No hack required for Linux on Chromebooks with the Termina VM and containers or Virtualbox

Chromebooks have a security model that traditional laptop OS makers are still struggling to implement broadly. Chrome OS (Chromebook) is one of the more secure platforms for web browsing and web applications because it restricts users to a limited set of high-level APIs.

Power users and developers often belittle the system because they are unable to install and run arbitrary applications. The ChromeOS and Chromium teams have resisted unbridled execution of Linux programs because that would weaken the security profile of Chrome-based devices. ChromeOS/Chromium has now addressed this issue by providing secure sandboxed environments that execute Linux programs in strong isolation from the Chrome operating system.

Chromebooks, including CloudReady devices, now support isolated Crostini Linux containers with only a single preference setting. Crostini Linux runs in a sandboxed Linux container inside a Linux VM. Programs running inside Crostini are heavily isolated from the core ChromeOS. This lets Chrome users run Linux without compromising the core Chrome operating system. Developers can now use Chromebook devices as developer workstations. I run Microsoft Visual Studio Code and Android Studio in this environment with few issues.

CloudReady provides a second containerized environment in addition to Crostini. Users can enable a bundled version of VirtualBox basic. This lets you run full Linux or other operating systems as VMs on the laptop. CloudReady does not support VirtualBox extensions because they can be used to weaken the VM / host boundary. I installed Kali Linux as a VirtualBox VM for Security CTF and other events.

VMs and Containers inside ChromeOS and CloudReady


The left branch represents the new native ChromeOS Linux environment. It may be enough for people who need to run native-style programs on a Chromebook. Crostini spins up a single Debian container by default. It is possible to add custom containers.

The right branch can be used when you need to run and customize a full-featured operating system like Linux. CloudReady makes it easy to install/enable the VirtualBox hypervisor. VirtualBox is not available on all Chromebooks.

Enabling Crostini, Termina and Linux containers

Linux support in ChromeOS is still in Beta as of the time of writing this. You must enable the Linux Beta in the Chrome settings panel in order to use this beta feature.

Starting and stopping Crostini and its containers

Crostini, its VM and its container are automatically started when you select one of the Linux apps available in the ChromeOS app launcher. The VM and container can only be stopped by rebooting or from the command line as described below.

Managing Crostini and containers from the command line

The Termina VM and its penguin container can also be started and stopped from the command line. The following diagrams show the commands available at each level.


Linux applications run in the penguin container inside the Termina VM hosted on ChromeOS. The vmc and vsh commands are used to start the Termina VM and the penguin user container. vmc and vsh are run from inside the Chrome shell (crosh).

It is also possible to run a shell in the Termina VM itself and then run Linux container commands to start and stop the various Linux containers. You would run a vsh command from crosh to shell into the Termina VM after it is started.
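The three levels described above, written out as one command-line session. This is an added walkthrough, not the post's own diagram: lines starting with # are my annotations rather than crosh output, the container name penguin is the Crostini default, and the prompts are what crosh and the Termina VM show.

```console
# Level 1: the Chrome OS shell (crosh, opened with Ctrl+Alt+T).
# vmc manages the VMs; nothing here runs inside the Linux container.
crosh> vmc list
crosh> vmc start termina
# Level 2: a shell inside the Termina VM, one boundary below ChromeOS.
# Containers are managed with lxc from here, never from ChromeOS itself.
crosh> vsh termina
(termina) chronos@localhost ~ $ lxc list
(termina) chronos@localhost ~ $ lxc start penguin
# Level 3: a shell inside the penguin container, where Linux apps run.
(termina) chronos@localhost ~ $ lxc exec penguin -- bash
# ... Linux work happens here; exit returns to the Termina VM shell
(termina) chronos@localhost ~ $ lxc stop penguin
(termina) chronos@localhost ~ $ exit
# Back at level 1: stopping the VM tears down every container inside it.
crosh> vmc stop termina
```

Each prompt change marks a crossing of an isolation boundary, which is why stopping the VM (level 1) is the only way to stop Linux apps short of a reboot.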

Other Links

Installing Apps

Debian packages can be installed in the container by downloading the .deb files, viewing the file in the file viewer, and then right-clicking to select "install".
  • Installing Android Studio https://developer.android.com/studio/install#chrome-os
  • Installing Visual Studio Code: see the Debian instructions on the Microsoft site.
    • You can make Visual Studio Code the default Linux text editor by running
          sudo update-alternatives --set editor /usr/bin/code

Limits

Only one VT-x hypervisor can execute at a time. This means you can run either Crostini or VirtualBox, but not both simultaneously.

My Experience

I wanted a secure burner device as my main machine while attending DEFCON 2019. I converted my Dell E7240 from a Windows laptop to a CloudReady Chromebook. The experience has been great. The device has been stable and way more useful than I expected as a heavy Mac and Windows user. I use Chrome for general browsing, Google Docs, mail, conferencing and drawings (using Draw.io).

Edited 2019/28/09
