Kicksecure ™

Download

On Computer USB Installation Debian morph to Kicksecure Windows (VM) Linux (VM) Mac (VM) VirtualBox (VM) KVM (VM) Qubes (VM) More options Source Code

About

Overview Features Why Open Source? Project Activities Contributors Mission & Vision

Docs

Documentation FAQ Troubleshooting

Community

Forums Contribute

Support

Self Support First Policy Search Engines, Docs and AI Support (Limited) Reporting Bugs Contact (Restricted)

Tools Upload file Special pages Recent changes Print Version Page meta What links here Related changes Page information

Page Read Edit History Move Protection Unwatch Watch Delete Purge

User Preferences Watchlist Contributions Logout Create account Login

Donate

The grub-live package offers an additional "LIVE mode" boot menu entry for the GNU GRUB boot loader.

This package is compatible with many Linux distributions, including Debian and Ubuntu. In Kicksecure and Whonix^®, it is installed by default. Grub-live can be applied to a host operating system (OS) as well as to a guest OS on a virtual machine.

Compatibility[edit]

grub-live is compatible and tested with Debian, Kicksecure, and Whonix. In Kicksecure and Whonix, it is installed by default. It should also run without any problems on Ubuntu and other Linux distributions that implement Debian live-boot. However, due to little user adoption and testing at this point in time, grub-live for those distributions is still labeled untested.

Installation / Getting started[edit]

The grub-live package is hosted under the grub-live GitHub repository. There you will also find the installation guide.

After the installation, you can instantly use the Live Mode in your operating system. Simply boot/reboot your system and choose the new "LIVE mode" option in the boot menu. For Kicksecure specifically, read: Detailed documentation for using the live mode for Kicksecure.

Set grub-live as Default in GRUB boot menu[edit]

Optional.

If you have installed grub-live and want the "LIVE mode" option to be the default selected option in your GRUB menu, please follow the instructions below. Be aware, however, that due to little user adoption and testing, this option is still labeled untested.

1. Do a grub-live package installation check

By default, the grub-live package is installed in Kicksecure. If you boot your system and a boot menu entry "LIVE mode" is already available, then grub-live is already installed.

Alternatively, you can make sure the grub-live package is installed. The following command can be used to check on the command line if the package is already installed by default.

dpkg -l | grep grub-live

2. Set LIVE mode as the default boot menu entry

There are two ways to accomplish this. Choose one of these options:

Option (A) - symlink method

• Advantage: This is easier because updates to grub-live will be automatically applied.
• Disadvantage: There will be a duplicate live boot menu entry.
• Copy and execute the following command:

sudo ln -s /etc/grub.d/11_linux_live /etc/grub.d/09_linux_live

Option (B) - moving method

• Advantage: No duplicate live boot menu entry.
• Disadvantage: Updates to grub-live will NOT be automatically applied.
• Copy and execute the following command:

sudo mv /etc/grub.d/11_linux_live /etc/grub.d/09_linux_live

3. Re-generate GRUB boot menu

The GRUB boot menu needs to be regenerated for the changes to be applied. Copy and execute the following command:

sudo update-grub

4. DONE

The process of changing from "live mode opt-in through GRUB boot menu" to "live boot by default" has been completed.

5. Updates

If in step 2, "option (B)" was chosen, then this process might need to be repeated from time to time if there have been updates to GRUB or to your system. The need to repeat this process from step 1 to step 4 will be indicated as soon as the "LIVE mode" entry is no longer the default entry in the GRUB boot menu.

If in step 2, "option (A)" was chosen, then this step is not needed. Updates will be applied automatically.

Get GRUB to remember your last choice (e.g., Live mode)[edit]

Optional.

If you don't want to set Live Mode as your permanent default boot option but still want the comfort of having GRUB remember your last choice, e.g., "Live mode," then follow these instructions. ^[1]

1. Open file /etc/default/grub.d/50_user.conf in an editor with root rights.

Kicksecure

See Open File with Root Rights for detailed instructions on why to use sudoedit for better security and how to use it.

sudoedit /etc/default/grub.d/50_user.conf

Kicksecure for Qubes

NOTES:

• When using Kicksecure-Qubes, this needs to be done inside the Template.

sudoedit /etc/default/grub.d/50_user.conf

• After applying this change, shutdown the Template.
• All App Qubes based on the Template need to be restarted if they were already running.
• This is a general procedure required for Qubes and unspecific to Kicksecure for Qubes.

Others and Alternatives

• This is just an example. Other tools could achieve the same goal.
• If this example does not work for you or if you are not using Kicksecure, please refer to this link.

sudoedit /etc/default/grub.d/50_user.conf

2. Now add these two lines to this file: GRUB_DEFAULT=saved GRUB_SAVEDEFAULT=true

3. Finally, execute this command: sudo update-grub

4. Done.

Your boot menu now remembers your last choice.

Alternative to grub-live[edit]

As an alternative to grub-live, it is also possible to automatically detect if the disk is set to read-only and enable live mode automatically using the ro-mode-init package. Read VM Live Mode - Alternative ro-mode-init Configuration for further instructions.

ro-mode-init is currently less tested than grub-live.

Comparison between grub-live and Tails[edit]

Tails is its own operating system, whereas grub-live is a package enabling Live Mode on different Linux distributions. The following table will show the advantages and disadvantages of grub-live in regard to Tails. It should be noted, however, that while Tails is optimized for Live mode, grub-live is vastly more compatible with other systems.

Table: Comparison of grub-live and Tails

Security Considerations[edit]

How secure and reliable is any live mode?

Computers typically default to data persistence rather than amnesia. Coupled with widespread computer security vulnerabilities (see About Computer (In)Security), implementing a secure system is challenging.

grub-live is relatively straightforward. It primarily involves installing necessary dependencies and setting kernel parameters (details in Implementation). However, the software it is based on, such as dracut (or initramfs-tools/Debian's live-tools), mount, and overlayfs, are complex. Sparse developer documentation in this area makes this difficult. There is also an increased risk of failures post Release Upgrade or after installing new major versions of Kicksecure or Debian, due to the generic nature of the solution.

There is a potential risk that malware could remount a read-only disk as read-write. While no confirmed cases exist, theoretically, even legitimate software could inadvertently perform such actions. To mitigate this risk, it's advisable to use grub-live in conjunction with a physical read-only mode for hard drives, where feasible. See read-only.

Using grub-live on the host operating system, combined with virtual machines (VMs), is a safer configuration. In this setup, any disk remounting as read-write within a VM would be negated upon rebooting the host. VMs, in this context, are unaware of the host's live mode status and cannot directly alter it.

Would using an ISO image be safer? Generally, yes. Because ISOs commonly aren't modified. It seems unlikely that an ISO would be inadvertently remounted as read-write, unless targeted specifically by malware.

Tools like growisofs can append data to an ISO, but it's more complex than a simple remount command. Even without growisofs, malware could potentially repack and rewrite an ISO, but it is an even more complicated process. Not something that can happen by accident.

What about read-only media, like a DVD-R (not DVD-RW)? This is indeed a safer option, but less practical. It requires burning the DVD, then using it in a read-only DVD reader, which is not a common practice. Such devices are not popular anymore nowadays.

Combining physical write protection switches with grub-live would further enhance security. However, even this is not foolproof due to potential hardware vulnerabilities or defects. Thus, it should be considered an additional layer of defense rather than a complete solution.

Reflecting on these aspects, we can categorize security configurations from least to most secure, as follows:

Notes:

• This list, created in December 2023, might have minor inaccuracies but generally represents the correct security hierarchy.
• ISO HDD: It is possible to boot an ISO located on the hard drive. This is unspecific to Kicksecure and out of scope for this documentation.

1. VM live mode HDD boot without read-only VM HDD ("least secure")
2. VM live mode HDD boot with read-only VM hard drive
3. VM live mode ISO boot without VM HDDs connected
4. host live mode HDD without read-only HDD
5. host live mode HDD without read-only HDD + using VMs
6. host live mode HDD with read-only HDD
7. host live mode HDD with read-only HDD + using VMs
8. host live mode ISO HDD with read-only HDD
9. host live mode ISO HDD with read-only HDD + using VMs
10. same as above but with Full Disk Encryption as an additional safety layer
11. same as above but hardware write protection switches enabled
12. host live mode ISO DVD-RW with
13. host live mode ISO DVD-RW with + using VMs
14. host live mode ISO DVD-R with
15. host live mode ISO DVD-R with + using VMs
16. same as above but with all other storage devices disconnected ("most secure")

Additional steps users can take to improve the security of live mode:

• Avoiding the installation of additional software, especially more complex software that uses mount/loop devices or breaks the live indicator, such as, for example, snapd.
• Prevention of Malware Sniffing the Root Password, because remount read-write requires root.

See also Whonix technical design documentation on forensics .

In summary, while striving for maximum security, absolute guarantees are unattainable. Users seeking higher data amnesia assurances should consider becoming developers or auditors, or sponsoring focused development and review in the realm of anti-forensics, including the development of comprehensive automated testing frameworks.

Remount Disk as Read-Write after booting into Live Mode[edit]

This chapter is more of developer documentation, proof of concept, and curiosity rather than something that users should do.

1. Create a mount folder /mnt/disk.

sudo mkdir /mnt/disk

2. Mount.

Note: /dev/sda3 applies to VirtualBox VMs. It needs to be replaced with the actual hard drive device name.

sudo mount /dev/sda3 /mnt/disk

3. Remount as read-write.

sudo mount -o remount,rw /dev/sda3 /mnt/disk

4. Make persistent modifications.

For example, create a file /home/test-file.

touch /mnt/disk/home/test-file

It is unclear if the disk could even be remounted to / but that is left as a sysadmin exercise for the reader.

5. When done, unmount.

sudo umount /mnt/disk

6. Remove the mount point.

Optional.

sudo rmdir /mnt/disk

7. Done.

The process has been completed.

Questions and answers:

• Is this a security issue? Yes.
• Is this issue specific to, or caused by, grub-live or Kicksecure? No, unspecific to Kicksecure.
• Is this issue reproducible on other live systems, i.e., without grub-live or Kicksecure being involved? Yes.
• Are similar live systems also affected? Yes, see Security Considerations.
• What can users do to improve their security? See the same link as above.

Troubleshooting[edit]

Here are some problems you might encounter and their possible solutions.

Missing grub-live boot menu entry[edit]

Please check your local file /etc/grub.d/11_linux_live to ensure it looks exactly the same as /etc/grub.d/11_linux_live on GitHub. This will verify that you have the latest version of the grub-live package. Note that the stable version might look slightly different from the developer's or tester's version on GitHub.

Please run the following commands for debugging/information gathering and post them when creating any support requests.

dpkg-query -W -f='${db:Status-Status}' initramfs-tools

dpkg-query -W -f='${db:Status-Status}' dracut

Live Check Systray Issues[edit]

The live mode is indicated by a Live Check Systray icon. It can happen that this icon has issues. If so, here's what you can do.

First of all, this is NOT an indication of compromise by malware. The real issue is as simple as: The Live Check Systray is broken.

Known issues:

• 1) As mentioned in chapter Combine Kicksecure Live VMs with Read-only Mode for Virtual Hard Drives chapter VirtualBox.

If this is not an already known issue, please follow these steps:

1. Is livecheck.sh showing an error?

If livecheck is showing an error, it might be the following issue. Live check runs the command sudo --non-interactive /bin/lsblk --noheadings --raw --output RO as the current unprivileged user. You can test this for yourself with the following command. If this is working, then this is NOT the issue.

sudo --non-interactive /bin/lsblk --noheadings --raw --output RO

If this is not working, the problem might be that this will only work by default for the user user, and no other user. For example, it will not work by default for the Linux user account user2 or any other than user.

If the problem is that a user other than user is the logged-in subject, then

• option (A) the current user, for example, user2 needs an exception in /etc/sudoers.d. For comparison, see file /etc/sudoers.d/desktop-config-dist.
• option (B) the current user, for example, user2 needs to be or become a member of any of the following Linux user groups:

users staff adm sudo root wheel console console-unrestricted

2. Try lsblk

If the above method does not work, try also this:

sudo /bin/lsblk

3. If nothing works, report the bug

If you are still having issues, you can report a bug with the output from the two lsblk commands included above.

Technical Details of livecheck.sh[edit]

This chapter is for advanced users only.

Most users can skip this chapter. See livecheck.sh for further script details.

• The meaning of 0 in lsblk output is read-write.
• The meaning of 1 in lsblk output is read-only.

If anything in the column RO is set to 0, then it is not blessed with read-only hard drive mode.

Example lsblk without any snapd installed, Kicksecure, live mode, and read-only hard drive mode enabled.

sudo lsblk

NAME   MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
sda      8:0    0  100G  1 disk
└─sda1   8:1    0  100G  1 part /lib/live/mount/medium

Example lsblk without any snapd installed, Kicksecure, live mode, and read-only hard drive mode disabled.

sudo lsblk

NAME   MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
sda      8:0    0  100G  0 disk
└─sda1   8:1    0  100G  0 part /lib/live/mount/medium

Example lsblk with snapd and WickrMe installed, Kicksecure, persistent mode, and read-only hard drive mode disabled.

sudo lsblk

NAME   MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
loop0    7:0    0 62.1M  1 loop /snap/gtk-common-themes/1506
loop1    7:1    0  446M  1 loop /snap/wickrme/352
loop2    7:2    0   55M  1 loop /snap/core18/1754
sda      8:0    0  100G  0 disk
└─sda1   8:1    0  100G  0 part /lib/live/mount/medium
sr0     11:0    1 1024M  0 rom

Developer Information[edit]

Users can skip this chapter and below.

Implementation[edit]

This is based on dracut module 90overlay-root which gets enabled when kernel parameter rootovl is set. 90overlay-root is only available in the Debian fork of dracut.

• dracut module source file: /usr/lib/dracut/modules.d/90overlay-root/overlay-mount.sh
• grub-live source code
• main file: /etc/grub.d/11_linux_live
• https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1017039
• https://github.com/dracutdevs/dracut/issues/1565

Simplified Summary[edit]

grub-live is a "simple" implementation. It was certainly not simple to invent and document, but when looking at the actual source code, it is now rather simple to review.

The main source file is this one: /etc/grub.d/11_linux_live

The most relevant parts...

## initramfs support GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX boot=live plainroot union=overlay ip=frommedia noeject nopersistence"

(But Kicksecure at the time of writing uses initramfs generator "dracut" by default, so "initramfs-tools" support is legacy.)

## dracut support ## https://www.kicksecure.com/wiki/Grub-live#Developer_Information ## ## using Debian forked upstream module 90overlay-root (tested) GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX rootovl" ## using dracut upstream module 90overlayfs (untested) #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX rd.live.overlay.overlayfs=1 rd.live.overlay.readonly=1"

Therefore, as of August 2024, technically all grub-live does is provide a convenient way (the grub boot menu entry) to easily set kernel parameter rootovl, which is a feature provided by Debian's forked version of dracut, module 90overlay-root. In the future, dracut upstream module 90overlayfs should be used instead. See also Development. These dracut modules in turn make use of Linux kernel features.

In summary, the most heavy lifting is done by the initramfs generator (initramfs-tools or dracut) and the Linux kernel. grub-live only implements usability (grub boot menu entry) and documentation.

Development[edit]

Should port to 90overlayfs

rd.live.overlay.overlayfs=1 rd.live.overlay.readonly=1

While Debian did not merge overlayfs with nfs for Debian bookworm the module will be updated in the next major version of Debian as per usual as Debian receives newer dracut versions from dracut upstream.

Porting grub-live to other Linux Distributions[edit]

This is an informational chapter for developers. Users can skip this chapter.

Porting grub-live to other Linux Distributions might be rather simple in comparison to other packages.

grub-live should already be compatible with any Debian based distribution as mentioned on top of this wiki page. Testing is very limited.

What grub-live technically in essence does:

• 1) The grub-live is just shipping 1 grub config file /etc/grub.d/11_linux_live.
• 2) Pull required dependencies in debian/control
• 3) Postinst runs: "sudo update-grub"

Qubes support:

• Might be harder.
• That would require packaging grub-live for Fedora.
• Or as a first step copying over the config files.
• https://github.com/QubesOS/qubes-issues/issues/1018
• https://github.com/QubesOS/qubes-issues/issues/4982

Footnotes[edit]

Kicksecure A secure by default operating system with the latest security research in place.

Dark mode

Follow us on social media

Supported by Power Up Privacy

Kicksecure is proudly supported until 2025 by Power Up Privacy, a privacy advocacy group that seeks to supercharge privacy projects with resources so they can complete their mission of making our world a better place. (Strictly subject to our sponsorship policy.)

At Kicksecure we value freedom and trust, supporting Open Source and Freedom Software

By using this website, you acknowledge you have read, understood, and agree to be bound by these agreements: Terms of Service, Privacy Policy, Cookie Policy, E-Sign Consent, DMCA, Imprint 2012- 2024 ENCRYPTED SUPPORT LP

Your support makes
all the difference!

We believe security software like Kicksecure needs to remain Open Source and independent. Would you help sustain and grow the project? Learn more about our 12 year success story and maybe DONATE!