qusal/salt/kicksecure-minimal/README.md

# kicksecure-minimal

Kicksecure Minimal Template in Qubes OS.

## Table of Contents

* [Description](#description)
* [Installation](#installation)
* [Usage](#usage)

## Description

Creates the Kicksecure Minimal template as well as a Disposable Template based
on it.

## Installation

- Top:
```sh
qubesctl top.enable kicksecure-minimal
qubesctl --targets=kicksecure-17-minimal state.apply
qubesctl top.disable kicksecure-minimal
qubesctl state.apply kicksecure-minimal.prefs
```

- State:
<!-- pkg:begin:post-install -->
```sh
qubesctl state.apply kicksecure-minimal.create
qubesctl --skip-dom0 --targets=kicksecure-17-minimal state.apply kicksecure-minimal.install
qubesctl state.apply kicksecure-minimal.prefs
```
<!-- pkg:end:post-install -->

### Kicksecure Developers Installation

If you want to help improve Kicksecure integration on Qubes, install packages
that are known to be broken on Qubes and can break the boot of the Kicksecure
Qube, to report bugs upstream (get a terminal with `qvm-console-dispvm`):
```sh
qubesctl --skip-dom0 --targets=kicksecure-17-minimal state.apply kicksecure-minimal.install-developers
```

Choose the `kernel` according to the `virt_mode` you want for the template:

- `hvm`:
```sh
qubesctl state.apply kicksecure-minimal.kernel-hvm
```

- `pvh`:
```sh
qubesctl state.apply kicksecure-minimal.kernel-pv
```

- Dom0 provided kernel (resets `virt_mode` to `pvh`):
```sh
qubesctl state.apply kicksecure-minimal.kernel-default
```

## Usage

AppVMs and StandaloneVMs can be based on this template.

### Kicksecure Developers Usage

This is intended for Kicksecure Developers to test known to be broken
hardening measures. It is not intended for other developers or users.

After you have ran the developers SaltFile, when reporting bugs upstream,
share the following information of the customizations made by this formula:

- `hardened-malloc`:
```
libhardened_malloc.so
```

- `hide-hardware-info`:
```
sysfs_whitelist=0
cpuionfo_whitelist=0
```

- `permission-hardener`:
```
whitelists_disable_all=true
```
doc: kicksecure missing minimal flavor 2024-01-14 02:52:24 -05:00			`# kicksecure-minimal`
feat: kicksecure minimal template 2024-01-12 11:22:58 -05:00
doc: kicksecure missing minimal flavor 2024-01-14 02:52:24 -05:00			`Kicksecure Minimal Template in Qubes OS.`
feat: kicksecure minimal template 2024-01-12 11:22:58 -05:00
			`## Table of Contents`

			`* [Description](#description)`
			`* [Installation](#installation)`
			`* [Usage](#usage)`

			`## Description`

doc: kicksecure missing minimal flavor 2024-01-14 02:52:24 -05:00			`Creates the Kicksecure Minimal template as well as a Disposable Template based`
			`on it.`
feat: kicksecure minimal template 2024-01-12 11:22:58 -05:00
			`## Installation`

			`- Top:`
			```sh
doc: kicksecure missing minimal flavor 2024-01-14 02:52:24 -05:00			`qubesctl top.enable kicksecure-minimal`
			`qubesctl --targets=kicksecure-17-minimal state.apply`
			`qubesctl top.disable kicksecure-minimal`
			`qubesctl state.apply kicksecure-minimal.prefs`
feat: kicksecure minimal template 2024-01-12 11:22:58 -05:00			```

			`- State:`
			`<!-- pkg:begin:post-install -->`
			```sh
doc: kicksecure missing minimal flavor 2024-01-14 02:52:24 -05:00			`qubesctl state.apply kicksecure-minimal.create`
			`qubesctl --skip-dom0 --targets=kicksecure-17-minimal state.apply kicksecure-minimal.install`
			`qubesctl state.apply kicksecure-minimal.prefs`
feat: kicksecure minimal template 2024-01-12 11:22:58 -05:00			```
			`<!-- pkg:end:post-install -->`

fix: vm kernel only applies to developers Fixes: https://github.com/ben-grande/qusal/issues/3 2024-02-03 14:58:28 -05:00			`### Kicksecure Developers Installation`

doc: kicksecure missing minimal flavor 2024-01-14 02:52:24 -05:00			`If you want to help improve Kicksecure integration on Qubes, install packages`
fix: less intrusive kicksecure default install - Do not remove sources.list; - Move broken packages to separate state; - Rename to developers state and explain it breaks boot; - Remove settings that are already the default; - Remove configuration that is deprecated and - Remove deprecated packages; Fixes: https://github.com/ben-grande/qusal/issues/4 Fixes: https://github.com/ben-grande/qusal/issues/5 Fixes: https://github.com/ben-grande/qusal/issues/6 Fixes: https://github.com/ben-grande/qusal/issues/7 Fixes: https://github.com/ben-grande/qusal/issues/9 Fixes: https://github.com/ben-grande/qusal/issues/11 Fixes: https://github.com/ben-grande/qusal/issues/13 2024-02-01 11:40:26 -05:00			`that are known to be broken on Qubes and can break the boot of the Kicksecure`
			Qube, to report bugs upstream (get a terminal with `qvm-console-dispvm`):
feat: kicksecure minimal template 2024-01-12 11:22:58 -05:00			```sh
fix: less intrusive kicksecure default install - Do not remove sources.list; - Move broken packages to separate state; - Rename to developers state and explain it breaks boot; - Remove settings that are already the default; - Remove configuration that is deprecated and - Remove deprecated packages; Fixes: https://github.com/ben-grande/qusal/issues/4 Fixes: https://github.com/ben-grande/qusal/issues/5 Fixes: https://github.com/ben-grande/qusal/issues/6 Fixes: https://github.com/ben-grande/qusal/issues/7 Fixes: https://github.com/ben-grande/qusal/issues/9 Fixes: https://github.com/ben-grande/qusal/issues/11 Fixes: https://github.com/ben-grande/qusal/issues/13 2024-02-01 11:40:26 -05:00			`qubesctl --skip-dom0 --targets=kicksecure-17-minimal state.apply kicksecure-minimal.install-developers`
feat: kicksecure minimal template 2024-01-12 11:22:58 -05:00			```

fix: vm kernel only applies to developers Fixes: https://github.com/ben-grande/qusal/issues/3 2024-02-03 14:58:28 -05:00			Choose the `kernel` according to the `virt_mode` you want for the template:

			- `hvm`:
			```sh
			`qubesctl state.apply kicksecure-minimal.kernel-hvm`
			```

			- `pvh`:
			```sh
			`qubesctl state.apply kicksecure-minimal.kernel-pv`
			```

			- Dom0 provided kernel (resets `virt_mode` to `pvh`):
			```sh
			`qubesctl state.apply kicksecure-minimal.kernel-default`
			```

feat: kicksecure minimal template 2024-01-12 11:22:58 -05:00			`## Usage`

			`AppVMs and StandaloneVMs can be based on this template.`
fix: move custom kicksecure settings to dev state Fixes: https://github.com/ben-grande/qusal/issues/12 Fixes: https://github.com/ben-grande/qusal/issues/14 Fixes: https://github.com/ben-grande/qusal/issues/15 2024-02-02 03:57:19 -05:00
fix: vm kernel only applies to developers Fixes: https://github.com/ben-grande/qusal/issues/3 2024-02-03 14:58:28 -05:00			`### Kicksecure Developers Usage`
fix: move custom kicksecure settings to dev state Fixes: https://github.com/ben-grande/qusal/issues/12 Fixes: https://github.com/ben-grande/qusal/issues/14 Fixes: https://github.com/ben-grande/qusal/issues/15 2024-02-02 03:57:19 -05:00
			`This is intended for Kicksecure Developers to test known to be broken`
			`hardening measures. It is not intended for other developers or users.`

			`After you have ran the developers SaltFile, when reporting bugs upstream,`
			`share the following information of the customizations made by this formula:`

			- `hardened-malloc`:
			```
			`libhardened_malloc.so`
			```

			- `hide-hardware-info`:
			```
			`sysfs_whitelist=0`
			`cpuionfo_whitelist=0`
			```

			- `permission-hardener`:
			```
			`whitelists_disable_all=true`
			```