qemu-spoof: seed-driven per-VM hardware-identity anti-detection for pve-qemu

2026-06-11 17:34:09 +03:00
commit 06463ee65c
33 changed files with 1788 additions and 0 deletions
@@ -0,0 +1,77 @@
+# qemu-spoof — inject the seed-driven spoof module + anti-detect patches into
+# pve-qemu and build the pve-qemu-kvm .deb.
+#
+#   make prepare   # init submodules, drop in the module, queue patches, bump changelog
+#   make deb       # build the .deb (runs pve-qemu's own dpkg-buildpackage)
+#   make clean
+#
+# Build on Debian trixie (matches pve-qemu 11.0). Never on a production node.
+
+# Override PVE to build against a pve-qemu checkout kept outside this tree:
+#   make PVE=/path/to/pve-qemu deb
+PVE      ?= pve-qemu
+QSRC     := $(PVE)/qemu
+PATCHDIR := $(PVE)/debian/patches
+SERIES   := $(PATCHDIR)/series
+# package revision = qemu-spoof commit count: unique + monotonic + orderable per
+# content change, so a rebuilt/improved package gets a new version (no 409 on the
+# immutable registry) and apt always picks the latest.
+SPOOF_REV ?= $(shell git rev-list --count HEAD 2>/dev/null || echo 1)
+TAG      := qemu-spoof
+# Epoch: makes our package version permanently OUTRANK any stock pve-qemu-kvm
+# (which has no epoch), so a Proxmox repo update never reverts the spoof. We pull
+# upstream fixes deliberately by rebuilding on a newer pve-qemu and re-publishing
+# (the epoch carries forward). Set EPOCH= to disable.
+EPOCH    ?= 1
+
+.PHONY: all prepare deb clean distclean submodule
+
+all: deb
+
+submodule:
+	@if [ ! -f "$(QSRC)/configure" ]; then \
+	  git submodule update --init --recursive; \
+	fi
+	cd $(QSRC) && meson subprojects download
+
+# Idempotent: safe to re-run. pve-qemu copies the qemu/ working tree (cp -a) into
+# its build dir, so the module files we drop in here are compiled; the call-site
+# wiring is applied on top via debian/patches/series (quilt).
+prepare: submodule
+	@echo ">> install spoof module headers + sources into the qemu tree"
+	@for h in src/spoof*.h; do install -D -m644 "$$h" "$(QSRC)/include/hw/misc/$$(basename $$h)"; done
+	@for c in src/spoof*.c; do install -D -m644 "$$c" "$(QSRC)/hw/misc/$$(basename $$c)"; done
+	@echo ">> register sources in hw/misc/meson.build"
+	@for c in src/spoof*.c; do b=$$(basename "$$c"); \
+	  grep -q "$$b" $(QSRC)/hw/misc/meson.build || \
+	    echo "system_ss.add(files('$$b'))" >> $(QSRC)/hw/misc/meson.build; \
+	  echo "   + $$b"; done
+	@echo ">> queue anti-detect patches into the series"
+	@for p in patches/0*.patch; do \
+	  [ -e "$$p" ] || continue; \
+	  b=$$(basename $$p); \
+	  cp -f $$p $(PATCHDIR)/$$b; \
+	  grep -qxF "$$b" $(SERIES) || echo "$$b" >> $(SERIES); \
+	  echo "   + $$b"; \
+	done
+	@echo ">> bump changelog with epoch $(EPOCH) so it permanently outranks stock pve-qemu-kvm"
+	@cd $(PVE) && { head -1 debian/changelog | grep -q "$(TAG)" || { \
+	  cur=$$(dpkg-parsechangelog -S Version); \
+	  dch -v "$(EPOCH):$${cur}+$(TAG)$(SPOOF_REV)" "qemu-spoof: seed-driven per-VM hardware identity"; }; }
+	@cd $(PVE) && head -1 debian/changelog
+	@echo ">> prepared. run 'make deb'."
+
+deb: prepare
+	$(MAKE) -C $(PVE) deb
+	@echo ">> built:"; ls -1 $(PVE)/*.deb 2>/dev/null || ls -1 *.deb 2>/dev/null || true
+
+clean:
+	-$(MAKE) -C $(PVE) clean 2>/dev/null || true
+	rm -f *.deb *.buildinfo *.changes
+
+# Drop the injected files + series entries so the submodule is pristine again.
+distclean: clean
+	-cd $(QSRC) && git checkout -- hw/misc/meson.build 2>/dev/null || true
+	-rm -f $(QSRC)/hw/misc/spoof*.c $(QSRC)/include/hw/misc/spoof*.h
+	-cd $(PVE) && git checkout -- debian/patches/series debian/changelog 2>/dev/null || true
+	-rm -f $(PATCHDIR)/0*qemu-spoof* $(PATCHDIR)/9*antidetect*