qusal/salt/sys-usb/create.sls

{#
SPDX-FileCopyrightText: 2022 unman <unman@thirdeyesecurity.org>
SPDX-FileCopyrightText: 2023 - 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com>

SPDX-License-Identifier: AGPL-3.0-or-later
#}

{%- from "qvm/template.jinja" import load -%}

include:
  - .clone
  - qvm.hide-usb-from-dom0

"{{ slsdotpath }}-updated-dom0":
  pkg.uptodate:
    - refresh: True

"{{ slsdotpath }}-installed-dom0":
  pkg.installed:
    - refresh: True
    - install_recommends: False
    - skip_suggestions: True
    - pkgs:
      - qubes-input-proxy

{% load_yaml as defaults -%}
name: tpl-{{ slsdotpath }}
force: True
require:
- sls: {{ slsdotpath }}.clone
prefs:
- audiovm: ""
{%- endload %}
{{ load(defaults) }}

{% load_yaml as defaults -%}
name: dvm-{{ slsdotpath }}
force: True
require:
- sls: {{ slsdotpath }}.clone
present:
- template: tpl-{{ slsdotpath }}
- label: red
prefs:
- template: tpl-{{ slsdotpath }}
- label: red
- netvm: ""
- audiovm: ""
- memory: 400
- maxmem: 0
- vcpus: 1
- virt_mode: hvm
- template_for_dispvms: True
- include_in_backups: False
features:
- enable:
  - servicevm
  - appmenus-dispvm
- disable:
  - service.network-manager
  - service.cups
  - service.cups-browsed
  - service.meminfo-writer
  - service.qubes-updates-proxy
{%- endload %}
{{ load(defaults) }}

{% set usb_pcidevs = salt['grains.get']('pci_usb_devs', []) -%}
{% if usb_pcidevs == ['00:14.0', '00:1a.0', '00:1d.0'] -%}
  {% set usb_host_model = 'ThinkPad T430' -%}
  {% set usbs = ['disp-sys-usb', 'disp-sys-usb-dock', 'disp-sys-usb-left'] -%}
{% else -%}
  {% set usb_host_model = 'unknown' -%}
  {% set usbs = ['disp-sys-usb'] -%}
{% endif -%}

{#
TODO: salt jinja best practice
Map different usb controlles to different usb qubes.
Problems:
- Random name generator for qubes would be troublesome for the user
  to guess to which qube his usb controller is. Only mapped brands and
  models will work.
Questions:
- How to use jinja array to assign a qube per controller?
- How to assign UNCATEGORIZED to unregistered products?
#}
{#
{% set usb_pcidevs = {
    'ThinkPad T430': {
      'qubes': ['disp-sys-usb', 'disp-sys-usb-dock', 'disp-sys-usb-left'],
      'pcidevs': ['00:14.0', '00:1a.0', '00:1d.0'],
      'autostart': False,
    },
    'UNCATEGORIZED': {
      'qubes': ['disp-sys-usb'],
      'pcidevs': {{ usb_pcidevs }},
      'autostart': True,
    },
}.get(salt['smbios.get']('system-version') -%}

{% for usb in usb_pcidevs.qubes -%}
pcidevs: {{ usb_pcidevs.pcidevs|sequence|yaml }}
autostart: {{ usb_pcidevs.autostart|sequence|yaml }}
{% endfor -%}
#}

{% for usb in usbs -%}
{% load_yaml as defaults -%}
name: {{ usb }}
force: True
require:
- qvm: dvm-{{ slsdotpath }}
present:
- template: dvm-{{ slsdotpath }}
- label: red
- class: DispVM
prefs:
- template: dvm-{{ slsdotpath }}
- label: red
- netvm: ""
- audiovm: ""
- memory: 400
- maxmem: 0
- include_in_backups: False
- pci_strictreset: False
{% if usb_host_model == 'ThinkPad T430' -%}
- autostart: False
{% if usb == 'disp-sys-usb-left' -%}
- pcidevs: {{ [usb_pcidevs[0]]|yaml }}
{% elif usb == 'disp-sys-usb' -%}
- pcidevs: {{ [usb_pcidevs[1]]|yaml }}
{% elif usb == 'disp-sys-usb-dock' -%}
- pcidevs: {{ [usb_pcidevs[2]]|yaml }}
{% endif -%}
{% else -%}
- autostart: True
- pcidevs: {{ usb_pcidevs|yaml }}
{% endif -%}
features:
- enable:
  - servicevm
- disable:
  - service.network-manager
  - service.cups
  - service.cups-browsed
  - service.meminfo-writer
  - service.qubes-updates-proxy
tags:
- add:
  - usbvm
{%- endload %}
{{ load(defaults) }}
{% endfor -%}

{% from 'utils/macros/policy.sls' import policy_set with context -%}
{{ policy_set(sls_path, '80') }}
refactor: initial commit 2023-11-13 09:33:28 -05:00			`{#`
chore: Fix unman copyright contact 2023-11-13 13:18:06 -05:00			`SPDX-FileCopyrightText: 2022 unman <unman@thirdeyesecurity.org>`
chore: copyright update 2024-01-29 10:49:54 -05:00			`SPDX-FileCopyrightText: 2023 - 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com>`
refactor: initial commit 2023-11-13 09:33:28 -05:00
			`SPDX-License-Identifier: AGPL-3.0-or-later`
			`#}`

			`{%- from "qvm/template.jinja" import load -%}`

			`include:`
			`- .clone`
fix: sys-usb hide-usb-from-dom0 in keyboard state 2024-01-12 13:08:56 -05:00			`- qvm.hide-usb-from-dom0`

			`"{{ slsdotpath }}-updated-dom0":`
			`pkg.uptodate:`
			`- refresh: True`

			`"{{ slsdotpath }}-installed-dom0":`
			`pkg.installed:`
			`- refresh: True`
			`- install_recommends: False`
			`- skip_suggestions: True`
			`- pkgs:`
			`- qubes-input-proxy`
refactor: initial commit 2023-11-13 09:33:28 -05:00
feat: remove audiovm setting when unnecessary Decrease audio attack surface to qubes that will never need to use it. 2024-01-20 13:34:39 -05:00			`{% load_yaml as defaults -%}`
			`name: tpl-{{ slsdotpath }}`
			`force: True`
			`require:`
			`- sls: {{ slsdotpath }}.clone`
			`prefs:`
			`- audiovm: ""`
			`{%- endload %}`
			`{{ load(defaults) }}`

refactor: initial commit 2023-11-13 09:33:28 -05:00			`{% load_yaml as defaults -%}`
			`name: dvm-{{ slsdotpath }}`
			`force: True`
			`require:`
			`- sls: {{ slsdotpath }}.clone`
			`present:`
			`- template: tpl-{{ slsdotpath }}`
			`- label: red`
			`prefs:`
			`- template: tpl-{{ slsdotpath }}`
			`- label: red`
			`- netvm: ""`
feat: remove audiovm setting when unnecessary Decrease audio attack surface to qubes that will never need to use it. 2024-01-20 13:34:39 -05:00			`- audiovm: ""`
refactor: initial commit 2023-11-13 09:33:28 -05:00			`- memory: 400`
			`- maxmem: 0`
			`- vcpus: 1`
			`- virt_mode: hvm`
			`- template_for_dispvms: True`
			`- include_in_backups: False`
			`features:`
			`- enable:`
			`- servicevm`
			`- appmenus-dispvm`
			`- disable:`
			`- service.network-manager`
			`- service.cups`
			`- service.cups-browsed`
			`- service.meminfo-writer`
			`- service.qubes-updates-proxy`
			`{%- endload %}`
			`{{ load(defaults) }}`

			`{% set usb_pcidevs = salt['grains.get']('pci_usb_devs', []) -%}`
			`{% if usb_pcidevs == ['00:14.0', '00:1a.0', '00:1d.0'] -%}`
			`{% set usb_host_model = 'ThinkPad T430' -%}`
fix: sys-usb disposables must have name prefix 2024-01-12 12:21:35 -05:00			`{% set usbs = ['disp-sys-usb', 'disp-sys-usb-dock', 'disp-sys-usb-left'] -%}`
refactor: initial commit 2023-11-13 09:33:28 -05:00			`{% else -%}`
			`{% set usb_host_model = 'unknown' -%}`
fix: sys-usb disposables must have name prefix 2024-01-12 12:21:35 -05:00			`{% set usbs = ['disp-sys-usb'] -%}`
refactor: initial commit 2023-11-13 09:33:28 -05:00			`{% endif -%}`

			`{#`
			`TODO: salt jinja best practice`
			`Map different usb controlles to different usb qubes.`
			`Problems:`
			`- Random name generator for qubes would be troublesome for the user`
			`to guess to which qube his usb controller is. Only mapped brands and`
			`models will work.`
			`Questions:`
			`- How to use jinja array to assign a qube per controller?`
			`- How to assign UNCATEGORIZED to unregistered products?`
			`#}`
			`{#`
			`{% set usb_pcidevs = {`
			`'ThinkPad T430': {`
fix: sys-usb disposables must have name prefix 2024-01-12 12:21:35 -05:00			`'qubes': ['disp-sys-usb', 'disp-sys-usb-dock', 'disp-sys-usb-left'],`
refactor: initial commit 2023-11-13 09:33:28 -05:00			`'pcidevs': ['00:14.0', '00:1a.0', '00:1d.0'],`
			`'autostart': False,`
			`},`
			`'UNCATEGORIZED': {`
fix: sys-usb disposables must have name prefix 2024-01-12 12:21:35 -05:00			`'qubes': ['disp-sys-usb'],`
refactor: initial commit 2023-11-13 09:33:28 -05:00			`'pcidevs': {{ usb_pcidevs }},`
			`'autostart': True,`
			`},`
			`}.get(salt['smbios.get']('system-version') -%}`

			`{% for usb in usb_pcidevs.qubes -%}`
			`pcidevs: {{ usb_pcidevs.pcidevs\|sequence\|yaml }}`
			`autostart: {{ usb_pcidevs.autostart\|sequence\|yaml }}`
			`{% endfor -%}`
			`#}`

			`{% for usb in usbs -%}`
			`{% load_yaml as defaults -%}`
			`name: {{ usb }}`
			`force: True`
			`require:`
			`- qvm: dvm-{{ slsdotpath }}`
			`present:`
			`- template: dvm-{{ slsdotpath }}`
			`- label: red`
			`- class: DispVM`
			`prefs:`
			`- template: dvm-{{ slsdotpath }}`
			`- label: red`
			`- netvm: ""`
feat: remove audiovm setting when unnecessary Decrease audio attack surface to qubes that will never need to use it. 2024-01-20 13:34:39 -05:00			`- audiovm: ""`
refactor: initial commit 2023-11-13 09:33:28 -05:00			`- memory: 400`
			`- maxmem: 0`
			`- include_in_backups: False`
			`- pci_strictreset: False`
			`{% if usb_host_model == 'ThinkPad T430' -%}`
			`- autostart: False`
fix: sys-usb disposables must have name prefix 2024-01-12 12:21:35 -05:00			`{% if usb == 'disp-sys-usb-left' -%}`
refactor: initial commit 2023-11-13 09:33:28 -05:00			`- pcidevs: {{ [usb_pcidevs[0]]\|yaml }}`
fix: sys-usb disposables must have name prefix 2024-01-12 12:21:35 -05:00			`{% elif usb == 'disp-sys-usb' -%}`
refactor: initial commit 2023-11-13 09:33:28 -05:00			`- pcidevs: {{ [usb_pcidevs[1]]\|yaml }}`
fix: sys-usb disposables must have name prefix 2024-01-12 12:21:35 -05:00			`{% elif usb == 'disp-sys-usb-dock' -%}`
refactor: initial commit 2023-11-13 09:33:28 -05:00			`- pcidevs: {{ [usb_pcidevs[2]]\|yaml }}`
			`{% endif -%}`
			`{% else -%}`
			`- autostart: True`
			`- pcidevs: {{ usb_pcidevs\|yaml }}`
			`{% endif -%}`
			`features:`
			`- enable:`
			`- servicevm`
			`- disable:`
			`- service.network-manager`
			`- service.cups`
			`- service.cups-browsed`
			`- service.meminfo-writer`
			`- service.qubes-updates-proxy`
feat: policy support for multiple sys-usb qubes 2024-01-09 12:44:50 -05:00			`tags:`
			`- add:`
			`- usbvm`
refactor: initial commit 2023-11-13 09:33:28 -05:00			`{%- endload %}`
			`{{ load(defaults) }}`
			`{% endfor -%}`
feat: policy support for multiple sys-usb qubes 2024-01-09 12:44:50 -05:00
			`{% from 'utils/macros/policy.sls' import policy_set with context -%}`
			`{{ policy_set(sls_path, '80') }}`