The shim review board (which is the secure boot base loader) recommends using
ephemeral keys when signing the Linux Kernel. This commit enables the Kernel
build system to generate a one-time ephemeral key that is used to:
* sign all build-in Kernel modules
* sign all other out-of-tree Kernel modules
The key lives in /tmp and is destroyed after the build container exits and is
named: "VyOS build time autogenerated kernel key".
In addition the Kernel now uses CONFIG_MODULE_SIG_FORCE. This now makes it
unable to load any Kernel Module to the image that is NOT signed by the
ephemeral key.
The ixgbe driver did not support the 1000BASE-BX standard so for example FS.com
SFP-GE-BX 1310/1490nm 10km transceiver received an unsupported module error even
with allow_unsupported_sfp enabled.
To solve this problem I created a patch that was accepted by Linux upstream
(1b43e0d20f)
so starting from kernel 6.9 the ixgbe driver will have 1000BASE-BX support,
however VyOS uses the out of tree driver so it is necessary to backport the patch.
In-tree vs. Out-Of-Tree drivers differ in the way how unsupported transceivers
are defined (uint vs array of int) for the Kernel module parameters.
This results in:
kernel: ixgbe 0000:5e:00.0: failed to initialize because an unsupported SFP+ module type was detected.
kernel: ixgbe 0000:5e:00.0: Reload the driver after installing a supported module.
kernel: ixgbe 0000:5e:00.0: removed PHC on eth6
This patch always enables unsupported SFP+ modules as wo do anyway from
the userspace but only for the first port.
