#!/bin/bash # From https://github.com/tasket/Qubes-VM-hardening # installer version 0.9.0 set -e [ `id -u` -eq 0 ] || exit if [ "$1" = "--uninstall" ]; then echo "Removing vm-boot-protect.service..." echo "Warning: This will remove any custom files added to /etc/default/vms!" read -p "Proceed [y/N]? " ans if [[ $ans == @(Y|y) ]]; then systemctl disable vm-boot-protect.service rm -r /lib/systemd/system/vm-boot-protect.service /usr/lib/qubes/init/vm-boot-protect.sh /etc/default/vms systemctl daemon-reload echo "Done." else echo "Aborted." fi exit 0 fi echo "Installing vm-boot-protect.service..." cp vm-boot-protect.sh /usr/lib/qubes/init chmod +x /usr/lib/qubes/init/vm-boot-protect.sh cp vm-boot-protect.service /lib/systemd/system systemctl daemon-reload systemctl enable vm-boot-protect.service echo "Adding defaults in /etc/default/vms..." mkdir -p /etc/default/vms # Careful... ownership & mode are not preserved here! cp -riv default/vms/* /etc/default/vms echo -e "\nvm-boot-protect installed!\n" bash ./configure-sudo-prompt exit 0