{{Header}}
{{Title|
title=VM Live Mode: Read-only Mode for Virtual Hard Drives
}}
{{#seo:
|description=Set virtual machine (VM) hard drives to read only. Prevent write access to VM drives.
|image=Read-live23231.jpg
}}
{{live}}
{{grub-live}}
[[File:Read-live23231.jpg|thumb]]
{{intro|
Set virtual machine (VM) hard drives to read only. Prevent write access to VM drives.
}}
= Introduction =
It is possible to optionally set the virtual machine (VM) disks to read-only. This increases the security of [[Live Mode]] in the VM, because otherwise malware running as root in the VM could theoretically mount the image read-write and gain persistence in this way.
= Read-only Mode Configuration=
== Qubes ==
grub-live
is currently [[unsupported]] on [[Qubes]], but may become available in the future. Refer to the following [https://forums.whonix.org/t/whonix-live-mode-amnesia-amnesic-non-persistent-anti-forensics/3894/31 forum discussion] for further information.
In Qubes R4, [[Qubes/Disposables|Qubes Disposabless]] are a suitable alternative.
== VirtualBox ==
{{Box|text=
'''1.''' Warning.
Issue: VirtualBox might no longer support VBoxInternal/Devices/lsilogicsas/0/LUN#0/AttachedDriver/Config/ReadOnly
. Settings set through VBoxManage setextradata
are not officially supported and might be gone at some time such as now.
'''2.''' Set the VM disks to read-only.
Follow these steps:
* Power off the virtual machine (VM).
* Set the disk to read-only.
** The name of the VM in the following example below is {{project_name_workstation_short}}-Xfce
. It could be replaced with the name of any other VM such as {{project_name_gateway_short}}-Xfce
.
** On the host command line, run.
{{CodeSelect|code=
VBoxManage setextradata {{project_name_workstation_short}}-Xfce "VBoxInternal/Devices/lsilogicsas/0/LUN#0/AttachedDriver/Config/ReadOnly" 1
}}
'''3.''' Remove VirtualBox virtual DVD drive.
This is only required if the VM has a virtual DVD drive. It is not required in {{project_name_short}} version 15.0.1.2.7
and above since it no longer comes with a virtual DVD drive by default. See footnote for a {{project_name_short}} build version lower than 15.0.1.2.7
. [
{{VirtualBox_DVD_Remove}}
https://forums.whonix.org/t/no-longer-add-virtual-dvd-drive-to-vm-by-default/9337
]
'''4.''' Launch the live system.
Following reboot, a second boot entry called "VM Live Mode-mode" will be visible. Select it and then press Enter
to boot the live system and use it as normal.
'''5.''' ''Optional:'' Revert the read-only change.
To boot into normal mode again, run this command on the host to revert the change.
{{CodeSelect|code=
VBoxManage setextradata {{project_name_workstation_short}}-Xfce "VBoxInternal/Devices/lsilogicsas/0/LUN#0/AttachedDriver/Config/ReadOnly"
}}
The normal boot option can now be selected in the GRUB menu.
'''6.''' ''Optional:'' Re-add the virtual DVD.
Only when you need this; see footnotes. [
{{VirtualBox_DVD_Add}}
]
'''7.''' Done.
The process has been completed.
}}
Troubleshooting: If the system does not boot, check the [[VirtualBox/Recommended_Version|Recommended VirtualBox Version]] for {{project_name_short}} VirtualBox is in use.
== KVM ==
{{Box|text=
'''1.''' Set the VM disks to read-only.
Follow these steps:
* Power off the machine.
* Set the hard disk to read-only in the virt-manager GUI before booting into live mode.
'''2.''' Launch live-mode.
Following reboot, a second boot entry called "VM Live Mode-mode" will be visible. Select it and then press Enter
to boot the live system and use it as normal.
'''3.''' ''Optional:'' Revert the read-only change.
To boot into normal mode again, revert the change from step 1 and choose the normal boot option in the GRUB menu.
}}
== Alternative Configurations ==
{{mbox
| image = [[File:Ambox_warning_pn.svg.png|40px]]
| text =
Skip this section if the [[#KVM|KVM Live-mode]] or [[#VirtualBox|Virtualbox Live-mode]] configuration steps above have already been completed.
}}
Virtualbox and KVM:
* [[VM Live Mode/ro-mode-init|VM Live Mode: Alternative ro-mode-init Configuration]]
VirtualBox only:
* [[VM Live Mode/Immutable Disk Method on VirtualBox|VM Live Mode: Immutable Disk Method on VirtualBox]]
= Footnotes =
{{reflist|close=1}}
[[Category:Documentation]]
{{Footer}}