The shim review board (which is the secure boot base loader) recommends using
ephemeral keys when signing the Linux Kernel. This commit enables the Kernel
build system to generate a one-time ephemeral key that is used to:
* sign all build-in Kernel modules
* sign all other out-of-tree Kernel modules
The key lives in /tmp and is destroyed after the build container exits and is
named: "VyOS build time autogenerated kernel key".
In addition the Kernel now uses CONFIG_MODULE_SIG_FORCE. This now makes it
unable to load any Kernel Module to the image that is NOT signed by the
ephemeral key.
This adds support for UEFI Secure Boot. It adds the missing pieces to the Linux
Kernel and enforces module signing. This results in an additional security
layer where untrusted (unsigned) Kernel modules can no longer be loaded into
the live system.
NOTE: This commit will not work unless signing keys are present. Arbitrary
keys can be generated using instructions found in:
data/live-build-config/includes.chroot/var/lib/shim-signed/mok/README.md
Dependency already exists in vyos-1x for live-system, but it does not hurt to
also define the dependency here where it's needed by the filesystem layer.
As part of "T5792: Upgrade to ddclient 3.11.2" in commit 368b89ef056,
ddclient was built using build system from Debian Salsa and source code
from upstream GitHub.
This was subsequently modified in commit 7f7030d9281 to use both build
system and source code from Debian Salsa.
Now that Debian finally has ddclient 3.11.2 release, we can use the
release tag to build the package.
All VyOS kernel modules must live in the appropriate module directory,
example: /lib/modules/6.6.41-amd64-vyos/
In addition we do not abbreviate script options to make reading easier,
without call --help all the time.
Commit 368b89ef05 ("ddclient: T5797: Upgrade to ddclient 3.11.2") bumped the
ddclient version by using the build system from Debian SALSA repo and the
upstream ddclient source code.
Debian now provides the same version from the SALSA repos.
Build OFED drivers and userspace components against the kernel
source tree similar to Intel's NIC drivers.
OFED installers create Debian packages of their own tageting the
kernel version defined in the build invocation if DKMS is omitted.
Script builds with supporting components for VPP to permit handoff
of function to the underlying hardware as appropriate. Updating the
version is fairly trivial along with adding patching as needed to
handle kCFI and hardening measures as they are introduced.
Testing:
Tested against GCC-built Linux Hardened kernel with the various
additions from PR 132 - sustained line-rate testing against 4x100g
links on a single machine at a hair below 200g for each LACP pair.
