How to create a Hardened Gentoo based Whonix-Gateway[edit]


  • Install Gentoo build environment (how-to is for installation in a chroot but you can also use a full gentoo installation)
  • Build Whonix-Gateway kernel and userland
  • Install on media/export to iso/ova (TODO)

Advantages/disadvantages compared to the default Debian/Ubuntu based T-G:

  • Updating is much more complicated:
  • You need to keep a build system around, keep that updated using emerge-webrsync && emerge --update --newuse --deep -av world (and probably etc-update)
  • you need to update the t-g system on the build system (append --update --newuse --deep to that long emerge command below, #Build Whonix-Gateway environment
  • you need to build new kernels manually
  • then you need to copy the new files over your current installation (simple but inefficient: 'cd path/to/torgateway && tar zcvf update.tgz .' extract: 'tar xvzpf update.tgz')
  • emerge is not apt-get, updates often require a bit of manual configuration, review /var/log/portage/elog/summary.log
  • Grsec, full pie, no RBAC (hardly necessary considering the threat model of the gateway), no disk encryption, no RAM wipe on shutdown (help would be welcome). When not using onion services, tor log and cache files can be put into tmpfs so we don't need FDE at all. Otherwise we can still use partial disk encryption (loop file or /var). Evil maid attacks apply anyway as long as there's an unencryped /boot (and BIOS, and firmware...) and no TPM.
  • Size: <50 MB compressed.

Install Gentoo build environment[edit]

Read Upstream Documentation: Gentoo Handbook!

# If you use a grsec kernel on the host:

echo "0" > /proc/sys/kernel/grsecurity/chroot_deny_chmod
echo "0" > /proc/sys/kernel/grsecurity/chroot_caps

mkdir gentoodev
cd gentoodev
# verify fingerprints!
gpg --keyserver --recv-keys 96D8BF6D 2D182910 17072058

# fetch stage3 and portage snapshot
LATESTDL=`wget -q -O - | tail -1`

gpg --verify stage3-*.tar.bz2.DIGESTS.asc
sha1sum -c stage3*.tar.bz2.DIGESTS

gpg --verify portage-latest.tar.bz2.gpgsig portage-latest.tar.bz2
md5sum -c portage-latest.tar.bz2.md5sum

tar xvjpf stage3-*.tar.bz2
tar xvjf portage-latest.tar.bz2 -C usr

# edit makeopts according to your CPU count (cores+1); add a nearby mirror (when using a gentoo install disk use #mirrorselect -i -o >> etc/make.conf
echo '
USE="unicode minimal crypt ssl gpm ncurses fbcon -X -pam -cracklib -git -extensions     -glib -opengl \
-icu -readline -xcb -fts3 -png -policykit -gtk -crashreporter -startup-notification \
-dbus -introspection -libnotify -webm -gnome -qt4 -qt3support -kde -bluetooth -nls     -ipv6 \
-cups -zeroconf -encode -recode -acl -iconv -tcpd -berkdb -pcre -net -cramfs -sqlite -gdbm"
FEATURES="webrsync-gpg nodoc noinfo noman"
#GENTOO_MIRRORS=""' >> etc/make.conf

cp -L /etc/resolv.conf etc/
mount -t proc none proc/
chroot . /bin/bash
source /etc/profile
export PS1="(build-chroot) $PS1"

# set root passwd (just used in the development environment, probably not necessary?)

eselect profile list
# select hardened/linux/x86
eselect profile set 8

echo "en_US ISO-8859-1" >> /etc/locale.gen
cp /usr/share/zoneinfo/UTC /etc/localtime

# get a hardened toolchain
emerge --oneshot binutils gcc virtual/libc
source /etc/profile
export PS1="(build-chroot) $PS1"

# Configure emerge-webrsync. Verify fingerprints!
emerge gnupg
mkdir -p /etc/portage/gpg
chmod 0700 /etc/portage/gpg
gpg --homedir /etc/portage/gpg --keyserver --recv-keys 0x239C75C4 0x96D8BF6D
gpg --homedir /etc/portage/gpg --edit-key AE5454F967B56AB09AE160640838C26E239C75C4 trust
gpg --homedir /etc/portage/gpg --edit-key DCD05B71EAB94199527F44ACDB6B8C1F96D8BF6D trust

# update portage with

Build a Kernel for Whonix-Gateway[edit]

emerge hardened-sources
cd /usr/src/linux
make menuconfig
# or, if you use loadable modules:
# make && make modules_install 

Some hints:

  • when using modules make sure that stuff needed to mount root is built in:
  • SCSI disk support
  • ext4
  • SATA BDMA (you need to know your hardware)
  • enable netfilter support (use advanced and enable pretty much everything, save to exclude: protocol specific connection trackers)
  • enable grsecurity
  • security level? (I've only tested workstation, server should work, maybe even High
  • disable ipv6
  • save to disable (always depending on hardware)
  • pci express, pcmcia
  • wifi, bluetooth
  • amateur radio, RF
  • AGP graphics
  • sound
  • File systems (ext2,3, xfs, jfs, ntfs, nfs...)
  • graphic drivers (DRI...)

Build Whonix-Gateway environment[edit]

mkdir /torgateway

emerge gzip baselayout coreutils debianutils diffutils ed file findutils gawk grep groff kbd less iptables \
module-init-tools net-tools openrc sed shadow sysvinit sys-apps/texinfo util-linux     which e2fsprogs udev procps psmisc iputils  \
bash nano tor torsocks localepurge grub dhcpcd \
-v --root /torgateway

mkdir -p /torgateway/{sys,proc,dev,boot,root,home,var/run,var/log,var/lib/run/tor,var/log/tor}

echo "tor:x:101:246:added by portage for tor:/var/lib/tor:/sbin/nologin" >> /torgateway/etc/passwd
echo "tor:x:246:" >> /torgateway/etc/group

# Don't know if etc-update works in Whonix-Gateway? you need at least modify the script and remove any reference to "portageq"
cp /usr/sbin/etc-update /torgateway/usr/sbin/etc-update
cp /etc/etc-update.conf /torgateway/etc/etc-update.conf

cp /usr/src/linux/arch/x86/boot/bzImage /torgateway/boot/kernel
# didn't use modules so that part is missing, refer to

mount -t proc none /torgateway/proc/

# enter target chroot
chroot /torgateway
source /etc/profile
export PS1="(target-chroot) $PS1"

# set root password for Whonix-Gateway

chown tor:tor /var/lib/run/tor
chown tor:tor /var/log/tor

echo "" > /etc/resolv.conf

echo "en_US ISO-8859-1" >> /etc/locale.gen
cp /usr/share/zoneinfo/UTC /etc/localtime

# untested
mv /etc/conf.d/net /etc/conf.d/net.old
echo '# see /usr/share/doc/openrc*/net.example*
config_eth1="  netmask brd"
#routes_eth1="default via"' > /etc/conf.d/net

cd /etc/init.d
ln -s net.lo net.eth0
rc-update add net.eth0 default
ln -s net.lo net.eth1
rc-update add net.eth1 default

rc-update add udev sysinit
rc-update add udev-postmount default
rc-update add gpm default
rc-update add tor default

# copy iptables and torrc from ubuntu-tg
/etc/init.d/iptables save
rc-update add iptables boot

ed -s /etc/locale.nopurge  <<< $',s/NEEDSCONFIGFIRST/#NEEDSCONFIGFIRST/g

w' localepurge

Install Whonix-Gateway to a hard disk or sd card:[edit]

Using Grub:

fdisk /dev/sdb
mkfs.ext4 /dev/sdb1
mkdir /mnt/target
mount /dev/sdb1 /mnt/target

# edit according to partition and disc layout! sda/sdb/hd are just examples!
# The /dev/sd* name will probably be different on your build system and on your target     system.
# in this example the host got two hard disks, you install to the second one, "sdb"
# this drive is attached to the gateway system and if it is the only drive it becomes "sda"
# same goes for grub: hd1 == sdb, hd0 == sda

echo "
title TorGateway
root (hd0,0)
kernel /boot/kernel root=/dev/sda1" >> /boot/grub/grub.conf

grep -v rootfs /proc/mounts > /etc/mtab

echo "/dev/sda1               /               ext4            noatime         0 1" > /etc/fstab

## outside the chroot (open a new terminal on the host)
cd gentoodev
rsync -a dev/ torgateway/dev/
rm -r torgateway/var/db/* torgateway/tmp/*
rsync -a torgateway/ /mnt/target/

## then, inside the target-chroot

# then manually configure:
# grub> root (hd1,0)
# grub> setup (hd1)

# alternatively, may not work properly
#grub-install --no-floppy /dev/sdb --recheck

exit #target-chroot
exit #build-chroot

Random News:

Have you contributed to Whonix? If so, feel free to add your name and highlight what you did on the Whonix authorship page.

https | (forcing) onion

Share: Twitter | Facebook

This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! See Conditions for Contributions to Whonix, then Edit! IP addresses are scrubbed, but editing over Tor is recommended. Edits are held for moderation.

Whonix is a licensee of the Open Invention Network. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Libre Software license as Whonix itself. (Why?)