This adds support for UEFI Secure Boot. It adds the missing pieces to the Linux
Kernel and enforces module signing. This results in an additional security
layer where untrusted (unsigned) Kernel modules can no longer be loaded into
the live system.
NOTE: This commit will not work unless signing keys are present. Arbitrary
keys can be generated using instructions found in:
data/live-build-config/includes.chroot/var/lib/shim-signed/mok/README.md
All VyOS kernel modules must live in the appropriate module directory,
example: /lib/modules/6.6.41-amd64-vyos/
In addition we do not abbreviate script options to make reading easier,
without call --help all the time.
Build OFED drivers and userspace components against the kernel
source tree similar to Intel's NIC drivers.
OFED installers create Debian packages of their own tageting the
kernel version defined in the build invocation if DKMS is omitted.
Script builds with supporting components for VPP to permit handoff
of function to the underlying hardware as appropriate. Updating the
version is fairly trivial along with adding patching as needed to
handle kCFI and hardening measures as they are introduced.
Testing:
Tested against GCC-built Linux Hardened kernel with the various
additions from PR 132 - sustained line-rate testing against 4x100g
links on a single machine at a hair below 200g for each LACP pair.
The ixgbe driver did not support the 1000BASE-BX standard so for example FS.com
SFP-GE-BX 1310/1490nm 10km transceiver received an unsupported module error even
with allow_unsupported_sfp enabled.
To solve this problem I created a patch that was accepted by Linux upstream
(1b43e0d20f)
so starting from kernel 6.9 the ixgbe driver will have 1000BASE-BX support,
however VyOS uses the out of tree driver so it is necessary to backport the patch.
In-tree vs. Out-Of-Tree drivers differ in the way how unsupported transceivers
are defined (uint vs array of int) for the Kernel module parameters.
This results in:
kernel: ixgbe 0000:5e:00.0: failed to initialize because an unsupported SFP+ module type was detected.
kernel: ixgbe 0000:5e:00.0: Reload the driver after installing a supported module.
kernel: ixgbe 0000:5e:00.0: removed PHC on eth6
This patch always enables unsupported SFP+ modules as wo do anyway from
the userspace but only for the first port.
