d235b31a09
The shim review board (which is the secure boot base loader) recommends using ephemeral keys when signing the Linux Kernel. This commit enables the Kernel build system to generate a one-time ephemeral key that is used to: * sign all build-in Kernel modules * sign all other out-of-tree Kernel modules The key lives in /tmp and is destroyed after the build container exits and is named: "VyOS build time autogenerated kernel key". In addition the Kernel now uses CONFIG_MODULE_SIG_FORCE. This now makes it unable to load any Kernel Module to the image that is NOT signed by the ephemeral key.
About
VyOS runs on a custom Linux Kernel (which is 4.19) at the time of this writing. This repository holds a Jenkins Pipeline which is used to build the Custom Kernel (x86_64/amd64 at the moment) and all required out-of tree modules.
VyOS does not utilize the build in Intel Kernel drivers for its NICs as those Kernels sometimes lack features e.g. configurable receive-side-scaling queues. On the other hand we ship additional not mainlined features as WireGuard VPN.
Kernel
The Kernel is build from the vanilla repositories hosted at https://git.kernel.org. VyOS requires two additional patches to work which are stored in the patches/kernel folder.
Config
The Kernel configuration used is x86_64_vyos_defconfig
which will be copied on demand during the Pipeline run into the arch/x86/configsi
direcotry of the Kernel source tree.
Other configurations can be added in the future easily.
Modules
VyOS utilizes several Out-of-Tree modules (e.g. WireGuard, Accel-PPP and Intel network interface card drivers). Module source code is retrieved from the upstream repository and - when needed - patched so it can be build using this pipeline.
In the past VyOS maintainers had a fork of the Linux Kernel, WireGuard and Accel-PPP. This is fine but increases maintenance effort. By utilizing vanilla repositories upgrading to new versions is very easy - only the branch/commit/tag used when cloning the repository via Jenkinsfile needs to be adjusted.