VM Live Mode: Read-only Mode for Virtual Hard Drives

From Kicksecure

Set virtual machine (VM) hard drives to read only. Prevent write access to VM drives.

Introduction

The virtual machine (VM) disks can optionally be set to read-only. This increases the security of Live Mode in the VM, because otherwise malware running as root in the VM could theoretically mount the image read-write and gain persistence in this way.

Read-only Mode Configuration

Qubes

grub-live is currently unsupported on Qubes, but may become available in the future. Refer to the following forum discussion for further information.

In Qubes R4, Qubes Disposables are a suitable alternative.

VirtualBox

1. Warning.

Issue: VirtualBox might no longer support VBoxInternal/Devices/lsilogicsas/0/LUN#0/AttachedDriver/Config/ReadOnly. Settings set through VBoxManage setextradata are not officially supported and might be removed at any time, possibly already.

2. Set the VM disks to read-only.

Follow these steps:

  • Power off the virtual machine (VM).
  • Set the disk to read-only.
    • The VM in the example below is named Kicksecure-Xfce. Replace it with the name of the VM being configured.
    • On the host command line, run:

VBoxManage setextradata Kicksecure-Xfce "VBoxInternal/Devices/lsilogicsas/0/LUN#0/AttachedDriver/Config/ReadOnly" 1

3. Remove VirtualBox virtual DVD drive.

This is only required if the VM has a virtual DVD drive. It is not required in Kicksecure version 15.0.1.2.7 and above since it no longer comes with a virtual DVD drive by default. See footnote for a Kicksecure build version lower than 15.0.1.2.7. [1]

4. Launch the live system.

Following reboot, a second boot entry called "VM Live Mode-mode" will be visible. Select it and then press Enter to boot the live system and use it as normal.

5. Optional: Revert the read-only change.

To boot into normal mode again, run this command on the host to revert the change.

VBoxManage setextradata Kicksecure-Xfce "VBoxInternal/Devices/lsilogicsas/0/LUN#0/AttachedDriver/Config/ReadOnly"

The normal boot option can now be selected in the GRUB menu.

6. Optional: Re-add the virtual DVD.

Only when you need this; see footnotes. [2]

7. Done.

The process has been completed.

Troubleshooting: If the system does not boot, check that the Recommended VirtualBox Version for Kicksecure is in use.
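The VirtualBox steps above (power off, set the key, optionally revert) can be wrapped in host-side checks. The following is an added example, not code from the Kicksecure project; the function names are hypothetical, and it assumes VBoxManage is on the host's PATH.

```shell
#!/bin/sh
# Added example, not Kicksecure project code. Source it on the host, then call
# set_disk_readonly <vm> or unset_disk_readonly <vm>.
# The key is the one from the page; it targets LUN#0 of the lsilogicsas device.
KEY='VBoxInternal/Devices/lsilogicsas/0/LUN#0/AttachedDriver/Config/ReadOnly'

# Print the VMState value from `showvminfo --machinereadable` text on stdin.
vm_state() {
    sed -n 's/^VMState="\(.*\)"$/\1/p'
}

# Print the stored value from `getextradata` text on stdin.
# Prints nothing when VBoxManage reports "No value set!".
extradata_value() {
    sed -n 's/^Value: //p'
}

# Step 2 of the procedure: refuse unless the VM is powered off, set the key,
# then read it back.
set_disk_readonly() {
    vm=$1
    state=$(VBoxManage showvminfo "$vm" --machinereadable | vm_state)
    if [ "$state" != "poweroff" ]; then
        echo "refusing: $vm is in state '${state:-unknown}', power it off first" >&2
        return 1
    fi
    VBoxManage setextradata "$vm" "$KEY" 1 || return 1
    got=$(VBoxManage getextradata "$vm" "$KEY" | extradata_value)
    if [ "$got" != "1" ]; then
        echo "error: key not stored for $vm" >&2
        return 1
    fi
    # Readback proves the key is stored, not that this VirtualBox version honours it.
    echo "ReadOnly=1 stored for $vm"
}

# Step 5: omitting the value deletes the key; confirm it is gone.
unset_disk_readonly() {
    vm=$1
    VBoxManage setextradata "$vm" "$KEY" || return 1
    got=$(VBoxManage getextradata "$vm" "$KEY" | extradata_value)
    if [ -n "$got" ]; then
        echo "error: key still set to '$got' for $vm" >&2
        return 1
    fi
    echo "ReadOnly key removed for $vm"
}
```

Because of the warning in step 1, a successful readback only shows that the key is recorded in the VM's extra data; it does not show that the running VirtualBox version enforces it.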

KVM

1. Set the VM disks to read-only.

Follow these steps:

  • Power off the machine.
  • Set the hard disk to read-only in the virt-manager GUI before booting into live mode.

2. Launch live-mode.

Following reboot, a second boot entry called "VM Live Mode-mode" will be visible. Select it and then press Enter to boot the live system and use it as normal.

3. Optional: Revert the read-only change.

To boot into normal mode again, revert the change from step 1 and choose the normal boot option in the GRUB menu.

Alternative Configurations

Skip this section if the KVM Live-mode or VirtualBox Live-mode configuration steps above have already been completed.

VirtualBox and KVM:

VirtualBox only:

Footnotes

  1. Careful. If you remove the wrong drive, your VM will no longer boot. If you are worried, clone the VM first before proceeding.
    1. Power off the VM.
    2. VirtualBox → click a VM → Settings → Storage → click on DVD device symbol → click on disk removal symbol
    3. VirtualBox will ask:

    Are you sure you want to delete the optical drive?

    You will not be able to insert any optical disks or ISO images or install the Guest Additions without it!

    4. Click "Remove".

    https://forums.whonix.org/t/no-longer-add-virtual-dvd-drive-to-vm-by-default/9337

  2. Careful. If you remove the wrong drive, your VM will no longer boot. If you are worried, clone the VM first before proceeding.
    1. Power off the VM.
    2. VirtualBox → click a VM → Settings → Storage → click on DVD device add symbol → click Leave Empty → click OK
    3. The usual way to add DVDs to VirtualBox VMs can now be used, such as VirtualBox → click a VM → click on [Optical Drive]
