
Kicksecure template

Open adrelanos opened this issue 1 year ago • 12 comments

The problem you're addressing (if any)

A Kicksecure Qubes Template is unavailable.

The only way to use Kicksecure in Qubes is Distribution Morphing.

The solution you'd like

Provide a Kicksecure Qubes template that can be installed using:

qvm-template install --enablerepo=qubes-templates-community kicksecure-17

The value to a user, and who that user might be

An easily installable Kicksecure Template that does not come with issue https://github.com/QubesOS/qubes-issues/issues/7447, requires no lengthy distribution morphing instructions, and comes security hardened by default.

(Should also come with in-VM kernel enabled by default. (https://github.com/QubesOS/qubes-issues/issues/9570))

Users that indicated interest for a Kicksecure Qubes Template:

  • https://forum.qubes-os.org/search?q=kicksecure%20in%3Atitle
  • https://github.com/QubesOS/qubes-issues/issues?q=is%3Aissue+kicksecure+in%3Atitle
  • https://forums.kicksecure.com/search?q=qubes%20in%3Atitle

Qubes Template source code

https://github.com/Kicksecure/qubes-template-kicksecure

Untested.

Update: Tested.

Related non-duplicates

  • https://github.com/QubesOS/qubes-issues/issues/9332 (ticket isn't about Kicksecure) (is a ticket about default use of a hardened Template)

Completion criteria checklist

(This section is for developer use only. Please do not modify it.)

adrelanos avatar Nov 11 '24 20:11 adrelanos

Note: the qusal project has this which might be a helpful reference as well

mzpqnxow avatar Nov 24 '24 16:11 mzpqnxow

Unrelated.

adrelanos avatar Nov 25 '24 12:11 adrelanos

Progress:

  • https://github.com/QubesOS/qubes-builderv2/pull/170 [merged] [done]

~~Todo:~~

  • ~~kicksecure-meta-packages fixes for qubes-template-kicksecure~~ [done]

adrelanos avatar Jan 13 '25 13:01 adrelanos

https://github.com/Kicksecure/qubes-template-kicksecure

Has been fixed and tested by @ArrayBolt3.

A testers release is now ready to be built by Qubes infrastructure.

adrelanos avatar Feb 04 '25 09:02 adrelanos

Documentation on how to manually build the Kicksecure Qubes Template (thanks to @ArrayBolt3 for the contribution!) can be found here: https://www.kicksecure.com/wiki/Dev/Qubes

adrelanos avatar Feb 09 '25 13:02 adrelanos

@ArrayBolt3 as for the documentation linked above:

> Templates are simply RPM packages, meaning they can run arbitrary code as root during installation. This means that a compromised template can, and probably will, compromise dom0.

If you install the template using qvm-template tool, it should be safe. It doesn't really install the rpm package (so, no install scripts are executed), just extracts root.img from it.

But nevertheless a fresh App qube is a good idea.

marmarek avatar Feb 19 '25 01:02 marmarek
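
The "install scripts" mentioned in the comment above are RPM scriptlets, stored as tags in the package header and run as root by a normal package install. As an added example (not from this thread or from Qubes code), the following Python lists the install and erase scriptlets a package header carries without installing it; `make_sample` builds a constructed, minimal RPM-like blob for illustration, and trigger scripts are not covered.

```python
import struct

# RPM header tags that hold install/erase scriptlets (values from rpm's tag table).
SCRIPT_TAGS = {1023: "prein", 1024: "postin", 1025: "preun", 1026: "postun",
               1151: "pretrans", 1152: "posttrans"}
LEAD_MAGIC = b"\xed\xab\xee\xdb"
HDR_MAGIC = b"\x8e\xad\xe8\x01"

def read_header(buf, pos):
    """Parse one header structure at pos; return ({tag: offset}, store, end)."""
    if buf[pos:pos + 4] != HDR_MAGIC:
        raise ValueError("bad header magic")
    nindex, hsize = struct.unpack_from(">II", buf, pos + 8)
    idx_end = pos + 16 + 16 * nindex
    if idx_end + hsize > len(buf):
        raise ValueError("truncated header")
    index = {}
    for i in range(nindex):
        tag, _type, off, _count = struct.unpack_from(">IIII", buf, pos + 16 + 16 * i)
        index[tag] = off
    return index, buf[idx_end:idx_end + hsize], idx_end + hsize

def scriptlets(rpm_bytes):
    """Return {name: script text} for scriptlets found in the main header."""
    if rpm_bytes[:4] != LEAD_MAGIC:
        raise ValueError("not an RPM lead")
    _, _, end = read_header(rpm_bytes, 96)         # signature header follows the 96-byte lead
    end += -end % 8                                # signature header is padded to 8 bytes
    index, store, _ = read_header(rpm_bytes, end)  # main header
    found = {}
    for tag, name in SCRIPT_TAGS.items():
        if tag in index:
            text = store[index[tag]:].split(b"\0", 1)[0]  # NUL-terminated string
            found[name] = text.decode(errors="replace")
    return found

def make_sample(script=None):
    """Constructed sample: lead, empty signature header, main header with NAME."""
    def hdr(entries, store):
        idx = b"".join(struct.pack(">IIII", *e) for e in entries)
        return HDR_MAGIC + b"\0" * 4 + struct.pack(">II", len(entries), len(store)) + idx + store
    entries, store = [(1000, 6, 0, 1)], b"demo\0"  # tag 1000 = NAME, type 6 = STRING
    if script is not None:
        entries.append((1024, 6, len(store), 1))   # tag 1024 = POSTIN
        store += script + b"\0"
    return LEAD_MAGIC + b"\0" * 92 + hdr([], b"") + hdr(entries, store)
```
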

@marmarek hmm, didn't know that. Thanks!

ArrayBolt3 avatar Feb 19 '25 01:02 ArrayBolt3

https://forums.kicksecure.com/t/kicksecure-template-for-qubes-testers-wanted/1020

adrelanos avatar May 05 '25 06:05 adrelanos

What happens to the following Template build command?

https://github.com/QubesOS/updates-status/issues/566#issuecomment-2866893209 (and following)

It is not in https://github.com/QubesOS/updates-status and not in https://github.com/QubesOS/build-issues/issues

adrelanos avatar May 10 '25 21:05 adrelanos

> What happens to the following Template build command?

The command you posted is invalid:

Build-template rR4.3 whonix-workstation-17 202505091502

Note the double "rR"

marmarek avatar May 13 '25 08:05 marmarek

Kicksecure stable template has been released a while ago: https://forums.kicksecure.com/t/kicksecure-template-for-qubes-initial-stable-release/1020

Could you please post an announcement? @adw

Similar to: https://www.qubes-os.org/news/2021/09/30/whonix-16-template-available/

adrelanos avatar Jun 13 '25 19:06 adrelanos

> Kicksecure stable template has been released a while ago: https://forums.kicksecure.com/t/kicksecure-template-for-qubes-initial-stable-release/1020
>
> Could you please post an announcement? @adw
>
> Similar to: https://www.qubes-os.org/news/2021/09/30/whonix-16-template-available/

We usually don't make official announcements for community templates, except for Whonix. For example, our community template documentation also lists Ubuntu, Arch, Gentoo, and CentOS templates, but we've never made an official announcement for any of them (except for a quasi-announcement for the Gentoo template as part of one of Frédéric's posts). I'm not opposed to making an official announcement for the Kicksecure template, but if we do, then we should decide whether Kicksecure is going to be a special exception like Whonix or whether we're going to start making official announcements for all community templates.

Whonix seems to be a special exception since it's included in the installer. If Kicksecure is going to have a similar status, do we need a third category in between "official" and "community," like "partner templates" or something?

What do you think, @marmarek?

andrewdavidwong avatar Jun 13 '25 23:06 andrewdavidwong