<feed xmlns='http://www.w3.org/2005/Atom'>
<title>vyos-build.git/scripts/package-build/linux-kernel/sign-modules.sh, branch rolling</title>
<subtitle>VyOS image build scripts (mirror of https://github.com/vyos/vyos-build.git)
</subtitle>
<id>https://git.amelek.net/vyos/vyos-build.git/atom?h=rolling</id>
<link rel='self' href='https://git.amelek.net/vyos/vyos-build.git/atom?h=rolling'/>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-build.git/'/>
<updated>2024-09-25T18:24:21+00:00</updated>
<entry>
<title>T861: sign all Kernel modules with an ephemeral key</title>
<updated>2024-09-25T18:24:21+00:00</updated>
<author>
<name>Christian Breunig</name>
<email>christian@breunig.cc</email>
</author>
<published>2024-09-25T18:24:21+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-build.git/commit/?id=d235b31a095f9b8fdb2d5c231935c8b4b4c3da6c'/>
<id>urn:sha1:d235b31a095f9b8fdb2d5c231935c8b4b4c3da6c</id>
<content type='text'>
The shim review board (which is the secure boot base loader) recommends using
ephemeral keys when signing the Linux Kernel. This commit enables the Kernel
build system to generate a one-time ephemeral key that is used to:

* sign all build-in Kernel modules
* sign all other out-of-tree Kernel modules

The key lives in /tmp and is destroyed after the build container exits and is
named: "VyOS build time autogenerated kernel key".

In addition the Kernel now uses CONFIG_MODULE_SIG_FORCE. This now makes it
unable to load any Kernel Module to the image that is NOT signed by the
ephemeral key.
</content>
</entry>
</feed>
