From a096e8b93636be1873c4182bca94603c15640df8 Mon Sep 17 00:00:00 2001 From: Conor Schaefer Date: Tue, 25 Aug 2020 17:19:16 -0700 Subject: [PATCH] Checks for u2mfn kernel module in metapackage The u2mfn kernel module is required for GUI operations in a VM. It should be built automatically via dkms, but that process can fail. We must report such errors up to the parent apt operation to notify users. The /etc/kernel/postinst.d/dkms hooks are run on installation of the linux-image-* packages, so we don't need an explicit call to dkms autoinstall (which fails silently) in the metapackage postinst. Since we've observed VMs fail to build the u2mfn.ko dynamically in the past, let's try to recover in that situation, otherwise fail loudly. --- .../debian/changelog-buster | 6 ++++ securedrop-workstation-grsec/debian/postinst | 32 +++++++++++++++++-- 2 files changed, 35 insertions(+), 3 deletions(-) diff --git a/securedrop-workstation-grsec/debian/changelog-buster b/securedrop-workstation-grsec/debian/changelog-buster index 6f117718..cda17eb6 100644 --- a/securedrop-workstation-grsec/debian/changelog-buster +++ b/securedrop-workstation-grsec/debian/changelog-buster @@ -1,3 +1,9 @@ +securedrop-workstation-grsec (4.14.186+buster2) unstable; urgency=medium + + * Ensures u2mfn module is built via dkms, otherwise fails + + -- SecureDrop Team Wed, 26 Aug 2020 15:05:49 -0700 + securedrop-workstation-grsec (4.14.186+buster1) unstable; urgency=medium * Starts paxctld before dkms autoinstall step in postinst diff --git a/securedrop-workstation-grsec/debian/postinst b/securedrop-workstation-grsec/debian/postinst index 2362d3d0..13bdc97c 100644 --- a/securedrop-workstation-grsec/debian/postinst +++ b/securedrop-workstation-grsec/debian/postinst 
@@ -17,7 +17,11 @@ set -e
 # for details, see https://www.debian.org/doc/debian-policy/ or
 # the debian-policy package
 
+
+# When updating the kernel version, also check that the u2mfn version matches:
+# https://github.com/QubesOS/qubes-linux-utils/blob/release4.0/version
 GRSEC_VERSION='4.14.186-grsec-workstation'
+U2MFN_VERSION="4.0.30"
 
 # Sets default grub boot parameter to the kernel version specified
 # by $GRSEC_VERSION. The debian buster default kernel is 4.19, thus
@@ -38,12 +42,34 @@ start_paxctld() {
     fi
 }
+# Checks that the u2mfn kernel module was successfully built via dkms.
+verify_u2mfn_exists() {
+    ko_filepath="/usr/lib/modules/${GRSEC_VERSION}/updates/dkms/u2mfn.ko"
+    if ! test -f "$ko_filepath"; then
+        return 1
+    fi
+}
+
+# For reasons unknown, u2mfn may be missing. If not found, try to rebuild it,
+# otherwise we'll fail and require admin intervention.
+ensure_u2mfn_exists() {
+    if ! verify_u2mfn_exists ; then
+        dkms remove u2mfn -v "$U2MFN_VERSION" -k "$GRSEC_VERSION" || true
+        dkms autoinstall -k "$GRSEC_VERSION"
+        if ! verify_u2mfn_exists ; then
+            echo "ERROR: u2mfn kernel object is missing: $ko_filepath"
+            exit 1
+        fi
+    fi
+}
+
 case "$1" in
     configure)
-        # Ensure pax flags are set prior to running dkms & grub
+        # Ensure pax flags are set prior to running grub
         start_paxctld
-        # DKMS autoinstall the qubes kernel modules
-        dkms autoinstall $GRSEC_VERSION
+        # Rebuild u2mfn kernel module if missing
+        ensure_u2mfn_exists
+
         # Force latest hardened kernel for next boot
         set_grub_default
         update-grub
         ;;
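Review bot: The failure message in ensure_u2mfn_exists goes to stdout, so under apt it is easy to lose among ordinary progress output even though the postinst exits 1; write it to stderr with `echo "ERROR: u2mfn kernel object is missing: $ko_filepath" >&2`. Note also that `$ko_filepath` is only populated as a side effect of calling verify_u2mfn_exists (there are no shell locals here), so the message silently depends on that call having run first; assigning the path once at file scope next to GRSEC_VERSION would make that explicit. The check path `/usr/lib/modules/...` presumes a merged-/usr layout, whereas dkms, as far as I know, installs under `/lib/modules/<kernel>/updates/dkms/`, which resolves on both layouts, so `ko_filepath="/lib/modules/${GRSEC_VERSION}/updates/dkms/u2mfn.ko"` looks safer and is worth confirming on a non-merged buster template, because a wrong path here sends every configure run into the rebuild branch and then to exit 1. Finally, `dkms remove` is pinned to the hardcoded U2MFN_VERSION with its failure swallowed by `|| true`, so if the registered qubes-u2mfn dkms source drifts to another version the stale registration stays in place and the subsequent autoinstall may have nothing to rebuild; consider taking the version from `dkms status -m u2mfn` instead of the constant, or at least printing that status before exiting so the admin has something concrete to act on.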