Diffstat (limited to 'data')
-rw-r--r-- | data/architectures/amd64.toml | 15 | ||||
-rw-r--r-- | data/architectures/arm64.toml | 12 | ||||
-rw-r--r-- | data/architectures/armhf.toml | 2 | ||||
-rw-r--r-- | data/defaults.toml | 4 | ||||
-rw-r--r-- | data/live-build-config/archives/zabbix-official-repo.key.chroot | bin | 0 -> 1183 bytes | |||
-rwxr-xr-x | data/live-build-config/hooks/live/01-live-serial.binary | 8 | ||||
-rwxr-xr-x | data/live-build-config/hooks/live/19-kernel_symlinks.chroot | 5 | ||||
-rwxr-xr-x | data/live-build-config/hooks/live/92-strip-symbols.chroot | 1 | ||||
-rwxr-xr-x | data/live-build-config/hooks/live/93-sb-sign-kernel.chroot | 22 | ||||
-rwxr-xr-x | data/live-build-config/hooks/live/93-sign-kernel.chroot | 18 | ||||
-rw-r--r-- | data/live-build-config/includes.chroot/opt/vyatta/etc/grub/default-union-grub-entry | 20 | ||||
-rw-r--r-- | data/live-build-config/includes.chroot/var/lib/shim-signed/mok/README.md | 13 |
12 files changed, 71 insertions, 49 deletions
diff --git a/data/architectures/amd64.toml b/data/architectures/amd64.toml index e85b4158..9ab1c03b 100644 --- a/data/architectures/amd64.toml +++ b/data/architectures/amd64.toml @@ -1,15 +1,18 @@ -additional_repositories = [ - "deb [arch=amd64] https://repo.saltproject.io/py3/debian/11/amd64/3005 bullseye main" -] - # Packages added to images for x86 by default packages = [ "grub2", "grub-pc", + "vyos-drivers-realtek-r8152", "vyos-linux-firmware", "vyos-intel-qat", "vyos-intel-ixgbe", "vyos-intel-ixgbevf", - "mlnx-ofed-kernel-modules", - "mlnx-tools", ] + +[additional_repositories.salt] + architecture = "amd64" + url = "https://packages.vyos.net/saltproject/debian/11/amd64/3005" + distribution = "bullseye" + +[additional_repositories.zabbix] + url = "https://repo.zabbix.com/zabbix/6.0/debian" diff --git a/data/architectures/arm64.toml b/data/architectures/arm64.toml index 228d0f3f..ebf14ef4 100644 --- a/data/architectures/arm64.toml +++ b/data/architectures/arm64.toml @@ -1,9 +1,13 @@ -additional_repositories = [ - "deb [arch=arm64] https://repo.saltproject.io/py3/debian/11/arm64/3005 bullseye main" -] - # Packages included in ARM64 images by default packages = [ "grub-efi-arm64", ] bootloaders = "grub-efi" + +[additional_repositories.salt] + architecture = "arm64" + url = "https://packages.vyos.net/saltproject/debian/11/amd64/3005" + distribution = "bullseye" + +[additional_repositories.zabbix] + url = "https://repo.zabbix.com/zabbix/6.0/debian-arm64" diff --git a/data/architectures/armhf.toml b/data/architectures/armhf.toml index de5e62f4..8cf2d763 100644 --- a/data/architectures/armhf.toml +++ b/data/architectures/armhf.toml @@ -1,5 +1,5 @@ additional_repositories = [ - "deb [arch=armhf] https://repo.saltproject.io/py3/debian/11/armhf/3005 bullseye main" + "deb [arch=armhf] https://packages.vyos.net/saltproject/debian/11/arm64/3005 bullseye main" ] # Packages included in armhf images by default 
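Review bot: The new `[additional_repositories.zabbix]` table in amd64.toml sets only `url`, while the `salt` table directly above it also sets `architecture` and `distribution`; unless the build tooling fills those in from defaults (not visible here), the zabbix entry is incomplete and the generated apt source will have no suite. The same shape is repeated in the arm64.toml hunk. Neither new table refers to a signing key, even though the commit adds `archives/zabbix-official-repo.key.chroot` for zabbix and moves salt to a different host; if the loader does not bind keys to tables by name, apt will refuse the repositories at build time, so that mapping is worth confirming. If a suite is required, adding it explicitly, e.g. `distribution = "bullseye"` with whatever suite the zabbix repo actually publishes, keeps the two tables symmetric.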
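Review bot: In the arm64.toml hunk the salt table declares `architecture = "arm64"` but its `url` still ends in `.../debian/11/amd64/3005`, the amd64 path; the armhf hunk likewise pairs `[arch=armhf]` with an `.../arm64/3005` path. If packages.vyos.net publishes one pool for every architecture this is harmless, but as written the arm64 and armhf builds fetch from paths named after a different architecture. The intent should be confirmed and, if per-architecture paths exist, the arm64 line changed to `url = "https://packages.vyos.net/saltproject/debian/11/arm64/3005"` and the armhf line to the `/armhf/3005` path.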
diff --git a/data/defaults.toml b/data/defaults.toml index efe6399f..b97a2de8 100644 --- a/data/defaults.toml +++ b/data/defaults.toml @@ -9,12 +9,12 @@ debian_security_mirror = "http://deb.debian.org/debian-security" debian_archive_areas = "main contrib non-free non-free-firmware" -vyos_mirror = "https://rolling-packages.vyos.net/current" +vyos_mirror = "https://packages.vyos.net/repositories/current" vyos_branch = "current" release_train = "current" -kernel_version = "6.6.51" +kernel_version = "6.6.62" kernel_flavor = "vyos" bootloaders = "syslinux,grub-efi" diff --git a/data/live-build-config/archives/zabbix-official-repo.key.chroot b/data/live-build-config/archives/zabbix-official-repo.key.chroot Binary files differnew file mode 100644 index 00000000..660c453a --- /dev/null +++ b/data/live-build-config/archives/zabbix-official-repo.key.chroot diff --git a/data/live-build-config/hooks/live/01-live-serial.binary b/data/live-build-config/hooks/live/01-live-serial.binary index e138b20d..05785da7 100755 --- a/data/live-build-config/hooks/live/01-live-serial.binary +++ b/data/live-build-config/hooks/live/01-live-serial.binary 
@@ -10,22 +10,22 @@ SERIAL_CONSOLE="console=tty0 console=ttyS0,115200" GRUB_MENUENTRY=$(sed -e '/menuentry.*hotkey.*/,/^}/!d' -e 's/--hotkey=l//g' $GRUB_PATH) # Update KVM menuentry name -sed -i 's/"Live system \((.*-vyos)\)"/"Live system \1 - KVM console"/' $GRUB_PATH +sed -i 's/"Live system \((.*vyos)\)"/"Live system \1 - KVM console"/' $GRUB_PATH # Insert serial menuentry echo "$GRUB_MENUENTRY" | sed \ - -e 's/"Live system \((.*-vyos)\)"/"Live system \1 - Serial console"/' \ + -e 's/"Live system \((.*vyos)\)"/"Live system \1 - Serial console"/' \ -e "s/$KVM_CONSOLE/$SERIAL_CONSOLE/g" >> $GRUB_PATH # Live.cfg Update ISOLINUX_MENUENTRY=$(sed -e '/label live-\(.*\)-vyos$/,/^\tappend.*/!d' $ISOLINUX_PATH) # Update KVM menuentry name -sed -i 's/Live system \((.*-vyos)\)/Live system \1 - KVM console/' $ISOLINUX_PATH +sed -i 's/Live system \((.*vyos)\)/Live system \1 - KVM console/' $ISOLINUX_PATH # Insert serial menuentry echo "\n$ISOLINUX_MENUENTRY" | sed \ -e 's/live-\(.*\)-vyos/live-\1-vyos-serial/' \ -e '/^\tmenu default/d' \ - -e 's/Live system \((.*-vyos)\)/Live system \1 - Serial console/' \ + -e 's/Live system \((.*vyos)\)/Live system \1 - Serial console/' \ -e "s/$KVM_CONSOLE/$SERIAL_CONSOLE/g" >> $ISOLINUX_PATH diff --git a/data/live-build-config/hooks/live/19-kernel_symlinks.chroot b/data/live-build-config/hooks/live/19-kernel_symlinks.chroot index e63ca263..a7e95e0e 100755 --- a/data/live-build-config/hooks/live/19-kernel_symlinks.chroot +++ b/data/live-build-config/hooks/live/19-kernel_symlinks.chroot @@ -1,6 +1,9 @@ #!/bin/sh -echo I: Creating kernel symlinks. +echo I: Creating Linux Kernel symbolic links cd /boot ln -s initrd.img-* initrd.img ln -s vmlinuz-* vmlinuz + +echo I: Remove Linux Kernel symbolic link to source folder +rm -rf /lib/modules/*/build diff --git a/data/live-build-config/hooks/live/92-strip-symbols.chroot b/data/live-build-config/hooks/live/92-strip-symbols.chroot index 704f9cb3..f44cb01d 100755 
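Review bot: The four changed rename patterns now match `\((.*vyos)\)` without the leading hyphen, but the two label patterns left as context, `/label live-\(.*\)-vyos$/` in the `ISOLINUX_MENUENTRY` extraction and `s/live-\(.*\)-vyos/live-\1-vyos-serial/`, still require `-vyos`; if the loosening was needed because the image name no longer ends in `-vyos`, the isolinux extraction comes back empty and only a bare newline is appended to the config. Those two lines should be loosened the same way, or the hook should stop when nothing was extracted, `[ -n "$GRUB_MENUENTRY" ] && [ -n "$ISOLINUX_MENUENTRY" ] || exit 1`. `$GRUB_PATH` and `$ISOLINUX_PATH` are expanded unquoted on the changed `sed -i` lines, and `echo "\n$ISOLINUX_MENUENTRY"` depends on the shell's echo interpreting `\n`, which bash's does not; `printf '\n%s\n' "$ISOLINUX_MENUENTRY"` behaves the same everywhere. The variable assignments at the top of the file are outside the hunk.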
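Review bot: The added `rm -rf /lib/modules/*/build` is broader than the message beside it says: if `build` is a real directory in some module tree it is deleted recursively, and an unmatched glob under `/bin/sh` is passed to rm literally. Restricting the removal to symbolic links does exactly what the message describes, `find /lib/modules -mindepth 2 -maxdepth 2 -name build -type l -exec rm -f -- {} +`; since this also removes what out-of-tree module builds on the target would look for, a short comment stating that this is intended would save a later reader from restoring it. The pre-existing `cd /boot` has no failure check, so the two `ln -s` calls would run in the hook's starting directory if `/boot` were missing; `cd /boot || exit 1` is the usual guard.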
--- a/data/live-build-config/hooks/live/92-strip-symbols.chroot +++ b/data/live-build-config/hooks/live/92-strip-symbols.chroot @@ -15,7 +15,6 @@ STRIPCMD_UNNEEDED="strip --strip-unneeded --remove-section=.comment --remove-sec STRIPDIR_REGULAR=" " STRIPDIR_DEBUG=" -/usr/lib/modules " STRIPDIR_UNNEEDED=" /etc/hsflowd/modules diff --git a/data/live-build-config/hooks/live/93-sb-sign-kernel.chroot b/data/live-build-config/hooks/live/93-sb-sign-kernel.chroot new file mode 100755 index 00000000..1dc03186 --- /dev/null +++ b/data/live-build-config/hooks/live/93-sb-sign-kernel.chroot @@ -0,0 +1,22 @@ +#!/bin/sh +SIGN_FILE=$(find /usr/lib -name sign-file) +MOK_KEY="/var/lib/shim-signed/mok/MOK.key" +MOK_CERT="/var/lib/shim-signed/mok/MOK.pem" +VMLINUZ=$(readlink /boot/vmlinuz) + +# All Linux Kernel modules need to be cryptographically signed +find /lib/modules -type f -name \*.ko | while read MODULE; do + modinfo ${MODULE} | grep -q "signer:" + if [ $? != 0 ]; then + echo "E: Module ${MODULE} is not signed!" + read -n 1 -s -r -p "Press any key to continue" + fi +done + +if [ ! -f ${MOK_KEY} ]; then + echo "I: Signing key for Linux Kernel not found - Secure Boot not possible" +else + echo "I: Signing Linux Kernel for Secure Boot" + sbsign --key ${MOK_KEY} --cert ${MOK_CERT} /boot/${VMLINUZ} --output /boot/${VMLINUZ} + sbverify --list /boot/${VMLINUZ} +fi diff --git a/data/live-build-config/hooks/live/93-sign-kernel.chroot b/data/live-build-config/hooks/live/93-sign-kernel.chroot deleted file mode 100755 index 031db10d..00000000 --- a/data/live-build-config/hooks/live/93-sign-kernel.chroot +++ /dev/null 
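Review bot: Dropping `/usr/lib/modules` from `STRIPDIR_DEBUG` is not explained in the file, and the reason is easy to miss for someone who later adds it back: the new `93-sb-sign-kernel.chroot` hook requires every `.ko` to already carry a signature, and stripping rewrites the ELF file, which in general invalidates that signature. A one-line comment above the assignment would prevent the regression, e.g. `# /usr/lib/modules is deliberately not stripped: modules ship signed and stripping would break the signature check in 93-sb-sign-kernel.chroot`. The surrounding `STRIPCMD_*`/`STRIPDIR_*` assignments begin before the hunk.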
@@ -1,18 +0,0 @@ -#!/bin/sh -SIGN_FILE=$(find /usr/lib -name sign-file) -MOK_KEY="/var/lib/shim-signed/mok/kernel.key" -MOK_CERT="/var/lib/shim-signed/mok/kernel.pem" -kernel_elf=$(readlink /boot/vmlinuz) - -if [ ! -f ${MOK_KEY} ]; then - echo "I: Signing key for Linux Kernel not found - Secure Boot not possible" -else - echo "I: Signing Linux Kernel for Secure Boot" - - sbsign --key $MOK_KEY --cert $MOK_CERT /boot/${kernel_elf} --output /boot/${kernel_elf} - sbverify --list /boot/${kernel_elf} - - find /lib/modules -type f -name \*.ko -o -name \*.ko.xz | while read module; do - $SIGN_FILE sha512 $MOK_KEY $MOK_CERT $module - done -fi diff --git a/data/live-build-config/includes.chroot/opt/vyatta/etc/grub/default-union-grub-entry b/data/live-build-config/includes.chroot/opt/vyatta/etc/grub/default-union-grub-entry new file mode 100644 index 00000000..49f4afc4 --- /dev/null +++ b/data/live-build-config/includes.chroot/opt/vyatta/etc/grub/default-union-grub-entry 
@@ -0,0 +1,20 @@ +menuentry "VyOS (KVM console)" { + linux /boot//vmlinuz boot=live quiet rootdelay=5 noautologin net.ifnames=0 biosdevname=0 udev.exec_delay=3 vyos-union=/boot/ console=ttyS0,115200 console=tty0 + initrd /boot//initrd.img +} + +menuentry "VyOS (Serial console)" { + linux /boot//vmlinuz boot=live quiet rootdelay=5 noautologin net.ifnames=0 biosdevname=0 udev.exec_delay=3 vyos-union=/boot/ console=tty0 console=ttyS0,115200 + initrd /boot//initrd.img +} + +menuentry "Lost password change (KVM console)" { + linux /boot//vmlinuz boot=live quiet rootdelay=5 noautologin net.ifnames=0 biosdevname=0 udev.exec_delay=3 vyos-union=/boot/ console=ttyS0,115200 console=tty0 init=/opt/vyatta/sbin/standalone_root_pw_reset + initrd /boot//initrd.img +} + +menuentry "Lost password change (Serial console)" { + linux /boot//vmlinuz boot=live quiet rootdelay=5 noautologin net.ifnames=0 biosdevname=0 udev.exec_delay=3 vyos-union=/boot/ console=tty0 console=ttyS0,115200 init=/opt/vyatta/sbin/standalone_root_pw_reset + initrd /boot//initrd.img +} + diff --git a/data/live-build-config/includes.chroot/var/lib/shim-signed/mok/README.md b/data/live-build-config/includes.chroot/var/lib/shim-signed/mok/README.md index 5a6edbba..abaaa97a 100644 --- a/data/live-build-config/includes.chroot/var/lib/shim-signed/mok/README.md +++ b/data/live-build-config/includes.chroot/var/lib/shim-signed/mok/README.md 
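Review bot: The two `Lost password change` entries boot with `init=/opt/vyatta/sbin/standalone_root_pw_reset` from the same menu as the regular entries, so anyone who reaches the console at boot can select them; that is the intended recovery path, but if a GRUB superuser/password is configured elsewhere in the image (not visible here) these are the entries that should stay restricted, with only the two `VyOS` entries marked `--unrestricted`. Every `linux`/`initrd` line also carries a doubled slash, `/boot//vmlinuz` and `/boot//initrd.img`; GRUB tolerates it, but if it comes from joining `/boot/` with `/vmlinuz` in a template, normalising to `/boot/vmlinuz` avoids a confusing path in boot logs. A one-line header comment saying where this file is consumed and why `vyos-union=/boot/` is fixed would help a reader placing it.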
@@ -6,17 +6,6 @@ Create Certificate Authority used for Kernel signing. CA is loaded into the Machine Owner Key store on the target system. ```bash -openssl req -new -x509 -newkey rsa:2048 -keyout MOK.key -outform DER -out MOK.der -days 36500 -subj "/CN=VyOS Secure Boot CA/" -nodes +openssl req -new -x509 -newkey rsa:4096 -keyout MOK.key -outform DER -out MOK.der -days 36500 -subj "/CN=VyOS Secure Boot CA/" -nodes openssl x509 -inform der -in MOK.der -out MOK.pem ``` - -## Kernel Module Signing Key - -We do not make use of ephemeral keys for Kernel module signing. Instead a key -is generated and signed by the VyOS Secure Boot CA which signs all the Kernel -modules during ISO assembly if present. - -```bash -openssl req -newkey rsa:2048 -keyout kernel.key -out kernel.csr -subj "/CN=VyOS Secure Boot Signer 2024 - linux/" -nodes -openssl x509 -req -in kernel.csr -CA MOK.pem -CAkey MOK.key -CAcreateserial -out kernel.pem -days 730 -sha256 -``` |