ISO - Development

anon87354919 · February 9, 2024, 4:04pm

Where is the repo where is the progress? Where do I contribute and where do I see?

Patrick · February 10, 2024, 11:25am

GitHub - derivative-maker/derivative-maker: https://www.kicksecure.com/wiki/Imprint (build script)
GitHub - derivative-maker/grml-debootstraptest: RAW Image to ISO Image and tests for grml-debootstrap (raw image-to-iso)
GitHub - Kicksecure/live-config-dist (calamares Installer settings)
Whonix-Host Operating System (OS) ISO - Development - Whonix Forum (legacy location but mostly affects both, Kicksecure, Whonix)
kicksecure-meta-packages/debian/control at master · Kicksecure/kicksecure-meta-packages · GitHub (meta packages for Kicksecure hosts)
Kicksecure Operating System Live ISO, Kicksecure-Host Installer

This is a horrible usability bug, not sure it should be considered a blocker:

Build the ISO from a developers git tag.
Boot the ISO (on hardware, or in VM, BIOS or EFI, SecureBoot enabled or not, anything)
Test the ISO.
Test the Calamares installer.
Test the installed system.
Ask in case of issues (build issues or so).
Improve developers documentation to make the process more straight-forward for yourself and potentially other developers.
Fix what’s needed.

Patrick · March 12, 2024, 3:42pm

A downloadable ISO is now available for developers.

grass · April 19, 2024, 4:24pm

The page Kicksecure Operating System Live ISO, Kicksecure-Host Installer has been updated to contain instructions on how to install the ISO. It can help you to contribute for the issues to be fixed.

Patrick · July 5, 2024, 5:07pm

Patrick · August 28, 2024, 9:29am

Major progress fixing major issues thanks to massive help by @ArrayBolt3.

github.com/Kicksecure/derivative-maker

Download Calamares from bookworm-backports

Kicksecure:master ← ArrayBolt3:master

opened 07:34AM - 27 Aug 24 UTC

ArrayBolt3

+42 -0

## Changes This pull request downloads Calamares from bookworm-backports rath…er than from bookworm. This pulls in a significantly newer version of Calamares that contains support for disabling encryption on specific partitions. See https://github.com/Kicksecure/live-config-dist/pull/5 for more information. NOTE: For installation to still work right after this, a new submodule for calamares-settings-debian MUST be added to `packages/kicksecure`! Source code suitable for this purpose can be obtained from https://github.com/ArrayBolt3/calamares-settings-debian (though I recommend cloning that repo, reviewing it, and then pushing it to a Kicksecure-specific location rather than using it directly - it contains a Unicode character fix and some Lintian tag overrides for genmkfile). Additionally, it will be necessary to merge the live-config-dist pull request linked above. ## Mandatory Checklist - [x] Legal agreements accepted. By contributing to this organisation, you acknowledge you have read, understood, and agree to be bound by these these agreements: [Terms of Service](https://www.kicksecure.com/wiki/Terms_of_Service), [Privacy Policy](https://www.kicksecure.com/wiki/Privacy_Policy), [Cookie Policy](https://www.kicksecure.com/wiki/Cookie_Policy), [E-Sign Consent](https://www.kicksecure.com/wiki/E-Sign_Consent), [DMCA](https://www.kicksecure.com/wiki/DMCA), [Imprint](https://www.kicksecure.com/wiki/Imprint) ## Optional Checklist The following items are optional but might be requested in certain cases. - [x] I have tested it locally - [x] I have reviewed and updated any documentation if relevant - [x] I am providing new code and test(s) for it

github.com/Kicksecure/live-config-dist

Improve localization, disk encryption, and a few other things

Kicksecure:master ← ArrayBolt3:master

opened 01:15AM - 24 Jul 24 UTC

ArrayBolt3

+135 -49

This pull request improves several aspects of the installation process for Kicks…ecure 17, most notably localization and full disk encryption. ## Changes * `debian/changelog`: * Bump version number. * `debian/copyright`: * Updated copyright and licensing information. * `debian/live-config-dist.displace`: * Add a divert for bootloader-config, which is now overridden to include a `set -x` line. * `etc/calamares/branding/Kicksecure/*`: * Updated capitalization of style fields - this is necessary for Calamares 3.3.8 to parse them properly, failing to do so results in a solid black left sidebar. * Fixed the absence of a Kicksecure logo in the upper-left corner of the installer. This is generally where distros put their logos and it seemed appropriate to me. The logo component was taken from the larger, complete Kicksecure logo in the same directory. * Renamed logo.png to icon.png to fit with the terminology used by Calamares. This made room for a new logo.png to be created, which contains the logo which now appears in the upper-left corner of the installer. * `etc/calamares/modules/partition.conf`: * Removed some obsolete fields that already have replacements integrated into the config file. * Disabled swap file. * `etc/calamares/settings.conf.dist`: * Moved some fields down to the bottom of the file for readability. Not strictly necessary, but made working on the project easier. * Added the `locale` and `keyboard` modules to the `show` component of the `sequence` section. This allows the user to customize their localization, timezone, and keyboard layout information at installation time. * Added several modules to the `exec` component of the `sequence` section: * `locale` - allows setting locale to work. The absence of this module results in language settings not carrying over into the installed system. * `keyboard` - allows setting the keyboard layout to work. The absence of this module results in keyboard layout settings not carrying over into the installed system. * `localecfg` - not entirely sure if this is needed, but it appeared important and so I added it. This was when I was first trying to get localization working right. This might be able to be dropped. * `shellprocess@fixconkeys_part1` and `shellprocess@fixconkeys_part2` - Vital for disk encryption, explained later. * Moved the `grubcfg` and `bootloader-config` modules to later in the installation process to avoid installation errors. * Added two shellprocesses to the `instances` section. These are vital for disk encryption and are explained below. * `etc/calamares/modules/shellprocess_fixconkeys_part1.conf` and `etc/calamares/modules/shellprocess_fixconkeys_part2.conf`: * Vital for disk encryption, explained below. * `usr/sbin/bootloader-config.dist`: * Copied from `calamares-settings-debian`. * Added a `set -x` line for debugging. * Try to install `grub-efi-amd64-bin` rather than `grub-efi` to avoid installation failure. ## Disk Encryption Fixes In order for FDE to work ideally on Kicksecure, a newer version of Calamares than the one present in Bookworm is needed. I locally compiled Calamares 3.3.8 from Trixie for Bookworm and installed it into the live session for testing. This version of Calamares properly processes the `noEncrypt` parameter in `partitions.conf` and thus the `/boot` partition is excluded from encryption. However, **this did not entirely solve disk encryption issues** - when installing Kicksecure using a language with a keyboard layout different from `us` (I used German in my testing), the keyboard layout used by cryptsetup for decrypting the disk is different than the one used by Calamares for setting the encryption passphrase. This is a situation that I previously dealt with in Lubuntu, and is a result of the console keymap not being set correctly within the system's initramfs. Solving this issue requires changing the console keyboard layout within the initramfs at install time to match the keyboard layout chosen by the user. This is non-trivial and requires a pair of scripts (embedded into the `shellprocess_fixconkeys_part*.conf` configuration files) to accomplish. * The first script runs within the live system itself, NOT in the installed system chroot that Calamares creates. This script determines the keyboard layout in use by the user using `setxkbmap -query`, processes the output so as to extract the two-character keyboard layout code, and saves it to `/dev/shm/fixconkeys-layout`. (The reason for choosing `/dev/shm` is because it is a tmpfs that can be shared between the live and installed systems at installation time.) After doing this, the script bind-mounts `/dev/shm` from the live system into the installed system so that the second script can access the `fixconkeys-layout` file from within the installed system chroot. * The second script operates within the installed system via a chroot. It loads the keyboard layout from the `fixconkeys-layout` into the current console session, then saves the loaded settings into a system-wide location using `setupcon`. With this complete, it then regenerates all initramfs'es on the installed system using `dracut`, ensuring this configuration is installed into the initramfs. This ensures that when `cryptsetup` runs from within the initramfs to unlock the disk, the console keyboard layout is set properly, thus allowing the user to decrypt the disk using the same keyboard layout they used to encrypt it. This solution works well in my testing, however Kicksecure is currently missing critical packages necessary for this to work. The following packages will have to be installed into the Kicksecure ISO at ISO build time for this solution to work properly (edit: these are no longer missing): * `console-common` * `console-data` * `console-setup-linux` * `console-setup` * `kbd` I used workarounds to locally install these packages into the live environment and into the installed system for testing purposes, and can confirm that these five packages are sufficient to allow the keyboard layout fix described above to function properly. Last but not least, the `calamares` and `calamares-settings-debian` packages from Trixie will need to be published in Debian's `bookworm-backports` repository before they are available for general use within Kicksecure. I filed a bug report for this in Debian to bring this to the `calamares` package maintainer's attention (and emailed him directly a day before), but have not heard back from him yet. Therefore I intend to attempt creating and maintaining the backport myself. The bug report is here: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1076740 (edit: `calamares` has gotten into bookworm-backports, `calamares-settings-debian` may take significantly longer and I suggest we go with a "build it ourselves" approach in derivative-maker for now.) ## Mandatory Checklist - [x] Legal agreements accepted. By contributing to this organisation, you acknowledge you have read, understood, and agree to be bound by these these agreements: [Terms of Service](https://www.kicksecure.com/wiki/Terms_of_Service), [Privacy Policy](https://www.kicksecure.com/wiki/Privacy_Policy), [Cookie Policy](https://www.kicksecure.com/wiki/Cookie_Policy), [E-Sign Consent](https://www.kicksecure.com/wiki/E-Sign_Consent), [DMCA](https://www.kicksecure.com/wiki/DMCA), [Imprint](https://www.kicksecure.com/wiki/Imprint) ## Optional Checklist The following items are optional but might be requested in certain cases. - [x] I have tested it locally - [x] I have reviewed and updated any documentation if relevant - [x] I am providing new code and test(s) for it * Technically there aren't tests for this code other than manual checking, so while I am providing new code, I am not providing tests for it.

Next is review, merge, build, testing.

Patrick · September 25, 2024, 12:32am

Merged:

github.com/Kicksecure/kicksecure-meta-packages

Fix ISO build failure, add xdg-desktop-portal(-gtk)

Kicksecure:master ← ArrayBolt3:master

opened 05:49PM - 24 Sep 24 UTC

ArrayBolt3

+3 -1

## Changes * Add xdg-desktop-portal to kicksecure-desktop-envrionment-essenti…al-gui, and add xdg-desktop-portal-gtk to kicksecure-desktop-environment-essential-xfce. These are used for the XDG portal in Xebian (another Debian-based XFCE-based distro), and simply installing them in a live session is enough for them to function properly on Kicksecure. * Fix a typo in a package name causing an ISO build failure. ## Mandatory Checklist - [x] Legal agreements accepted. By contributing to this organisation, you acknowledge you have read, understood, and agree to be bound by these these agreements: [Terms of Service](https://www.kicksecure.com/wiki/Terms_of_Service), [Privacy Policy](https://www.kicksecure.com/wiki/Privacy_Policy), [Cookie Policy](https://www.kicksecure.com/wiki/Cookie_Policy), [E-Sign Consent](https://www.kicksecure.com/wiki/E-Sign_Consent), [DMCA](https://www.kicksecure.com/wiki/DMCA), [Imprint](https://www.kicksecure.com/wiki/Imprint) ## Optional Checklist The following items are optional but might be requested in certain cases. - [x] I have tested it locally - [x] I have reviewed and updated any documentation if relevant - [x] I am providing new code and test(s) for it Fixes https://www.kicksecure.com/wiki/Dev/audio#mod.rt:_Can.27t_find_org.freedesktop.portal.Desktop._Is_xdg-desktop-portal_running.3F

Thanks to @arraybolt3!

Patrick · November 10, 2024, 12:25pm

github.com/Kicksecure/derivative-maker

Use live-build to build the Kicksecure ISO by default

Kicksecure:master ← ArrayBolt3:arraybolt3/live-build

opened 01:46AM - 28 Oct 24 UTC

ArrayBolt3

+1240 -0

This pull request adds live-build support to derivative-maker. At present it is …designed and enabled for the Kicksecure ISO only. The ISO features a functional live mode, Calamares installer, and debian-installer. Some notes: * Both normal ISO builds and `--remote-derivative-repository` ISO builds work. * Whonix and Kicksecure VM builds still work. I have **NOT** tested derivative-makers various other build features beyond this! * debian-installer's basic functionality works, I have not thoroughly tested every edge case though, nor have I tested (encrypted) LVM or manual partitioning. debian-installer is very powerful, complicated, and isn't really designed to work the way Kicksecure works, so the included preseed file is intended to make most of the "scary" options vanish and leave the user with only "safe" options, however the end-user can override this using GRUB options if they so choose. * **Three Kicksecure packages required changes in order for this to work.** All three of these must be updated before merging this, or there will be problems. The packages (and links to my forks of them) are: * live-config-dist (https://github.com/ArrayBolt3/live-config-dist/tree/arraybolt3/live-build) * dist-base-files (https://github.com/ArrayBolt3/dist-base-files/tree/arraybolt3/live-build) * anon-apt-sources-list (https://github.com/ArrayBolt3/anon-apt-sources-list/tree/arraybolt3/live-build) * **A fork of live-build must be used in order to build this, as it makes use of several experimental features I wrote for this purpose.** The fork can be seen here: https://salsa.debian.org/ArrayBolt3/live-build/-/tree/arraybolt3/lb-dracut?ref_type=heads In particular, this code uses local repository support, mmdebstrap support, and `apt update`-specific options, all of which are not yet merged upstream. ## Changes * build-steps.d/2800_create-lb-iso * This is the ISO creation script used when live-build is enabled. Due to live-build's design, this script handles bootstrapping, chroot installation, and ISO packaging all at the same time. It essentially generates a live-build configuration tree dynamically at runtime, then runs live-build stages on this configuration tree to create the ISO. Due to the complexity of Kicksecure's chroot installation process, the script does quite a bit of "fiddling" to make sure the ISO is properly configured. * build-steps.d/3200_create-raw-image * build-steps.d/3500_install-packages * build-steps.d/4300_run-chroot-scripts-post-d * build-steps.d/4400_zerofree-raw * build-steps.d/4700_convert-to-iso * Added checks so that these don't run when building a Kicksecure ISO. * live-build-data/d-i-branding/* * Kicksecure branding for debian-installer. * live-build-data/d-i-theme/gtkrc * Theming for debian-installer. Without this, the default "emerald" color scheme is used which really does not look right with Kicksecure's blue logo. * live-build-data/grub-config/* * GRUB menu configuration for the ISO. Provides live mode, expert installation modes (for debian-installer), and the ability to access UEFI firmware settings if applicable. * live-build-data/live-build-config/* * Static configuration files for live-build. 2800_create-lb-iso copies these into the appropriate locations at runtime. * live-build-data/preseed.cfg * Configuration file for debian-installer, so that the installation process actually works right. This ends up embedded into the ISO's initramfs files so also cannot be shipped as a package. * packages/kicksecure/developer-meta-files * Latest commits from developer-meta-files, updated by accident. Can easily revert, probably would be better to in order to avoid having unrelated changes mixed up. ## Mandatory Checklist - [x] Legal agreements accepted. By contributing to this organisation, you acknowledge you have read, understood, and agree to be bound by these these agreements: [Terms of Service](https://www.kicksecure.com/wiki/Terms_of_Service), [Privacy Policy](https://www.kicksecure.com/wiki/Privacy_Policy), [Cookie Policy](https://www.kicksecure.com/wiki/Cookie_Policy), [E-Sign Consent](https://www.kicksecure.com/wiki/E-Sign_Consent), [DMCA](https://www.kicksecure.com/wiki/DMCA), [Imprint](https://www.kicksecure.com/wiki/Imprint) ## Optional Checklist The following items are optional but might be requested in certain cases. - [x] I have tested it locally - [x] I have reviewed and updated any documentation if relevant - [x] I am providing new code and test(s) for it Fixes: https://www.kicksecure.com/wiki/Dev/todo#ISO_-_port_to_live-build

Patrick · November 14, 2024, 8:57pm

live-build: Binary stage runs apt commands, breaking certain image build workflows

Patrick · January 14, 2025, 7:30am

Debian for grub-pc with grub-efi co-install-ability feature request:
Allow concurrent installation of grub-pc and grub-efi-amd64

(co-install grub-efi-amd64 and grub-pc by default on Whonix-Host ISO - #2 by Patrick - Phabricator Tickets - Whonix Forum)

Patrick · January 14, 2025, 9:36am

github.com/calamares/calamares

Prototype implementation of BIOS+UEFI boot support

calamares:calamares ← ArrayBolt3:arraybolt3/multi-firmware-boot

opened 03:25AM - 05 Jan 25 UTC

ArrayBolt3

+51 -11

It would be very handy for some use case scenarios if Calamares could be configu…red to install both BIOS and GRUB bootloaders on the same system. The primary use for this would be portable installations, where someone does a full install of a distro onto a USB flash drive that they then intend to run on multiple physical machines with varying types of firmware. Currently Calamares can only install the bootloader matching the firmware type of the system being booted though. This PR attempts to change that by adding an option `installHybridGRUB` to `bootloader.conf`. When enabled, Calamares will attempt to install both BIOS and UEFI GRUB bootloaders. Note, I'm not sure if the approach I'm taking here is correct - it seems a bit overly hacky. This PR also isn't complete - it still needs to tackle a problem with partitioning (namely, the EFI system partition is only made on EFI systems, so on BIOS systems, one has to specify an ESP themselves in partition.conf... but if you do that, you end up with two ESPs on EFI systems, because Calamares will add an ESP regardless of whether one already exists in the partition layout or not).

Patrick · August 27, 2025, 3:25pm

Kicksecure 18 and above (based on Debian 13 / trixie) will be even better.

Calamares installer can run as root without Xwayland, yet has a functional graphical user interface (GUI).

(According to @arraybolt3 who tested that.)

As for tickets about calamares running without root (rootless), i.e. splitting the frontend graphical user interface (GUI from the backend command line interface (CLI):

→

This is, admittedly, a non-obvious place for it.

Patrick · January 5, 2026, 9:16am

Install on usb don't boot - Ventoy / Super Grub2 Disk - loopback.cfg

Patrick · January 5, 2026, 9:19am