{{Header}}
{{Title|
title=VM Live Mode: Read-only Mode for Virtual Hard Drives
}}
{{#seo:
|description=Set virtual machine (VM) hard drives to read only. Prevent write access to VM drives.
|image=Read-live23231.jpg
}}
{{live}}
{{grub-live}}
[[File:Read-live23231.jpg|thumb]]
{{intro|
Set virtual machine (VM) hard drives to read only. Prevent write access to VM drives.
}}
= Introduction =
The virtual machine (VM) disks can optionally be set to read-only. This increases the security of [[Live Mode]] in the VM, because otherwise malware running as root in the VM could theoretically mount the image read-write and gain persistence in this way.

= Read-only Mode Configuration =
== Qubes ==
grub-live is currently [[unsupported]] on [[Qubes]], but may become available in the future. Refer to the following [https://forums.whonix.org/t/whonix-live-mode-amnesia-amnesic-non-persistent-anti-forensics/3894/31 forum discussion] for further information. In Qubes R4, [[Qubes/Disposables|Qubes Disposables]] are a suitable alternative.

== VirtualBox ==
{{Box|text=
'''1.''' Warning.

Issue: VirtualBox might no longer support <code>VBoxInternal/Devices/lsilogicsas/0/LUN#0/AttachedDriver/Config/ReadOnly</code>. Settings set through <code>VBoxManage setextradata</code> are not officially supported and might be removed at any time, possibly already.

'''2.''' Set the VM disks to read-only.

Follow these steps:

* Power off the virtual machine (VM).
* Set the disk to read-only.
** The name of the VM in the example below is {{project_name_workstation_short}}-Xfce. It could be replaced with the name of any other VM such as {{project_name_gateway_short}}-Xfce.
** On the host command line, run:

{{CodeSelect|code=
VBoxManage setextradata {{project_name_workstation_short}}-Xfce "VBoxInternal/Devices/lsilogicsas/0/LUN#0/AttachedDriver/Config/ReadOnly" 1
}}

'''3.''' Remove VirtualBox virtual DVD drive.

This is only required if the VM has a virtual DVD drive.
It is not required in {{project_name_short}} version 15.0.1.2.7 and above since it no longer comes with a virtual DVD drive by default. See footnote for a {{project_name_short}} build version lower than 15.0.1.2.7. {{VirtualBox_DVD_Remove}} https://forums.whonix.org/t/no-longer-add-virtual-dvd-drive-to-vm-by-default/9337

'''4.''' Launch the live system.

Following reboot, a second boot entry called "VM Live Mode-mode" will be visible. Select it and then press Enter to boot the live system and use it as normal.

'''5.''' ''Optional:'' Revert the read-only change.

To boot into normal mode again, run this command on the host to revert the change.

{{CodeSelect|code=
VBoxManage setextradata {{project_name_workstation_short}}-Xfce "VBoxInternal/Devices/lsilogicsas/0/LUN#0/AttachedDriver/Config/ReadOnly"
}}

The normal boot option can now be selected in the GRUB menu.

'''6.''' ''Optional:'' Re-add the virtual DVD.

Only do this if you need it; see footnotes. {{VirtualBox_DVD_Add}}

'''7.''' Done.

The process has been completed.
}}

Troubleshooting: If the system does not boot, check that the [[VirtualBox/Recommended_Version|Recommended VirtualBox Version]] for {{project_name_short}} is in use.

== KVM ==
{{Box|text=
'''1.''' Set the VM disks to read-only.

Follow these steps:

* Power off the machine.
* Set the hard disk to read-only in the virt-manager GUI before booting into live mode.

'''2.''' Launch live-mode.

Following reboot, a second boot entry called "VM Live Mode-mode" will be visible. Select it and then press Enter to boot the live system and use it as normal.

'''3.''' ''Optional:'' Revert the read-only change.

To boot into normal mode again, revert the change from step 1 and choose the normal boot option in the GRUB menu.
}}

== Alternative Configurations ==
{{mbox
| image = [[File:Ambox_warning_pn.svg.png|40px]]
| text = Skip this section if the [[#KVM|KVM Live-mode]] or [[#VirtualBox|VirtualBox Live-mode]] configuration steps above have already been completed.
}}

VirtualBox and KVM:

* [[VM Live Mode/ro-mode-init|VM Live Mode: Alternative ro-mode-init Configuration]]

VirtualBox only:

* [[VM Live Mode/Immutable Disk Method on VirtualBox|VM Live Mode: Immutable Disk Method on VirtualBox]]

= Footnotes =
{{reflist|close=1}}
[[Category:Documentation]]
{{Footer}}
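
Added example (not part of the original page or the project's tooling): a host-side check for the two preconditions of VirtualBox step 2, namely that the VM is powered off and that the ReadOnly extradata key reads back as 1. It only reads the stored setting; given the warning in step 1, a stored value does not prove that VirtualBox enforces it. The function names and sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: read back the read-only extradata key set in VirtualBox step 2.
KEY='VBoxInternal/Devices/lsilogicsas/0/LUN#0/AttachedDriver/Config/ReadOnly'

# Classify the text printed by "VBoxManage getextradata <vm> <key>".
# Prints one of: set | unset | unexpected
ro_flag_state() {
    case "$1" in
        "Value: 1")      echo set ;;
        "No value set!") echo unset ;;
        *)               echo unexpected ;;
    esac
}

# Extract VMState from "VBoxManage showvminfo <vm> --machinereadable" output.
# The anchored pattern skips the neighbouring VMStateChangeTime line.
vm_state() {
    printf '%s\n' "$1" | sed -n 's/^VMState="\(.*\)"$/\1/p'
}

# $1 = getextradata output, $2 = showvminfo output.
# Returns 0 only if the VM is powered off and the key is stored as 1.
live_mode_ready() {
    [ "$(vm_state "$2")" = "poweroff" ] || { echo "VM is not powered off"; return 1; }
    [ "$(ro_flag_state "$1")" = "set" ] || { echo "ReadOnly key is not 1"; return 1; }
    echo "ready"
}

# Query a real VM by name (requires VBoxManage on the host).
check_vm() {
    live_mode_ready "$(VBoxManage getextradata "$1" "$KEY")" \
                    "$(VBoxManage showvminfo "$1" --machinereadable)"
}

# Constructed sample output, so the parsing can be tried without VirtualBox.
SAMPLE_INFO='name="Example-VM"
VMState="poweroff"
VMStateChangeTime="2024-01-01T00:00:00.000000000"'

live_mode_ready "Value: 1" "$SAMPLE_INFO"
live_mode_ready "No value set!" "$SAMPLE_INFO" || true
```

On a host with VirtualBox installed, call <code>check_vm</code> with the VM name used in step 2 before selecting the live boot entry.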