Archived in favor of https://github.com/NOTvyos/vyos-build (mirror of https://github.com/dd010101/vyos-build.git) https://git.amelek.net/dd010101/vyos-build.git/atom?h=current 2024-11-13T21:08:04+00:00 2024-11-13T21:08:04+00:00 John Estabrook jestabro@vyos.io 2024-11-13T20:27:55+00:00 urn:sha1:2416f963adb4ff8dadbbc734e7ade07ff093cb53 Revert "T1416: remove deprecated default-union-grub-entry" This reverts commit d50707bb295dbd4bc50e3d0301fc8be605448429. The file grub/default-union-grub-entry and its companion install-image/postinst are needed for 'compatibility-mode' upgrades: when upgrading from a system with legacy image-tools, those two files are expected to exist in the mounted image of the target iso. 2024-10-24T22:07:11+00:00 sarthurdev 965089+sarthurdev@users.noreply.github.com 2024-10-24T21:18:45+00:00 urn:sha1:61d3585f19045424684ff5ccc978f810264ea8c1 2024-10-17T10:13:35+00:00 Daniil Baturin daniil@baturin.org 2024-10-17T10:13:35+00:00 urn:sha1:bf2e6afc49ca43c5ba81f79787e8d866517263ca 2024-09-25T18:24:21+00:00 Christian Breunig christian@breunig.cc 2024-09-25T18:24:21+00:00 urn:sha1:d235b31a095f9b8fdb2d5c231935c8b4b4c3da6c The shim review board (which is the secure boot base loader) recommends using ephemeral keys when signing the Linux Kernel. This commit enables the Kernel build system to generate a one-time ephemeral key that is used to: * sign all build-in Kernel modules * sign all other out-of-tree Kernel modules The key lives in /tmp and is destroyed after the build container exits and is named: "VyOS build time autogenerated kernel key". In addition the Kernel now uses CONFIG_MODULE_SIG_FORCE. This now makes it unable to load any Kernel Module to the image that is NOT signed by the ephemeral key. 2024-09-22T07:31:31+00:00 Christian Breunig christian@breunig.cc 2024-09-20T20:51:39+00:00 urn:sha1:53bd06d17be1d5c66f75b4546f006a6ed1b4675c As the VyOS Linux Kernel will be compiled with CONFIG_MODULE_SIG_FORCE all driver modules need to be cryptographically signed. This happens during build of the Kernel and it's 3rd party modules. Stripping the objects would remove said signature and the system will be unable to boot b/c of CONFIG_MODULE_SIG_FORCE. 2024-09-14T21:05:23+00:00 Christian Breunig christian@breunig.cc 2024-09-04T19:37:11+00:00 urn:sha1:fd737172f1068870fe1ededbe9b2ed4a86663acd This adds support for UEFI Secure Boot. It adds the missing pieces to the Linux Kernel and enforces module signing. This results in an additional security layer where untrusted (unsigned) Kernel modules can no longer be loaded into the live system. NOTE: This commit will not work unless signing keys are present. Arbitrary keys can be generated using instructions found in: data/live-build-config/includes.chroot/var/lib/shim-signed/mok/README.md 2024-09-05T05:13:08+00:00 Christian Breunig christian@breunig.cc 2024-09-04T18:44:01+00:00 urn:sha1:d50707bb295dbd4bc50e3d0301fc8be605448429 2024-07-23T06:03:07+00:00 Christian Breunig christian@breunig.cc 2024-07-22T20:01:45+00:00 urn:sha1:a9baaaba16124f847911eeceaff3dbf17f397aeb 2024-07-08T08:13:08+00:00 Christian Breunig christian@breunig.cc 2024-07-08T08:13:08+00:00 urn:sha1:0094dc2ecc4267542fb17c98f49f703fe549d1f6 As of Debian version 4.9.5+ds1-1 podman increased the dependency on libc6 and libgpgme11t64. podman : Depends: libc6 (>= 2.38) but 2.36-9+deb12u7 is to be installed Depends: libgpgme11t64 (>= 1.4.1) but it is not going to be installed Pin the version to a prior one that requires the old libc. 2024-06-30T05:33:00+00:00 Christian Breunig christian@breunig.cc 2024-06-30T05:30:10+00:00 urn:sha1:ff75b076812582f31a78aeb5d8af636ce74883dc