fix: vm kernel only applies to developers

Fixes: https://github.com/ben-grande/qusal/issues/3
2024-10-01 02:35:49 -04:00 · 2024-02-03 20:58:28 +01:00 · 2024-02-03 20:58:28 +01:00 · 56ecc25352
commit 56ecc25352
parent 8f076d2441
10 changed files with 150 additions and 31 deletions
--- a/salt/kicksecure-minimal/README.md
+++ b/salt/kicksecure-minimal/README.md
@ -32,6 +32,8 @@ qubesctl state.apply kicksecure-minimal.prefs
 ```
 <!-- pkg:end:post-install -->

+### Kicksecure Developers Installation
+
 If you want to help improve Kicksecure integration on Qubes, install packages
 that are known to be broken on Qubes and can break the boot of the Kicksecure
 Qube, to report bugs upstream (get a terminal with `qvm-console-dispvm`):
@ -39,11 +41,28 @@ Qube, to report bugs upstream (get a terminal with `qvm-console-dispvm`):
 qubesctl --skip-dom0 --targets=kicksecure-17-minimal state.apply kicksecure-minimal.install-developers
 ```

+Choose the `kernel` according to the `virt_mode` you want for the template:
+
+- `hvm`:
+```sh
+qubesctl state.apply kicksecure-minimal.kernel-hvm
+```
+
+- `pvh`:
+```sh
+qubesctl state.apply kicksecure-minimal.kernel-pv
+```
+
+- Dom0 provided kernel (resets `virt_mode` to `pvh`):
+```sh
+qubesctl state.apply kicksecure-minimal.kernel-default
+```
+
 ## Usage

 AppVMs and StandaloneVMs can be based on this template.

-### Kicksecure Developers
+### Kicksecure Developers Usage

 This is intended for Kicksecure Developers to test known to be broken
 hardening measures. It is not intended for other developers or users.
--- a/salt/kicksecure-minimal/create.sls
+++ b/salt/kicksecure-minimal/create.sls
@ -11,18 +11,6 @@ SPDX-License-Identifier: AGPL-3.0-or-later
 include:
  - .clone

-"{{ slsdotpath }}-updated":
-  pkg.uptodate:
-    - refresh: True
-
-"{{ slsdotpath }}-installed":
-  pkg.installed:
-    - refresh: True
-    - install_recommends: False
-    - skip_suggestions: True
-    - pkgs:
-      - grub2-xen-pvh
-
 {% load_yaml as defaults -%}
 name: {{ template.template }}
 force: True
--- a/salt/kicksecure-minimal/install-developers.sls
+++ b/salt/kicksecure-minimal/install-developers.sls
@ -3,7 +3,14 @@ SPDX-FileCopyrightText: 2023 - 2024 Benjamin Grande M. S. <ben.grande.b@gmail.co

 SPDX-License-Identifier: AGPL-3.0-or-later

-Most likely the GUI agent will break, use qvm-console-dispvm to get a terminal.
+The GUI agent will break, use qvm-console-dispvm to get a terminal.
+
+https://www.kicksecure.com/wiki/Security-misc
+https://www.kicksecure.com/wiki/Hardened-kernel
+https://www.kicksecure.com/wiki/Hardened_Malloc
+https://www.kicksecure.com/wiki/Operating_System_Hardening
+https://www.kicksecure.com/wiki/Linux_Kernel_Runtime_Guard_LKRG
+https://www.qubes-os.org/doc/managing-vm-kernels/#distribution-kernel
 #}

 {% if grains['nodename'] != 'dom0' -%}
@ -21,6 +28,10 @@ include:
    - install_recommends: False
    - skip_suggestions: True
    - pkgs:
+      - qubes-kernel-vm-support
+      - linux-image-amd64
+      - linux-headers-amd64
+      - grub2
      - lkrg
      - tirdad

@ -92,4 +103,11 @@ include:
    - name: update-grub
    - runas: root

+"{{ slsdotpath }}-distribution-kernel":
+  cmd.run:
+    - require:
+      - pkg: "{{ slsdotpath }}-installed"
+    - name: grub-install /dev/xvda
+    - runas: root
+
 {% endif %}
--- a/salt/kicksecure-minimal/install.sls
+++ b/salt/kicksecure-minimal/install.sls
@ -4,12 +4,6 @@ SPDX-FileCopyrightText: 2023 - 2024 Benjamin Grande M. S. <ben.grande.b@gmail.co
 SPDX-License-Identifier: AGPL-3.0-or-later

 https://www.kicksecure.com/wiki/Debian
-https://www.kicksecure.com/wiki/Security-misc
-https://www.kicksecure.com/wiki/Hardened-kernel
-https://www.kicksecure.com/wiki/Hardened_Malloc
-https://www.kicksecure.com/wiki/Operating_System_Hardening
-https://www.kicksecure.com/wiki/Linux_Kernel_Runtime_Guard_LKRG
-https://www.qubes-os.org/doc/managing-vm-kernels/#distribution-kernel
 #}

 {% if grains['nodename'] != 'dom0' -%}
@ -30,10 +24,6 @@ include:
    - skip_suggestions: True
    - pkgs:
      - kicksecure-qubes-cli
-      - linux-image-amd64
-      - linux-headers-amd64
-      - grub2
-      - qubes-kernel-vm-support

 "{{ slsdotpath }}-remove-debian-default-sources.list":
  file.comment:
@ -43,11 +33,4 @@ include:
    - regex: "^\s*deb"
    - ignore_missing: True

-"{{ slsdotpath }}-distribution-kernel":
-  cmd.run:
-    - require:
-      - pkg: "{{ slsdotpath }}-installed"
-    - name: grub-install /dev/xvda
-    - runas: root
-
 {% endif %}
--- a/salt/kicksecure-minimal/kernel-default.sls
+++ b/salt/kicksecure-minimal/kernel-default.sls
@ -0,0 +1,23 @@
+{#
+SPDX-FileCopyrightText: 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+
+SPDX-License-Identifier: AGPL-3.0-or-later
+#}
+
+{%- from "qvm/template.jinja" import load -%}
+
+{%- import slsdotpath ~ "/template.jinja" as template -%}
+
+include:
+  - .clone
+
+{% load_yaml as defaults -%}
+name: {{ template.template }}
+force: True
+require:
+- sls: {{ slsdotpath }}.clone
+prefs:
+- virt_mode: pvh
+- kernel: "*default*"
+{%- endload %}
+{{ load(defaults) }}
--- a/salt/kicksecure-minimal/kernel-default.top
+++ b/salt/kicksecure-minimal/kernel-default.top
@ -0,0 +1,10 @@
+{#
+SPDX-FileCopyrightText: 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+
+SPDX-License-Identifier: AGPL-3.0-or-later
+#}
+
+base:
+  'dom0':
+    - match: nodegroup
+    - kicksecure-minimal.kernel-default
--- a/salt/kicksecure-minimal/kernel-hvm.sls
+++ b/salt/kicksecure-minimal/kernel-hvm.sls
@ -0,0 +1,23 @@
+{#
+SPDX-FileCopyrightText: 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+
+SPDX-License-Identifier: AGPL-3.0-or-later
+#}
+
+{%- from "qvm/template.jinja" import load -%}
+
+{%- import slsdotpath ~ "/template.jinja" as template -%}
+
+include:
+  - .clone
+
+{% load_yaml as defaults -%}
+name: {{ template.template }}
+force: True
+require:
+- sls: {{ slsdotpath }}.clone
+prefs:
+- virt_mode: hvm
+- kernel: ""
+{%- endload %}
+{{ load(defaults) }}
--- a/salt/kicksecure-minimal/kernel-hvm.top
+++ b/salt/kicksecure-minimal/kernel-hvm.top
@ -0,0 +1,10 @@
+{#
+SPDX-FileCopyrightText: 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+
+SPDX-License-Identifier: AGPL-3.0-or-later
+#}
+
+base:
+  'dom0':
+    - match: nodegroup
+    - kicksecure-minimal.kernel-hvm
--- a/salt/kicksecure-minimal/kernel-pv.sls
+++ b/salt/kicksecure-minimal/kernel-pv.sls
@ -0,0 +1,35 @@
+{#
+SPDX-FileCopyrightText: 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+
+SPDX-License-Identifier: AGPL-3.0-or-later
+#}
+
+{%- from "qvm/template.jinja" import load -%}
+
+{%- import slsdotpath ~ "/template.jinja" as template -%}
+
+include:
+  - .clone
+
+"{{ slsdotpath }}-updated":
+  pkg.uptodate:
+    - refresh: True
+
+"{{ slsdotpath }}-installed":
+  pkg.installed:
+    - refresh: True
+    - install_recommends: False
+    - skip_suggestions: True
+    - pkgs:
+      - grub2-xen-pvh
+
+{% load_yaml as defaults -%}
+name: {{ template.template }}
+force: True
+require:
+- sls: {{ slsdotpath }}.clone
+prefs:
+- virt_mode: pv
+- kernel: pvgrub2-pvh
+{%- endload %}
+{{ load(defaults) }}
--- a/salt/kicksecure-minimal/kernel-pv.top
+++ b/salt/kicksecure-minimal/kernel-pv.top
@ -0,0 +1,10 @@
+{#
+SPDX-FileCopyrightText: 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+
+SPDX-License-Identifier: AGPL-3.0-or-later
+#}
+
+base:
+  'dom0':
+    - match: nodegroup
+    - kicksecure-minimal.kernel-pv