Update the Secure Kernel Loader package support for QubesOS

[BeataZdunczyk]

Is your feature request related to a problem? Please describe.

Since the initial work done by 3mdeb engineers for AMD AEM in Qubes OS, the Secure Kernel Loader (formerly Landing Zone) package support has not been updated. The package has undergone significant improvements and added new features. SKL is an open-source module written by TrenchBoot developers required by AMD Secure Startup technology to perform DRTM launch. The task aims to refresh the previous work and update the SKL package for Qubes OS to the newest revision.

Is your feature request related to a new idea or technology that
would benefit the project? Please describe.

Updating the Secure Kernel Loader package support for QubesOS on AMD would benefit the project by providing a more up-to-date and reliable version of the package, which is essential for AMD Secure Startup technology to perform DRTM launch.

Describe the solution you'd like

Update the Secure Kernel Loader (SKL) package support for QubesOS on AMD to the newest revision.

Describe alternatives you've considered

N/A

Additional context

This feature request is part of Phase 4 in TrenchBoot as Anti Evil Maid project, as outlined in the documentation: https://docs.dasharo.com/projects/trenchboot-aem-v2/.

Checklist:

• SKL package for QubesOS
• Above building in github actions
• Ensure SKL builds for different compilers - push https://github.com/TrenchBoot/secure-kernel-loader/blob/master/.github/workflows/build.yml forward
• Additional CI checks:
  • CodeQL secure-kernel-loader#12
  • pre-commit ? we have some templates: https://github.com/3mdeb/hooks/blob/main/pre-commit-init/pre-commit-init.py but maybe not extra useful for this SKL repo
  • other proposals

Relevant documentation you've consulted

N/A

[macpijan]

Since the initial work done by 3mdeb engineers for AMD AEM in Qubes OS

I'm not really certain, if we had done some support for QubesOS AMD AEM before?
As far as I remember, the https://github.com/trenchboot/landing-zone has not been packaged for QubesOS before, @miczyg1 @krystian-hebel ?

I cannot find such traces in landing-zone repo inn either trenchboot, nor 3mdeb repositories.

So the goal of this task would be to package the https://github.com/TrenchBoot/secure-kernel-loader (replacement for Landing Zone) for QubesOS. Including adding github CI ensuring package can still be built, and artifact can be stored for easier deployment.

The operational state of the SKL repo is really unknown I guess, especially in terms of changes in other repositories happening in parallel. I would say that the goal would be here to have something that builds reliably, so we can work on that in the next tasks.

[macpijan]

There are some workflows already: https://github.com/TrenchBoot/secure-kernel-loader/tree/master/.github/workflows
But I do not see them being built on the latest commits. This needs to be checked/updated/improved.

There were also some discussion with @andyhhp in TrenchBoot/secure-kernel-loader#12 we might want to go back to that here to decide on pursuing that further, or dropping.

[macpijan]

@SergiiDmytruk I have updated checklist in the first comment. Feel free to adjust/extend it if necessary, or discuss here.

[SergiiDmytruk]

Sent TrenchBoot/.github#6 and TrenchBoot/secure-kernel-loader#14.

[krystian-hebel]

I've approved PR for building RPMs (TrenchBoot/secure-kernel-loader#14), but we still need a second approval to merge it. @andyhhp @dpsmith @rossphilipson care to take a look?