The shim review board (which is the secure boot base loader) recommends using
ephemeral keys when signing the Linux Kernel. This commit enables the Kernel
build system to generate a one-time ephemeral key that is used to:
* sign all build-in Kernel modules
* sign all other out-of-tree Kernel modules
The key lives in /tmp and is destroyed after the build container exits and is
named: "VyOS build time autogenerated kernel key".
In addition the Kernel now uses CONFIG_MODULE_SIG_FORCE. This now makes it
unable to load any Kernel Module to the image that is NOT signed by the
ephemeral key.
As the VyOS Linux Kernel will be compiled with CONFIG_MODULE_SIG_FORCE all
driver modules need to be cryptographically signed. This happens during build
of the Kernel and it's 3rd party modules.
Stripping the objects would remove said signature and the system will be unable
to boot b/c of CONFIG_MODULE_SIG_FORCE.
This adds support for UEFI Secure Boot. It adds the missing pieces to the Linux
Kernel and enforces module signing. This results in an additional security
layer where untrusted (unsigned) Kernel modules can no longer be loaded into
the live system.
NOTE: This commit will not work unless signing keys are present. Arbitrary
keys can be generated using instructions found in:
data/live-build-config/includes.chroot/var/lib/shim-signed/mok/README.md
As of Debian version 4.9.5+ds1-1 podman increased the dependency on
libc6 and libgpgme11t64.
podman : Depends: libc6 (>= 2.38) but 2.36-9+deb12u7 is to be installed
Depends: libgpgme11t64 (>= 1.4.1) but it is not going to be installed
Pin the version to a prior one that requires the old libc.
As we got rid of most of the old vyatta packages we can now also discontinue
vyos-world. It only served the purpose of keeping the package list during ISO
build small.
Delete not existing units:
```
06:12:51 Failed to disable unit, unit logd.service does not exist.
06:12:51 Failed to disable unit, unit heartbeat.service does not exist.
```
With libpam-systemd >= 230-2, ssh-session-cleanup.service is no longer
necessary because when `UsePAM yes` in `/etc/ssh/sshd_config` (which is
the default), SSH sessions are cleaned up automatically when ssh-server
is shutdown or the system is rebooted.
Without this, GRUB will report a 'invalid magic' or 'missing UEFI
stub' error when loading kernels on arm64.
This change has no effect on x86-64 systems.
This is a roundup commit to 0be277647 ("T5511: Cleanup of unused directories
(and files) in order to shrink image-size") that dropy empty/commented out
live-build hook scripts.
