fix: vm kernel only applies to developers

Fixes: https://github.com/ben-grande/qusal/issues/3

salt/kicksecure-minimal/README.md

@@ -32,6 +32,8 @@ qubesctl state.apply kicksecure-minimal.prefs
 ```
 <!-- pkg:end:post-install -->
 
+### Kicksecure Developers Installation
+
 If you want to help improve Kicksecure integration on Qubes, install packages
 that are known to be broken on Qubes and can break the boot of the Kicksecure
 Qube, to report bugs upstream (get a terminal with `qvm-console-dispvm`):
@@ -39,11 +41,28 @@ Qube, to report bugs upstream (get a terminal with `qvm-console-dispvm`):
 qubesctl --skip-dom0 --targets=kicksecure-17-minimal state.apply kicksecure-minimal.install-developers
 ```
 
+Choose the `kernel` according to the `virt_mode` you want for the template:
+
+- `hvm`:
+```sh
+qubesctl state.apply kicksecure-minimal.kernel-hvm
+```
+
+- `pvh`:
+```sh
+qubesctl state.apply kicksecure-minimal.kernel-pv
+```
+
+- Dom0 provided kernel (resets `virt_mode` to `pvh`):
+```sh
+qubesctl state.apply kicksecure-minimal.kernel-default
+```
+
 ## Usage
 
 AppVMs and StandaloneVMs can be based on this template.
 
-### Kicksecure Developers
+### Kicksecure Developers Usage
 
 This is intended for Kicksecure Developers to test known to be broken
 hardening measures. It is not intended for other developers or users.

salt/kicksecure-minimal/create.sls

@@ -11,18 +11,6 @@ SPDX-License-Identifier: AGPL-3.0-or-later
 include:
   - .clone
 
-"{{ slsdotpath }}-updated":
-  pkg.uptodate:
-    - refresh: True
-
-"{{ slsdotpath }}-installed":
-  pkg.installed:
-    - refresh: True
-    - install_recommends: False
-    - skip_suggestions: True
-    - pkgs:
-      - grub2-xen-pvh
-
 {% load_yaml as defaults -%}
 name: {{ template.template }}
 force: True

salt/kicksecure-minimal/install-developers.sls

@@ -3,7 +3,14 @@ SPDX-FileCopyrightText: 2023 - 2024 Benjamin Grande M. S. <ben.grande.b@gmail.co
 
 SPDX-License-Identifier: AGPL-3.0-or-later
 
-Most likely the GUI agent will break, use qvm-console-dispvm to get a terminal.
+The GUI agent will break, use qvm-console-dispvm to get a terminal.
+
+https://www.kicksecure.com/wiki/Security-misc
+https://www.kicksecure.com/wiki/Hardened-kernel
+https://www.kicksecure.com/wiki/Hardened_Malloc
+https://www.kicksecure.com/wiki/Operating_System_Hardening
+https://www.kicksecure.com/wiki/Linux_Kernel_Runtime_Guard_LKRG
+https://www.qubes-os.org/doc/managing-vm-kernels/#distribution-kernel
 #}
 
 {% if grains['nodename'] != 'dom0' -%}
@@ -21,6 +28,10 @@ include:
     - install_recommends: False
     - skip_suggestions: True
     - pkgs:
+      - qubes-kernel-vm-support
+      - linux-image-amd64
+      - linux-headers-amd64
+      - grub2
       - lkrg
       - tirdad
 
@@ -92,4 +103,11 @@ include:
     - name: update-grub
     - runas: root
 
+"{{ slsdotpath }}-distribution-kernel":
+  cmd.run:
+    - require:
+      - pkg: "{{ slsdotpath }}-installed"
+    - name: grub-install /dev/xvda
+    - runas: root
+
 {% endif %}

salt/kicksecure-minimal/install.sls

@@ -4,12 +4,6 @@ SPDX-FileCopyrightText: 2023 - 2024 Benjamin Grande M. S. <ben.grande.b@gmail.co
 SPDX-License-Identifier: AGPL-3.0-or-later
 
 https://www.kicksecure.com/wiki/Debian
-https://www.kicksecure.com/wiki/Security-misc
-https://www.kicksecure.com/wiki/Hardened-kernel
-https://www.kicksecure.com/wiki/Hardened_Malloc
-https://www.kicksecure.com/wiki/Operating_System_Hardening
-https://www.kicksecure.com/wiki/Linux_Kernel_Runtime_Guard_LKRG
-https://www.qubes-os.org/doc/managing-vm-kernels/#distribution-kernel
 #}
 
 {% if grains['nodename'] != 'dom0' -%}
@@ -30,10 +24,6 @@ include:
     - skip_suggestions: True
     - pkgs:
       - kicksecure-qubes-cli
-      - linux-image-amd64
-      - linux-headers-amd64
-      - grub2
-      - qubes-kernel-vm-support
 
 "{{ slsdotpath }}-remove-debian-default-sources.list":
   file.comment:
@@ -43,11 +33,4 @@ include:
     - regex: "^\s*deb"
     - ignore_missing: True
 
-"{{ slsdotpath }}-distribution-kernel":
-  cmd.run:
-    - require:
-      - pkg: "{{ slsdotpath }}-installed"
-    - name: grub-install /dev/xvda
-    - runas: root
-
 {% endif %}

salt/kicksecure-minimal/kernel-default.sls

@@ -0,0 +1,23 @@
+{#
+SPDX-FileCopyrightText: 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+
+SPDX-License-Identifier: AGPL-3.0-or-later
+#}
+
+{%- from "qvm/template.jinja" import load -%}
+
+{%- import slsdotpath ~ "/template.jinja" as template -%}
+
+include:
+  - .clone
+
+{% load_yaml as defaults -%}
+name: {{ template.template }}
+force: True
+require:
+- sls: {{ slsdotpath }}.clone
+prefs:
+- virt_mode: pvh
+- kernel: "*default*"
+{%- endload %}
+{{ load(defaults) }}

salt/kicksecure-minimal/kernel-default.top

@@ -0,0 +1,10 @@
+{#
+SPDX-FileCopyrightText: 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+
+SPDX-License-Identifier: AGPL-3.0-or-later
+#}
+
+base:
+  'dom0':
+    - match: nodegroup
+    - kicksecure-minimal.kernel-default

salt/kicksecure-minimal/kernel-hvm.sls

@@ -0,0 +1,23 @@
+{#
+SPDX-FileCopyrightText: 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+
+SPDX-License-Identifier: AGPL-3.0-or-later
+#}
+
+{%- from "qvm/template.jinja" import load -%}
+
+{%- import slsdotpath ~ "/template.jinja" as template -%}
+
+include:
+  - .clone
+
+{% load_yaml as defaults -%}
+name: {{ template.template }}
+force: True
+require:
+- sls: {{ slsdotpath }}.clone
+prefs:
+- virt_mode: hvm
+- kernel: ""
+{%- endload %}
+{{ load(defaults) }}

salt/kicksecure-minimal/kernel-hvm.top

@@ -0,0 +1,10 @@
+{#
+SPDX-FileCopyrightText: 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+
+SPDX-License-Identifier: AGPL-3.0-or-later
+#}
+
+base:
+  'dom0':
+    - match: nodegroup
+    - kicksecure-minimal.kernel-hvm

salt/kicksecure-minimal/kernel-pv.sls

@@ -0,0 +1,35 @@
+{#
+SPDX-FileCopyrightText: 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+
+SPDX-License-Identifier: AGPL-3.0-or-later
+#}
+
+{%- from "qvm/template.jinja" import load -%}
+
+{%- import slsdotpath ~ "/template.jinja" as template -%}
+
+include:
+  - .clone
+
+"{{ slsdotpath }}-updated":
+  pkg.uptodate:
+    - refresh: True
+
+"{{ slsdotpath }}-installed":
+  pkg.installed:
+    - refresh: True
+    - install_recommends: False
+    - skip_suggestions: True
+    - pkgs:
+      - grub2-xen-pvh
+
+{% load_yaml as defaults -%}
+name: {{ template.template }}
+force: True
+require:
+- sls: {{ slsdotpath }}.clone
+prefs:
+- virt_mode: pv
+- kernel: pvgrub2-pvh
+{%- endload %}
+{{ load(defaults) }}

salt/kicksecure-minimal/kernel-pv.top

@@ -0,0 +1,10 @@
+{#
+SPDX-FileCopyrightText: 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+
+SPDX-License-Identifier: AGPL-3.0-or-later
+#}
+
+base:
+  'dom0':
+    - match: nodegroup
+    - kicksecure-minimal.kernel-pv