Deprecated

From Kicksecure
Jump to navigation Jump to search

Full Disk Encryption encrypted /boot GRUB Keyboard Layout Issue[edit]

4 Notice for users of full disk encryption.

If you would like to use full disk encryption (FDE), it can be done in the Partition tab. Choose "Encrypt system".

If you choose full disk encryption and your keyboard is NOT en_US QWERTY, please press on 'Learn More' on the right side.

Encryption Versus Keyboard Layout

The Calamares installer will encrypt /boot but with English US QWERTY keyboard. This can be confusing. The user might type the password in their local keyboard layout while GRUB at boot time will be interpreting the password using English US QWERTY keyboard layout.

  • en_US QWERTY keyboards: This is a non-issue for users using US keyboards.
  • other keyboards: This issue exists.

Which workarounds are available to users? Choose one.

  • A) Use a separate English US QWERTY keyboard for password entry;
  • B) Avoid characters which are different on your local vs the English US QWERTY keyboard layout;
  • C) Use a different installation method. Using Distribution morphing it will be possible to avoid encrypted /boot by using Debian's old installer ("d-i"archive.org Debian's installer GUI (GTK based)archive.org);
  • D) Not using full disk encryption. Not recommended.

Less realistic workarounds, for developers only and tickets, see footnote. [1]

VirtualBox read-only mode[edit]

1. Warning.

Issue: VirtualBox might no longer support VBoxInternal/Devices/lsilogicsas/0/LUN#0/AttachedDriver/Config/ReadOnly. Settings set through VBoxManage setextradata are not officially supported and might be gone at some time such as now.

2. Set the VM disks to read-only.

Follow these steps:

  • Power off the virtual machine (VM).
  • Set the disk to read-only.
    • The name of the VM in the following example below is Kicksecure-Xfce. It could be replaced with the name of any other VM such as Kicksecure-Xfce.
    • On the host command line, run.

VBoxManage setextradata Kicksecure-Xfce "VBoxInternal/Devices/lsilogicsas/0/LUN#0/AttachedDriver/Config/ReadOnly" 1

3. Remove VirtualBox virtual DVD drive.

This is only required if the VM has a virtual DVD drive. It is not required in Kicksecure version 15.0.1.2.7 and above since it no longer comes with a virtual DVD drive by default. See footnote for a Kicksecure build version lower than 15.0.1.2.7. [2]

4. Launch the live system.

Following reboot, a second boot entry called "VM Live Mode-mode" will be visible. Select it and then press Enter to boot the live system and use it as normal.

5. Optional: Revert the read-only change.

To boot into normal mode again, run this command on the host to revert the change.

VBoxManage setextradata Kicksecure-Xfce "VBoxInternal/Devices/lsilogicsas/0/LUN#0/AttachedDriver/Config/ReadOnly"

The normal boot option can now be selected in the GRUB menu.

6. Optional: Re-add the virtual DVD.

Only when you need this; see footnotes. [3]

7. Done.

The process has been completed.

Troubleshooting: If the system does not boot, check the Recommended VirtualBox Version for Kicksecure VirtualBox is in use.

VirtualBox Generic Bug Reproduction using virtualbox-guest-additions-iso[edit]

This entry is based on Bug Report Recommendations, specifically Generic Bug Reproduction. The content is similar to the Try a non-Kicksecure VM chapter above.

A manual reproduction of the Kicksecure VirtualBox Integration.

  1. Use the recommendedarchive.org (.oniononion) Linux distribution -- Debianarchive.org bookworm -- as the host operating system. (Debian Tips)
  2. Install the recommended version of the VirtualBox host software.
  3. Installation of non-freedom software is not required, but the Debian "nonfree" (free in price but non-freedom) repository must be temporarily enabled; the reason is documented below.
  4. virtualbox-guest-additions-isoarchive.org (Freedom Software) from the Debian repository on the the Debian host operating system. Due to a Debian packaging bug the package is only available from Debian nonfree repository, but the package is not non-freedom. That package provides file /usr/share/virtualbox/VBoxGuestAdditions.iso.
  5. Install Debian bookworm inside a VirtualBox VM.
  6. Mount the VirtualBox Guest Additions CD iso file /usr/share/virtualbox/VBoxGuestAdditions.iso inside the Debian VM.
  7. Install VirtualBox Guest Additions from the virtual CD-ROM drive inside the Debian VM. Change to the directory where the CD-ROM drive is mounted and run the following command as root: sh ./VBoxLinuxAdditions.run
  8. Attempt to reproduce the original issue.

NTP[edit]

Disabling NTP[edit]

If ISP tampering with NTP is ever confirmed, users are advised to disable NTP and manually update the host clock out-of-band. For example, a watch or atomic clockarchive.org can be used for this purpose. If the tampering is targeted and not a widescale attack, then the user already has much bigger problems to worry about than NTP; see Confirmation Attacks.

If following the advice above -- disabling NTP on the host and adjusting the clock out-of-band -- be aware that clearnet traffic might be easier to fingerprint. [4] The reason is that it introduces a device issuing clearnet traffic (such as OS updates), but without the use of NTP. It is unknown how many people have NTP which is deactivated, broken, uninstalled, or never in fact installed in the first place. Also unknown is how many people are using alternative time synchronization methods such as authenticated NTP, tails_htparchive.org, tlsdatearchive.org, sdwdate or similar. However, search engine research suggests that very few people fall into both these categories.

NTP Issues[edit]

The host system clock synchronization mechanism still uses unauthenticated NTP from a single source. This is not optimal, but there is no real solution to this problem. [5] A potential attack vector is created by this NTP behavior; the ISP and/or time server could either inadvertently or maliciously introduce a significant clock skew, or the host clock could simply malfunction.

If the host clock value is grossly inaccurate -- more than one hour in the past or more than 3 hours in future -- Tor cannot connect to the Tor network. [6] This is easily solved by manually fixing the clock on the host, then powering the Kicksecure off and on again.

Another side effect of a significantly inaccurate host clock concerns operating system (OS) updates and cryptographic verification on the host. Until the host clock is manually fixed, it may no longer be possible to download updates or verify SSL certificates correctly with the host browser.

Users should always check whether a host clock defect relates to an empty battery before assuming the ISP is tampering with NTP.

???[edit]

KVM[edit]

For KVM, click on Expand on the right.

Edit the VM xml before import or edit the VM xml after import and change the following setting. <clock offset='utc'> To.

<clock offset='variable' adjustment='123456' basis='utc'>

The adjustment attribute takes any arbitrary value for seconds. The user must pick a random value that is unknown to others, ranging between 0 and 900 (a 15 minute range).

Qubes[edit]

TODO

Unfortunately, it is not yet possible to set a random clock offset for Kicksecure for Qubes VM to prevent clock correlation attacks since it is unsupported by Xenarchive.org. A related issue is denying Kicksecure for Qubes access to "clocksource=xen"archive.org, which may not be possible without Linux kernel and/or Xen patches. For a detailed discussion of these issues, see herearchive.org.

VirtualBox[edit]

For VirtualBox, click on Expand on the right.

VirtualBox has a feature to spoof the initial virtual hardware clock offset by setting the clock X milliseconds in the future or past. The syntax is outlined below.

VBoxManage modifyvm <name> --biossystemtimeoffset -<milliseconds> VBoxManage modifyvm <name> --biossystemtimeoffset +<milliseconds>

It is recommended to add a random delay within the following range.

VBoxManage modifyvm <name> --biossystemtimeoffset -60000 VBoxManage modifyvm <name> --biossystemtimeoffset +60000

A spoofing example is below. Users should select their own unique and random values for both the past (-) and future (+) within the specified range. Different values should be used for each distinct VM (on the host).

VBoxManage modifyvm "Kicksecure" --biossystemtimeoffset -35017 VBoxManage modifyvm "Kicksecure" --biossystemtimeoffset +27931 VBoxManage modifyvm "Kicksecure" --biossystemtimeoffset -35017 VBoxManage modifyvm "Kicksecure" --biossystemtimeoffset +27931

Apart from this small biossystemtimeoffset, a clock skew always degrades privacy. [7] [8]

  1. Less realistic workarounds:
    • F) Workaround the bug by patching Kicksecure Calamares installer to use unencrypted /boot;
    • G) Fix the GRUB bug.
    Tickets:
  2. Careful. If you remove the wrong drive, your VM will no longer boot. If you are worried, clone the VM first before proceeding.
    1. Power off the VM.
    2. VirtualBoxclick a VMSettingsStorageclick on DVD device symbolclick on disk removal symbol
    3. VirtualBox will ask

    Are you sure you want to delete the optical drive?

    You will not be able to insert any optical disks or ISO images or install the Guest Additions without it!

    4. click "Remove"

    https://forums.whonix.org/t/no-longer-add-virtual-dvd-drive-to-vm-by-default/9337archive.org

  3. Careful. If you remove the wrong drive, your VM will no longer boot. If you are worried, clone the VM first before proceeding.
    1. Power off the VM.
    2. VirtualBoxclick a VMSettingsStorageclick on DVD device add symbolclick Leave Emptyclick OK
    3. Usual way to add DVD's to VirtualBox VMs can now be used such as VirtualBoxclick a VMclick on [Optical Drive]
  4. See the Fingerprint page to discover what fingerprinting means in this case.
  5. See Design: Dev/TimeSync.
  6. In this case, Tor cannot verify the Tor consensus.
  7. biossystemtimeoffset is used to unlink the virtualizer's initial clock synchronization of the VM from the host clock.
  8. After powering on a VM, it initially synchronizes the VM clock with the host clock until Kicksecure Timesync adjusts it.