Download

(What is a point release?)

Upgrade

Alternatively, an in-place release upgrade is possible using the Kicksecure repository.

This release would not have been possible without the numerous supporters of Kicksecure!

Please Donate!

Please Contribute!

Major Changes

• Major Secure Boot and MOK usability improvements: new helper tools, safer DKMS handling during builds, richer UI controls, and improved detection/diagnostics.
  • (Part of work towards Verified Boot and Sovereign Boot)
• Removable media automount is now disabled by default (including for existing users via upgrade).
• Desktop and installer polish focused on LXQt
  • safer terminal UX (notably qterminal multi-line paste confirmation)
  • screen resolution tooling (kanshi)
• Better system maintenance and diagnostics: enhanced journal inspection (including previous-boot checks) via https://www.kicksecure.com/wiki/Systemcheck

Changelog

• anon-shared-build-apt-sources-tpo:
  • Run sq cert lint with –cert-file.
  • Update the signing key.
• browser-choice:
  • Fix Qubes proxy handling.
  • Enable installation of browsers in ISO Live Mode - user session.
• desktop-config-dist:
  • Add screen resolution tool kanshi (configuration instructions and tools).
  • Disable numlock by default.
  • livecheck
    • Add livecheck CLI mode.
    • Improve error handling and logging.
  • Simplify and improve robustness of volume fix code.
  • Set speaker volume to 50% on login (one time).
    • Non-Qubes only.
    • (/usr/libexec/desktop-config-dist/start-lxqt-session)
    • (Using pactl set-sink-volume @DEFAULT_SINK@ 50%.)
  • Avoid setting an unnecessary system-wide location for qterminal’s bookmarks file.
    • (Remove BookmarksFile=/home/user/.config/qterminal.org/qterminal_bookmarks.xml in file /usr/share/desktop-config-dist/qterminal.org/qterminal.ini.)
  • qterminal: Require confirmation before allowing a multi-line paste.
• dist-base-files:
  • fix: Let zsh pick up the PROFILE_SCRIPTS_WERE_SOURCED variable.
  • GRUB configuration: Document differences between our core boot menu generation scripts and Debian’s original versions.
  • Move PROFILE_SCRIPTS_WERE_SOURCED variable to dist-base-files.
  • fix: Increase priority of 60-dist-base-files.conf to override dracut-config-generic's 50-generic.conf file.
• helper-scripts:
  • Secure Boot usability improvements:
    • shim-signed-mok-setup: Prepare Secure Boot module-signing keys (used only if Secure Boot is enabled).
    • shim-manage-mok: Enroll/delete MOK (machine owner key).
    • Add rebuild-dkms-modules for rebuilding all DKMS modules. (Integrated with shim-manage-mok.)
  • Allow users to provide environment variables to gsudo-{wl,x}.
  • apt-key-install: Lint keys before and after copying.
  • apt-key-install: No longer use gpg-dearmor since no longer required.
  • strings.bsh: Add validate_safe_filename, check_is_alpha_numeric.
  • Add gsudo-wl and gsudo-x scripts, wrapper helper scripts to run graphical user interface (GUI) tools with administrative (“root”) rights. (No influence, change of Strong Linux User Account Isolation design.) Documentation: Graphical Applications and Root Rights
  • fix: autologinchange disable mechanism for greetd.
  • fix: Take greetd configuration into account when looking for autologin users.
  • Avoid spurious autologinchange error messages when /etc/lightdm doesn’t exist.
  • grep-find-unicode-wrapper: fix.
  • Add run-in-new-cgroup helper.
  • log_run_die.sh: Add support for logging of who_ami, add ‘log question’.
  • Allow light_sleep to take a float as an argument.
  • /usr/libexec/helper-scripts/try_wait_for_audio_ready.bsh: Add library for waiting for audio to be functional.
  • pre.bsh, get_colors.sh: Polish.
  • detect-ipv6-enabled-in-kernel.service: Add systemd service for detecting and notifying about the existence of in-kernel ipv6 support.
  • fix: lsmod_deterministic system locale independence.
  • Improve usability and code style of LUKS check in set-keyboard-layout.sh.
  • Add a safeguard when changing the system or console keymap if LUKS is used on the root filesystem.
  • new functions: lsmod_deterministic, kernel_module_loaded_check, modprobe_remove.
  • Add strict_config_parser library.
  • Remove obsolete script desktop-background-skel-test, the default desktop background can now be configured system-wide in /usr/share with LXQt.
  • Redistributable builds: Sort output of ‘find’ when using ‘genmkfile debinstfile’.
• initializer-dist:
  • Add config snippet for disabling DKMS MOK generation to make sure DKMS signing keys are not created during the build process.
    • DKMS bug report: DKMS should not generate a MOK by default when running inside a chroot · Issue #574 · dkms-project/dkms · GitHub
    • DKMS pull request: Add configuration option for enabling and disabling module signing by ArrayBolt3 · Pull Request #575 · dkms-project/dkms · GitHub
• kicksecure-base-files:
  • Disable removable media automount by default.
• kicksecure-meta-packages:
  • Make -cli metapackages directly installable.
    • kicksecure-baremetal-cli
    • kicksecure-vm-cli
  • Versus:
    • kicksecure-baremetal-server
    • kicksecure-vm-server
  • Add firmware-sof-signed to firmware-nonfreedom.
  • Remove firmware-nonfreedom-network dependency from main package kicksecure-qubes-cli. Instead, firmware-nonfreedom-network is now installed during the build process of qubes-template-kicksecure. Therefore, it can be easily uninstalled and simplifies custom user builds.
  • Improved distribution morphing support:
    • Remove dependencies on tirdad (to avoid pulling kernel packages).
    • Remove dependencies on kicksecure-network-conf{,-gui} (to avoid breaking networking).
  • Non-Qubes: Add LXQt localization packages.
  • Add gvfs-backends to dist-general-gui-lxqt.
• legacy-dist:
  • Avoid apt autoremove but allow manual uninstallation by the system administrator.
    • apt-mark manual firmware-nonfreedom-network
    • apt-mark manual kicksecure-network-conf kicksecure-network-conf-gui tirdad tirdad-dkms
  • MOK cleanup.
  • Mark dracut-config-generic for APT autoremoval since no longer required (see also package dist-base-files file /etc/dracut.conf.d/60-dist-base-files.conf).
  • Disable removable media automount by default for existing users.
  • Fix QTerminal being configured to always save bookmarks under /home/user, regardless of the user account it runs as.
  • Enable qterminal ConfirmMultilinePaste=true for all users.
• libvirt-dist:
  • Use FLAVOR consistently in UTM files.
• live-config-dist:
  • Adjust keymap helper script to keep working with encrypted installations.
• msgcollector:
  • Repeatedly try to signal to systemd that msgdispatcher is ready until it works.
• open-link-confirmation:
  • Add featherpad support.
• privleap:
  • Add the ability to parse config files in ‘/usr/local/etc/privleap/conf.d’.
• repository-dist:
  • Lint keyring.
  • Extend signing key validity to infinite.
• sdwdate:
  • Add missing syscalls to seccomp filter (for ppc64).
• sdwdate-gui:
  • Fix log spam when sdwdate-gui is disabled on the gateway but not the workstation.
  • Use strict_config_parser library instead of built-in config parsing routine.
• security-misc:
  • Do not run emerg-shutdown.service in case ‘rd.live.ram’ or ‘rd.live.ram=1’ is set. How to run ISO Live Mode from RAM? - #9 by Patrick
  • Document why we disable sudo DNS.
  • Disable sudo DNS lookups on desktop systems.
  • Add references for AMD SME (Thanks to @raja!).
  • Update option to panic_on_taint (Thanks to @raja!).
  • Update docs on CPU MSRs (Thanks to @raja!).
  • Whitelist 9p module (Thanks to @raja!).
  • Move kernel.panic=-1 setting to sysctl.
  • Allow turning panic-on-oops off with systemctl for system administrator.
  • Add reference for AMD SEV (Thanks to @raja!).
  • Provide option to enable AMD SEV-SNP (Thanks to @raja!).
  • Provide option to enable AMD SEV-ES (Thanks to @raja!).
  • Move (optional) CPU MSR module disable list (Thanks to @raja!).
  • Disable more file systems (Thanks to @raja!).
  • Move joydev from blacklist to disable (Thanks to @raja!).
  • Update docs on CD-ROM/DVD blacklisting (Thanks to @raja!).
  • Move superseded brcm80211 to disabled. Split and replaced by brcmsmac and brcmfmac in kernel 2.6.39 (Thanks to @raja!).
  • Add CPU MSR modules (Thanks to @raja!).
  • Update docs on CPU MSR disabling (Thanks to @raja!).
  • Update docs on Vivid disabling (Thanks to @raja!).
  • Sort RDNIS disabling and add docs (Thanks to @raja!).
  • Update docs on Intel PMT disabling (Thanks to @raja!).
  • Update docs on Bluetooth disabling (Thanks to @raja!).
  • Provide option to panic_on_taint (Thanks to @raja!).
  • Re-set net.ipv4.conf.*.log_martians=1 (Thanks to @raja!).
  • Update docs on CPU mitigations (Thanks to @raja!).
  • Warnings about using mitigations=auto,nosmt (Thanks to @raja!).
  • README: Do not rely on mitigations=auto (Thanks to @raja!).
• setup-dist:
  • Remove Tor enable/disable TUI (terminal user interface) feature Whonix 18 CLI — setup-dist fails due to missing anon_connection_wizard - Support - Whonix Forum
• swap-file-creator:
  • Reduce verbosity (no output during boot) when ENOUGH_RAM is detected.
• sysmaint-panel:
  • Add kanshi (screen resolution) configuration buttons.
  • Add Secure Boot MOK (machine owner key) enrollment button.
  • Add MOK reset button.
  • Fix “Install System” button size.
  • Add dynamic resolution config button to non-qubes VMs (related to wlr-resize-watcher)
  • Add button for toggling panic-on-oops.service on and off.
  • Restructure how sysmaint-panel’s main window UI is built, polish create-user script, create delete-user script.
• systemcheck:
  • Vastly improved Journal Inspection and Diagnostics Logs.
    • Add “segfault”, “killed”, and “fault” checks to the log checker.
    • Check the previous boot’s logs for alerts (useful in case of forced reboot and GUI crash issues).
  • Add privleap group membership check.
  • Check for a login environment, warn the user if one is absent.
  • Add code for suggesting a MOK reset if necessary.
  • Implement torS0X stream isolation Tor's extensions to the SOCKS protocol - Tor Specifications
  • Improved Secure Boot detection code.
    • Add checks for mokutil, DKMS MOK key presence, and shim-signed MOK symlink presence.
  • Add autostart functionality with limited functions and passive notifications to systemcheck.
• tb-starter:
  • Prevent starting Tor Browser in a sysmaint session by default with a better error message.
    • allow overriding with configuration
• tb-updater:
  • Improve CLI output.
  • fix /var/cache/tb-binary folder permissions Tor Browser Error in Whonix 18 AppVM: User Home Folder Permission Issue - Qubes-Whonix - Whonix Forum
  • Fix onion downloads on non-Whonix systems.
  • sandbox-update-torbrowser: isolate browser installation into dedicated user account if installing into /var/cache/tb-binary.
  • Check version file using grep-find-unicode-wrapper.
  • Refuse running in sysmaint session as account other than sysmaint or root.
  • Implement torS0X stream isolation Tor's extensions to the SOCKS protocol - Tor Specifications
  • fix local version number being truncated.
  • version-parser: hardening; increase version string length in preparation to support aarch64 Tor Browser downloads.
• tirdad:
  • Moved documentation to wiki and improved: tirdad - TCP ISN CPU Information Leak Protection
• usability-misc:
  • Use a more reliable way to suppress the zsh-newuser-install wizard (since we ship a full configuration).
  • fix /etc/dkms/framework.conf.d/30_usability-misc.conf for non-English locale.
  • shutdown speed fix: run orca-kill-at-shutdown.service only if file /usr/bin/orca exists.
  • dist-installer-cli: point out if folder /home/user does not exist, likely due to never having logged in under account user.
  • dist-installer-cli: fix: honor –user=user option in sysmaint session.
  • dist-installer-cli: implement torS0X stream isolation Tor's extensions to the SOCKS protocol - Tor Specifications
  • dist-installer-cli: improve kernel module handling.
  • dist-installer-cli: Xfce → LXQt.
• user-sysmaint-split:
  • Add a missing runtime dependency that provides the ‘gio’ command used for launching session background services.
  • fix: Remove Qubes sysmaint boot mode when apt removed even if not fully apt purged.
  • Import environment variables from systemd after labwc starts.
  • Enable usbguard-dbus.service in sysmaint sessions by default.
  • Enable IPv6 detection unit in sysmaint session.
• vm-config-dist:
  • Implement wlr-resize-watcher systemd user unit.
  • Fix suppress-power-management-in-vms always thinking it’s running on a VM.
  • Add virtiofs support to mount-shared.
• qubes-template-kicksecure:
  • Explicitly install firmware-nonfreedom-network on Kicksecure templates.
• derivative-maker:
  • Suppress MOK generation during ISO builds too.
  • Suppress DKMS MOK generation during the build.
  • Add help-steps/codespell-wrapper.
  • fix: Disable unnecessary mandatory –architecture option for –target source.
  • fix: Don’t append .raw to the flavor name for UTM builds.
  • Add version number to Windows installer exe file name.
  • ARM64 (non-Intel/AMD64 actually): fail open in case Tor Browser is unavailable to simplify custom user builds. (No stable builds available from The Tor Project yet at the time of writing)
  • make –arch option mandatory.

Full difference of all changes

https://github.com/Kicksecure/derivative-maker/compare/18.0.8.7-developers-only…18.1.4.2-developers-only