freedomofpress · emkll · Oct 19, 2018 · Oct 17, 2018 · Oct 18, 2018
diff --git a/Makefile b/Makefile
@@ -63,6 +63,7 @@ prep-salt: assert-dom0 ## Configures Salt layout for SD workstation VMs
 	@sudo cp sd-journalist.sec /srv/salt/sd
 	@sudo cp -r sd-journalist /srv/salt/sd
 	@sudo cp -r sd-svs /srv/salt/sd
+	@sudo cp -r sd-workstation /srv/salt/sd
 	@sudo cp dom0/* /srv/salt/
 #sudo cp -r sd-svs-disp /srv/salt/sd  # nothing there yet...
 

diff --git a/dom0/sd-workstation-template-files.sls b/dom0/sd-workstation-template-files.sls
@@ -1,9 +1,14 @@
 # -*- coding: utf-8 -*-
 # vim: set syntax=yaml ts=2 sw=2 sts=2 et :
 
+configure apt-test apt repo:
+  pkgrepo.managed:
+    - name: "deb [arch=amd64] https://apt-test-qubes.freedom.press stretch main"
+    - file: /etc/apt/sources.list.d/fpf-apt-test.list
+    - key_url: "salt://sd/sd-workstation/apt-test-pubkey.asc"
 
 configure mimetype support for debian9:
   pkg.installed:
     - pkgs:
-      - gvfs-bin
-      - libgnomevfs2-bin
+      - securedrop-workstation-config
+      - securedrop-workstation-grsec
diff --git a/dom0/sd-workstation-template.sls b/dom0/sd-workstation-template.sls
@@ -16,5 +16,6 @@ sd-workstation-template:
     - clone:
       - source: debian-9
       - label: yellow
-
-
+    - prefs:
+      - virt-mode: hvm
+      - kernel: ''
diff --git a/sd-workstation/apt-test-pubkey.asc b/sd-workstation/apt-test-pubkey.asc
@@ -0,0 +1,30 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQENBFhPGZsBCACzn00s3+i5HdGIldDGYXxY2HKL9Qhk0DhiRrNPaQemhNijuFlC
+geCeKN/smDAUyM5mfEoxmWy3V7n8SEQUpqI4dIS2AohReLkyKEKiIpTuXW7F9kO3
+vcXHgrTka+8B4ZQxDuTHNFJLmBwJnP24LrL6BzkDIUNeQFwM0EFTDOJlW1QV6qkm
+9WGizo2sR0VBJJabfRWrTWd8llYOVcc+LptErVNADPaX6iqb+QnZVJ/nYmCTgABj
+lD3aZ4EPZ+ioVOcOxbgBkAX76COObUUw/XahBGwj4fJ5kyzvDSBCHHlRzN39LKpM
+Y+HfSc1scAOWN+Dd0N/joIa0j0U4SGHo1NdzABEBAAG0MVNlY3VyZURyb3AgVEVT
+VElORyBrZXkgPHNlY3VyZWRyb3BAZnJlZWRvbS5wcmVzcz6JAU4EEwEIADgWIQRO
+15zDNi19EoNwRgJKO+SpIhGwPAUCWE8ZmwIbAwULCQgHAgYVCAkKCwIEFgIDAQIe
+AQIXgAAKCRBKO+SpIhGwPCb9B/9SuVoxbe3nLlU0bHDQtoq5P7adyTZK+5gKIiAo
+mtAkc/EuiF6jYIDLo+DBB1GBJVjyD5igTt14XR3JpMe6nLtztD5zgGk47gYQk3y5
+6f5ydd7zRo9OxulRYDvU1mXMUc0EmqfzuSxY55HJy5KQvjeKIU0fTvwbPYXdhFCC
+42iyBIkp4e4/C5oO4lNrNY2DJEZ+a8H5LHasJ4g9A78f/D5q0HWO1HutzfDeiMvq
+WFwlGMD2OzTEQA2MGlVRIYvLHAG1aV9fXY8kjCFT8ri5hxlQeTkKISfbW3pFSq6s
+Ow4r975zWLTPJNm+WTbBpfIOFBVAW34EHkcb/QmntlvqkNM+uQENBFhPGZsBCAC4
+VEtCQEuZ3WzCNL/0yQFih1EjT/AsS3j3++xvSOYWF+c7AjR9X0MkJFTnUZBHs6MX
+PM33bbkWbBBE2ILdDCEF72Uc5HyyC2lW2DvPY9ZLVSGcMCUsKARv5rbeNdgiLVP5
+8AMkmG48q0Pxrr6UVX14M34Jm5G91c/dj9zHtVwkLg4RG/rcumQdlpQhNmMycB2X
+lat48atmEkutfLEQizXIlgiCdNEpgfUBy/jZZcCOjwr8PUPmSUWjKOVMv6CSLx8K
+z2cP4We7tyq4qhc0cWjJOWOmJpu5tbmi6XEEWGaIJyN+POhHEcb0tI1rTJ88nrMb
+DI/NF/35kuWIIkADOb2vABEBAAGJATYEGAEIACAWIQRO15zDNi19EoNwRgJKO+Sp
+IhGwPAUCWE8ZmwIbDAAKCRBKO+SpIhGwPC3fB/0TfuScS718FiEcVRI3F2wBbzTQ
+VARhGzEvPSU5Z3Cur/EB8ihpWvwi39tUMeg5HTheDl/8A7f1QCjIFSVEr1slGNLh
+YFF07XGWhy837z6kiihK2z6/w6Q9QJqjE+QVZCKr97aIPejvEoHoslZTU5pJ52qF
+J7KQd1hEvVs00DxY6VlyK0FzXqByKYq6Arl2tzlCZ6RPEHKXV2xSP06jLEagzgYe
+DylVo9Xahenj4n/Mtq7Am6tGgU9Vy9cGbWNBdUND/mFQEEZSh9RJabPeluH12sir
+5/tfsDr4DGHSz7ws+5M6Zbk6oNJEwQZ4cR+81qCfXE5X5LW1KlAL8wDl7dfS
+=fYUi
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/tests/test_vms_exist.py b/tests/test_vms_exist.py
@@ -4,6 +4,9 @@
 from base import WANTED_VMS
 
 
+EXPECTED_KERNEL_VERSION = "4.14.74-grsec"
+
+
 class SD_VM_Tests(unittest.TestCase):
     def setUp(self):
         self.app = Qubes()
@@ -16,6 +19,21 @@ def test_expected(self):
         for test_vm in WANTED_VMS:
             self.assertTrue(test_vm in vm_set)
 
+    def _check_kernel(self, vm):
+        """
+        Confirms expected grsecurity-patched kernel is running.
+        """
+        # Running custom kernel requires HVM with empty kernel
+        self.assertTrue(vm.virt_mode == "hvm")
+        self.assertTrue(vm.kernel == "")
+
+        # Check exact kernel version in VM
+        raw_output = vm.run("uname -r")
+        # Response is a tuple of e.g. ('4.14.74-grsec\n', '')
+        kernel_version = raw_output[0].rstrip()
+        assert kernel_version.endswith("-grsec")
+        assert kernel_version == EXPECTED_KERNEL_VERSION
+
     def test_sd_whonix_config(self):
         vm = self.app.domains["sd-whonix"]
         nvm = vm.netvm
@@ -39,6 +57,7 @@ def test_sd_svs_config(self):
         self.assertTrue(vm.template == "sd-svs-template")
         self.assertFalse(vm.provides_network)
         self.assertFalse(vm.template_for_dispvms)
+        self._check_kernel(vm)
 
     def test_sd_svs_disp_config(self):
         vm = self.app.domains["sd-svs-disp"]
@@ -47,6 +66,7 @@ def test_sd_svs_disp_config(self):
         self.assertTrue(vm.template == "sd-svs-disp-template")
         self.assertFalse(vm.provides_network)
         self.assertTrue(vm.template_for_dispvms)
+        self._check_kernel(vm)
 
     def test_sd_gpg_config(self):
         vm = self.app.domains["sd-gpg"]
@@ -56,6 +76,13 @@ def test_sd_gpg_config(self):
         self.assertTrue(vm.template == "sd-workstation-template")
         self.assertFalse(vm.provides_network)
         self.assertFalse(vm.template_for_dispvms)
+        self._check_kernel(vm)
+
+    def test_sd_workstation_template(self):
+        vm = self.app.domains["sd-workstation-template"]
+        nvm = vm.netvm
+        self.assertTrue(nvm is None)
+        self._check_kernel(vm)
 
 
 def load_tests(loader, tests, pattern):