The shim review board (which is the secure boot base loader) recommends using
ephemeral keys when signing the Linux Kernel. This commit enables the Kernel
build system to generate a one-time ephemeral key that is used to:
* sign all build-in Kernel modules
* sign all other out-of-tree Kernel modules
The key lives in /tmp and is destroyed after the build container exits and is
named: "VyOS build time autogenerated kernel key".
In addition the Kernel now uses CONFIG_MODULE_SIG_FORCE. This now makes it
unable to load any Kernel Module to the image that is NOT signed by the
ephemeral key.
This adds support for UEFI Secure Boot. It adds the missing pieces to the Linux
Kernel and enforces module signing. This results in an additional security
layer where untrusted (unsigned) Kernel modules can no longer be loaded into
the live system.
NOTE: This commit will not work unless signing keys are present. Arbitrary
keys can be generated using instructions found in:
data/live-build-config/includes.chroot/var/lib/shim-signed/mok/README.md
In the past the CLI based smoketest was always executed under an else branch in
the testcase if-statement. Instead of using negative logic move all testcases
to positive logic adding an empty "catch all" else path.
When moving to UEFI and secure-boot it's better to just reboot the system
for Machine Owner Key installation, then powercycling the machine.
This commit will use `reboot now` over `poweroff` after base system installation
and boot into installed image for smoketest handling.
Add build scripts for .deb packages without Jenkins.
To exclude Jenkins we need some place where we can put new builds-scripts
to run in parallel (old/new) during meantime
We will deprecate old Jenkins package builds in the future.
As we got rid of most of the old vyatta packages we can now also discontinue
vyos-world. It only served the purpose of keeping the package list during ISO
build small.
Moved defaults away from argparser to `defaults.py`. This unlocks the ability to
pass values that can be defined as command line arguments via a config file.
With this change logic looks like this (in order of overrides).
Pre-build config:
`data/defaults.toml` -> `build-flavors/<flavor>.toml` ->
`--<command line argument>`
Build config:
`defaults.py` -> `data/defaults.toml` -> `build-types/<type>.toml` ->
`architectures/<architecture>.toml` -> `build-flavors/<flavor>.toml` ->
`--<command line argument>`
Added two new options:
- `image_ext`. Can be used if the file extension needs to be different than
the image format
- `image_opts`. Required if a target format needs extra options.
