Linux Kernel Runtime Guard (LKRG) in Qubes OS Debian or Qubes-Whonix ™ VMs
From Whonix
Linux Kernel Runtime Guard (LKRG) protects the kernel. It provides security through diversity and has a similar effect to running an uncommon operating system (kernel). [1]
LKRG renders whole classes of kernel exploits ineffective, while making other exploits less reliable and more difficult to write; see features and security. LKRG was developed by a security professional with reviews undertaken by other high profile security professionals; see authorship. For further information, refer to the main LKRG entry.
The instructions below explain how to install LKRG in Qubes Debian-based VMs. Most users will want to apply these instructions in the Qubes Debian TemplateVM.
Qubes-Whonix ™ is supported as well, but in that case the steps to add the signing key and repository should be skipped because they are already present in Qubes-Whonix ™.
For all other platforms, see LKRG.
Qubes VM Kernel
Since LKRG is a kernel module, it is required (and advisable) to reconfigure the VM to use a Qubes VM kernel. [2]
Issues with the Qubes VM kernel should not be confused with LKRG issues; otherwise LKRG could be falsely suspected of causing unrelated problems, which wastes time in successfully completing the configuration.
- Follow the Qubes OS Installing kernel in Debian VM [archive] instructions.
- Ensure the Qubes VM kernel is functional before proceeding -- Qubes VM kernel issues should be raised at Qubes support [archive] and not in Whonix ™ forums. [3] [4]
- Reboot dom0 after switching to the Qubes VM kernel, because the Qubes VM kernel might break unrelated things such as the USB VM. [5]
- Once the Qubes VM kernel is functional, proceed with the following instructions.
Add Signing Key
Complete the following steps to add the Whonix Signing Key to the system's APT keyring. [6]
Open a terminal and install curl, gpg and gpg-agent. [7]
1. Update the package lists.
sudo apt-get update
2. Upgrade the system.
sudo apt-get dist-upgrade
3. Install the curl, gpg and gpg-agent packages. The apt-get command line parameter --no-install-recommends is in most cases optional.
sudo apt-get install --no-install-recommends curl gpg gpg-agent
The installation of curl, gpg and gpg-agent is complete.
Download Whonix Signing Key. [8]
If you are using a Qubes TemplateVM, run:
curl --proxy http://127.0.0.1:8082/ --tlsv1.2 --proto =https --max-time 180 --output ~/patrick.asc https://www.whonix.org/patrick.asc
If you are using Debian, run:
curl --tlsv1.2 --proto =https --max-time 180 --output ~/patrick.asc https://www.whonix.org/patrick.asc
For better security, users can verify the Whonix Signing Key before adding it.
Add the Whonix signing key to the APT trusted keys.
sudo apt-key --keyring /etc/apt/trusted.gpg.d/whonix.gpg add ~/patrick.asc
The procedure of adding the Whonix signing key is now complete.
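The page recommends checking the Whonix Signing Key before adding it. The following is an added example (not from the Whonix wiki) that gates the page's apt-key command on the key's primary fingerprint; it assumes the expected fingerprint is the key ID the footnote uses with --recv-keys, so confirm it against the Whonix Signing Key page yourself. The parsing functions read `gpg --with-colons` output on stdin so they can be exercised on a constructed listing.

```shell
#!/bin/sh
# Added example, not part of the Whonix page. Assumption: the expected
# fingerprint is the key ID from the page's --recv-keys footnote.
EXPECTED_FPR="916B8D99C38EAF5E8ADC7A2A8D66066A2EEACCDA"

# Read `gpg --with-colons` output on stdin and print the fingerprint of each
# primary key: the first "fpr" record after a "pub" record. Subkey "fpr"
# records follow "sub" records and are skipped.
primary_fprs() {
    awk -F: '$1 == "pub" { want = 1; next }
             want && $1 == "fpr" { print $10; want = 0 }'
}

# Succeed only if the listing on stdin holds exactly one primary key and its
# fingerprint equals $1 (case-insensitive, full-length comparison).
listing_matches() {
    fprs=$(primary_fprs)
    [ "$(printf '%s\n' "$fprs" | grep -c .)" -eq 1 ] || return 1
    [ "$(printf '%s' "$fprs" | tr 'a-f' 'A-F')" = \
      "$(printf '%s' "$1" | tr 'a-f' 'A-F')" ]
}

# Real flow on the VM: a show-only import lists the key without storing it;
# the key is added to the APT keyring only when the check passes.
verify_and_add_key() {
    keyfile=${1:-"$HOME/patrick.asc"}
    gpg --batch --with-colons --import-options show-only --import "$keyfile" \
        | listing_matches "$EXPECTED_FPR" || {
        echo "fingerprint mismatch or unexpected key count in $keyfile" >&2
        return 1
    }
    sudo apt-key --keyring /etc/apt/trusted.gpg.d/whonix.gpg add "$keyfile"
}
```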
Add Repository
Add the Whonix ™ Repository. Choose one of Option A, Option B or Option C.
Option A: Add the Whonix ™ Onion Repository.
Install apt-transport-tor from the Debian repository.
sudo apt-get install apt-transport-tor
Add Whonix's APT repository for default Whonix using Debian stable. At the time of writing this was buster.
echo "deb tor+http://deb.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion buster main contrib non-free" | sudo tee /etc/apt/sources.list.d/whonix.list
Option B: Add the Whonix ™ Clearnet Repository over Tor.
Install apt-transport-tor from the Debian repository.
sudo apt-get install apt-transport-tor
Add Whonix's APT repository for default Whonix using Debian stable. At the time of writing this was buster.
echo "deb tor+https://deb.Whonix.org buster main contrib non-free" | sudo tee /etc/apt/sources.list.d/whonix.list
Option C: Add the Whonix ™ Clearnet Repository over clearnet.
Add Whonix's APT repository for default Whonix using Debian stable. At the time of writing this was buster.
echo "deb https://deb.Whonix.org buster main contrib non-free" | sudo tee /etc/apt/sources.list.d/whonix.list
Install LKRG
Install the lkrg-dkms and linux-headers-amd64 packages.
1. Update the package lists.
sudo apt-get update
2. Upgrade the system.
sudo apt-get dist-upgrade
3. Install the lkrg-dkms and linux-headers-amd64 packages. The apt-get command line parameter --no-install-recommends is in most cases optional.
sudo apt-get install --no-install-recommends lkrg-dkms linux-headers-amd64
The installation of lkrg-dkms and linux-headers-amd64 is complete.
The LKRG installation procedure is complete. Interested users can learn more, consider additional hardening and so on; see here for further information.
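Because lkrg-dkms builds the module against the installed headers, a successful apt-get run does not by itself prove LKRG is active on the running kernel. The following added example (not from the Whonix wiki) checks that DKMS built lkrg for `uname -r` and that the module is loaded; it assumes the module name p_lkrg and accepts both the older "lkrg, VERSION, KERNEL, ARCH: installed" and the newer "lkrg/VERSION, KERNEL, ARCH: installed" dkms status formats. The parsers read stdin so they can be run on constructed input.

```shell
#!/bin/sh
# Added example, not part of the Whonix page. Assumptions: LKRG's kernel
# module is named p_lkrg; `dkms status` lines start with "lkrg" and end the
# state with "installed" in both old and new dkms output formats.

# $1: kernel release (uname -r); stdin: `dkms status` output.
# Succeeds if a line names lkrg, that exact kernel and the state "installed".
dkms_lkrg_installed_for() {
    awk -v kver="$1" '
        index($0, "lkrg") == 1 && index($0, kver) && /: installed/ { found = 1 }
        END { exit found ? 0 : 1 }'
}

# stdin: /proc/modules (or lsmod) lines. Succeeds if p_lkrg is loaded.
# The first field is compared exactly so a longer name does not match.
lkrg_module_loaded() {
    awk '$1 == "p_lkrg" { found = 1 } END { exit found ? 0 : 1 }'
}

# Real flow on the VM: return non-zero and say which stage failed.
check_lkrg() {
    kver=$(uname -r)
    if ! dkms status | dkms_lkrg_installed_for "$kver"; then
        echo "dkms has no installed lkrg build for $kver (headers missing or build failed?)" >&2
        return 1
    fi
    if ! lkrg_module_loaded < /proc/modules; then
        echo "p_lkrg is built but not loaded; check 'sudo dmesg | grep -i lkrg'" >&2
        return 2
    fi
    echo "LKRG built for $kver and loaded"
}
```

Run `check_lkrg` after the install, and again after a kernel update, since a new kernel needs a fresh DKMS build.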
Credits and Source Code
The original [archive] source software is maintained by Adam "pi3" Zabrocki. See also: LKRG authorship.
This website with Qubes instructions and LKRG Debian Package Website is the software fork [archive] homepage for LKRG, with a focus on easy installation, added user documentation, and integration with Whonix, Kicksecure, Debian, and other distributions. The software fork source code can be found here [archive].
References
Qubes ticket: make Linux Kernel Runtime Guard (LKRG) easily available in Qubes [archive]
- ↑ https://www.openwall.com/lkrg/ [archive]
- ↑ cannot compile LKRG (Linux Kernel Runtime Guard) with Qubes dom0 kernel / broken gcc plugins structleak_plugin.so latent_entropy_plugin.so [archive] This probably occurs due to this recently closed issue which has only filtered through to Qubes OS master branches, but not the stable branches: kernel-devel package have broken gcc plugin [archive]. The dom0 kernel compilation bug might be fixed after upgrades. It is unclear if it would then be advisable to use dom0 kernel.
- ↑ https://forums.whonix.org/t/what-to-post-in-this-qubes-whonix-forum-and-what-not/2275 [archive]
- ↑ Qubes feature request: Simplify and promote using in-vm kernel [archive]
- ↑ As experienced firsthand by Whonix ™ developer Patrick Schleizer.
- ↑ The following is unreliable due to gpg connectivity bugs [archive].
sudo apt-key --keyring /etc/apt/trusted.gpg.d/whonix.gpg adv --keyserver hkp://ipv4.pool.sks-keyservers.net:80 --recv-keys 916B8D99C38EAF5E8ADC7A2A8D66066A2EEACCDA
- ↑ gpg is required by apt-key. gpg-agent is required due to the following error message.
sudo apt-key --keyring /etc/apt/trusted.gpg.d/whonix.gpg add ~/patrick.asc
gpg: failed to start agent '/usr/bin/gpg-agent': No such file or directory gpg: can't connect to the agent: No such file or directory
- ↑ See Secure Downloads to understand why curl and the parameters --tlsv1.2 --proto =https are used instead of wget.
Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee [archive] of the Open Invention Network [archive]. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself. (Why?)