vyos-build.git/packages, branch ga-test

vyos-build.git/packages, branch ga-test VyOS image build scripts (mirror of https://github.com/vyos/vyos-build.git) https://git.amelek.net/vyos/vyos-build.git/atom?h=ga-test 2024-10-06T10:50:00+00:00 T6754: Ignore everyhting under packages folder via .gitignore 2024-10-06T10:50:00+00:00 Christian Breunig christian@breunig.cc 2024-10-06T10:50:00+00:00 urn:sha1:cf809b77502efa144baa965602ca3167422712c1 T6754: Delete Jenkins build packages 2024-10-02T08:02:51+00:00 Viacheslav Hletenko v.gletenko@vyos.io 2024-10-02T08:02:51+00:00 urn:sha1:2fed892f2746561207aa21a2660f4d8f3f79d24e T861: sign all Kernel modules with an ephemeral key 2024-09-25T18:24:21+00:00 Christian Breunig christian@breunig.cc 2024-09-25T18:24:21+00:00 urn:sha1:d235b31a095f9b8fdb2d5c231935c8b4b4c3da6c The shim review board (which is the secure boot base loader) recommends using ephemeral keys when signing the Linux Kernel. This commit enables the Kernel build system to generate a one-time ephemeral key that is used to: * sign all build-in Kernel modules * sign all other out-of-tree Kernel modules The key lives in /tmp and is destroyed after the build container exits and is named: "VyOS build time autogenerated kernel key". In addition the Kernel now uses CONFIG_MODULE_SIG_FORCE. This now makes it unable to load any Kernel Module to the image that is NOT signed by the ephemeral key. Kernel: T5887: disable various unused/not needed debug options 2024-09-22T07:31:31+00:00 Christian Breunig christian@breunig.cc 2024-09-21T19:01:31+00:00 urn:sha1:b2945a4753c90b30df1870df76ce8e9a894308bf ethtool: T6729: upgrade to 6.10 to make use of more --json options 2024-09-21T07:27:41+00:00 Christian Breunig christian@breunig.cc 2024-09-21T07:16:36+00:00 urn:sha1:9e7dd13f52ecedac56188c31ace917f8cf13c6c0 Same as T6078 but we now wan't to make use of ethtool --json eth0 to drop out own text based parsing of ethtool options in [1]. This is the base for moving to a better, machine readable interface 1: https://github.com/vyos/vyos-1x/blob/e47d4fd385631236da68/python/vyos/ethtool.py#L77-L105 Merge pull request #764 from c-po/secure-boot 2024-09-16T21:37:05+00:00 Christian Breunig christian@breunig.cc 2024-09-16T21:37:05+00:00 urn:sha1:be867edddc35ed5e8880c6de3a55e879dbf70524 Kernel: T861: use find over ls when probing for Kernel signing public keys Kernel: T861: use find over ls when probing for Kernel signing public keys 2024-09-16T19:09:41+00:00 Christian Breunig christian@breunig.cc 2024-09-16T19:09:41+00:00 urn:sha1:5aaf98f57c46ac1c57782fe54a3ab1d4a46ae3b3 Merge pull request #763 from c-po/secure-boot 2024-09-16T09:27:21+00:00 Viacheslav Hletenko v.gletenko@vyos.io 2024-09-16T09:27:21+00:00 urn:sha1:5255ad102a0df86ccc251c7a9bf51f798cb95bf8 T861: add UEFI Secure Boot support T861: add UEFI Secure Boot support 2024-09-14T21:05:23+00:00 Christian Breunig christian@breunig.cc 2024-09-04T19:37:11+00:00 urn:sha1:fd737172f1068870fe1ededbe9b2ed4a86663acd This adds support for UEFI Secure Boot. It adds the missing pieces to the Linux Kernel and enforces module signing. This results in an additional security layer where untrusted (unsigned) Kernel modules can no longer be loaded into the live system. NOTE: This commit will not work unless signing keys are present. Arbitrary keys can be generated using instructions found in: data/live-build-config/includes.chroot/var/lib/shim-signed/mok/README.md Kernel: T5887: cleanup Debian postinst files after package build 2024-09-14T18:58:44+00:00 Christian Breunig christian@breunig.cc 2024-09-14T18:58:27+00:00 urn:sha1:beb3df0733d8cf682291e19b0df0871da20ab5d4