mirror of
https://github.com/vyos/vyos-build.git
synced 2025-10-01 20:28:40 +02:00
fd737172f1
This adds support for UEFI Secure Boot. It adds the missing pieces to the Linux Kernel and enforces module signing. This results in an additional security layer where untrusted (unsigned) Kernel modules can no longer be loaded into the live system. NOTE: This commit will not work unless signing keys are present. Arbitrary keys can be generated using instructions found in: data/live-build-config/includes.chroot/var/lib/shim-signed/mok/README.md
77 lines
2.1 KiB
Bash
Executable File
77 lines
2.1 KiB
Bash
Executable File
#!/bin/sh
|
|
|
|
#
|
|
# Discard symbols and other data from object files.
|
|
#
|
|
# Reference:
|
|
# https://www.linuxfromscratch.org/lfs/view/systemd/chapter08/stripping.html
|
|
# https://www.debian.org/doc/debian-policy/ch-files.html
|
|
#
|
|
|
|
# Set variables.
|
|
STRIPCMD_REGULAR="strip --remove-section=.comment --remove-section=.note --preserve-dates"
|
|
STRIPCMD_DEBUG="strip --strip-debug --remove-section=.comment --remove-section=.note --preserve-dates"
|
|
STRIPCMD_UNNEEDED="strip --strip-unneeded --remove-section=.comment --remove-section=.note --preserve-dates"
|
|
STRIPDIR_REGULAR="
|
|
"
|
|
STRIPDIR_DEBUG="
|
|
/usr/lib/modules
|
|
"
|
|
STRIPDIR_UNNEEDED="
|
|
/etc/hsflowd/modules
|
|
/usr/bin
|
|
/usr/lib/openvpn
|
|
/usr/lib/x86_64-linux-gnu
|
|
/usr/lib32
|
|
/usr/lib64
|
|
/usr/libx32
|
|
/usr/sbin
|
|
"
|
|
STRIP_EXCLUDE=`dpkg-query -L libbinutils | grep '.so'`
|
|
|
|
# Perform stuff.
|
|
echo "Stripping symbols..."
|
|
|
|
# List excluded files.
|
|
echo "Exclude files: ${STRIP_EXCLUDE}"
|
|
|
|
# CMD: strip
|
|
for DIR in ${STRIPDIR_REGULAR}; do
|
|
echo "Parse dir (strip): ${DIR}"
|
|
find ${DIR} -type f -exec file {} \; | grep 'not stripped' | cut -d ":" -f 1 | while read FILE; do
|
|
echo "${STRIP_EXCLUDE}" | grep -F -q -w "${FILE}"
|
|
if [ $? -ne 0 ]; then
|
|
echo "Strip file (strip): ${FILE}"
|
|
${STRIPCMD_REGULAR} ${FILE}
|
|
fi
|
|
done
|
|
done
|
|
|
|
# CMD: strip --strip-debug
|
|
for DIR in ${STRIPDIR_DEBUG}; do
|
|
echo "Parse dir (strip-debug): ${DIR}"
|
|
find ${DIR} -type f -exec file {} \; | grep 'not stripped' | cut -d ":" -f 1 | while read FILE; do
|
|
echo "${STRIP_EXCLUDE}" | grep -F -q -w "${FILE}"
|
|
if [ $? -ne 0 ]; then
|
|
echo "Strip file (strip-debug): ${FILE}"
|
|
${STRIPCMD_DEBUG} ${FILE}
|
|
fi
|
|
done
|
|
done
|
|
|
|
# CMD: strip --strip-unneeded
|
|
for DIR in ${STRIPDIR_UNNEEDED}; do
|
|
echo "Parse dir (strip-unneeded: ${DIR}"
|
|
find ${DIR} -type f -exec file {} \; | grep 'not stripped' | cut -d ":" -f 1 | while read FILE; do
|
|
echo "${STRIP_EXCLUDE}" | grep -F -q -w "${FILE}"
|
|
if [ $? -ne 0 ]; then
|
|
echo "Strip file (strip-unneeded): ${FILE}"
|
|
${STRIPCMD_UNNEEDED} ${FILE}
|
|
fi
|
|
done
|
|
done
|
|
|
|
# Remove binutils package.
|
|
apt-get -y purge --autoremove binutils
|
|
|