrayBolt3/security-misc/tree/arraybolt3/emerg-shutdown Also merged to arraybolt3/trixie.
** Did not implement the --countdown and --cancel features. These seem more appropriate for the three finger salute task. The panic key should be an unconditional and immediate shutdown where speed is important above all else. A three finger salute on the other hand is where other features like delayed emergency shutdown may make sense.
* Patrick: Merged.

== docker inside whonix-workstation versus whonix-workstation-firewall ==
* please comment: https://forums.whonix.org/t/how-can-you-make-a-docker-container-inside-whonix-workstation-connect-to-the-internet/21772/5

== emergency shutdown - #2 ==
* /usr/lib/systemd/system/emerg-shutdown.service and /usr/lib/systemd/system/ensure-shutdown.service
** possible to run earlier than multi-user.target?
** purpose: reliable shutdown in cases for example where the boot process is broken for other reasons or wrong FDE password entry
* add a shutdown breaking systemd unit
** add a systemd unit to security-misc by default that breaks shutdown on purpose
** commented out by default
** purpose: to be easily able to test the force shutdown
* Aaron: Implemented:
** user-sysmaint-split: https://github.com/ArrayBolt3/user-sysmaint-split/tree/arraybolt3/emerg-shutdown
** security-misc: https://github.com/ArrayBolt3/security-misc/tree/arraybolt3/emerg-shutdown
* Patrick: All merged.

== emergency shutdown implementation ==
* when the boot USB drive is removed
* when panic key is pressed (most obviously probably the power button)
* https://github.com/NobodySpecial256/panic-wipe/blob/main/panic.c
* Aaron: Implemented
** security-misc: https://github.com/ArrayBolt3/security-misc/tree/arraybolt3/emerg-shutdown
** helper-scripts: https://github.com/ArrayBolt3/helper-scripts/tree/arraybolt3/emerg-shutdown
** user-sysmaint-split: https://github.com/ArrayBolt3/user-sysmaint-split/tree/arraybolt3/emerg-shutdown
* Patrick: All merged.

== display manager selection ==
* What is "the best" display manager?
* please read history: https://forums.whonix.org/t/display-manager-lightdm-gdm3-sddm-or-no-display-manager-startx/12457
* in preparation for the next task
* might resolve the verified boot issue for lightdm requiring read-write access to /var/lib/lightdm
* can be deferred until after Debian trixie or during port to Debian trixie
* Aaron: greetd is looking relatively promising. Commented about it in the linked forum post.
* Patrick: Replied.
* Aaron: Replied back in chat. Possible issues with LightDM not considered blockers, but greetd may still be more desirable.

== dracut size parameter improvement ==
* please comment, if applicable
* https://forums.whonix.org/t/grub-live-improvement-overlay-mount-sh-add-increase-size-mount-command-parameter/21998
* Aaron: Commented and filed feature request.

== improve systemd shutdown reliability ==
* this is required for effective ram-wipe - hanging at shutdown would be adverse for security as the system keeps running and RAM does not get wiped
* add a systemd unit to some kicksecure package that will result in breaking the shutdown on purpose (ExecStop taking forever)
** use: KillMode=none
** use other settings coming to mind making the systemd unit harder to kill
** this is for testing purposes only
** once this ticket is done, we will comment it out by default and keep it as comments-only for reference, future testing
* check, adjust global values such as:
** timeout is mentioned in /etc/systemd/system.conf logind.conf user.conf
DefaultTimeoutStopSec=30s
DefaultTimeoutStartSec=30s
DefaultTimeoutAbortSec=30s
* investigate if there are any other ways to make systemd force shutdown
* investigate if there are any other ways to make the system force shutdown
* Aaron: systemd doesn't appear to have this feature, filed a request: https://github.com/systemd/systemd/issues/38261
** In the meantime, a unit with something similar to ExecStop=bash -c -- 'sleep 15; echo "o" > /proc/sysrq-trigger' might work.
*** Actually, this won't work, systemd will hang waiting for the sleep 15 to finish, then the system will forcibly power down.
* Patrick: Please consider a small custom (C) program to run the kernel call reboot or poweroff in case that is more reliable than sysrq.
** Aaron: Continuing to investigate the cause of shutdown failure - C programs are no more reliable than using SysRq in my testing.
*** So far I have been able to determine that removing i915 (Intel graphics) firmware from /lib/firmware is enough to resolve the issue. However, this shouldn't be needed because vanilla Debian 12 is able to emergency shut down properly with i915 firmware present. Therefore a Kicksecure configuration change is likely interacting poorly with the firmware or driver.
* Aaron: I believe this is currently impossible to implement, see https://github.com/systemd/systemd/issues/38261#issuecomment-3130259046. However, I was able to finally implement emergency shutdown.
** Patrick brought up the possibility of using KillMode=none to keep the shutdown "unstick" mechanism from being killed prematurely. I ended up using KillMode=process instead. I was able to implement this after all, however it may require some tuning by the end user and so is disabled by default. Notes documented in code and left in chat.

== permanent shortcut to VM shared folder ==
* for easy access of shared files via Thunar
* Implemented: https://github.com/ArrayBolt3/vm-config-dist/tree/arraybolt3/shared-folder-readme
* Patrick: Merged.

== calamares - unmount issues ==
* Calamares is not unmounting an encrypted filesystem after installation is complete, thus making livecheck warn about an "unsafe" live state.
* Investigate, determine if this is already fixed in Trixie or in newer versions of Calamares, or if a bugfix needs to be made.
* Aaron: During Trixie porting work, it appears this is already solved in Trixie.

== emergency shutdown discussion ==
* please read, comment if applicable
* https://forums.kicksecure.com/t/unplugging-external-drive-doesnt-trigger-a-shutdown/994
* https://forums.whonix.org/t/panic-button-panic-shutdown-buskill-the-usb-kill-cord-for-your-laptop/13755
* Implemented, but may need further polish:
** security-misc: https://github.com/ArrayBolt3/security-misc/tree/arraybolt3/emerg-shutdown
*** On my test system, this reliably causes the screen to black out and the OS to become inaccessible when I unplug the root filesystem device, but sometimes the power LED will remain lit and the fans will keep running. This happens about 50% of the time, the other 50% of the time a proper shutdown is done. Because of the shutdown method being used, I currently suspect this is the fault of my hardware and not of the implementation, but further testing will be needed to confirm that and documentation should indicate that users must test this feature thoroughly before relying on it in a security-sensitive situation.
*** This is supposed to work even if Kicksecure is burned to an optical disc and that disc is ejected, but I believe it currently will not work. I believe the kernel sends a different event for an ejected optical disc than for a removed USB drive.
*** Panic button support not yet implemented.
** helper-scripts: https://github.com/ArrayBolt3/helper-scripts/tree/arraybolt3/emerg-shutdown
*** The root device finding script could use more thorough testing and could be expanded to support more scenarios.
** user-sysmaint-split: https://github.com/ArrayBolt3/user-sysmaint-split/tree/arraybolt3/emerg-shutdown
* Left comments documenting that this is now on hold until the Trixie port is done.
** Decided to finish work on this for Bookworm anyway as it was needed for a desired feature, and the work done will be useful for Trixie and higher.
** Discussion is over, implementation is in progress, thus this task is archived.

== review login security ==
* account user without a password might be an issue? Yes, but we have these under control:
** sudo - either unavailable in user session, unavailable for accounts other than account user and/or password protected
** su - nosuid
** login - requires root
** ssh - not installed by default
** loginctl?
** anything else?
* please document
* Aaron: Skimmed Strong User Account Isolation page, didn't see anything missing. Did see that a note about SSH not being installed on Kicksecure by default was missing from the SSH wiki page, added it.

== browser choice - bugs ==
* bug: user session -> chromium -> install as flatpak -> fails at pkexec. Should not be allowed to reach that point.
* Aaron: Fixed (along with a few other bugs): https://github.com/ArrayBolt3/browser-choice/commit/fc37dfb44af5ce47fb550515e3070ed4900addcf
** Patrick: Merged.

== autostart system-maintenance-panel on Whonix-Gateway ==
* https://forums.whonix.org/t/autostart-system-maintenance-panel-on-whonix-gateway/21928
* Aaron: Implemented: https://github.com/ArrayBolt3/anon-gw-base-files/tree/arraybolt3/sysmaint-panel
** Patrick: Merged.

== system-maintenance-panel - improvements ==
* Whonix-Gateway: "network connections" tries to start nmtui which isn't installed by design on Whonix-Gateway
** Aaron: "Install a Browser" shouldn't be displayed in Whonix-Gateway or Whonix-Workstation either. Hid both buttons when running on Whonix.
* Whonix-Gateway: should other utilities be added such as onioncircuits, tor-control-panel, anon-connection-wizard or best avoided to avoid overloading and code complexity?
** Aaron: Fine to add those tools, doesn't add much complexity. Added all three of these to Whonix-Gateway, plus Tor Status Monitor (Nyx) to keep the button panel well-balanced.
* lock screen: If no password is set, this does not actually lock the screen. Should show an error popup that suggests to set a password and run login security check?
** Aaron: Good idea. We should also refuse to lock the screen if the password is locked or "restricted" since it will be impossible to unlock in those situations.
* Aaron: Implemented all requested enhancements:
** systemcheck needed to be changed since the get-password-status-list script had to move to helper-scripts: https://github.com/ArrayBolt3/systemcheck/tree/arraybolt3/move-password-list-script
*** Patrick: Merged.
** helper-scripts (enhanced the actual lock script, also moved get-password-status-list into this): https://github.com/ArrayBolt3/helper-scripts/tree/arraybolt3/screen-locking
*** Patrick: Merged.
** sysmaint-panel: https://github.com/ArrayBolt3/sysmaint-panel/commit/76366bab51e3614e70739a539da79ba65a13e1b3
*** Patrick: Merged.

== review /etc/zsh configuration ==
* https://forums.whonix.org/t/change-default-shell-from-bash-to-zsh-by-default/14792
* {{Github_link|repo=desktop-config-dist|path=/tree/master/etc/zsh}}
* security review
* please suggest other useful changes, if applicable
* Aaron: Audited, added suggested security and usability enhancements in https://github.com/ArrayBolt3/desktop-config-dist/tree/arraybolt3/zsh-harden
** Note, one of the changes is to remove the -N option from the default ls alias - this aids usability in my opinion, but might not be desirable? Would be happy to undo that if this is considered too much of a change.
*** Patrick: Should be ok.
** Patrick: Merged.

== systemcheck login security check ==
* systemcheck run in user session shows password for account "user" as "Absent" and account "sysmaint" as "Locked"
* however, sysmaint does not really have a password set.
* Should be "Locked (Absent)" in orange color instead?
* Aaron: Good idea, implemented.
** helper-scripts: https://github.com/ArrayBolt3/helper-scripts/tree/arraybolt3/login-locked-absent
*** Patrick: Merged.
** systemcheck: https://github.com/ArrayBolt3/systemcheck/tree/arraybolt3/login-locked-absent
*** Patrick: Merged.

== add prevent login test to systemcheck ==
* add a new test to systemcheck?
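For the "improve systemd shutdown reliability" task above, this is what the deliberately shutdown-breaking test unit and the global timeout drop-in could look like. It is an added example, not a unit shipped by security-misc or any other Kicksecure package; the unit name, file paths and the 30s values are assumptions taken from the discussion, and the unit is meant to stay disabled or commented out outside of a test VM.

```ini
# /etc/systemd/system/shutdown-stall-test.service   (assumed name, test only)
# Deliberately stalls shutdown so that the forced power-off path (and with
# it ram-wipe) can be exercised. Without a stall like this, a hang at
# shutdown can only be observed by accident on real hardware.
[Unit]
Description=TEST ONLY - deliberately stall shutdown to exercise forced power-off
# Default dependencies are kept on purpose: they add Conflicts=shutdown.target
# and Before=shutdown.target, so this unit is stopped during every shutdown
# and shutdown.target cannot be reached until the stop job finishes.

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/bin/true
# "ExecStop taking forever": GNU sleep accepts "infinity".
ExecStop=/bin/sleep infinity
# Disable the per-unit stop timeout so the global DefaultTimeoutStopSec from
# system.conf is NOT what ends the stall; only the emergency mechanism under
# test should get the machine down.
TimeoutStopSec=infinity
# KillMode=none (deprecated upstream, still honoured) stops the manager from
# SIGTERM/SIGKILL-ing the leftover sleep process, which is exactly what makes
# the unit "harder to kill" for this test.
KillMode=none

[Install]
# Enable only on the test system: systemctl enable --now shutdown-stall-test.service
WantedBy=multi-user.target
```

```ini
# /etc/systemd/system.conf.d/30-kicksecure-timeouts.conf   (assumed path)
# The global fallbacks named in the task. They only bound units that do not
# set their own TimeoutStopSec, so the test unit above is unaffected by them,
# while every ordinary unit is killed after 30s instead of delaying ram-wipe
# indefinitely. Values are the ones listed in the task, not a recommendation.
[Manager]
DefaultTimeoutStopSec=30s
DefaultTimeoutStartSec=30s
DefaultTimeoutAbortSec=30s
```

After `systemctl daemon-reload`, a `systemctl poweroff` on the test VM should hang at "A stop job is running for TEST ONLY ..." until the emergency shutdown path under test takes the machine down; if the VM powers off after roughly 30s on its own, the per-unit timeout did not take effect and the stall is not actually being exercised.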
sudo -u nobody su user
sudo: unable to execute /usr/bin/su: Permission denied
* Aaron: Implemented using stat rather than a direct execution attempt to make the results independent of the executing user account: https://github.com/ArrayBolt3/systemcheck/tree/arraybolt3/su-test
* Patrick: Merged.

== reconsider qubes login security ==
* reconsider running systemcheck function check_login_security also inside Qubes
* at time of writing:
[INFO] [systemcheck] Kicksecure Login Security Check:
+----------+--------------------------------------+
| Users    | Password               GUI Autologin |
+----------+--------------------------------------+
| root     | Locked (Present)       Enabled       |
| user     | Absent                 Enabled       |
| sysmaint | Locked                 Enabled       |
+----------+--------------------------------------+
* root account locked: important to check
* gui autologin: in user session, disable for root, sysmaint?
* Aaron: Implemented Qubes support: https://github.com/ArrayBolt3/systemcheck/tree/arraybolt3/qubes-login-security
** For GUI autologin, I chose to mimic the behavior of the tool on non-Qubes platforms as much as possible by making it clear that both the default user ''and'' the sysmaint account were considered as having "autologin" enabled. This isn't totally identical to display manager autologin, so I didn't implement this in helper-scripts /usr/sbin/autologinchange, but instead implemented it directly in systemcheck since applications should be using separate handlers for Qubes "autologin" and lightdm/sddm autologin.
** Patrick: Merged.

== Qubes-Whonix qrexec review ==
* threat model: compromised workstation
* please review all qrexec services and see if these could be used to produce an IP leak from Whonix-Workstation
* check for privacy issues
* fix in case issues are found
* Aaron: Audited, could not find any way to cause an IP leak without lots of user interaction. Did find at least one possible way to cause one with user interaction.
** Filed feature request: https://github.com/QubesOS/qubes-issues/issues/10051
** Patch to implement: https://github.com/QubesOS/qubes-core-admin-addon-whonix/pull/22
*** Patrick: Please implement as suggested by Marek.
**** Aaron: Implemented, left some notes about shortcomings of the current implementation and suggestions for how to further improve things. Waiting on further discussion.
**** Aaron: Awaiting merge, this will be able to be moved to archived once done.
***** Merged.

== Debian on true read-only filesystem without ephemeral overlay ==
* in preparation for verified boot implementation
* research
* investigate, document which locations require ephemeral overlays
* investigate, document which locations are useful to persist even when booting with verified boot such as logs
* report bugs or missing features upstream (so we have something to point to, to justify our implementation)
* Aaron: Got vanilla Debian 12 Xfce to get to a functional GUI with a read-only root filesystem.
** Needed to mount a tmpfs to the following directories:
*** /tmp
*** /var/tmp
*** Both of these are simply expected to be world-writable by systemd, see https://systemd.io/TEMPORARY_DIRECTORIES/ and https://github.com/systemd/systemd/issues/17701#issuecomment-734302274
** Needed to mount tmpfs overlays to the following directories:
*** /var/lib/lightdm
*** /home
** In actual use, /home would probably be on a separate partition, as would /var unless aiming for it to be non-persistent. Note that Fedora Silverblue operates in a similar fashion - /var is a separate partition, and /home is mounted from it.
** exim4 and anacron failed to start. anacron complains that it cannot open the timestamp file for job cron.daily, while exim4 complains it cannot touch /var/lib/exim4/config.autogenerated.tmp. Having /var writable would resolve this.
** Once the GUI came up, LibreOffice and Firefox ESR both were able to launch. Web browsing in Firefox seemed to operate normally.
** Should repeat this test, but with Kicksecure 17 rather than a plain Debian VM.
* Aaron: Got Kicksecure 17 to boot directly to a GUI using a read-only root filesystem.
** Reused same mounts as above, except I overlaid all of /var with a tmpfs, and also used a systemd unit to automate the overlay setup process.
** sdwdate-pre.service fails because it is unable to write /usr/libexec/sdwdate/sclockadj. Could be easily ported to drop the file under /run instead.
** swap-file-creator.service fails for obvious reasons
** sysmaint boot malfunctions, at least in part because /etc/passwd can no longer be written to in order to unlock the sysmaint account
** Firefox ESR works when booted into a user session

== investigate networkmanager issue ==
* Kicksecure
Mar 25 10:11:41 localhost NetworkManager[990]:   [1742911901.7721] failed to open /run/network/ifstate
* issue or safely ignored?
** Aaron: I believe this can be safely ignored, /run/network is an ifupdown thing that (to my awareness) we don't use in Kicksecure. Added a line to systemcheck to silence the warning.

== browser-choice - improvements ==
* Should use && instead of ;?
usr/share/browser-choice/plugins/chromium.txt:update-and-install-script=pkexec bash -c -- 'apt-get update; apt-get-noninteractive -y install chromium'
usr/share/browser-choice/plugins/firefox.txt:update-and-install-script=pkexec bash -c -- 'apt-get update; apt-get-noninteractive -y install firefox-esr'
usr/share/browser-choice/plugins/firefox.txt:install-script=pkexec bash -c -- 'extrepo enable mozilla; apt-get update; apt-get-noninteractive -y install firefox'
* There might be more such cases. (I only grepped for "update;".)
** Aaron: Fixed.
* always "set -x" for transparency
** Aaron: Done, except in places where command output is invisible or would cause confusion. (All installation and removal routines have "set -x" enabled.)
* feature request: Please make text copy/pasteable (useful for users so they can ask for support).
** Aaron: Done for labels. Qt doesn't appear to allow me to do this for radio buttons and checkboxes.
* feature request: always show commands executed in browser choice's console window (this is for transparency: the user should be able to follow what's happening under the hood. This enables more users to follow what is going on, debug, etc.)
** Aaron: We get this for free by using "set -x", which is now done.
* feature request: allow maximizing the browser choice console window
** Aaron: Implemented.
* bug: after installing Brave Browser using APT via Browser Choice, clicking the browser icon in Xfce (quick start menu), Browser Choice reports that no browser is installed, even though Brave Browser has been installed.
** Aaron: open-link-confirmation issue, fixed here: https://github.com/ArrayBolt3/open-link-confirmation/tree/arraybolt3/default-browser
* Tor Browser installation: failed, because package tb-updater is not installed. Solution? Install tb-updater, tb-starter using APT first if not yet installed. But this is a problem, because tb-updater/tb-starter installation requires root while running update-torbrowser does not. Perhaps we should install tb-updater/tb-starter by default?
** Aaron: Installing tb-updater and tb-starter by default sounds like a good idea. Implemented.
** tb-starter by default might add a confusing start menu entry. Perhaps acceptable.
*** Aaron: It does, but it's not horrible.
** Should tb-default-browser be installed?
*** Aaron: No, this overrides open-link-confirmation.
** Best to add support for running update-torbrowser in sysmaint session for simplicity?
*** Aaron: Requires enumerating users on the system, presenting them to the user to ask which one to install Tor Browser as, and then doing that. This would most likely be complicated to implement in tb-updater itself, as we would need the UI and backend layers to be separate so the backend could run as the target user while the frontend operated as the sysmaint user, and the two sides would need to be able to communicate. This preferably would be avoided as tb-updater is already very complicated. It could potentially be hacked around with a "helper" that would simply run sudo -E -u user update-torbrowser (replacing "user" as appropriate). This trick would break under Wayland though due to Wayland socket permissions and would require potentially dangerous "opening up" of security to overcome.
*** Similar to running dist-installer-cli in sysmaint but installing to account "user".
*** Security impact?
*** Then all actions could be run from within the sysmaint session. Fewer exceptions. Less user confusion.
**** Aaron: Having to pick which user to install the browser as might be more confusing? "Install system wide" is easy to understand, "install as current user" is easy to understand, "pick the user to install as" is a weird concept not usually encountered.
* "click done to exit this wizard" -> Please expand: "You can restart this wizard any time by ..."
** Aaron: Implemented.
* feature request: advise the user on how to start the installed browser
** Aaron: Implemented.
* feature request: ask to start the browser after installation (will be limited due to sysmaint versus user session, but useful for browsers such as Tor Browser)
** Aaron: This was already implemented and works in my testing.
* feature request: ability to start an already installed browser from browser choice?
** Aaron: Implemented. Also made it so that if browser-choice is called as browser-choice https://example.com, launching a browser from within browser-choice will also pass the URL to it so that it immediately opens in the chosen browser (this enhances integration with open-link-confirmation).
* feature request: in user session, some options are not possible. The window is grayed out. This is good. Please add a sysmaint notice. (I am sure users will ignore the sysmaint popup or not understand it, then post a screenshot of the grayed out window and ask how. This is a feature request to prevent that.)
** Aaron: Implemented, sort of. I had to change how the option restriction mechanism worked in order to add a working launch feature, and in so doing added "(Sysmaint mode required)" strings to options that aren't available in sysmaint mode. This should serve a similar purpose.
* feature request: clarify "system-wide". Users will have trouble understanding which options are available in user session (Tor Browser) versus
** Aaron: Done.
* feature request: increase default size of screen so all browsers are visible by default?
** Aaron: Implemented.
* feature request: allow all screens to maximize?
** Aaron: Not sure how you mean; popup dialogs probably shouldn't be maximizable? All wizard screens can be maximized now though.
* Aaron: browser-choice overhaul: https://github.com/ArrayBolt3/browser-choice/commit/2a54e9011e4ad55448c76e3a2433a496ad419c17

== browser-choice - integrations ==
* Kicksecure: no longer install firefox, thunderbird by default
* make browser-choice the default browser? (lowest priority so it does not take effect over other installed browsers)
* other required or useful integrations?
* Aaron: Implemented:
** browser-choice: https://github.com/ArrayBolt3/browser-choice/commit/8498e02b0afa5e3c107877d057c849e12cc76514 Code and UX improvements, including better guidance about what to do if you're trying to install browsers in a user session.
** open-link-confirmation: https://github.com/ArrayBolt3/open-link-confirmation/tree/arraybolt3/default-browser Adds browser-choice as a low-priority default browser.
*** Should we be adding other browsers that we advertise in browser-choice here, i.e. Mullvad and Brave? Mullvad's "set as default" feature fails silently, so this may be the only way for some users to get a default browser if they choose something non-standard.
** sysmaint-panel: https://github.com/ArrayBolt3/sysmaint-panel/tree/arraybolt3/default-browser Added a button for launching Browser Choice, since this is going to be vitally necessary.
** kicksecure-meta-packages: https://github.com/ArrayBolt3/kicksecure-meta-packages/tree/arraybolt3/default-browser Removed firefox-esr from dependencies, added browser-choice. (Note that dummy-dependency still provides firefox-esr; I wasn't sure whether I should remove that or not. I'd argue it should not be removed: if the user has some other package that "requires" firefox-esr and we remove dummy-dependency's "provides firefox-esr", it may result in the user's package manager getting stuck or trying to force installation of firefox-esr.)
** anon-meta-packages: https://github.com/ArrayBolt3/anon-meta-packages/tree/arraybolt3/default-browser Removed thunderbird from dependencies, added browser-choice.
** Unrelated, but I also ended up reviewing derivative-maker changes and did some fixes to derivative-update and approx caching while I was there: https://github.com/ArrayBolt3/derivative-maker/commit/58ed8b162dcc868ff8d5e5d57f0066b8a42b82c5
* Patrick: All merged.

== browser-choice - integrations - #2 ==
* add to Qubes Kicksecure Template default Qubes app menu
** Aaron: Added.
* integration with setup-wizard-dist?
** mention Browser Choice in setup-wizard-dist?
*** Aaron: Good idea, added.
** add a button to start Browser Choice from setup-wizard-dist?
*** Aaron: This may not be helpful: both Whonix-Workstation and Kicksecure come with user-sysmaint-split by default, so launching Browser Choice on first user session boot could be confusing.
** port setup-wizard-dist to designer for prettification?
*** Aaron: I don't think this is necessary; the application seems to be "pretty" enough and it isn't complicated enough for the extra abstraction of using Designer to be useful IMO.
* open-link-confirmation: If no browser is installed yet in sysmaint mode, it advises the user to "boot into user session", but that would not be of much help, because no browser is installed yet. Please add a message in such cases: "open-link-confirmation could not detect an installed browser yet. Consider using a different device or VM to open the link or install a browser." (Needs polishing.)
** Aaron: This is a bit tricky to do for multiple reasons:
*** We'd have to load the install-status snippets from browser-choice and execute them in open-link-confirmation in order to check for the existence of a web browser. This is technically feasible (the install-status snippets are simply Bash code), but complicated, and it makes me a bit nervous.
*** User-specific browsers can fool a naive approach that simply runs the install-status snippets: if the user has installed Tor Browser in a sysmaint session, the torbrowser check will pass.
*** Ignoring user-specific browsers will result in some users being told they have no browser installed when they do have a browser installed.
*** Checking for user-specific browsers isn't possible because we don't know which user account the user will log into ahead of time.
*** The best way of doing this autodetection I can see is to look for system-wide browsers using browser-choice's plugin code, and suggest the user install a browser if no system-wide browsers are found (noting that this may not be necessary if the user has a user-specific browser installed).
*** A simpler solution, and the one I started out with to avoid overcomplicating things, is to change the last line of the message to say "Ensure a suitable web browser is installed, then reboot into...". This leaves it to the user to decide whether a suitable browser is actually installed or not, something they are better equipped to do than the program is.
* Aaron: Implemented:
** qubes-template-kicksecure: https://github.com/ArrayBolt3/qubes-template-kicksecure
** setup-wizard-dist: https://github.com/ArrayBolt3/setup-wizard-dist/tree/arraybolt3/browser-choice
** open-link-confirmation: https://github.com/ArrayBolt3/open-link-confirmation/tree/arraybolt3/default-browser
* Patrick: All merged.

== livecheck - improvements ==
* bug: clicking on the "persistent mode" link does nothing (also no error when run from terminal)
* feature request: make text copy/pasteable
* feature request: improve the right-click menu a bit (show the name of the application "livecheck" to give some context what it is about)
* Aaron: Implemented, but I wasn't sure about the UX for adding the Livecheck name to the applet, so I made two different implementations. '''Only one should be merged;''' pick whichever one you like more (screenshots shared in chat). Both variants have the link bug fixed and the text copy-pastable.
** Applet name under exit button: https://github.com/ArrayBolt3/desktop-config-dist/tree/arraybolt3/livecheck-enhance
*** Patrick: Merged.
** Applet name as part of exit button: https://github.com/ArrayBolt3/desktop-config-dist/tree/arraybolt3/livecheck-enhance-alt
*** Patrick: Ignored.

== test all vms - systemcheck --verbose --leak-tests ==
* KS, GW, WS:
** systemcheck --verbose --leak-tests
* some new issues: apparmor, erst disable
* please investigate
* maybe unfixable:
** Aaron: Very likely unfixable or too difficult to fix, as we'd have to somehow request info from the vboxsf driver about what mount tags are available.
Silenced via /etc/systemcheck.d/30_default.conf.
Jul 18 06:31:08 localhost mount-shared[855]: /sbin/mount.vboxsf: mounting failed with the error: No such file or directory
Jul 18 06:31:08 localhost kernel: vboxsf: Host rejected mount of 'shared' with error -2
* only inside KVM, do not run in VBox (spice-vdagentd.service systemd drop-in file required in vm-config-dist probably):
** Aaron: Cannot reproduce with virt-manager or with bare QEMU+KVM, did not attempt to mitigate.
Jul 18 06:31:08 localhost systemd[1]: spice-vdagentd.service: Failed to parse PID from file /run/spice-vdagentd/spice-vdagentd.pid: Invalid argument
* fixable:
** Aaron: Fixed.
Jul 22 10:15:47 host mount-shared[815]: accountctl: [ERROR]: User does not exist: 'sysmaint'
* apparmor:
** Aaron: fixed.
/usr/libexec/systemcheck/check_tor_socks_or_trans_port.bsh: line 116: /usr/bin/curl.anondist-orig: Permission denied
* Aaron: Fixes and workarounds implemented:
** systemcheck: https://github.com/ArrayBolt3/systemcheck/tree/arraybolt3/warn-fix
** user-sysmaint-split: https://github.com/ArrayBolt3/user-sysmaint-split/tree/arraybolt3/systemcheck-warn-fix
** vm-config-dist: https://github.com/ArrayBolt3/vm-config-dist/tree/arraybolt3/enhance
** sdwdate: https://github.com/ArrayBolt3/sdwdate/tree/arraybolt3/qubes
* Patrick: All merged.

== document debian versus read-only root file system without overlay issues ==
* document on [[Verified Boot]]
* mention on [[Dev/user-sysmaint-split]]
* Aaron: Added documentation.

== user-sysmaint-split: fix Whonix-Workstation StandaloneVM breakage ==
* newly created Whonix-Workstation StandaloneVM suffers from a number of issues:
** default NetVM is sys-firewall, not sys-whonix
** /dev/xvdb is unformatted and blank, resulting in mount failure, which ends up preventing the VM from booting to the point where graphical windows can be displayed
** apt still attempts to use the TemplateVM proxy for downloads
* fedora-41-xfce and debian-12-xfce both work without issues
* we're likely failing to pull in a necessary service in sysmaint sessions
* Aaron: Fixes for most issues: https://github.com/ArrayBolt3/user-sysmaint-split/tree/arraybolt3/qubes-standalone
** Patrick: Merged.
** Issue filed for the NetVM problem: https://github.com/QubesOS/qubes-issues/issues/10067
*** PR: https://github.com/QubesOS/qubes-core-admin-addon-whonix/pull/23
**** Merged. Can this be archived?

== stable vs rolling - create ticket ==
* mention efforts towards Debian rolling and its failure
* mention that rolling is not necessarily more secure
* link to the wiki: https://www.kicksecure.com/wiki/Dev/Stable_vs_Rolling_Distributions
* purpose of ticket: to get the discussion started, with the aim of improving our developer documentation, problem descriptions and future solution tickets
* Aaron: Ticket created: https://forums.kicksecure.com/t/rolling-vs-stable-release-brainstorming/1139

== browser choice - #3 ==
* bug: mozilla repository warning gone? please re-add
* Please add a third-party APT repository warning and link to the wiki where applicable.
* Perhaps some repetitive warnings should be declarative and a special box?
** such as: https://www.kicksecure.com/wiki/Install_Software#Third_Party_Repository_Warning
** and: https://www.kicksecure.com/wiki/Install_Software#Programs_in_Home_Folder
* Aaron: Added additional warnings for third-party APT repositories, plus a general warning for software installation risks.
** Also created https://www.kicksecure.com/wiki/Install_Software#Trust_Considerations to link to in the general risks warning.

== browser choice - #2 ==
* simplify mozilla stable helper: simply ship/hardcode/add the key, or better, use extrepo (already installed by default)
* Check for network access and warn the user if it is not available
** implement as global "plug-in"? (or hardcoded for Kicksecure)
** do it similar to /usr/libexec/systemcheck/updatecheck
** convert the "am I online" / "do I have internet access" check in /usr/libexec/systemcheck/updatecheck into a helper-scripts shell library
* Don't show the launch checkbox when running in sysmaint sessions
* Naming considerations? Right now the program calls itself "Application Chooser" in the window titlebar, but "Browser Choice" in the application menu (since "Application Chooser" sounds very generic).
** -> let's settle on Browser Choice (as long as we don't implement a full-blown app store)
* add browser plugins:
** Mullvad Browser
** Brave Browser
* Test on Qubes OS
* Test on Whonix-Workstation
* Add warning popup when run in a Qubes OS AppVM (this is mentioned in the spec but not yet implemented)
* remove /home/aaron string from applyingchangespage.ui
* Implementation (mostly tested, could use one more thorough methodical test but should be merge-ready)
** browser-choice: https://github.com/ArrayBolt3/browser-choice/tree/master
*** Patrick: Merged.
** helper-scripts: https://github.com/ArrayBolt3/helper-scripts/tree/arraybolt3/network-check
*** Patrick: Merged.
** systemcheck: https://github.com/ArrayBolt3/systemcheck/tree/arraybolt3/refactor-network-check
*** Patrick: Merged.

== sysmaint-panel and browser-choice - build improvements ==
* implement "make" and "make clean" as discussed
* run build-ui.sh from an override_dh_auto_build target in debian/rules
* no longer add autogenerated files to the git source code folder
* improve name of "core" files
* Aaron: Implemented:
** browser-choice: https://github.com/ArrayBolt3/browser-choice/commit/14e029beca186de22bc4c82c184c14a1a769272d
** sysmaint-panel: https://github.com/ArrayBolt3/sysmaint-panel/tree/arraybolt3/ui-refactor

== browser choice ==
* [[Dev/browser-choice]]
* please implement
* Alpha-quality implementation: https://github.com/ArrayBolt3/browser-choice
* Known issues:
** The last page of the wizard has a ridiculous amount of empty space in it; the wizard window needs to resize itself on the last step to fix this.
*** Fixed.
** The precheck and postcheck scripts aren't being run at all.
*** Precheck and postcheck scripts removed; they are difficult to implement as a separate field if the check scripts require privileges without resulting in multiple password prompts. Moreover, apt does package consistency checks before installing or removing software and will error out if things are problematic. If a particular installation or removal routine does require consistency checks, those can be built directly into the install/remove/purge command lines.
** Quite a bit of variable naming could stand to be better.
*** Renamed a bunch of things for clarity.
** Chromium Flatpak doesn't install for reasons discussed in chat.
*** Fixed, unverified flatpak warning added.
** Tor Browser won't launch in sysmaint mode due to (I think) a particular systemd unit not being started. Unsure if we want to do anything about that.
*** Changed handling mechanism so that whether a browser can be managed in user mode or not is up to capability scripts. Also allowed user-sysmaint-split to be run in a user session.
** Logging is ephemeral and all logs are lost as soon as you continue past the "Applying Software Changes" screen. We need to be logging to a file, not just to the display.
*** Real logging is now implemented.
** The Mozilla apt repository version of Firefox cannot be installed, as the helper script needed for it hasn't been written yet.
*** Script is now written and appears to be functional when tested.
* Further ideas for consideration:
** Check for network access and warn the user if it is not available?
** Don't show the launch checkbox when running in sysmaint sessions? That checkbox makes it worryingly easy to launch a web browser in a sysmaint session, something we've worked to avoid.
** Naming considerations? Right now the program calls itself "Application Chooser" in the window titlebar, but "Browser Choice" in the application menu (since "Application Chooser" sounds very generic).
** Add Mullvad Browser plugin?
** Add plugins for email clients and ensure the application works in that scenario? Maybe chat clients too?
*** (Tabs currently don't have special considerations made for them as far as alphabetizing, so there probably is some additional work needed to make the experience perfect in that regard.)
* Further TODOs:
** Test on Qubes OS
** Test on Whonix-Workstation
** Add warning popup when run in a Qubes OS AppVM (this is mentioned in the spec but not yet implemented)

== user-sysmaint-split - Whonix-Gateway ==
* think through what verified_boot=on versus verified_boot=off should do on Whonix-Gateway
* document on [[Dev/user-sysmaint-split]]
** Create a new "VERIFIED Mode | USER Session | daily activities" that is essentially live mode but with /home persistent and dm-verity enabled.
** This should be used for verified boot in general most likely.
** Patrick: Any immediate changes useful on Whonix-Gateway as long as verified boot does not get implemented?
*** Aaron: Not that I'm aware of.
** Patrick: If verified boot gets enabled on Whonix-Gateway, how would the user modify the system Tor configuration? Use /usr/local similar to how it is done in Qubes-Whonix?
*** Aaron: Users could apply Tor configuration the same way as they always would; it would simply be reset on reboot. For persistent changes, users would boot into PERSISTENT Mode | USER Session | power user activities, and make their changes. This is somewhat similar to sysmaint mode, but not as restrictive. A better way to do this could be to allow the user to store their Tor (and maybe specific other system-wide) configuration files somewhere that requires admin permissions to modify, but that is not protected by verified boot. Perhaps we need to add the concept of a "configuration volume" to our verified boot documentation?
**** Patrick: Yes, we might need something similar to Qubes bind-dirs. In case of Tor, we do already support /usr/local/etc/torrc'''.d''' as documented in https://www.whonix.org/wiki/Tor#Edit_Tor_Configuration
** Patrick: If "PERSISTENT Mode | USER Session" gets renamed to verified mode, that seems to blur the boundary between persistent mode and live mode? Maybe we don't need to rename any boot modes but implement verified boot invisibly to the user? Because if we s/persistent/verified, how would we rename live mode?
*** Aaron: Verified mode won't replace persistent mode unless user-sysmaint-split is installed. Persistent mode will still have a use.
**** Patrick: What is the use case of unverified persistent mode if verified persistent mode is available?
**** Aaron: Necessary to do things like updating software or making persistent configuration changes. Software updates and reconfiguration can be done in verified mode but those changes will be lost upon reboot.
**** Patrick: In case unverified vs verified persistent mode has a use case that we want to support, how would we name unverified live mode versus verified live mode? (That is, in case there is a use case for unverified live mode that we want to support.)
**** Aaron: Current suggested naming is "VERIFIED Mode" and "PERSISTENT Mode", but maybe "VERIFIED Mode" and "UNVERIFIED Mode" or "VERIFIED Mode" and "UPDATE Mode" would be better? Should discuss in chat.

== dracut initrd compression ==
* research compression options
* probably use zstd
* Done: https://forums.kicksecure.com/t/dracut-compression-research/1131
** Would suggest using xz, but zstd is quite good also.
* Patrick: See forum thread.
* Patrick: Please investigate why our initrd is uncompressed by default since dracut allegedly uses zstd by default.
* Patrick: Please test Fedora's configuration snippet (linked in above forum thread).
* Aaron: Our initrd is gzip-compressed by default. The note about zstd compression defaults in Fedora CoreOS's configuration is not saying that the dracut default is zstd to my awareness; it's saying they're reusing the default settings dracut uses for zstd when zstd is used. From the Dracut manual, "If you pass it just the name of a compression program, it will call that program with known-working arguments."
* Aaron: Tested configuration snippet, performed worse than xz in all metrics.
* Patrick: Please implement xz.
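An added check for the investigation above (editor's example, not dist-base-files or dracut code): a small script that names the compressor from an initramfs image's leading magic bytes. It assumes a dracut-built image and, where /usr/lib/dracut/skipcpio exists, uses that helper to step over an uncompressed early-microcode cpio prefix, which is a common reason an image looks uncompressed to a tool that only inspects the first bytes even though the main archive is gzip, xz or zstd. The sample images in the usage note are constructed from magic bytes only.

```sh
#!/bin/sh
# Editor's example, not dist-base-files or dracut code: report the container format of an
# initramfs image. Assumptions: dracut-built image; /usr/lib/dracut/skipcpio (when present)
# is used to skip an uncompressed early-cpio prefix so the main archive is what gets named.
set -eu

# Read the first 6 bytes from stdin and name the format by its magic number.
magic_name() {
  magic=$(od -A n -N 6 -t x1 | tr -d ' \n')
  case "$magic" in
    1f8b*)         echo gzip ;;
    fd377a585a*)   echo xz ;;
    28b52ffd*)     echo zstd ;;
    04224d18*)     echo lz4 ;;
    425a68*)       echo bzip2 ;;
    5d0000*)       echo lzma ;;
    303730373031*) echo cpio ;;     # "070701": uncompressed newc cpio header
    *)             echo unknown ;;
  esac
}

# Format of the very first archive in the image (may only be the early-microcode prefix).
initrd_prefix_format() {
  magic_name < "$1"
}

# Format of the main archive: if the image starts with an uncompressed cpio and dracut's
# skipcpio helper is installed, skip that prefix and inspect what follows it.
initrd_main_format() {
  fmt=$(initrd_prefix_format "$1")
  if [ "$fmt" = cpio ] && [ -x /usr/lib/dracut/skipcpio ]; then
    fmt=$(/usr/lib/dracut/skipcpio "$1" | magic_name)
  fi
  echo "$fmt"
}

# Usage: sh initrd-format.sh /boot/initrd.img-$(uname -r)
if [ "$#" -gt 0 ]; then
  for img in "$@"; do
    printf '%s: prefix=%s main=%s\n' "$img" \
      "$(initrd_prefix_format "$img")" "$(initrd_main_format "$img")"
  done
fi
```

A result of prefix=cpio with main=gzip (or xz, zstd) is the early-microcode layout and not an uncompressed image; only prefix=cpio together with main=cpio, or an unknown main format, warrants a look at the dracut configuration. The compressor itself is selected with the compress= option in a file under /etc/dracut.conf.d/ (see dracut.conf(5)), which takes effect the next time the initramfs is rebuilt, for example by a kernel update or dracut --regenerate-all.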
* Aaron: Done: https://github.com/ArrayBolt3/dist-base-files/tree/arraybolt3/initrd-compress
** Implemented as a file directly in /etc/dracut.conf.d, since if the user chooses to modify this file, I believe this ''should'' trigger a conffile prompt if we ever modify this again.
** Tested in a VM, appears to work. It does ''not'' immediately regenerate the initramfs, but it will have an effect the next time the initramfs is regenerated. I believe this is the desired behavior (making the initramfs be regenerated every time dist-base-files is updated would be excessive).

== qubes integration - missing default start menu entry ==
* missing by default:
** Qubes App Launcher (blue/grey "Q") → Whonix-Gateway App Qube (commonly called sys-whonix) → User Firewall Settings
** Qubes App Launcher (blue/grey "Q") → Whonix-Gateway App Qube (commonly called sys-whonix) → Global Firewall Settings
* please do a full review for all of Qubes-Whonix for which other default start menu entries could/should be added where appropriate
* please do a full review for all of Kicksecure for which other default start menu entries could/should be added where appropriate
* Aaron: Made the following changes:
** Kicksecure AppVM: Include Settings Manager, for better feature parity with the Debian 12 AppVM
** Kicksecure TemplateVM: Remove thunar and add

= backlog - one day =

== calamares - make 3.3.12 available in Bookworm ==
* necessary to fix bugs related to the disk encryption user interface
* Sid and Trixie are still at 3.3.9; does the maintainer need help packaging 3.3.12?
** Maintainer uploaded 3.3.12 to Sid, should migrate to Testing relatively soon.
** 3.3.11 was hung up on calamares-extensions 3.3.1, and while calamares-extensions 3.3.11 is technically available, a real release of it hasn't been made. Pinged the Calamares devs to see if they could do that; after that I'll ping the Debian Qt/KDE team to get them to package it and that should release calamares into Trixie.
** 3.3.12 was uploaded but was slightly wonky, wasn't migrating, and the maintainer wasn't fixing the issue yet. Got a DD friend to sponsor an NMU to fix the problem; should hopefully migrate on December 22nd if all goes well. (Thanks to Simon Quigley for sponsorship!)
* Backport 3.3.12 after it is available in Trixie
** Backport submitted to Debian Mentors, review requested from maintainer.
** Moving to backlog because the maintainer ultimately did not appear willing to help with this. We're porting to Trixie now, so this is probably no longer necessary.

== lightdm sddm ==
* bug report: https://forums.kicksecure.com/t/kicksecure-inside-lmde-5/46/11
* cause of bug could be in rads or security-misc
* Unable to reproduce bug, requested more information at https://forums.kicksecure.com/t/kicksecure-inside-lmde-5/46/13
* More information received, need to retry this one more time
* Tested, finally managed to partially reproduce. Issue appears to be in SDDM.
* Aaron: Debugging complete, bug report with fix filed: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1089004
** Moving to backlog because of no response to the report. Due to Debian policy for stable releases this bug will most likely never be fixed in Bookworm.

== fix Qubes OS kloak implementation behavior with XFCE apps ==
* When dragging XFCE applications in Whonix-Workstation by their menu bar (directly underneath the title bar), the window moves erratically across the screen
* Hover is silently failing to function properly in XFCE application menus
* Hover seems to work just fine in Tor Browser
* May have been a random bug, cannot reproduce now. Bring back from backlog if a way to reproduce this is discovered.

== calamares - enable GRUB force_efi_extra_removable ==
* todo
* if applicable
* PR: https://github.com/calamares/calamares/pull/2446
* Pending discussion.
* Unlikely to be implemented; the current "workaround" appears to be the intended way to implement this sort of thing.

== apt-get - implement --restrict-install-recommends proof of concept ==
* todo

== Debian Installer Verification ==
* after live-build review queue made progress maybe

== Qubes doas ticket ==
* feature request: doas support for Qubes
* ask if Qubes would accept doas configuration snippets
* https://forums.whonix.org/t/replace-sudo-with-doas/17482/22
* Ticket filed as an enhancement request: https://github.com/QubesOS/qubes-issues/issues/9599
* Backlogged, we're going sudoless rather than porting to doas for now.

== Qubes umask ticket ==
* /etc/sudoers.d/umask
* https://forums.whonix.org/t/replace-sudo-with-doas/17482/22
* This was only needed if migrating to doas. Superseded by sudoless mode, moved to backlog.

== investigate porting from sudo to doas ==
* https://forums.whonix.org/t/replace-sudo-with-doas/17482
* can our /etc/sudoers.d snippets be ported to doas? Is doas powerful enough for our requirements, based on our already existing /etc/sudoers.d snippets?
* could we have a system that no longer requires sudo, or would we end up with a system that comes with both sudo and doas? ("double" attack surface)
* use ReplaceText as a wiki search engine to find our current uses of sudo, because these would need to be ported to doas
** https://www.kicksecure.com/wiki/Special:ReplaceText
** https://www.whonix.org/wiki/Special:ReplaceText
** search terms:
*** sudo
*** lxsudo
* Ensure sudoers.d config files used in Kicksecure and Whonix on Qubes OS can be ported to doas
* Did an audit of all uses of sudo in the Kicksecure and Whonix codebases, and how difficult they should be to port to doas. Results: https://gist.github.com/ArrayBolt3/6699ec4c631fec28e1f4c0a2e657fcd7
* Superseded by sudoless mode, moved to backlog

== doas - send pull requests to Qubes ==
* [[Dev/todo#Qubes_doas_ticket|Qubes doas ticket]] might be unlikely to get rejected. But replies could take a while.
* Please send pull requests. Since it is only 2 packages, 3 files, the wasted effort if this gets rejected might be low enough?
qubes-core-agent: /etc/sudoers.d/qt_x11_no_mitshm
qubes-core-agent: /etc/sudoers.d/umask

qubes-input-proxy-sender: /etc/sudoers.d/qubes-input-trigger
* Superseded by sudoless mode, moved to backlog

== create /usr/local/etc/doas.d /etc/doas.d parser and /etc/doas.conf configuration file creator ==
* parse /usr/local/etc/doas.d
* parse /etc/doas.d
* parse only configuration files ending with .conf
* do not overwrite a file that does not contain our auto-generated configuration file header (could be a user custom file)
** echo a warning in that case
* atomic: build the content in a variable, then write it with sponge
* add to security-misc
* add a dpkg trigger
* /etc/doas.conf would require a header pointing out it is auto-generated:
## Do not edit this file!
## Please create and add modifications to the following file instead:
## /usr/local/etc/doas.d/50_user.conf

## This file was auto generated by '$BASH_SOURCE' at APT package installation time (a dpkg trigger).
* Superseded by sudoless mode, moved to backlog

== doas - add to security-misc permission hardener whitelist ==
* todo
* Superseded by sudoless mode, moved to backlog

== doas - create /etc/doas.d configuration snippets ==
* add /etc/doas.d configuration snippets to the various packages needing these
* if possible, pending discussion in https://forums.whonix.org/t/replace-sudo-with-doas/17482/19 for review of sudoers.d snippets by upstream
* Superseded by sudoless mode, moved to backlog

== bootloader password ==
* https://forums.kicksecure.com/t/harden-grub-bootloader-using-bootloader-password/723

== vm-config-dist re-installs same version ==
* Why does a freshly built ova image attempt to upgrade vm-config-dist, even though it is already the latest version?
* https://download.kicksecure.com/ova/17.2.7.8/
* please investigate
[user ~]% dpkg -l | grep vm-config
ii  vm-config-dist                                3:10.5-1                        all          usability enhancements inside virtual machines
[user ~]% upgrade-nonroot
Get:1 tor+https://deb.debian.org/debian bookworm InRelease [151 kB]
Get:2 tor+https://fasttrack.debian.net/debian bookworm-fasttrack InRelease [12.9 kB]
Get:3 tor+https://fasttrack.debian.net/debian bookworm-fasttrack/main amd64 Packages [5296 B]
Get:4 tor+https://deb.debian.org/debian bookworm-updates InRelease [55.4 kB]
Get:5 tor+https://fasttrack.debian.net/debian bookworm-fasttrack/non-free amd64 Packages [492 B]
Get:6 tor+https://deb.debian.org/debian-security bookworm-security InRelease [48.0 kB]
Get:7 tor+https://fasttrack.debian.net/debian bookworm-fasttrack/contrib amd64 Packages [7332 B]
Get:8 tor+https://deb.kicksecure.com bookworm InRelease [62.0 kB]
Get:9 tor+https://deb.debian.org/debian bookworm-backports InRelease [59.0 kB]
Get:10 tor+https://deb.kicksecure.com bookworm/non-free amd64 Packages [913 B]
Get:11 tor+https://deb.debian.org/debian bookworm/non-free amd64 Packages [97.3 kB]
Get:12 tor+https://deb.debian.org/debian bookworm/non-free-firmware amd64 Packages [6236 B]
Get:13 tor+https://deb.debian.org/debian bookworm/contrib amd64 Packages [54.1 kB]
Get:14 tor+https://deb.debian.org/debian bookworm/main amd64 Packages [8789 kB]
Get:15 tor+https://deb.kicksecure.com bookworm/main amd64 Packages [33.7 kB]
Get:16 tor+https://deb.kicksecure.com bookworm/contrib amd64 Packages [509 B]
Get:17 tor+https://deb.debian.org/debian bookworm-updates/non-free-firmware amd64 Packages [616 B]
Get:18 tor+https://deb.debian.org/debian bookworm-updates/main amd64 Packages [2712 B]
Get:19 tor+https://deb.debian.org/debian bookworm-updates/non-free amd64 Packages [12.8 kB]
Get:20 tor+https://deb.debian.org/debian bookworm-updates/contrib amd64 Packages [768 B]
Get:21 tor+https://deb.debian.org/debian-security bookworm-security/contrib amd64 Packages [644 B]
Get:22 tor+https://deb.debian.org/debian-security bookworm-security/non-free-firmware amd64 Packages [688 B]
Get:23 tor+https://deb.debian.org/debian-security bookworm-security/main amd64 Packages [206 kB]
Get:24 tor+https://deb.debian.org/debian bookworm-backports/main amd64 Packages [264 kB]
Get:25 tor+https://deb.debian.org/debian bookworm-backports/contrib amd64 Packages [5624 B]
Get:26 tor+https://deb.debian.org/debian bookworm-backports/non-free-firmware amd64 Packages [3852 B]
Get:27 tor+https://deb.debian.org/debian bookworm-backports/non-free amd64 Packages [11.1 kB]
Fetched 9891 kB in 8s (1227 kB/s)
Reading package lists... Done
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Calculating upgrade... Done
The following packages will be upgraded:
  vm-config-dist
1 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 40.2 kB of archives.
After this operation, 2048 B of additional disk space will be used.
Do you want to continue? [Y/n] ^Czsh: exit 130   upgrade-nonroot
[user ~]% apt-cache show vm-config-dist
Package: vm-config-dist
Version: 3:10.5-1
Architecture: all
Maintainer: Patrick Schleizer 
Installed-Size: 135
Depends: sudo, adduser, p7zip-full
Replaces: power-savings-disable-in-vms, shared-folder-help
Homepage: https://github.com/Kicksecure/vm-config-dist
Priority: optional
Section: misc
Filename: pool/main/v/vm-config-dist/vm-config-dist_10.5-1_all.deb
Size: 40244
SHA256: 41fc4cd7e2f97bdcf23ff80b91cbbc339aca3c60445ffaa4725147e4e28d048a
SHA1: d150305c67a4d3949c714c4b16a6a2c1ebe63353
MD5sum: 471286ecd49b36d287b50f807685036b
Description: usability enhancements inside virtual machines
 Sets environment variable `QMLSCENE_DEVICE=softwarecontext` as workaround for
 "Automatic fallback to softwarecontext renderer".
 .
 It is not useful to open a screensaver or to power down the desktop for
 operating systems that are run inside VMs. There is no real display that could
 be saved and no real power that could be saved. From usability perspective it
 also is counter intuitive when looking at the VM window and only seeing a
 black screen. Therefore it makes sense to disable power savings in VMs.
 `/etc/X11/Xsession.d/20_kde_screen_locker_disable_in_vms.sh`
 `/etc/profile.d/20_power_savings_disable_in_vms.sh`
 `/etc/X11/Xsession.d/20_software_rendering_in_vms.sh`
 `/usr/share/kde-power-savings-disable-in-vms/kdedrc`
 `/usr/share/kde-screen-locker-disable-in-vms/kscreenlockerrc`
 .
 Disables screen locker when running in VMs because that is not useful either.
 .
 Makes setting up a shared folder for virtual machines a bit easier.
 .
  * Creates a folder `/mnt/shared` with `chmod 777`, adds a group
 "vboxsf", adds user "user" to group "vboxsf". Facilitates auto-mounting of
 shared folders.
 .
  * Helps using shared folders with VirtualBox and KVM a bit
 easier (as in requiring fewer manual steps from the user).
 .
  * `/lib/systemd/system/mnt-shared-vbox.service`
  * `/lib/systemd/system/mnt-shared-kvm.service`
 .
 Set screen resolution 1920x1080 by default for VM in VirtualBox and KVM.
 Workaround for low screen resolution 1024x768 at first boot. When using lower
 screen resolutions, Xfce will automatically scale down.
 `/etc/skel/.config/xfce4/xfconf/xfce-perchannel-xml/displays.xml`
 .
 Installs VirtualBox guest additions if package
 `virtualbox-guest-additions-iso` is installed if environment variable
 `dist_build_virtualbox=true` or if running inside VirtualBox.
 (`systemd-detect-virt` returning `oracle`)
 `/usr/bin/vbox-guest-installer`
Description-md5: 09e095e928a4c962e728f72d712b4c34

Package: vm-config-dist
Status: install ok installed
Priority: optional
Section: misc
Installed-Size: 133
Maintainer: Patrick Schleizer 
Architecture: all
Version: 3:10.5-1
Replaces: power-savings-disable-in-vms, shared-folder-help
Depends: sudo, adduser, p7zip-full
Conffiles:
 /etc/dracut.conf.d/30-vm-config-dist.conf 4b17a68bed81773993a0c46d79148986
 /etc/gdm3/daemon.conf.dist b1f35c9655abcc3171af5c10ce4d8292
 /etc/profile.d/20_kde_screen_locker_disable_in_vms.sh e45dd471bc555b906c6c04b208f4066b
 /etc/profile.d/20_power_savings_disable_in_vms.sh bfef62e0edc770197204884b9fc3baea
 /etc/profile.d/20_software_rendering_in_vms.sh 32d99ab4948878c5c790145bdafa88ea
 /etc/skel/.config/xfce4/xfconf/xfce-perchannel-xml/displays.xml 573a4880ca28e8e094ea78fa76fb875e
Description: usability enhancements inside virtual machines
 Sets environment variable `QMLSCENE_DEVICE=softwarecontext` as workaround for
 "Automatic fallback to softwarecontext renderer".
 .
 It is not useful to open a screensaver or to power down the desktop for
 operating systems that are run inside VMs. There is no real display that could
 be saved and no real power that could be saved. From usability perspective it
 also is counter intuitive when looking at the VM window and only seeing a
 black screen. Therefore it makes sense to disable power savings in VMs.
 `/etc/X11/Xsession.d/20_kde_screen_locker_disable_in_vms.sh`
 `/etc/profile.d/20_power_savings_disable_in_vms.sh`
 `/etc/X11/Xsession.d/20_software_rendering_in_vms.sh`
 `/usr/share/kde-power-savings-disable-in-vms/kdedrc`
 `/usr/share/kde-screen-locker-disable-in-vms/kscreenlockerrc`
 .
 Disables screen locker when running in VMs because that is not useful either.
 .
 Makes setting up a shared folder for virtual machines a bit easier.
 .
  * Creates a folder `/mnt/shared` with `chmod 777`, adds a group
 "vboxsf", adds user "user" to group "vboxsf". Facilitates auto-mounting of
 shared folders.
 .
  * Helps using shared folders with VirtualBox and KVM a bit
 easier (as in requiring fewer manual steps from the user).
 .
  * `/lib/systemd/system/mnt-shared-vbox.service`
  * `/lib/systemd/system/mnt-shared-kvm.service`
 .
 Set screen resolution 1920x1080 by default for VM in VirtualBox and KVM.
 Workaround for low screen resolution 1024x768 at first boot. When using lower
 screen resolutions, Xfce will automatically scale down.
 `/etc/skel/.config/xfce4/xfconf/xfce-perchannel-xml/displays.xml`
 .
 Installs VirtualBox guest additions if package
 `virtualbox-guest-additions-iso` is installed if environment variable
 `dist_build_virtualbox=true` or if running inside VirtualBox.
 (`systemd-detect-virt` returning `oracle`)
 `/usr/bin/vbox-guest-installer`
Description-md5: 09e095e928a4c962e728f72d712b4c34
Homepage: https://github.com/Kicksecure/vm-config-dist

[user ~]%
</pre>

* SHA256 is OK and matches my locally built package.

myfind . | grep vm-config-dist | grep '.deb$' | xargs sha256sum
+ set -e
+ find . -type f -not -iwholename '*.git*'
41fc4cd7e2f97bdcf23ff80b91cbbc339aca3c60445ffaa4725147e4e28d048a  ./genmkfile-packages-result/vm-config-dist_10.5-1_all.deb
41fc4cd7e2f97bdcf23ff80b91cbbc339aca3c60445ffaa4725147e4e28d048a  ./aptrepo_local/kicksecure/pool/main/v/vm-config-dist/vm-config-dist_10.5-1_all.deb
41fc4cd7e2f97bdcf23ff80b91cbbc339aca3c60445ffaa4725147e4e28d048a  ./aptrepo_remote/kicksecure/pool/main/v/vm-config-dist/vm-config-dist_10.5-1_all.deb
* The Installed-Size of the package on the VM is listed as one size, but the Packages file in Kicksecure's remote repo lists a different Installed-Size. Thus even though the debs are identical, apt believes the packages are different and wants to update to the remote version of the package as a result. See https://unix.stackexchange.com/questions/581291/why-apt-wants-to-upgrade-already-up-to-date-package. Why this is happening is unclear. Perhaps something is going wrong with using reprepro? See below.
# From https://deb.kicksecure.com/dists/bookworm/main/binary-amd64/Packages:
Package: vm-config-dist
...
Installed-Size: 135
...

# From /var/lib/dpkg/status from the linked OVA file:
Package: vm-config-dist
...
Installed-Size: 133
...
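As an added worked check (example code written for this page, not code from the page itself or from the vm-config-dist project): the script below parses the two records that apt-cache show prints, reports which fields apt would hash differently, and verifies a local .deb against the SHA256 in the Packages record. The hashed-field list mirrors apt's debListParser::VersionHash as I recall it (Installed-Size, Depends, Pre-Depends, Conflicts, Breaks, Replaces) and is an assumption to verify against the apt source of the release in use; the sample records are constructed to match the trimmed values shown above.

```python
"""Why apt offers to "upgrade" a package to the very same version.

apt does not identify a version by its Version string alone: its Debian
list parser hashes a handful of control fields, and two records with the
same Version but a different hash are treated as two distinct versions.
A Packages record whose Installed-Size differs from the dpkg status
record therefore makes the installed package look like a different one.
"""
import hashlib

# Assumption: field list recalled from apt's deblistparser.cc (VersionHash).
HASHED_FIELDS = ("Installed-Size", "Depends", "Pre-Depends",
                 "Conflicts", "Breaks", "Replaces")


def parse_stanzas(text):
    """Parse deb822-style stanzas (apt-cache show / dpkg status) into dicts."""
    stanzas, cur, last = [], {}, None
    for raw in text.splitlines():
        if not raw.strip():                      # blank line ends a stanza
            if cur:
                stanzas.append(cur)
            cur, last = {}, None
            continue
        if raw[0] in " \t":                      # continuation of previous field
            if last is None:
                raise ValueError("continuation without a field: %r" % raw)
            cur[last] += "\n" + raw
            continue
        field, sep, value = raw.partition(":")
        if not sep:
            raise ValueError("malformed control line: %r" % raw)
        last = field.strip()
        cur[last] = value.strip()
    if cur:
        stanzas.append(cur)
    return stanzas


def split_apt_cache_show(text):
    """apt-cache show lists the installed record (it carries a Status field)
    next to the repository records. Returns (installed_or_None, [repo records])."""
    installed, repo = None, []
    for s in parse_stanzas(text):
        if "Status" in s:
            installed = s
        else:
            repo.append(s)
    return installed, repo


def version_hash_diff(a, b):
    """Hashed fields that differ between records a and b.
    apt strips whitespace and lowercases field values before hashing (to undo
    dpkg's reformatting of dependency lists), so the same is done here."""
    diff = {}
    for f in HASHED_FIELDS:
        va = "".join(a.get(f, "").split()).lower()
        vb = "".join(b.get(f, "").split()).lower()
        if va != vb:
            diff[f] = (va, vb)
    return diff


def explain(installed, candidate):
    """One-line verdict on whether apt sees the two records as the same version."""
    if installed.get("Version") != candidate.get("Version"):
        return "different Version: %s vs %s" % (installed.get("Version"),
                                                 candidate.get("Version"))
    diff = version_hash_diff(installed, candidate)
    if not diff:
        return "same version for apt: no upgrade expected"
    return "same Version %s, but apt hashes these fields differently: %s" % (
        installed["Version"],
        "; ".join("%s %s -> %s" % (f, x, y) for f, (x, y) in sorted(diff.items())))


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def deb_matches_record(path, record):
    """True if the local .deb is byte-identical to what the Packages record describes."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest() == record.get("SHA256", "").lower()


# Constructed sample mirroring the two records above (trimmed to the relevant fields).
SAMPLE = """\
Package: vm-config-dist
Version: 3:10.5-1
Architecture: all
Installed-Size: 135
Depends: sudo, adduser, p7zip-full
Replaces: power-savings-disable-in-vms, shared-folder-help
SHA256: 41fc4cd7e2f97bdcf23ff80b91cbbc339aca3c60445ffaa4725147e4e28d048a

Package: vm-config-dist
Status: install ok installed
Version: 3:10.5-1
Architecture: all
Installed-Size: 133
Depends: sudo, adduser, p7zip-full
Replaces: power-savings-disable-in-vms,
 shared-folder-help
"""

if __name__ == "__main__":
    inst, repo = split_apt_cache_show(SAMPLE)
    print(explain(inst, repo[0]))
```

On a live system, feed the output of `apt-cache show vm-config-dist` to `split_apt_cache_show`; equal Version strings with a non-empty diff is exactly the state in which apt offers to "upgrade" to the identical package, and `deb_matches_record` confirms that the archive itself is unchanged, as the sha256sum check above did.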
* I did an OVA build in the background to see what Installed-Size it resulted in, but then accidentally deleted it. I can redo the build and check it if desired.

== str_replace utf-8 bug ==
str_replace %%replace-me-clearnet-replace-me%% kicksecure.com /etc/postfix/header_checks.db
Traceback (most recent call last):
  File "/usr/bin/str_replace", line 49, in 
    main()
  File "/usr/bin/str_replace", line 26, in main
    file_data = source_fh.read()
                ^^^^^^^^^^^^^^^^
  File "", line 322, in decode
UnicodeDecodeError: 'utf-8' codec can't decode byte 0x8e in position 54: invalid start byte
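As an added example (written for this page; it is not the project's /usr/bin/str_replace, whose source is not shown here): a bytes-based literal replacement that cannot fail on non-UTF-8 input such as the 0x8e byte in the traceback, written to the file atomically while preserving its mode. It refuses files containing NUL bytes unless told otherwise, because a postmap-generated *.db is a compiled Postfix lookup table (typically Berkeley DB), not text; patching such a file in place is questionable in any case, and regenerating it with postmap from the edited source map is the usual route. The sample data is constructed.

```python
"""Binary-safe in-place literal replacement (added example, not the project's tool)."""
import os
import stat
import tempfile


def looks_binary(data, sample=8192):
    """Common heuristic: a NUL byte in the first block means the file is not text."""
    return b"\x00" in data[:sample]


def replace_bytes(data, old, new):
    """Literal replacement on bytes; returns (new_data, number_of_replacements)."""
    if not old:
        raise ValueError("search string must not be empty")
    count = data.count(old)
    return (data.replace(old, new) if count else data), count


def str_replace_file(path, old, new, allow_binary=False):
    """Replace every occurrence of old with new in path, atomically.
    old/new may be str (encoded as UTF-8) or bytes. Returns the replacement count.
    The file mode is preserved; binary files are refused unless allow_binary=True."""
    if isinstance(old, str):
        old = old.encode("utf-8")
    if isinstance(new, str):
        new = new.encode("utf-8")
    with open(path, "rb") as fh:                 # bytes: no decode step to fail
        data = fh.read()
    if looks_binary(data) and not allow_binary:
        raise ValueError("%s looks binary; pass allow_binary=True to patch it anyway" % path)
    data, count = replace_bytes(data, old, new)
    if count == 0:
        return 0
    mode = stat.S_IMODE(os.stat(path).st_mode)
    fd, tmp = tempfile.mkstemp(prefix=".str_replace.",
                               dir=os.path.dirname(os.path.abspath(path)))
    try:
        with os.fdopen(fd, "wb") as out:
            out.write(data)
            out.flush()
            os.fsync(out.fileno())
        os.chmod(tmp, mode)                      # mkstemp creates the file 0600
        os.replace(tmp, path)                    # atomic swap, never a half-written file
    except BaseException:
        os.unlink(tmp)
        raise
    return count


def demo():
    """Constructed input: a non-UTF-8 byte (0x8e, as in the traceback) next to the marker."""
    data = b"hdr\x8e %%replace-me-clearnet-replace-me%% tail"
    try:
        data.decode("utf-8")
        decoded = True
    except UnicodeDecodeError:                   # this is what the text-mode tool hits
        decoded = False
    out, n = replace_bytes(data, b"%%replace-me-clearnet-replace-me%%", b"kicksecure.com")
    return decoded, n, out


def selftest_file():
    """Write the constructed sample to a temp file, patch it, read it back."""
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "header_checks.sample")
        with open(p, "wb") as fh:
            fh.write(b"hdr\x8e %%replace-me-clearnet-replace-me%% tail\n")
        os.chmod(p, 0o640)
        n = str_replace_file(p, "%%replace-me-clearnet-replace-me%%", "kicksecure.com")
        with open(p, "rb") as fh:
            out = fh.read()
        mode = stat.S_IMODE(os.stat(p).st_mode)
    return n, out, mode


if __name__ == "__main__":
    print(demo())
    print(selftest_file())
```

The decode attempt in `demo` reproduces the failure mode of the traceback; the bytes path succeeds on the same input. Whether a map file should be patched this way at all is decided by the caller through `allow_binary`.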
* Low-priority, could be difficult to fix.

== Qubes graphical-session.target missing bug ==
* Which source code file enables the systemd graphical-session.target on Debian?
* https://github.com/QubesOS/qubes-issues/issues/9576
* Patrick: msgcollector now starts the systemd unit from /etc/xdg/autostart, that is good enough.

== add date and time detection to archive.today frontend ==
* This is necessary for the next task.
* If a link has been archived once in the past, but is severely outdated, we should probably request that archive.today rearchive it. This requires that we know when archive.today archived each page.
* (It might be worthwhile to detect when a link was added to the Wiki and use that as a deciding factor as to whether or not we should archive the link again. Might be doable by using the archive.today backups from Github.)
* We decided to not attempt re-archiving already archived content, thus this is no longer needed for now.

== mediawiki bot setup ==
* no wiki mass editing required for now
* will be required for mediawiki mass editing
* https://www.kicksecure.com/wiki/Special:BotPasswords
* https://www.kicksecure.com/wiki/Special:BotPasswords/botname
* https://www.whonix.org/wiki/Special:BotPasswords
* https://www.whonix.org/wiki/Special:BotPasswords/botname
* note: replace botname with the actual name of the bot

== rootless X11 ==
* only if doable with low effort, such as just changing some configs (such as the lightdm config) or changing some installed packages
* Would require switching away from LightDM or enabling rootless X11 support in LightDM, thus moving to backlog.
== power9 RAM encryption research ==
* todo

== auto-detect, prompt for potential root devices in case the root= device is misconfigured or missing ==
* https://github.com/dracutdevs/dracut/issues/2589
* if doable with reasonable effort please send a pull request to dracut-'''ng'''
* Pull request: https://github.com/dracut-ng/dracut-ng/pull/694
* update: as discussed, low priority if effort is too high

== dracut add support for undeclared CDLABEL ==
as discussed

== live-build - Retry button in derivative-maker doesn't work ==
* low priority, move to backlog please

== live-build - remove trailing spaces ==
* can be done when the upstream review queue of live-build has more room

= Footnotes =
{{Footer}}