Whonix KVM / Kicksecure Released! – A Qunatum Leap Forward

Download the release of Whonix KVM:

Download Kicksecure KVM:

Alternatively, in-place release upgrade is possible upgrade using Whonix testers repository.

This release would not have been possible without the numerous supporters of Whonix!

Please Donate!

Please Contribute!

  • Add vanguards – protects against guard discovery and related traffic analysis attacks.
  • Implement TCP ISN CPU Information Leak Protection.
    • TCP ISN CPU Information Leaks can be used de-anonymize Tor onion services. tirdad fixes that.
    • Install tirdad by default.
  • security-misc – Kernel Hardening; Protect Linux User Accounts against Brute Force Attacks; Improve Entropy Collection; Strong Linux User Account Separation; Enhances Misc Security Settings
    • add security-misc documentation of stable security features, testing security features and experimental security features
    • experimental SUID Disabling and Permission Hardening
      • A systemd service removes SUID / GUID from non-essential binaries as these are often used in privilege escalation attacks. It is disabled by default for now during testing and can optionally be enabled by running systemctl enable permission-hardening.service as root.
      • Disable SUID Binaries
      • harden ping
    • git diff a99dfd067ac8a43bdcd779cf57b3533bdaa404fb 163e20b886f298cb9d3aca54c14f66991001b396 (diff to huge for github)
    • Enables mitigations for the L1TF (L1 Terminal Fault) vulnerability. (This is interesting when using security-misc or Kicksecure.)
    • unconditionally enable all CPU bugs (spectre, meltdown, L1TF, …) this might reduce performance (This is interesting when using security-misc on the host or using Kicksecure as host operating system.)
    • The MSR kernel module is blacklisted to prevent CPU MSRs from being abused to write to arbitrary memory.
    • Vsyscalls are disabled as they are obsolete, are at fixed addresses and are a target for ROP.
    • Page allocator freelist randomization is enabled.
    • The vivid kernel module is blacklisted as it’s only required for testing and has been the cause of multiple vulnerabilities.
    • An initramfs hook sets the sysctl values in /etc/sysctl.conf and /etc/sysctl.d before init is executed so sysctl hardening is enabled as early as possible.
    • The kernel panics on oopses to prevent it from continuing to run a flawed process and to deter brute forcing.
    • Improve Entropy Collection
      • Load jitterentropy_rng kernel module.
      • Distrusts the CPU for initial entropy at boot as it is not possible to audit, may contain weaknesses or a backdoor.
    • remount /home, /tmp, /dev/shm and /run with nosuid,nodev (default) and noexec (opt-in). To disable this, run “sudo touch /etc/remount-disable”. To opt-in noexec, run “sudo touch /etc/noexec” and reboot (easiest). Alternatively file /usr/local/etc/remount-disable or file /usr/local/etc/noexec could be used.
    • fix pam tally2 check when read-only disk boot without ro-mode-init or grub-live
    • fix xfce4-power-manager xfpm-power-backlight-helper pkexec lxsudo popup
    • do show lxqt-sudo password prompt if there is a sudoers exception
    • improved pkexec wrapper logging
    • installation fix in case when user “user” does not exists
    • better output if trying to login with non-existing user
    • add user “user” to group “console” in Whonix and Kicksecure
    • Lock user accounts after 50 rather than 100 failed login attempts.
  • Linux Kernel Runtime Guard (LKRG)
  • console lockdown
    • Allow members of group ‘console’ to use console. Everyone else except members of group ‘console-unrestricted’ are restricted from using console using ancient, unpopular login methods such as using /bin/login over networks, which might be exploitable. (CVE-2001-0797) Using pam_access.
  • Protect Linux user accounts against brute force attacks.
    • Lock user accounts after 50 failed login attempts using pam_tally2.
  • update Tor to version
  • full /etc/torrc.d/*.conf configuration snippet drop-in folder support
  • update Tor Browser to version 9.0.4
  • work on hardened Linux kernel for VMs and hosts
  • VirtualBox
    • upgrade VirtualBox to 6.1.2
    • revert to vmsvga grapics controller settings due to issues
  • work on fixing arm64 / RPi builds but not finished. Help welcome!
  • Onion Services Authentication
  • No longer install serial-console-enable by default due to issues. See also Serial Console.
  • No longer install firejail by default because of these reasons.
  • development of apparmor-profile-everything – AppArmor for everything. APT, systemd, init, all systemd units, all applications. Mandatory Access Control. Security Hardening.
  • corridor – Tor traffic whitelisting gateway and leak tester
  • grub-live – Boot your existing, installed Debian Host into Live Mode with GRUB LIVE
  • Hardened Malloc – Hardened Memory Allocator for many Applications to increase Security. Debian packaging fork only.
  • fix
  • remove Whonix specificity (default config file) from onion-grater (Whitelisting filter for dangerous Tor control protocol commands)
  • dsudoadd sudo askpass wrapper for automated testing
    • I.e. as long as password is set to changeme one can use dsudo and will not be asked to enter the default password.
  • kloak
  • Qubes-Whonix
  • swap-file-creator
  • Tor Browser Starter / Downloader by Whonix developers
  • whonix-firewall: fix, don’t lock down network if IPv6 isn’t available and thereby no need to firewall, apparmor profile added in complain mode
  • research and documentation of entropy / randomness generation
  • created debug-misc – Opt-in package which enables miscellaneous debug settings for easier debugging. (Replaces grub-output-verbose.)
  • No more verbose output during boot to prevent kernel info leaks.
  • Rebrand Whonix as a research project.
    • old: “Whonix is experimental software. Do not rely on it for strong anonymity.”
    • new: “Whonix is a research project.”
  • i2p inside Whonix-Workstation fixes etc

diff too large for github to show, therefore split into two:

Whonix is being used by Edward Snowden, journalists such as Micah Lee, used by the Freedom of the Press Foundation and Qubes OS. It has a 7 years history of keeping its users safe from real world attacks. [1]

The split architecture of Whonix relies on leveraging virtualization technology as a sandbox for vulnerable user applications on endpoints. This is a widely known weakness exploited by entities that want to circumvent cryptography and system integrity. Our Linux distribution come with a wide selection of data protection tools and hardened applications for document/image publishing and communications. We are the first to deploy tirdad, which addresses the long known problem of CPU activity affecting TCP traffic properties in visible ways on the network and vanguards, an enhancement for Tor produced by the developers of Tor, which protects against guard discovery and related traffic analysis attacks. Live Mode was recently added. We deliver the first ever solutions for user behavior masking privacy protections such as Kloak. Kloak prevents websites from recognizing who the typist is by altering keystroke timing signatures that are unique to everyone.

In the future we plan to deploy a hardened Linux kernel with the minimal amount of modules needed to get the job done, an apparmor profile for the whole system, as well as LKRG, the Linux Kernel Runtime Guard, which kills whole classes of kernel exploits.


Tested , worked smoothly!

Standard upgrade (includes kernel upgrade) functional?

Separately, can you upgrade as per


LKRG installation on gateway also does not freeze VM?

tirdad might not survive kernel upgrade unfortunately due to DKMS issues?

If lucky, kvm is unaffected by low RAM vs kernel module DKMS build issue that VirtualBox version is affected by.

Unfortunately I had obliterated my 7.1 install. I never test in-place upgrades. @TNT_BOM_BOM can you please test an in-place upgrade with apt on Whonix GW and report if LKRG successfully compiles and runs?

I meant could you please take this very version and test in-place upgrades, kernel upgrade and LKRG on gateway?

Sure. What commands should I run?

sudo apt update
sudo apt install lkrg
sudo apt dist-upgrade
sudo reboot

and then this:

whonixcheck --verbose

Doesn’t work.

The instructions should install the headers first, but that’s not what’s wrong here.


sudo dkms status shows recompiled modules for lkrg, tirdad as installed, but lsmod indicates they never load. Same outcome with more RAM so this is not the problem.

KVM Kicksecure has no internet access for me. There is no problem with KVM Whonix on the same box, or other VMs also using the default network adapter. I have restarted the physical computer, deleted the qcow2 image, and placed the newly extracted one in again. However, it still does not ping or update.

When doing updates, it tries to use Tor. Both tor.service and tor@default.service are running successfully in systemd somehow, but there is still no access to the internet. How would I begin to troubleshoot it?

It’s not DNS, because pinging also does not work.

Please check the status of the default network under VMM -> edit -> connection details -> virtual networks.

It should be active and set to autostart on boot. Odds are it is not on your machine.

It is there and set to auto start. I remember defining ‘default’ when I set up Whonix, in addition to Whonix-External and Whonix-Internal networks.

virsh -c qemu:///system net-autostart default
virsh -c qemu:///system net-start default

I know it works, because other VMs have used ‘default’ with internet access (just tested Ubuntu). I’m not sure what the issue could be.

Btw these are installed by default in Whonix / Kicksecure.

Yes, that’s not a low RAM issue.

Indeed. Created DKMS kernel modules (LKRG and tirdad) fail to properly recompile on kernel upgrade for it.

It seems to need the corresponding kernel version’s headers. You’ve seen and reported the problem with bpo2 kernel pulling in bpo3 headers.

HulaHoop via Whonix Forum:

It seems to need the corresponding kernel version’s headers.

Stable kernel image and headers are installed by default form Debian
buster repository.

You’ve seen and reported the problem with bpo2 kernel pulling in bpo3 headers.

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=951315 is only a
problem in context of https://www.whonix.org/wiki/Kernel i.e. using
Debian kernel from buster-backports.

2 posts were split to a new topic: Kicksecure Network Configuration

Source: Whonix

Leave a Reply