From e5c8fb2a11fa0b43af135a7127a0795e5808b59b Mon Sep 17 00:00:00 2001 From: Ben Grande Date: Sat, 3 Feb 2024 20:58:28 +0100 Subject: [PATCH] fix: vm kernel only applies to developers Fixes: https://github.com/ben-grande/qusal/issues/3 --- salt/kicksecure-minimal/README.md | 21 ++++++++++- salt/kicksecure-minimal/create.sls | 12 ------- .../kicksecure-minimal/install-developers.sls | 20 ++++++++++- salt/kicksecure-minimal/install.sls | 17 --------- salt/kicksecure-minimal/kernel-default.sls | 23 ++++++++++++ salt/kicksecure-minimal/kernel-default.top | 10 ++++++ salt/kicksecure-minimal/kernel-hvm.sls | 23 ++++++++++++ salt/kicksecure-minimal/kernel-hvm.top | 10 ++++++ salt/kicksecure-minimal/kernel-pv.sls | 35 +++++++++++++++++++ salt/kicksecure-minimal/kernel-pv.top | 10 ++++++ 10 files changed, 150 insertions(+), 31 deletions(-) create mode 100644 salt/kicksecure-minimal/kernel-default.sls create mode 100644 salt/kicksecure-minimal/kernel-default.top create mode 100644 salt/kicksecure-minimal/kernel-hvm.sls create mode 100644 salt/kicksecure-minimal/kernel-hvm.top create mode 100644 salt/kicksecure-minimal/kernel-pv.sls create mode 100644 salt/kicksecure-minimal/kernel-pv.top diff --git a/salt/kicksecure-minimal/README.md b/salt/kicksecure-minimal/README.md index 5b41ba8..8293838 100644 --- a/salt/kicksecure-minimal/README.md +++ b/salt/kicksecure-minimal/README.md @@ -32,6 +32,8 @@ qubesctl state.apply kicksecure-minimal.prefs ``` +### Kicksecure Developers Installation + If you want to help improve Kicksecure integration on Qubes, install packages that are known to be broken on Qubes and can break the boot of the Kicksecure Qube, to report bugs upstream (get a terminal with `qvm-console-dispvm`): 
@@ -39,11 +41,28 @@ Qube, to report bugs upstream (get a terminal with `qvm-console-dispvm`): qubesctl --skip-dom0 --targets=kicksecure-17-minimal state.apply kicksecure-minimal.install-developers ``` +Choose the `kernel` according to the `virt_mode` you want for the template: + +- `hvm`: +```sh +qubesctl state.apply kicksecure-minimal.kernel-hvm +``` + +- `pvh`: +```sh +qubesctl state.apply kicksecure-minimal.kernel-pv +``` + +- Dom0 provided kernel (resets `virt_mode` to `pvh`): +```sh +qubesctl state.apply kicksecure-minimal.kernel-default +``` + ## Usage AppVMs and StandaloneVMs can be based on this template. -### Kicksecure Developers +### Kicksecure Developers Usage This is intended for Kicksecure Developers to test known to be broken hardening measures. It is not intended for other developers or users. diff --git a/salt/kicksecure-minimal/create.sls b/salt/kicksecure-minimal/create.sls index 3504c7a..3af1a01 100644 --- a/salt/kicksecure-minimal/create.sls +++ b/salt/kicksecure-minimal/create.sls @@ -11,18 +11,6 @@ SPDX-License-Identifier: AGPL-3.0-or-later include: - .clone -"{{ slsdotpath }}-updated": - pkg.uptodate: - - refresh: True - -"{{ slsdotpath }}-installed": - pkg.installed: - - refresh: True - - install_recommends: False - - skip_suggestions: True - - pkgs: - - grub2-xen-pvh - {% load_yaml as defaults -%} name: {{ template.template }} force: True diff --git a/salt/kicksecure-minimal/install-developers.sls b/salt/kicksecure-minimal/install-developers.sls index 1a69c78..9d27eee 100644 --- a/salt/kicksecure-minimal/install-developers.sls +++ b/salt/kicksecure-minimal/install-developers.sls 
@@ -3,7 +3,14 @@ SPDX-FileCopyrightText: 2023 - 2024 Benjamin Grande M. S.
+
+SPDX-License-Identifier: AGPL-3.0-or-later
+#}
+
+{%- from "qvm/template.jinja" import load -%}
+
+{%- import slsdotpath ~ "/template.jinja" as template -%}
+
+include:
+ - .clone
+
+{% load_yaml as defaults -%}
+name: {{ template.template }}
+force: True
+require:
+- sls: {{ slsdotpath }}.clone
+prefs:
+- virt_mode: pvh
+- kernel: "*default*"
+{%- endload %}
+{{ load(defaults) }}
diff --git a/salt/kicksecure-minimal/kernel-default.top b/salt/kicksecure-minimal/kernel-default.top
new file mode 100644
index 0000000..d1a54f0
--- /dev/null
+++ b/salt/kicksecure-minimal/kernel-default.top
@@ -0,0 +1,10 @@
+{#
+SPDX-FileCopyrightText: 2024 Benjamin Grande M. S.
+
+SPDX-License-Identifier: AGPL-3.0-or-later
+#}
+
+base:
+ 'dom0':
+ - match: nodegroup
+ - kicksecure-minimal.kernel-default
diff --git a/salt/kicksecure-minimal/kernel-hvm.sls b/salt/kicksecure-minimal/kernel-hvm.sls
new file mode 100644
index 0000000..6bb161b
--- /dev/null
+++ b/salt/kicksecure-minimal/kernel-hvm.sls
@@ -0,0 +1,23 @@
+{#
+SPDX-FileCopyrightText: 2024 Benjamin Grande M. S.
+
+SPDX-License-Identifier: AGPL-3.0-or-later
+#}
+
+{%- from "qvm/template.jinja" import load -%}
+
+{%- import slsdotpath ~ "/template.jinja" as template -%}
+
+include:
+ - .clone
+
+{% load_yaml as defaults -%}
+name: {{ template.template }}
+force: True
+require:
+- sls: {{ slsdotpath }}.clone
+prefs:
+- virt_mode: hvm
+- kernel: ""
+{%- endload %}
+{{ load(defaults) }}
diff --git a/salt/kicksecure-minimal/kernel-hvm.top b/salt/kicksecure-minimal/kernel-hvm.top
new file mode 100644
index 0000000..0082c8d
--- /dev/null
+++ b/salt/kicksecure-minimal/kernel-hvm.top
@@ -0,0 +1,10 @@
+{#
+SPDX-FileCopyrightText: 2024 Benjamin Grande M. S.
+
+SPDX-License-Identifier: AGPL-3.0-or-later
+#}
+
+base:
+ 'dom0':
+ - match: nodegroup
+ - kicksecure-minimal.kernel-hvm
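Review bot: kernel-hvm.sls sets `- kernel: ""` with nothing in the file saying what an empty kernel preference means, and the README hunk in this patch only labels it the `hvm` choice; a reader of the state alone cannot tell that, in Qubes, an empty kernel hands the boot chain to whatever bootloader and kernel live on the qube's own root volume instead of a dom0-provided kernel, so dom0 kernel updates stop reaching it. Suggest a Jinja comment above the `load_yaml` block, e.g. `{# Empty kernel: boot the kernel shipped inside the template, not a dom0-provided one. #}`, and the same form in kernel-default.sls for `"*default*"`. That the in-VM kernel is then the developer's responsibility to keep patched is inferred from the preference rather than shown here; it is worth one sentence in the README next to the `hvm` choice.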
diff --git a/salt/kicksecure-minimal/kernel-pv.sls b/salt/kicksecure-minimal/kernel-pv.sls
new file mode 100644
index 0000000..f69d5e6
--- /dev/null
+++ b/salt/kicksecure-minimal/kernel-pv.sls
@@ -0,0 +1,35 @@
+{#
+SPDX-FileCopyrightText: 2024 Benjamin Grande M. S.
+
+SPDX-License-Identifier: AGPL-3.0-or-later
+#}
+
+{%- from "qvm/template.jinja" import load -%}
+
+{%- import slsdotpath ~ "/template.jinja" as template -%}
+
+include:
+ - .clone
+
+"{{ slsdotpath }}-updated":
+ pkg.uptodate:
+ - refresh: True
+
+"{{ slsdotpath }}-installed":
+ pkg.installed:
+ - refresh: True
+ - install_recommends: False
+ - skip_suggestions: True
+ - pkgs:
+ - grub2-xen-pvh
+
+{% load_yaml as defaults -%}
+name: {{ template.template }}
+force: True
+require:
+- sls: {{ slsdotpath }}.clone
+prefs:
+- virt_mode: pv
+- kernel: pvgrub2-pvh
+{%- endload %}
+{{ load(defaults) }}
diff --git a/salt/kicksecure-minimal/kernel-pv.top b/salt/kicksecure-minimal/kernel-pv.top
new file mode 100644
index 0000000..cf2febc
--- /dev/null
+++ b/salt/kicksecure-minimal/kernel-pv.top
@@ -0,0 +1,10 @@
+{#
+SPDX-FileCopyrightText: 2024 Benjamin Grande M. S.
+
+SPDX-License-Identifier: AGPL-3.0-or-later
+#}
+
+base:
+ 'dom0':
+ - match: nodegroup
+ - kicksecure-minimal.kernel-pv
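Review bot: kernel-pv.sls sets `- virt_mode: pv` while the README hunk in this same patch lists the state under `pvh`, and the kernel it selects, `pvgrub2-pvh` from package `grub2-xen-pvh`, is by its name the PVH variant; one of the two looks wrong and should be confirmed before merge, since PV exposes more of the Xen PV interface to the guest than PVH does and is not the mode the other two kernel states use. If PV is really intended, a Jinja comment in the file saying why, e.g. `{# PV, not PVH: <reason> — see README #}`, would stop the next reader from "fixing" it. Separately, `pkg.uptodate` with `refresh: True` upgrades every package on whichever minion applies this state (dom0, per kernel-pv.top), which is a broad side effect for a state whose purpose is to pick a kernel; keeping only the `pkg.installed` of `grub2-xen-pvh` would scope it to what the kernel choice needs.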