feat: kicksecure minimal template

.reuse/dep5

@@ -30,6 +30,10 @@ Copyright: The Qubes OS Project <https://www.qubes-os.org>
            Simon Gaiser <simon@invisiblethingslab.com>
 License: CC0-1.0
 
+Files: salt/kicksecure-minimal/files/template/ld.so.preload
+Copyright: 2014 Patrick Schleizer <adrelanos@kicksecure.com>
+License: CC0-1.0
+
 Files: salt/ansible/files/repo/*
 Copyright: 2014 Ansible, Inc. <https://ansible.com>
 License: CC0-1.0
@@ -42,6 +46,10 @@ Files: salt/docker/files/repo/*
 Copyright: 2017 Docker Inc. <docker@docker.com>
 License: CC0-1.0
 
+Files: salt/kicksecure-minimal/files/repo/*
+Copyright: 2014 Patrick Schleizer <adrelanos@kicksecure.com>
+License: CC0-1.0
+
 Files: salt/signal/files/repo/*
 Copyright: 2017 Open Whisper Systems <support@whispersystems.org>
 License: CC0-1.0

salt/kicksecure-minimal/README.md

@@ -0,0 +1,43 @@
+# kicksecure
+
+Kicksecure Template in Qubes OS.
+
+## Table of Contents
+
+* [Description](#description)
+* [Installation](#installation)
+* [Usage](#usage)
+
+## Description
+
+Creates the Kicksecure template as well as a Disposable Template based on it.
+
+## Installation
+
+- Top:
+```sh
+qubesctl top.enable kicksecure
+qubesctl --targets=kicksecure-17 state.apply
+qubesctl top.disable kicksecure
+qubesctl state.apply kicksecure.prefs
+```
+
+- State:
+<!-- pkg:begin:post-install -->
+```sh
+qubesctl state.apply kicksecure.create
+qubesctl --skip-dom0 --targets=kicksecure-17 state.apply kicksecure.install
+qubesctl state.apply kicksecure.prefs
+```
+<!-- pkg:end:post-install -->
+
+If you want to help improve Kicksecure on Qubes, install packages that are
+known to be broken on Qubes and report bugs upstream (get a terminal with
+qvm-console-dispvm):
+```sh
+qubesctl --skip-dom0 --targets=kicksecure-17 state.apply kicksecure.install-testing
+```
+
+## Usage
+
+AppVMs and StandaloneVMs can be based on this template.

salt/kicksecure-minimal/clone.sls

@@ -0,0 +1,10 @@
+{#
+SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+
+SPDX-License-Identifier: AGPL-3.0-or-later
+#}
+
+{%- import slsdotpath ~ "/template.jinja" as template -%}
+
+{% from 'utils/macros/clone-template.sls' import clone_template -%}
+{{ clone_template('debian-minimal', template.template, 'noprefix') }}

salt/kicksecure-minimal/clone.top

@@ -0,0 +1,10 @@
+{#
+SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+
+SPDX-License-Identifier: AGPL-3.0-or-later
+#}
+
+base:
+  'dom0':
+    - match: nodegroup
+    - kicksecure-minimal.clone

salt/kicksecure-minimal/create.sls

@@ -0,0 +1,71 @@
+{#
+SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+
+SPDX-License-Identifier: AGPL-3.0-or-later
+#}
+
+{%- from "qvm/template.jinja" import load -%}
+
+{%- import slsdotpath ~ "/template.jinja" as template -%}
+
+include:
+  - .clone
+
+"{{ slsdotpath }}-updated":
+  pkg.uptodate:
+    - refresh: True
+
+"{{ slsdotpath }}-installed":
+  pkg.installed:
+    - refresh: True
+    - install_recommends: False
+    - skip_suggestions: True
+    - pkgs:
+      - grub2-xen-pvh
+
+{% load_yaml as defaults -%}
+name: dvm-{{ template.template_clean }}
+force: True
+require:
+- sls: {{ template.template_clean }}.clone
+present:
+- template: {{ template.template }}
+- label: red
+prefs:
+- template: {{ template.template }}
+- label: red
+- memory: 300
+- maxmem: 600
+- vcpus: 1
+- template_for_dispvms: True
+- include_in_backups: False
+features:
+- enable:
+  - appmenus-dispvm
+- set:
+  - menu-items: "qubes-open-file-manager.desktop qubes-run-terminal.desktop qubes-start.desktop"
+tags:
+- add:
+  - updatevm-sys-cacher
+{%- endload %}
+{{ load(defaults) }}
+
+{% load_yaml as defaults -%}
+name: {{ template.template }}
+force: True
+require:
+- sls: {{ slsdotpath }}.clone
+present:
+- label: black
+prefs:
+- label: black
+- memory: 300
+- maxmem: 600
+- vcpus: 2
+- include_in_backups: False
+features:
+- set:
+  - menu-items: "qubes-open-file-manager.desktop qubes-run-terminal.desktop qubes-start.desktop"
+  - default-menu-items: "qubes-open-file-manager.desktop qubes-run-terminal.desktop qubes-start.desktop"
+{%- endload %}
+{{ load(defaults) }}

salt/kicksecure-minimal/create.top

@@ -0,0 +1,10 @@
+{#
+SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+
+SPDX-License-Identifier: AGPL-3.0-or-later
+#}
+
+base:
+  'dom0':
+    - match: nodegroup
+    - kicksecure-minimal.create

salt/kicksecure-minimal/files/repo/derivative.sources

@@ -0,0 +1,6 @@
+Types: deb
+URIs: http://deb.kicksecure.com
+Suites: bookworm
+Components: main contrib non-free
+Signed-by: /usr/share/keyrings/derivative.asc
+# vim:ft=debsources

salt/kicksecure-minimal/files/template/grub.d/40_qusal.cfg

@@ -0,0 +1,10 @@
+# SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+# Values for the parameter "remountsecure"
+# 0: disable remount secure
+# 1: remount with nodev and nosuid
+# 2: remount with nodev, nosuid and noexec for most mount points excluding /home
+# 3: remount with nodev, nosuid, noexec for all mount points including /home
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX remountsecure=3"

salt/kicksecure-minimal/files/template/hide-hardware-info.d/40_qusal.conf

@@ -0,0 +1,9 @@
+# vim: ft=sh
+# shellcheck disable=SC2034
+
+# SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+sysfs_whitelist=0
+cpuionfo_whitelist=0

salt/kicksecure-minimal/files/template/ld.so.preload

@@ -0,0 +1 @@
+libhardened_malloc.so

salt/kicksecure-minimal/files/template/permission-hardener.d/40_qusal.conf

@@ -0,0 +1,8 @@
+# vim: ft=sh
+# shellcheck disable=SC2034
+
+# SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+whitelists_disable_all=true

salt/kicksecure-minimal/init.top

@@ -0,0 +1,13 @@
+{#
+SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+
+SPDX-License-Identifier: AGPL-3.0-or-later
+#}
+
+base:
+  'dom0':
+    - match: nodegroup
+    - kicksecure-minimal.create
+  'I@qubes:type:template and E@^kicksecure-[0-9][0-9]-minimal$':
+    - match: compound
+    - kicksecure-minimal.install

salt/kicksecure-minimal/install-repo.sls

@@ -0,0 +1,12 @@
+{#
+SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+
+SPDX-License-Identifier: AGPL-3.0-or-later
+#}
+
+{% if grains['nodename'] != 'dom0' -%}
+
+{% from 'utils/macros/install-repo.sls' import install_repo -%}
+{{ install_repo(sls_path, 'derivative') }}
+
+{% endif -%}

salt/kicksecure-minimal/install-repo.top

@@ -0,0 +1,10 @@
+{#
+SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+
+SPDX-License-Identifier: AGPL-3.0-or-later
+#}
+
+base:
+  'I@qubes:type:template and E@^kicksecure-[0-9][0-9]-minimal$':
+    - match: compound
+    - kicksecure-minimal.install-repo

salt/kicksecure-minimal/install-testing.sls

@@ -0,0 +1,71 @@
+{#
+SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+
+SPDX-License-Identifier: AGPL-3.0-or-later
+
+Most likely the GUI agent will break, use qvm-console-dispvm to get a terminal.
+#}
+
+{% if grains['nodename'] != 'dom0' -%}
+
+include:
+  - kicksecure-minimal.install
+
+## Breaks systemd service qubes-gui-agent
+"{{ slsdotpath }}-proc-hidepid-enabled":
+  service.enabled:
+    - require:
+      - pkg: "{{ slsdotpath }}-installed"
+    - name: proc-hidepid
+
+## Breaks systemd services xen and systemd-binfmt
+"{{ slsdotpath }}-harden-module-loading-enabled":
+  service.enabled:
+    - require:
+      - pkg: "{{ slsdotpath }}-installed"
+    - name: harden-module-loading
+
+## Breaks systemd services qubes-gui-agent and user@1000
+"{{ slsdotpath }}-hide-hardware-info-enabled":
+  service.enabled:
+    - require:
+      - pkg: "{{ slsdotpath }}-installed"
+    - name: hide-hardware-info
+
+"{{ slsdotpath }}-hide-hardware-info-conf":
+  file.managed:
+    - require:
+      - service: "{{ slsdotpath }}-hide-hardware-info-enabled"
+    - name: /etc/hide-hardware-info.d/40_qusal.conf
+    - source: salt://{{ slsdotpath }}/files/template/hide-hardware-info.d/40_qusal.conf
+    - mode: '0600'
+    - user: root
+    - group: root
+    - makedirs: True
+
+## Service ExecStart command-line not reading grub option
+"{{ slsdotpath }}-remount-secure-enabled":
+  service.enabled:
+    - require:
+      - pkg: "{{ slsdotpath }}-installed"
+    - name: remount-secure
+
+"{{ slsdotpath }}-remount-secure-grub-cfg":
+  file.managed:
+    - require:
+      - service: "{{ slsdotpath }}-remount-secure-enabled"
+    - name: /etc/default/grub.d/40_qusal.cfg
+    - source: salt://{{ slsdotpath }}/files/template/grub.d/40_qusal.cfg
+    - mode: '0600'
+    - user: root
+    - group: root
+    - makedirs: True
+
+"{{ slsdotpath }}-update-grub":
+  cmd.run:
+    - require:
+      - file: "{{ slsdotpath }}-remount-secure-grub-cfg"
+    - name: update-grub
+    - runas: root
+
+{% endif %}

salt/kicksecure-minimal/install-testing.top

@@ -0,0 +1,10 @@
+{#
+SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+
+SPDX-License-Identifier: AGPL-3.0-or-later
+#}
+
+base:
+  'I@qubes:type:template and E@^kicksecure-[0-9][0-9]-minimal$':
+    - match: compound
+    - kicksecure-minimal.install-testing

salt/kicksecure-minimal/install.sls

@@ -0,0 +1,83 @@
+{#
+SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+
+SPDX-License-Identifier: AGPL-3.0-or-later
+
+https://www.kicksecure.com/wiki/Debian
+https://www.kicksecure.com/wiki/Security-misc
+https://www.kicksecure.com/wiki/Hardened-kernel
+https://www.kicksecure.com/wiki/Hardened_Malloc
+https://www.kicksecure.com/wiki/Operating_System_Hardening
+https://www.kicksecure.com/wiki/Linux_Kernel_Runtime_Guard_LKRG
+https://www.qubes-os.org/doc/managing-vm-kernels/#distribution-kernel
+#}
+
+{% if grains['nodename'] != 'dom0' -%}
+
+include:
+  - kicksecure-minimal.install-repo
+  - sys-cacher.install-client
+  - utils.tools.zsh
+
+"{{ slsdotpath }}-updated":
+  pkg.uptodate:
+    - refresh: True
+
+"{{ slsdotpath }}-installed":
+  pkg.installed:
+    - refresh: True
+    - install_recommends: False
+    - skip_suggestions: True
+    - pkgs:
+      - kicksecure-qubes-cli
+      - lkrg-dkms
+      - hardened-kernel
+      - tirdad
+      - linux-image-amd64
+      - linux-headers-amd64
+      - grub2
+      - qubes-kernel-vm-support
+
+"{{ slsdotpath }}-remove-debian-default-sources.list":
+  file.absent:
+    - require:
+      - pkg: "{{ slsdotpath }}-installed"
+    - name: /etc/apt/sources.list
+
+"{{ slsdotpath }}-permission-hardener-enabled":
+  service.enabled:
+    - require:
+      - pkg: "{{ slsdotpath }}-installed"
+    - name: permission-hardening
+    #- name: permission-hardener
+
+"{{ slsdotpath }}-permission-hardener-conf":
+  file.managed:
+    - require:
+      - service: "{{ slsdotpath }}-permission-hardener-enabled"
+    - name: /etc/permission-hardener.d/40_qusal.conf
+    - source: salt://{{ slsdotpath }}/files/template/permission-hardener.d/40_qusal.conf
+    - mode: '0600'
+    - user: root
+    - group: root
+    - makedirs: True
+
+"{{ slsdotpath }}-hardened-malloc-preload":
+  file.managed:
+    - require:
+      - pkg: "{{ slsdotpath }}-installed"
+    - name: /etc/ld.so.preload
+    - source: salt://{{ slsdotpath }}/files/template/ld.so.preload
+    - mode: '0644'
+    - user: root
+    - group: root
+    - makedirs: True
+
+"{{ slsdotpath }}-distribution-kernel":
+  cmd.run:
+    - require:
+      - pkg: "{{ slsdotpath }}-installed"
+    - name: grub-install /dev/xvda
+    - runas: root
+
+{% endif %}

salt/kicksecure-minimal/install.top

@@ -0,0 +1,10 @@
+{#
+SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+
+SPDX-License-Identifier: AGPL-3.0-or-later
+#}
+
+base:
+  'I@qubes:type:template and E@^kicksecure-[0-9][0-9]-minimal$':
+    - match: compound
+    - kicksecure-minimal.install

salt/kicksecure-minimal/prefs.sls

@@ -0,0 +1,22 @@
+{#
+SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+
+SPDX-License-Identifier: AGPL-3.0-or-later
+#}
+
+{%- from "qvm/template.jinja" import load -%}
+
+{%- import slsdotpath ~ "/template.jinja" as template -%}
+
+include:
+  - .clone
+
+{% load_yaml as defaults -%}
+name: {{ template.template }}
+force: True
+require:
+- sls: {{ slsdotpath }}.clone
+prefs:
+- kernel: pvgrub2-pvh
+{%- endload %}
+{{ load(defaults) }}

salt/kicksecure-minimal/prefs.top

@@ -0,0 +1,10 @@
+{#
+SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+
+SPDX-License-Identifier: AGPL-3.0-or-later
+#}
+
+base:
+  'dom0':
+    - match: nodegroup
+    - kicksecure-minimal.prefs

salt/kicksecure-minimal/template.jinja

@@ -0,0 +1,15 @@
+{#
+SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+
+SPDX-License-Identifier: AGPL-3.0-or-later
+#}
+
+{% set base = 'kicksecure' -%}
+{% set version = salt['pillar.get']('qvm:kicksecure:version', '17') -%}
+{% set flavor = salt['pillar.get']('qvm:kicksecure:flavor', 'minimal') -%}
+#{% set repo = salt['pillar.get']('qvm:kicksecure:repo', 'qubes-templates-itl') -%}
+{% if flavor -%}
+  {% set flavor = '-' ~ flavor -%}
+{% endif -%}
+{% set template = base  ~ '-' ~ version ~ flavor -%}
+{% set template_clean = base ~ flavor -%}

salt/sys-cacher/install-client.sls

@@ -23,6 +23,7 @@ SPDX-License-Identifier: AGPL-3.0-or-later
       - repl: 'http://HTTPS/'
       - flags: [ 'IGNORECASE', 'MULTILINE' ]
       - backup: False
+      - ignore_if_missing: True
 {% endif -%}
 
 {% elif grains['os_family']|lower == 'arch' -%}

salt/utils/macros/clone-template.sls

@@ -13,18 +13,23 @@ Usage:
 {{ clone_template('debian-minimal', sls_path) }}
 #}
 
-{% macro clone_template(source, name) -%}
+{% macro clone_template(source, name, noprefix) -%}
 
 {%- import source ~ "/template.jinja" as template -%}
 
 include:
   - {{ source }}.create
 
-"tpl-{{ name }}-clone":
+{% set prefix = "tpl-" -%}
+{% if noprefix -%}
+  {%- set prefix = "" -%}
+{% endif -%}
+
+"{{ prefix }}{{ name }}-clone":
   qvm.clone:
     - require:
       - sls: {{ source }}.create
     - source: {{ template.template }}
-    - name: tpl-{{ name }}
+    - name: {{ prefix }}{{ name }}
 
 {% endmacro -%}