qusal/salt/kicksecure-minimal
Ben Grande 7df3be4b78
fix: install caching client before common update
Cacher client installation state is included in the common update state as
all qubes that update with Qusal states use it, rather than including
it on all the installation states. The macro utils.macros.install-repo
still also runs apt-cacher-ng-repo in case the user is not updating at
that moment, just adding a new repository without restarting the qube
(systemd service has already run).

Fixes: https://github.com/ben-grande/qusal/issues/66
2024-06-22 10:21:40 +02:00
files fix: enforce https on repository installation 2024-05-16 18:57:59 +02:00
clone.sls chore: copyright update 2024-01-29 16:49:54 +01:00
clone.top chore: copyright update 2024-01-29 16:49:54 +01:00
create.sls fix: vm kernel only applies to developers 2024-02-03 20:58:28 +01:00
create.top chore: copyright update 2024-01-29 16:49:54 +01:00
init.top chore: copyright update 2024-01-29 16:49:54 +01:00
install-developers.sls fix: remove extraneous package repository updates 2024-03-18 17:51:36 +01:00
install-developers.top fix: less intrusive kicksecure default install 2024-02-01 17:40:26 +01:00
install-repo.sls chore: copyright update 2024-01-29 16:49:54 +01:00
install-repo.top chore: copyright update 2024-01-29 16:49:54 +01:00
install.sls fix: install caching client before common update 2024-06-22 10:21:40 +02:00
install.top chore: copyright update 2024-01-29 16:49:54 +01:00
kernel-default.sls fix: vm kernel only applies to developers 2024-02-03 20:58:28 +01:00
kernel-default.top fix: vm kernel only applies to developers 2024-02-03 20:58:28 +01:00
kernel-hvm.sls fix: vm kernel only applies to developers 2024-02-03 20:58:28 +01:00
kernel-hvm.top fix: vm kernel only applies to developers 2024-02-03 20:58:28 +01:00
kernel-pv.sls fix: remove extraneous package repository updates 2024-03-18 17:51:36 +01:00
kernel-pv.top fix: vm kernel only applies to developers 2024-02-03 20:58:28 +01:00
prefs.sls chore: copyright update 2024-01-29 16:49:54 +01:00
prefs.top chore: copyright update 2024-01-29 16:49:54 +01:00
README.md doc: update table of contents 2024-06-16 10:45:42 +02:00
template.jinja chore: copyright update 2024-01-29 16:49:54 +01:00
version fix: generate RPM Specs for Qubes Builder V2 2024-06-21 17:00:06 +02:00

kicksecure-minimal

Kicksecure Minimal Template in Qubes OS.

Description

Creates the Kicksecure Minimal template as well as a Disposable Template based on it.

Installation

  • Top:
    sudo qubesctl top.enable kicksecure-minimal
    sudo qubesctl --targets=kicksecure-17-minimal state.apply
    sudo qubesctl top.disable kicksecure-minimal
    sudo qubesctl state.apply kicksecure-minimal.prefs
  • State:
    sudo qubesctl state.apply kicksecure-minimal.create
    sudo qubesctl --skip-dom0 --targets=kicksecure-17-minimal state.apply kicksecure-minimal.install
    sudo qubesctl state.apply kicksecure-minimal.prefs

Kicksecure Developers Installation

If you want to help improve the Kicksecure integration on Qubes, install the packages that are known to be broken on Qubes and can break the boot of the Kicksecure qube, so that you can report bugs upstream (if the qube no longer boots, get a terminal with qvm-console-dispvm):

sudo qubesctl --skip-dom0 --targets=kicksecure-17-minimal state.apply kicksecure-minimal.install-developers

Choose the kernel according to the virt_mode you want for the template:

  • hvm:
    sudo qubesctl state.apply kicksecure-minimal.kernel-hvm
  • pvh:
    sudo qubesctl state.apply kicksecure-minimal.kernel-pv
  • Dom0 provided kernel (resets virt_mode to pvh):
    sudo qubesctl state.apply kicksecure-minimal.kernel-default

Usage

AppVMs and StandaloneVMs can be based on this template.

Kicksecure Developers Usage

This is intended for Kicksecure developers to test hardening measures that are known to be broken on Qubes. It is not intended for other developers or users.

After you have run the developers Salt state, include the following customizations made by this formula when reporting bugs upstream:

  • hardened-malloc:
    libhardened_malloc.so
  • hide-hardware-info:
    sysfs_whitelist=0
    cpuinfo_whitelist=0
  • permission-hardener:
    whitelists_disable_all=true
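To gather the values above from inside the template before filing a report, the following added example (not part of the Qusal formula) reads the drop-in configuration the way a last-assignment-wins loader would and flags anything that differs from the developer settings listed. The directories /etc/hide-hardware-info.d, /etc/permission-hardener.d and the /etc/ld.so.preload path are assumptions about where Kicksecure keeps these settings, so pass your own paths as arguments if they differ.

```shell
# Added example, not the formula's own code. Collects the developer
# customizations from the README so they can be pasted into an upstream report.
# Default paths are assumptions about Kicksecure's drop-in directories.

# Effective value of KEY across DIR/*.conf: files are read in lexical order and
# a later assignment overrides an earlier one; comments are ignored. Prints ""
# when KEY is never assigned.
effective_setting() {
  local dir="$1" key="$2" val="" f v
  for f in "$dir"/*.conf; do
    [ -r "$f" ] || continue
    v=$(sed -n "s/^[[:space:]]*${key}=[[:space:]]*\([^[:space:]]*\).*/\1/p" "$f" | tail -n 1)
    [ -n "$v" ] && val="$v"
  done
  printf '%s' "$val"
}

# True when libhardened_malloc.so is listed in the given preload file.
hardened_malloc_active() {
  grep -q 'libhardened_malloc\.so' "$1" 2>/dev/null
}

# Print NAME=ACTUAL; on mismatch also print the expected value and return 1.
check_line() {
  local name="$1" actual="$2" expected="$3"
  if [ "$actual" = "$expected" ]; then
    printf '%s=%s\n' "$name" "$actual"; return 0
  fi
  printf '%s=%s (expected %s)\n' "$name" "${actual:-<unset>}" "$expected"; return 1
}

# Report the four customizations; the exit status is the number of mismatches.
# Usage: report_customizations [HIDE_HW_INFO_DIR] [PERMISSION_HARDENER_DIR] [PRELOAD_FILE]
report_customizations() {
  local hhi="${1:-/etc/hide-hardware-info.d}" ph="${2:-/etc/permission-hardener.d}"
  local preload="${3:-/etc/ld.so.preload}" bad=0 malloc=no
  hardened_malloc_active "$preload" && malloc=yes
  check_line hardened_malloc_preloaded "$malloc" yes || bad=$((bad+1))
  check_line sysfs_whitelist "$(effective_setting "$hhi" sysfs_whitelist)" 0 || bad=$((bad+1))
  check_line cpuinfo_whitelist "$(effective_setting "$hhi" cpuinfo_whitelist)" 0 || bad=$((bad+1))
  check_line whitelists_disable_all "$(effective_setting "$ph" whitelists_disable_all)" true || bad=$((bad+1))
  return "$bad"
}
```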