authorViacheslav Hletenko <v.gletenko@vyos.io>2024-09-16 12:27:21 +0300
committerGitHub <noreply@github.com>2024-09-16 12:27:21 +0300
commit5255ad102a0df86ccc251c7a9bf51f798cb95bf8 (patch)
tree475fbba07feb4f9b1b8b0d953eb7abd4940f1da6
parent300674c1444d361e31e9a5d3a05bd4e6cd409f17 (diff)
parent928c1f505b95bb4b693b9e8eac5c73185d67515f (diff)
Merge pull request #763 from c-po/secure-boot
T861: add UEFI Secure Boot support
-rw-r--r--.gitignore8
-rw-r--r--Makefile11
-rw-r--r--data/architectures/amd64.toml2
-rw-r--r--data/architectures/arm64.toml2
-rw-r--r--data/defaults.toml3
-rwxr-xr-xdata/live-build-config/hooks/live/92-strip-symbols.chroot (renamed from data/live-build-config/hooks/live/99-strip-symbols.chroot)0
-rwxr-xr-xdata/live-build-config/hooks/live/93-sign-kernel.chroot18
-rw-r--r--data/live-build-config/includes.chroot/var/lib/shim-signed/mok/README.md22
-rw-r--r--docker/Dockerfile5
-rw-r--r--packages/linux-kernel/Jenkinsfile2
-rw-r--r--packages/linux-kernel/arch/x86/configs/vyos_defconfig42
-rwxr-xr-xpackages/linux-kernel/build-intel-ixgbe.sh3
-rwxr-xr-xpackages/linux-kernel/build-intel-ixgbevf.sh4
-rwxr-xr-xpackages/linux-kernel/build-intel-qat.sh3
-rwxr-xr-xpackages/linux-kernel/build-jool.py3
-rwxr-xr-xpackages/linux-kernel/build-kernel.sh25
-rwxr-xr-xpackages/linux-kernel/build-mellanox-ofed.sh68
-rwxr-xr-xpackages/linux-kernel/build-nat-rtsp.sh4
-rwxr-xr-xscripts/check-qemu-install235
-rwxr-xr-xscripts/image-build/build-vyos-image2
20 files changed, 339 insertions, 123 deletions
diff --git a/.gitignore b/.gitignore
index 23101b27..e3724a9f 100644
--- a/.gitignore
+++ b/.gitignore
@@ -5,6 +5,8 @@ packer_cache/*
key/*
packages/*
!packages/*/
-testinstall*.img
-*.qcow2
-*.tar
+data/live-build-config/includes.chroot/var/lib/shim-signed/mok/*
+/testinstall*.img
+/testinstall*.efivars
+/*.qcow2
+/*.tar
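Review bot: The new `data/live-build-config/includes.chroot/var/lib/shim-signed/mok/*` pattern also covers the `README.md` this commit adds under that directory, so any further file placed there for versioning (more docs, a `.gitkeep`) needs `git add -f`, and the README itself was presumably committed that way. Keeping the private `kernel.key` and `MOK.key` out of the repository is the right goal; a negation keeps the documentation normally tracked: `!data/live-build-config/includes.chroot/var/lib/shim-signed/mok/README.md`.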
diff --git a/Makefile b/Makefile
index 6d0f0d47..2ff776c0 100644
--- a/Makefile
+++ b/Makefile
@@ -21,12 +21,12 @@ checkiso:
.PHONY: test
.ONESHELL:
test: checkiso
- scripts/check-qemu-install --debug --configd --match="$(MATCH)" --uefi build/live-image-amd64.hybrid.iso
+ scripts/check-qemu-install --debug --configd --match="$(MATCH)" --smoketest --uefi build/live-image-amd64.hybrid.iso $(filter-out $@,$(MAKECMDGOALS))
.PHONY: test-no-interfaces
.ONESHELL:
test-no-interfaces: checkiso
- scripts/check-qemu-install --debug --configd --match="$(MATCH)" --uefi --no-interfaces build/live-image-amd64.hybrid.iso
+ scripts/check-qemu-install --debug --configd --match="$(MATCH)" --smoketest --uefi --no-interfaces build/live-image-amd64.hybrid.iso
.PHONY: testc
.ONESHELL:
@@ -36,7 +36,12 @@ testc: checkiso
.PHONY: testraid
.ONESHELL:
testraid: checkiso
- scripts/check-qemu-install --debug --configd --raid --configtest build/live-image-amd64.hybrid.iso $(filter-out $@,$(MAKECMDGOALS))
+ scripts/check-qemu-install --debug --configd --raid build/live-image-amd64.hybrid.iso $(filter-out $@,$(MAKECMDGOALS))
+
+.PHONY: testsb
+.ONESHELL:
+testsb: checkiso
+ scripts/check-qemu-install --debug --uefi --sbtest build/live-image-amd64.hybrid.iso $(filter-out $@,$(MAKECMDGOALS))
.PHONY: testtpm
.ONESHELL:
diff --git a/data/architectures/amd64.toml b/data/architectures/amd64.toml
index 44a203a2..e85b4158 100644
--- a/data/architectures/amd64.toml
+++ b/data/architectures/amd64.toml
@@ -2,8 +2,6 @@ additional_repositories = [
"deb [arch=amd64] https://repo.saltproject.io/py3/debian/11/amd64/3005 bullseye main"
]
-kernel_flavor = "amd64-vyos"
-
# Packages added to images for x86 by default
packages = [
"grub2",
diff --git a/data/architectures/arm64.toml b/data/architectures/arm64.toml
index 22f1fd10..228d0f3f 100644
--- a/data/architectures/arm64.toml
+++ b/data/architectures/arm64.toml
@@ -2,8 +2,6 @@ additional_repositories = [
"deb [arch=arm64] https://repo.saltproject.io/py3/debian/11/arm64/3005 bullseye main"
]
-kernel_flavor = "arm64-vyos"
-
# Packages included in ARM64 images by default
packages = [
"grub-efi-arm64",
diff --git a/data/defaults.toml b/data/defaults.toml
index e6654c43..efe6399f 100644
--- a/data/defaults.toml
+++ b/data/defaults.toml
@@ -14,7 +14,8 @@ vyos_mirror = "https://rolling-packages.vyos.net/current"
vyos_branch = "current"
release_train = "current"
-kernel_version = "6.6.49"
+kernel_version = "6.6.51"
+kernel_flavor = "vyos"
bootloaders = "syslinux,grub-efi"
squashfs_compression_type = "xz -Xbcj x86 -b 256k -always-use-fragments -no-recovery"
diff --git a/data/live-build-config/hooks/live/99-strip-symbols.chroot b/data/live-build-config/hooks/live/92-strip-symbols.chroot
index 704f9cb3..704f9cb3 100755
--- a/data/live-build-config/hooks/live/99-strip-symbols.chroot
+++ b/data/live-build-config/hooks/live/92-strip-symbols.chroot
diff --git a/data/live-build-config/hooks/live/93-sign-kernel.chroot b/data/live-build-config/hooks/live/93-sign-kernel.chroot
new file mode 100755
index 00000000..031db10d
--- /dev/null
+++ b/data/live-build-config/hooks/live/93-sign-kernel.chroot
@@ -0,0 +1,18 @@
+#!/bin/sh
+SIGN_FILE=$(find /usr/lib -name sign-file)
+MOK_KEY="/var/lib/shim-signed/mok/kernel.key"
+MOK_CERT="/var/lib/shim-signed/mok/kernel.pem"
+kernel_elf=$(readlink /boot/vmlinuz)
+
+if [ ! -f ${MOK_KEY} ]; then
+ echo "I: Signing key for Linux Kernel not found - Secure Boot not possible"
+else
+ echo "I: Signing Linux Kernel for Secure Boot"
+
+ sbsign --key $MOK_KEY --cert $MOK_CERT /boot/${kernel_elf} --output /boot/${kernel_elf}
+ sbverify --list /boot/${kernel_elf}
+
+ find /lib/modules -type f -name \*.ko -o -name \*.ko.xz | while read module; do
+ $SIGN_FILE sha512 $MOK_KEY $MOK_CERT $module
+ done
+fi
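Review bot: Signing failures are silent here: the hook has no `set -e`, and neither the `sbsign --key $MOK_KEY …` line, `sbverify --list`, nor the `$SIGN_FILE` call has its exit status checked, so a broken key, a missing sbsign binary or a `find` that returns more than one `sign-file` path leaves an unsigned kernel or unsigned modules in the ISO while the build still reports success. With the kernel built with `CONFIG_MODULE_SIG_FORCE=y` (build-kernel.sh in this same commit) such an image would refuse to load every module. Adding `set -e` after the shebang and quoting the paths, `sbsign --key "$MOK_KEY" --cert "$MOK_CERT" "/boot/${kernel_elf}" --output "/boot/${kernel_elf}"` and `while read -r module; do "$SIGN_FILE" sha512 "$MOK_KEY" "$MOK_CERT" "$module"`, turns those cases into a failed build. The `find` expression also needs grouping, `\( -name '*.ko' -o -name '*.ko.xz' \)`, because `-o` binds looser than the implicit `-a`, so `-type f` currently applies only to the first alternative.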
diff --git a/data/live-build-config/includes.chroot/var/lib/shim-signed/mok/README.md b/data/live-build-config/includes.chroot/var/lib/shim-signed/mok/README.md
new file mode 100644
index 00000000..5a6edbba
--- /dev/null
+++ b/data/live-build-config/includes.chroot/var/lib/shim-signed/mok/README.md
@@ -0,0 +1,22 @@
+# Secure Boot
+
+## CA
+
+Create Certificate Authority used for Kernel signing. CA is loaded into the
+Machine Owner Key store on the target system.
+
+```bash
+openssl req -new -x509 -newkey rsa:2048 -keyout MOK.key -outform DER -out MOK.der -days 36500 -subj "/CN=VyOS Secure Boot CA/" -nodes
+openssl x509 -inform der -in MOK.der -out MOK.pem
+```
+
+## Kernel Module Signing Key
+
+We do not make use of ephemeral keys for Kernel module signing. Instead a key
+is generated and signed by the VyOS Secure Boot CA which signs all the Kernel
+modules during ISO assembly if present.
+
+```bash
+openssl req -newkey rsa:2048 -keyout kernel.key -out kernel.csr -subj "/CN=VyOS Secure Boot Signer 2024 - linux/" -nodes
+openssl x509 -req -in kernel.csr -CA MOK.pem -CAkey MOK.key -CAcreateserial -out kernel.pem -days 730 -sha256
+```
diff --git a/docker/Dockerfile b/docker/Dockerfile
index 40b2067d..5cc8744e 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -372,6 +372,11 @@ RUN sed "s/^%sudo.*/%sudo\tALL=(ALL) NOPASSWD:ALL/g" -i /etc/sudoers && \
RUN echo "$(opam env --root=/opt/opam --set-root)" >> /etc/skel/.bashrc && \
echo "export PATH=/opt/go/bin:\$PATH" >> /etc/skel/.bashrc
+# Rise upper limit for UID when working in an Active Direcotry integrated
+# environment. This solves the warning: vyos_bld's uid 1632000007 outside of the
+# UID_MIN 1000 and UID_MAX 60000 range.
+RUN sed -i 's/UID_MAX\t\t\t60000/UID_MAX\t\t\t2000000000/g' /etc/login.defs
+
# Cleanup
RUN rm -rf /tmp/*
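Review bot: The `RUN sed -i 's/UID_MAX\t\t\t60000/…'` line matches only the exact three-tab layout of the base image's `login.defs`, and `sed -i` exits 0 whether or not anything matched, so a formatting change upstream would silently leave `UID_MAX` at 60000 and bring the warning back. Matching on whitespace and verifying the result is more robust: `RUN sed -i 's/^UID_MAX[[:space:]]\+60000$/UID_MAX\t\t\t2000000000/' /etc/login.defs && grep -q '^UID_MAX[[:space:]]*2000000000$' /etc/login.defs`. The comment above it has two typos, `Rise` → `Raise` and `Direcotry` → `Directory`.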
diff --git a/packages/linux-kernel/Jenkinsfile b/packages/linux-kernel/Jenkinsfile
index 986780e0..c354200e 100644
--- a/packages/linux-kernel/Jenkinsfile
+++ b/packages/linux-kernel/Jenkinsfile
@@ -63,7 +63,7 @@ def pkgList = [
['name': 'ixgbevf', 'buildCmd': 'cd ..; ./build-intel-ixgbevf.sh'],
// Mellanox OFED
- ['name': 'ofed', 'buildCmd': 'cd ..; ./build-mellanox-ofed.sh'],
+ ['name': 'ofed', 'buildCmd': 'cd ..; sudo ./build-mellanox-ofed.sh'],
// Jool
['name': 'jool', 'buildCmd': 'cd ..; ./build-jool.py'],
diff --git a/packages/linux-kernel/arch/x86/configs/vyos_defconfig b/packages/linux-kernel/arch/x86/configs/vyos_defconfig
index 9726ea4b..37becb4c 100644
--- a/packages/linux-kernel/arch/x86/configs/vyos_defconfig
+++ b/packages/linux-kernel/arch/x86/configs/vyos_defconfig
@@ -1,6 +1,6 @@
#
# Automatically generated file; DO NOT EDIT.
-# Linux/x86 6.6.16 Kernel Configuration
+# Linux/x86 6.6.48 Kernel Configuration
#
CONFIG_CC_VERSION_TEXT="gcc (Debian 12.2.0-14) 12.2.0"
CONFIG_CC_IS_GCC=y
@@ -15,6 +15,7 @@ CONFIG_CC_CAN_LINK=y
CONFIG_CC_CAN_LINK_STATIC=y
CONFIG_CC_HAS_ASM_GOTO_OUTPUT=y
CONFIG_CC_HAS_ASM_GOTO_TIED_OUTPUT=y
+CONFIG_GCC_ASM_GOTO_OUTPUT_WORKAROUND=y
CONFIG_TOOLS_SUPPORT_RELR=y
CONFIG_CC_HAS_ASM_INLINE=y
CONFIG_CC_HAS_NO_PROFILE_FN_ATTR=y
@@ -181,7 +182,7 @@ CONFIG_ARCH_SUPPORTS_NUMA_BALANCING=y
CONFIG_ARCH_WANT_BATCHED_UNMAP_TLB_FLUSH=y
CONFIG_CC_HAS_INT128=y
CONFIG_CC_IMPLICIT_FALLTHROUGH="-Wimplicit-fallthrough=5"
-CONFIG_GCC11_NO_ARRAY_BOUNDS=y
+CONFIG_GCC10_NO_ARRAY_BOUNDS=y
CONFIG_CC_NO_ARRAY_BOUNDS=y
CONFIG_ARCH_SUPPORTS_INT128=y
CONFIG_NUMA_BALANCING=y
@@ -193,13 +194,16 @@ CONFIG_MEMCG=y
CONFIG_MEMCG_KMEM=y
# CONFIG_BLK_CGROUP is not set
CONFIG_CGROUP_SCHED=y
+CONFIG_FAIR_GROUP_SCHED=y
CONFIG_CFS_BANDWIDTH=y
+# CONFIG_RT_GROUP_SCHED is not set
CONFIG_SCHED_MM_CID=y
CONFIG_CGROUP_PIDS=y
# CONFIG_CGROUP_RDMA is not set
# CONFIG_CGROUP_FREEZER is not set
# CONFIG_CGROUP_HUGETLB is not set
CONFIG_CPUSETS=y
+CONFIG_PROC_PID_CPUSET=y
# CONFIG_CGROUP_DEVICE is not set
CONFIG_CGROUP_CPUACCT=y
# CONFIG_CGROUP_PERF is not set
@@ -439,7 +443,6 @@ CONFIG_X86_64_ACPI_NUMA=y
CONFIG_NODES_SHIFT=6
CONFIG_ARCH_SPARSEMEM_ENABLE=y
CONFIG_ARCH_SPARSEMEM_DEFAULT=y
-# CONFIG_ARCH_MEMORY_PROBE is not set
CONFIG_ARCH_PROC_KCORE_TEXT=y
CONFIG_ILLEGAL_POINTER_VALUE=0xdead000000000000
CONFIG_X86_PMEM_LEGACY_DEVICE=y
@@ -509,7 +512,7 @@ CONFIG_CALL_PADDING=y
CONFIG_HAVE_CALL_THUNKS=y
CONFIG_CALL_THUNKS=y
CONFIG_PREFIX_SYMBOLS=y
-CONFIG_SPECULATION_MITIGATIONS=y
+CONFIG_CPU_MITIGATIONS=y
CONFIG_PAGE_TABLE_ISOLATION=y
CONFIG_RETPOLINE=y
CONFIG_RETHUNK=y
@@ -521,6 +524,8 @@ CONFIG_CPU_IBRS_ENTRY=y
CONFIG_CPU_SRSO=y
# CONFIG_SLS is not set
# CONFIG_GDS_FORCE_MITIGATION is not set
+CONFIG_MITIGATION_RFDS=y
+CONFIG_MITIGATION_SPECTRE_BHI=y
CONFIG_ARCH_HAS_ADD_PAGES=y
#
@@ -573,7 +578,6 @@ CONFIG_ACPI_TABLE_UPGRADE=y
# CONFIG_ACPI_DEBUG is not set
CONFIG_ACPI_PCI_SLOT=y
CONFIG_ACPI_CONTAINER=y
-CONFIG_ACPI_HOTPLUG_MEMORY=y
CONFIG_ACPI_HOTPLUG_IOAPIC=y
# CONFIG_ACPI_SBS is not set
CONFIG_ACPI_HED=y
@@ -687,6 +691,7 @@ CONFIG_AS_SHA256_NI=y
CONFIG_AS_TPAUSE=y
CONFIG_AS_GFNI=y
CONFIG_AS_WRUSS=y
+CONFIG_ARCH_CONFIGURES_CPU_MITIGATIONS=y
#
# General architecture-dependent options
@@ -971,13 +976,8 @@ CONFIG_HAVE_FAST_GUP=y
CONFIG_NUMA_KEEP_MEMINFO=y
CONFIG_MEMORY_ISOLATION=y
CONFIG_EXCLUSIVE_SYSTEM_RAM=y
-CONFIG_HAVE_BOOTMEM_INFO_NODE=y
CONFIG_ARCH_ENABLE_MEMORY_HOTPLUG=y
-CONFIG_ARCH_ENABLE_MEMORY_HOTREMOVE=y
-CONFIG_MEMORY_HOTPLUG=y
-# CONFIG_MEMORY_HOTPLUG_DEFAULT_ONLINE is not set
-CONFIG_MEMORY_HOTREMOVE=y
-CONFIG_MHP_MEMMAP_ON_MEMORY=y
+# CONFIG_MEMORY_HOTPLUG is not set
CONFIG_ARCH_MHP_MEMMAP_ON_MEMORY_ENABLE=y
CONFIG_SPLIT_PTLOCK_CPUS=4
CONFIG_ARCH_ENABLE_SPLIT_PMD_PTLOCK=y
@@ -990,6 +990,7 @@ CONFIG_MIGRATION=y
CONFIG_ARCH_ENABLE_HUGEPAGE_MIGRATION=y
CONFIG_ARCH_ENABLE_THP_MIGRATION=y
CONFIG_CONTIG_ALLOC=y
+CONFIG_PCP_BATCH_SCALE_MAX=5
CONFIG_PHYS_ADDR_T_64BIT=y
CONFIG_MMU_NOTIFIER=y
CONFIG_KSM=y
@@ -1021,7 +1022,6 @@ CONFIG_ARCH_HAS_PTE_DEVMAP=y
CONFIG_ARCH_HAS_ZONE_DMA_SET=y
CONFIG_ZONE_DMA=y
CONFIG_ZONE_DMA32=y
-# CONFIG_ZONE_DEVICE is not set
CONFIG_HMM_MIRROR=y
CONFIG_ARCH_USES_HIGH_VMA_FLAGS=y
CONFIG_ARCH_HAS_PKEYS=y
@@ -3076,6 +3076,7 @@ CONFIG_XEN_NETDEV_FRONTEND=m
CONFIG_XEN_NETDEV_BACKEND=m
CONFIG_VMXNET3=m
# CONFIG_FUJITSU_ES is not set
+CONFIG_USB4_NET=m
CONFIG_HYPERV_NET=m
# CONFIG_NETDEVSIM is not set
CONFIG_NET_FAILOVER=m
@@ -4202,6 +4203,7 @@ CONFIG_REGULATOR_TPS65132=m
# Graphics support
#
CONFIG_APERTURE_HELPERS=y
+CONFIG_SCREEN_INFO=y
CONFIG_VIDEO_CMDLINE=y
# CONFIG_AUXDISPLAY is not set
# CONFIG_PANEL is not set
@@ -4269,6 +4271,7 @@ CONFIG_FB_CFB_FILLRECT=y
CONFIG_FB_CFB_COPYAREA=y
CONFIG_FB_CFB_IMAGEBLIT=y
# CONFIG_FB_FOREIGN_ENDIAN is not set
+CONFIG_FB_IOMEM_FOPS=y
CONFIG_FB_IOMEM_HELPERS=y
# CONFIG_FB_MODE_HELPERS is not set
# CONFIG_FB_TILEBLITTING is not set
@@ -5009,7 +5012,6 @@ CONFIG_VIRTIO_PCI=m
CONFIG_VIRTIO_PCI_LEGACY=y
# CONFIG_VIRTIO_PMEM is not set
CONFIG_VIRTIO_BALLOON=m
-CONFIG_VIRTIO_MEM=m
CONFIG_VIRTIO_INPUT=m
CONFIG_VIRTIO_MMIO=m
CONFIG_VIRTIO_MMIO_CMDLINE_DEVICES=y
@@ -5036,8 +5038,6 @@ CONFIG_HYPERV_BALLOON=m
# Xen driver support
#
CONFIG_XEN_BALLOON=y
-CONFIG_XEN_BALLOON_MEMORY_HOTPLUG=y
-CONFIG_XEN_MEMORY_HOTPLUG_LIMIT=512
CONFIG_XEN_SCRUB_PAGES_DEFAULT=y
CONFIG_XEN_DEV_EVTCHN=m
CONFIG_XEN_BACKEND=y
@@ -5317,7 +5317,8 @@ CONFIG_IDLE_INJECT=y
CONFIG_RAS=y
# CONFIG_RAS_CEC is not set
CONFIG_USB4=m
-CONFIG_USB4_NET=m
+# CONFIG_USB4_DEBUGFS_WRITE is not set
+# CONFIG_USB4_DMA_TEST is not set
#
# Android
@@ -5639,6 +5640,7 @@ CONFIG_CRYPTO_ALGAPI=y
CONFIG_CRYPTO_ALGAPI2=y
CONFIG_CRYPTO_AEAD=y
CONFIG_CRYPTO_AEAD2=y
+CONFIG_CRYPTO_SIG=y
CONFIG_CRYPTO_SIG2=y
CONFIG_CRYPTO_SKCIPHER=y
CONFIG_CRYPTO_SKCIPHER2=y
@@ -5751,7 +5753,7 @@ CONFIG_CRYPTO_POLY1305=m
CONFIG_CRYPTO_RMD160=m
CONFIG_CRYPTO_SHA1=y
CONFIG_CRYPTO_SHA256=y
-CONFIG_CRYPTO_SHA512=m
+CONFIG_CRYPTO_SHA512=y
CONFIG_CRYPTO_SHA3=m
# CONFIG_CRYPTO_SM3_GENERIC is not set
CONFIG_CRYPTO_STREEBOG=m
@@ -6008,7 +6010,6 @@ CONFIG_SWIOTLB=y
CONFIG_SGL_ALLOC=y
CONFIG_IOMMU_HELPER=y
CONFIG_CHECK_SIGNATURE=y
-# CONFIG_FORCE_NR_CPUS is not set
CONFIG_CPU_RMAP=y
CONFIG_DQL=y
CONFIG_GLOB=y
@@ -6034,7 +6035,6 @@ CONFIG_ARCH_HAS_CPU_CACHE_INVALIDATE_MEMREGION=y
CONFIG_ARCH_HAS_UACCESS_FLUSHCACHE=y
CONFIG_ARCH_HAS_COPY_MC=y
CONFIG_ARCH_STACKWALK=y
-CONFIG_STACKDEPOT=y
CONFIG_SBITMAP=y
CONFIG_PARMAN=m
CONFIG_OBJAGG=m
@@ -6118,8 +6118,7 @@ CONFIG_HAVE_KCSAN_COMPILER=y
#
CONFIG_PAGE_EXTENSION=y
# CONFIG_DEBUG_PAGEALLOC is not set
-CONFIG_SLUB_DEBUG=y
-# CONFIG_SLUB_DEBUG_ON is not set
+# CONFIG_SLUB_DEBUG is not set
# CONFIG_PAGE_OWNER is not set
# CONFIG_PAGE_TABLE_CHECK is not set
CONFIG_PAGE_POISONING=y
@@ -6332,6 +6331,7 @@ CONFIG_X86_DEBUG_FPU=y
# CONFIG_PUNIT_ATOM_DEBUG is not set
CONFIG_UNWINDER_ORC=y
# CONFIG_UNWINDER_FRAME_POINTER is not set
+# CONFIG_UNWINDER_GUESS is not set
# end of x86 Debugging
#
diff --git a/packages/linux-kernel/build-intel-ixgbe.sh b/packages/linux-kernel/build-intel-ixgbe.sh
index 5f45c62a..ab44f551 100755
--- a/packages/linux-kernel/build-intel-ixgbe.sh
+++ b/packages/linux-kernel/build-intel-ixgbe.sh
@@ -105,3 +105,6 @@ fi
if [ -d ${DEBIAN_DIR} ]; then
rm -rf ${DEBIAN_DIR}
fi
+if [ -f ${DEBIAN_POSTINST} ]; then
+ rm -f ${DEBIAN_POSTINST}
+fi
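Review bot: `if [ -f ${DEBIAN_POSTINST} ]` on the first added line is unquoted, so if the variable is unset or empty the test collapses to `[ -f ]`, which is true, and the branch then runs `rm -f` with no operand; quoting it, `if [ -f "${DEBIAN_POSTINST}" ]; then rm -f "${DEBIAN_POSTINST}"; fi`, makes the guard a clean false instead. Where `DEBIAN_POSTINST` is assigned lies outside this hunk, so I cannot confirm every one of these scripts defines it. The same unquoted test is added in this commit to build-intel-ixgbevf.sh, build-intel-qat.sh and build-nat-rtsp.sh.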
diff --git a/packages/linux-kernel/build-intel-ixgbevf.sh b/packages/linux-kernel/build-intel-ixgbevf.sh
index a965e0de..39803852 100755
--- a/packages/linux-kernel/build-intel-ixgbevf.sh
+++ b/packages/linux-kernel/build-intel-ixgbevf.sh
@@ -97,4 +97,6 @@ fi
if [ -d ${DEBIAN_DIR} ]; then
rm -rf ${DEBIAN_DIR}
fi
-
+if [ -f ${DEBIAN_POSTINST} ]; then
+ rm -f ${DEBIAN_POSTINST}
+fi
diff --git a/packages/linux-kernel/build-intel-qat.sh b/packages/linux-kernel/build-intel-qat.sh
index 765cea3f..5b0e023f 100755
--- a/packages/linux-kernel/build-intel-qat.sh
+++ b/packages/linux-kernel/build-intel-qat.sh
@@ -109,3 +109,6 @@ fi
if [ -d ${DEBIAN_DIR} ]; then
rm -rf ${DEBIAN_DIR}
fi
+if [ -f ${DEBIAN_POSTINST} ]; then
+ rm -f ${DEBIAN_POSTINST}
+fi
diff --git a/packages/linux-kernel/build-jool.py b/packages/linux-kernel/build-jool.py
index 1781a6c8..3f8fd3a5 100755
--- a/packages/linux-kernel/build-jool.py
+++ b/packages/linux-kernel/build-jool.py
@@ -29,9 +29,8 @@ def add_depends(package_dir: str, package_name: str,
# find kernel version and source path
arch: str = find_arch()
defaults_file: str = Path('../../data/defaults.toml').read_text()
-architecture_file: str = Path(f'../../data/architectures/{arch}.toml').read_text()
KERNEL_VER: str = toml_loads(defaults_file).get('kernel_version')
-KERNEL_FLAVOR: str = toml_loads(architecture_file).get('kernel_flavor')
+KERNEL_FLAVOR: str = toml_loads(defaults_file).get('kernel_flavor')
KERNEL_SRC: str = Path.cwd().as_posix() + '/linux'
# define variables
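Review bot: `toml_loads(defaults_file).get('kernel_flavor')` on the replaced line returns `None` rather than failing when the key is missing from defaults.toml, which also makes the `KERNEL_FLAVOR: str` annotation untrue; an indexing lookup fails at the source instead of wherever `None` is first interpolated: `KERNEL_FLAVOR: str = toml_loads(defaults_file)['kernel_flavor']`. The unchanged `KERNEL_VER` line just above has the same shape and would benefit from the same treatment.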
diff --git a/packages/linux-kernel/build-kernel.sh b/packages/linux-kernel/build-kernel.sh
index 2c02f5c3..3ccb15e9 100755
--- a/packages/linux-kernel/build-kernel.sh
+++ b/packages/linux-kernel/build-kernel.sh
@@ -18,7 +18,8 @@ echo "I: clean modified files"
git reset --hard HEAD
KERNEL_VERSION=$(make kernelversion)
-KERNEL_SUFFIX=-$(dpkg --print-architecture)-vyos
+KERNEL_SUFFIX=-$(awk -F "= " '/kernel_flavor/ {print $2}' ../../../data/defaults.toml | tr -d \")
+KERNEL_CONFIG=arch/x86/configs/vyos_defconfig
# VyOS requires some small Kernel Patches - apply them here
# It's easier to habe them here and make use of the upstream
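Review bot: `KERNEL_CONFIG=arch/x86/configs/vyos_defconfig` on the last added line hard-codes the x86 config, while the line above it just switched `KERNEL_SUFFIX` to an architecture-neutral `kernel_flavor` from defaults.toml and the repository carries an arm64.toml; on a non-x86 build the later `echo … >> $KERNEL_CONFIG` appends would presumably land in the wrong file. Making it overridable, `KERNEL_CONFIG=${KERNEL_CONFIG:-arch/x86/configs/vyos_defconfig}`, at least avoids a silent mismatch. The awk on the `KERNEL_SUFFIX=` line also matches any line containing `kernel_flavor`, including a comment, so anchoring it, `'/^kernel_flavor/'`, is safer.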
@@ -31,6 +32,28 @@ do
patch -p1 < ${PATCH_DIR}/${patch}
done
+TRUSTED_KEYS_FILE=trusted_keys.pem
+# start with empty key file
+echo -n "" > $TRUSTED_KEYS_FILE
+CERTS=$(ls ../../../data/live-build-config/includes.chroot/var/lib/shim-signed/mok/*.pem)
+if [ ! -z "${CERTS}" ]; then
+ # add known public keys to Kernel certificate chain
+ for file in $CERTS; do
+ cat $file >> $TRUSTED_KEYS_FILE
+ done
+
+ # Force Kernel module signing and embed public keys
+ echo "CONFIG_MODULE_SIG_FORMAT=y" >> $KERNEL_CONFIG
+ echo "CONFIG_MODULE_SIG=y" >> $KERNEL_CONFIG
+ echo "CONFIG_MODULE_SIG_FORCE=y" >> $KERNEL_CONFIG
+ echo "# CONFIG_MODULE_SIG_ALL is not set" >> $KERNEL_CONFIG
+ echo "CONFIG_MODULE_SIG_SHA512=y" >> $KERNEL_CONFIG
+ echo "CONFIG_MODULE_SIG_HASH=\"sha512\"" >> $KERNEL_CONFIG
+ echo "CONFIG_MODULE_SIG_KEY=\"\"" >> $KERNEL_CONFIG
+ echo "CONFIG_MODULE_SIG_KEY_TYPE_RSA=y" >> $KERNEL_CONFIG
+ echo "CONFIG_SYSTEM_TRUSTED_KEYS=\"$TRUSTED_KEYS_FILE\"" >> $KERNEL_CONFIG
+fi
+
echo "I: make vyos_defconfig"
# Select Kernel configuration - currently there is only one
make vyos_defconfig
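Review bot: The decision to build with `CONFIG_MODULE_SIG_FORCE=y` is taken here from whether any `*.pem` exists under `mok/` at kernel-build time, while the `93-sign-kernel.chroot` hook added in this commit signs modules only if the private `kernel.key` is present at ISO-assembly time and otherwise just prints a message; a kernel built in a tree that has the certificates, assembled into an ISO on a host without the key, yields an image in which no module can be loaded. Either the hook should fail the build when the installed kernel config carries `MODULE_SIG_FORCE`, or this block should require `kernel.key` alongside the certificates before forcing signatures. `CERTS=$(ls …/mok/*.pem)` also prints an `ls` error when the glob matches nothing; `for file in …/mok/*.pem; do [ -f "$file" ] && cat "$file" >> "$TRUSTED_KEYS_FILE"; done` handles that without `ls`. `echo -n ""` under `/bin/sh` may emit a literal `-n` on some shells; `: > "$TRUSTED_KEYS_FILE"` truncates portably.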
diff --git a/packages/linux-kernel/build-mellanox-ofed.sh b/packages/linux-kernel/build-mellanox-ofed.sh
index 51e4d4ca..a157ee61 100755
--- a/packages/linux-kernel/build-mellanox-ofed.sh
+++ b/packages/linux-kernel/build-mellanox-ofed.sh
@@ -4,6 +4,11 @@ DEB_DISTRO='debian12.1'
CWD=$(pwd)
KERNEL_VAR_FILE=${CWD}/kernel-vars
+if [ $(id -u) -ne 0 ]; then
+ echo "Mellanox OFED script needs to be run as root"
+ exit
+fi
+
if ! dpkg-architecture -iamd64; then
echo "Mellanox OFED is only buildable on amd64 platforms"
exit 0
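Review bot: The root check added at the top ends with a bare `exit`, i.e. status 0, so when the script is run unprivileged it prints the message and reports success — the Jenkinsfile change in this commit wraps it in `sudo`, but any other caller would get an apparently successful build with no packages; it should be `exit 1`. The `dpkg-architecture` check below deliberately uses `exit 0` because an unsupported architecture is not an error, which is the distinction worth preserving. `$(id -u)` is also unquoted; `if [ "$(id -u)" -ne 0 ]; then` is the usual form.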
@@ -66,34 +71,33 @@ if [ -z $KERNEL_DIR ]; then
exit 1
fi
-rm -f SOURCES/ibarr_0.1.3.orig.tar.gz
-rm -f SOURCES/ibdump_6.0.0.orig.tar.gz
-rm -f SOURCES/ibsim_0.12.orig.tar.gz
-rm -f SOURCES/iser_24.04.OFED.24.04.0.6.6.1.orig.tar.gz
-rm -f SOURCES/isert_24.04.OFED.24.04.0.6.6.1.orig.tar.gz
-rm -f SOURCES/kernel-mft_4.28.0.92.orig.tar.gz
-rm -f SOURCES/knem_1.1.4.90mlnx3.orig.tar.gz
-rm -f SOURCES/libvma_9.8.60.orig.tar.gz
-rm -f SOURCES/libxlio_3.30.5.orig.tar.gz
-rm -f SOURCES/mlnx-ethtool_6.7.orig.tar.gz
-rm -f SOURCES/mlnx-iproute2_6.7.0.orig.tar.gz
-rm -f SOURCES/mlnx-nfsrdma_24.04.OFED.24.04.0.6.6.1.orig.tar.gz
-rm -f SOURCES/mlnx-nvme_24.04.OFED.24.04.0.6.6.1.orig.tar.gz
-rm -f SOURCES/mlx-steering-dump_1.0.0.orig.tar.gz
-rm -f SOURCES/mpitests_3.2.23.orig.tar.gz
-rm -f SOURCES/mstflint_4.16.1.orig.tar.gz
-rm -f SOURCES/ofed-scripts_24.04.OFED.24.04.0.6.6.orig.tar.gz
-rm -f SOURCES/openmpi_4.1.7a1.orig.tar.gz
-rm -f SOURCES/openvswitch_2.17.8.orig.tar.gz
-rm -f SOURCES/perftest_24.04.0.orig.tar.gz
-rm -f SOURCES/rdma-core_2404mlnx51.orig.tar.gz
-rm -f SOURCES/rshim_2.0.28.orig.tar.gz
-rm -f SOURCES/sockperf_3.10.orig.tar.gz
-rm -f SOURCES/srp_24.04.OFED.24.04.0.6.6.1.orig.tar.gz
-rm -f SOURCES/ucx_1.17.0.orig.tar.gz
-
-
-sudo ./install.pl \
+rm -f SOURCES/ibarr_*.tar.gz
+rm -f SOURCES/ibdump_*.tar.gz
+rm -f SOURCES/ibsim_*.tar.gz
+rm -f SOURCES/iser_*.tar.gz
+rm -f SOURCES/isert_*.tar.gz
+rm -f SOURCES/kernel-mft_*.tar.gz
+rm -f SOURCES/knem_*.tar.gz
+rm -f SOURCES/libvma_*.tar.gz
+rm -f SOURCES/libxlio_*.tar.gz
+rm -f SOURCES/mlnx-ethtool_*.tar.gz
+rm -f SOURCES/mlnx-iproute2_*.tar.gz
+rm -f SOURCES/mlnx-nfsrdma_*.tar.gz
+rm -f SOURCES/mlnx-nvme_*.tar.gz
+rm -f SOURCES/mlx-steering-dump_*.tar.gz
+rm -f SOURCES/mpitests_*.tar.gz
+rm -f SOURCES/mstflint_*.tar.gz
+rm -f SOURCES/ofed-scripts_*.tar.gz
+rm -f SOURCES/openmpi_*.tar.gz
+rm -f SOURCES/openvswitch_*.tar.gz
+rm -f SOURCES/perftest_*.tar.gz
+rm -f SOURCES/rdma-core_*.tar.gz
+rm -f SOURCES/rshim_*.tar.gz
+rm -f SOURCES/sockperf_*.tar.gz
+rm -f SOURCES/srp_*.tar.gz
+rm -f SOURCES/ucx_*.tar.gz
+
+./install.pl \
--basic --dpdk \
--without-dkms \
--without-mlnx-nvme-modules \
@@ -106,19 +110,19 @@ sudo ./install.pl \
if [ $DROP_DEV_DBG_DEBS -eq 1 ]; then
echo "I: Removing development and debug packages"
- sudo rm $(find $CWD/$DRIVER_DIR/DEBS/$DEB_DISTRO -type f | grep -E '\-dev|\-dbg')
+ rm -f $(find $CWD/$DRIVER_DIR/DEBS/$DEB_DISTRO -type f | grep -E '\-dev|\-dbg')
fi
cp $(find $CWD/$DRIVER_DIR/DEBS/$DEB_DISTRO -type f | grep '\.deb$') "$CWD/"
echo "I: Cleanup ${DRIVER_NAME} source"
cd ${CWD}
-if [ -e ${DRIVER_FILE} ]; then
+if [ -f ${DRIVER_FILE} ]; then
rm -f ${DRIVER_FILE}
fi
if [ -d ${DRIVER_DIR} ]; then
- sudo rm -rf ${DRIVER_DIR}
+ rm -rf ${DRIVER_DIR}
fi
if [ -d ${DEBIAN_DIR} ]; then
- sudo rm -rf ${DEBIAN_DIR}
+ rm -rf ${DEBIAN_DIR}
fi
diff --git a/packages/linux-kernel/build-nat-rtsp.sh b/packages/linux-kernel/build-nat-rtsp.sh
index ec7d19a6..40018cfb 100755
--- a/packages/linux-kernel/build-nat-rtsp.sh
+++ b/packages/linux-kernel/build-nat-rtsp.sh
@@ -36,3 +36,7 @@ fpm --input-type dir --output-type deb --name nat-rtsp \
--license "GPL2" --chdir tmp
mv *.deb ..
+
+if [ -f ${DEBIAN_POSTINST} ]; then
+ rm -f ${DEBIAN_POSTINST}
+fi
diff --git a/scripts/check-qemu-install b/scripts/check-qemu-install
index ea3aef63..e1fd45f1 100755
--- a/scripts/check-qemu-install
+++ b/scripts/check-qemu-install
@@ -1,6 +1,6 @@
#!/usr/bin/env python3
#
-# Copyright (C) 2019-2023, VyOS maintainers and contributors
+# Copyright (C) 2019-2024, VyOS maintainers and contributors
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2 or later as
@@ -43,14 +43,26 @@ import traceback
import logging
import re
import tomli
+import shutil
from io import BytesIO
-from io import StringIO
from datetime import datetime
EXCEPTION = 0
now = datetime.now()
tpm_folder = '/tmp/vyos_tpm_test'
+qemu_name = 'VyOS-QEMU'
+
+# getch.py
+KEY_F2 = chr(27) + chr(91) + chr(49) + chr(50) + chr(126)
+KEY_F10 = chr(27) + chr(91) + chr(50) + chr(49) + chr(126)
+KEY_DOWN = chr(27) + chr(91) + chr(66)
+KEY_SPACE = chr(32)
+KEY_RETURN = chr(13)
+KEY_ESC = chr(27)
+KEY_Y = chr(121)
+
+mok_password = '1234'
parser = argparse.ArgumentParser(description='Install and start a test VyOS vm.')
parser.add_argument('iso', help='ISO file to install')
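Review bot: The added constants `KEY_F2` through `KEY_Y` are introduced only by the comment `# getch.py`, which says neither what they are nor where they go; a comment such as `# Raw terminal escape sequences that pexpect sends (via c.send) to the OVMF setup menu and the shim MOK manager` lets a reader follow the later `toggleUEFISecureBoot` without decoding `chr(27) + chr(91) …` by hand. `mok_password = '1234'` likewise deserves `# throw-away MOK enrolment password for the disposable test VM only` so nobody mistakes it for a credential used outside this harness. Writing the sequences as literals, `KEY_DOWN = '\x1b[B'`, reads more directly than chained `chr()` calls.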
@@ -66,20 +78,23 @@ parser.add_argument('--debug', help='Send all debug output to stdout',
parser.add_argument('--logfile', help='Log to file')
parser.add_argument('--match', help='Smoketests to run')
parser.add_argument('--uefi', help='Boot using UEFI', action='store_true', default=False)
+parser.add_argument('--vnc', help='Enable VNC', action='store_true', default=False)
parser.add_argument('--raid', help='Perform a RAID-1 install', action='store_true', default=False)
-parser.add_argument('--no-kvm', help='Disable use of kvm', action='store_true', default=False)
parser.add_argument('--configd', help='Execute testsuite with config daemon', action='store_true',
default=False)
parser.add_argument('--no-interfaces', help='Execute testsuite without interface tests to save time',
action='store_true', default=False)
+parser.add_argument('--smoketest', help='Execute script based CLI smoketests',
+ action='store_true', default=False)
parser.add_argument('--configtest', help='Execute load/commit config tests',
action='store_true', default=False)
parser.add_argument('--tpmtest', help='Execute TPM encrypted config tests',
action='store_true', default=False)
+parser.add_argument('--sbtest', help='Execute Secure Boot tests',
+ action='store_true', default=False)
parser.add_argument('--qemu-cmd', help='Only generate QEMU launch command',
action='store_true', default=False)
-
args = parser.parse_args()
with open('data/defaults.toml', 'rb') as f:
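Review bot: `--sbtest` is accepted independently of `--uefi`, but in `get_qemu_cmd` (a later hunk in this file) the `secure_boot` branch sits inside `if enable_uefi:`, so `--sbtest` alone still copies the OVMF variable store and drives the firmware menus and MOK manager against a VM booted with the legacy BIOS, which can only stall in the `c.expect` calls. Rejecting the combination at parse time is cheap: after `args = parser.parse_args()` add `if args.sbtest and not args.uefi: parser.error('--sbtest requires --uefi')`. The Makefile `testsb` target in this commit passes both flags, so only direct invocations are affected.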
@@ -97,14 +112,11 @@ class StreamToLogger(object):
def write(self, buf):
self.linebuf += buf
- #print('.')
while b'\n' in self.linebuf:
f = self.linebuf.split(b'\n', 1)
if len(f) == 2:
self.logger.debug(self.ansi_escape.sub('', f[0].decode(errors="replace").rstrip()))
self.linebuf = f[1]
- #print(f)
-
def flush(self):
pass
@@ -116,30 +128,39 @@ def get_half_cpus():
cpu /= 2
return int(cpu)
-def get_qemu_cmd(name, enable_kvm, enable_uefi, disk_img, raid=None, iso_img=None, tpm=False):
- kvm = "-enable-kvm"
- cpu = "-cpu host"
- if not enable_kvm:
- kvm = "--no-kvm"
- cpu = ""
+OVMF_CODE = '/usr/share/OVMF/OVMF_CODE_4M.secboot.fd'
+OVMF_VARS_TMP = args.disk.replace('.img', '.efivars')
+if args.sbtest:
+ shutil.copy('/usr/share/OVMF/OVMF_VARS_4M.ms.fd', OVMF_VARS_TMP)
+def get_qemu_cmd(name, enable_uefi, disk_img, raid=None, iso_img=None, tpm=False, vnc_enabled=False, secure_boot=False):
uefi = ""
uuid = "f48b60b2-e6ad-49ef-9d09-4245d0585e52"
+ machine = 'pc'
+ vga = '-vga none'
+ vnc = ''
+ if vnc_enabled:
+ vga = '-vga virtio'
+ vnc = '-vnc :0'
+
if enable_uefi:
uefi = '-bios /usr/share/OVMF/OVMF_CODE.fd'
name = f'{name}-UEFI'
- uuid = 'd27cf29e-4419-4407-8f82-dc73d1acd184'
- bootindex = '1'
+ if secure_boot:
+ name = f'{name}-SECURE-BOOT'
+ machine = 'q35,smm=on'
+
+ uefi = f'-drive "if=pflash,unit=0,format=raw,readonly=on,file={OVMF_CODE}" ' \
+ f'-drive "if=pflash,unit=1,format=raw,file={OVMF_VARS_TMP}"'
+ # Changing UEFI settings require a display
+ vga = '-vga virtio'
+
cdrom = ""
if iso_img:
- cdrom = f' -boot d' \
- f' -drive file={iso_img},format=raw,if=none,media=cdrom,id=drive-cd1,readonly=on' \
+ cdrom = f' -drive file={iso_img},format=raw,if=none,media=cdrom,id=drive-cd1,readonly=on' \
f' -device ahci,id=achi0' \
- f' -device ide-cd,bus=achi0.0,drive=drive-cd1,id=cd1,bootindex={bootindex}'
-
- # Set regular harddisk bootindex to 2 as we boot from a CDROM drive
- bootindex = '2'
+ f' -device ide-cd,bus=achi0.0,drive=drive-cd1,id=cd1,bootindex=10'
# test using half of the available CPUs on the system
cpucount = get_half_cpus()
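Review bot: `OVMF_VARS_TMP = args.disk.replace('.img', '.efivars')` returns `args.disk` unchanged when the disk name does not contain `.img`, and the `shutil.copy` right below then writes the OVMF variable store to the disk image's own path; `OVMF_VARS_TMP = os.path.splitext(args.disk)[0] + '.efivars'` cannot collide. The copy also runs at module level, before the `/dev/kvm` and ISO checks, so a run that aborts early leaves a stray `.efivars` file behind; moving it next to the first `get_qemu_cmd` call keeps the setup beside its use. The double quotes inside the new `-drive "if=pflash,…"` strings are inside a command that `pexpect.spawn` word-splits itself, so it is worth confirming they are stripped rather than passed through to QEMU.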
@@ -149,15 +170,17 @@ def get_qemu_cmd(name, enable_kvm, enable_uefi, disk_img, raid=None, iso_img=Non
-name "{name}" \
-smp {cpucount},sockets=1,cores={cpucount},threads=1 \
-cpu host \
+ -machine {machine},accel=kvm \
{uefi} \
-m 4G \
-vga none \
-nographic \
- -machine accel=kvm \
+ {vga} {vnc}\
-uuid {uuid} \
- {cpu} \
+ -cpu host \
{cdrom} \
- {kvm} \
+ -enable-kvm \
+ -monitor unix:/tmp/qemu-monitor-socket-{disk_img},server,nowait \
-netdev user,id=n0,net=192.0.2.0/24,dhcpstart=192.0.2.101,dns=192.0.2.10 -device virtio-net-pci,netdev=n0,mac={macbase}:00,romfile="" \
-netdev user,id=n1 -device virtio-net-pci,netdev=n1,mac={macbase}:01,romfile="" \
-netdev user,id=n2 -device virtio-net-pci,netdev=n2,mac={macbase}:02,romfile="" \
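Review bot: The new `-monitor unix:/tmp/qemu-monitor-socket-{disk_img},server,nowait` line exposes the QEMU monitor on a predictable path in the shared `/tmp` with no access control, and the monitor can eject media, inject keystrokes, inspect guest state or quit the VM; on a shared CI host any local user able to connect to that socket controls the test VM. Creating the socket inside a private directory from `tempfile.mkdtemp()` (mode 0700) and using that path both here and in the later `socat` eject call limits it to the invoking user. `disk_img` is embedded verbatim, so a disk path with a directory component also yields a socket path whose parent may not exist. Separately, the unchanged `-vga none` above now sits alongside `{vga}`, which becomes `-vga virtio` for VNC and secure-boot runs; QEMU presumably honours the last `-vga`, but dropping the fixed one removes the ambiguity.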
@@ -168,13 +191,11 @@ def get_qemu_cmd(name, enable_kvm, enable_uefi, disk_img, raid=None, iso_img=Non
-netdev user,id=n7 -device virtio-net-pci,netdev=n7,mac={macbase}:07,romfile="" \
-device virtio-scsi-pci,id=scsi0 \
-drive format=raw,file={disk_img},if=none,media=disk,id=drive-hd1,readonly=off \
- -device scsi-hd,bus=scsi0.0,drive=drive-hd1,id=hd1,bootindex={bootindex}'
+ -device scsi-hd,bus=scsi0.0,drive=drive-hd1,id=hd1,bootindex=1'
- # dynamically increment bootindex - required for RAID system
- bootindex = str(int(bootindex) + 1)
if raid:
cmd += f' -drive format=raw,file={raid},if=none,media=disk,id=drive-hd2,readonly=off' \
- f' -device scsi-hd,bus=scsi0.0,drive=drive-hd2,id=hd2,bootindex={bootindex}'
+ f' -device scsi-hd,bus=scsi0.0,drive=drive-hd2,id=hd2,bootindex=2'
if tpm:
cmd += f' -chardev socket,id=chrtpm,path={tpm_folder}/swtpm-sock' \
@@ -249,14 +270,9 @@ if not os.path.isfile(args.iso):
log.error('Unable to find iso image to install')
sys.exit(1)
-if args.no_kvm:
- log.error('KVM forced off by command line')
- kvm=False
-elif not os.path.exists('/dev/kvm'):
+if not os.path.exists('/dev/kvm'):
log.error('KVM not enabled on host, proceeding with software emulation')
- kvm=False
-else:
- kvm=True
+ sys.exit(1)
# Creating diskimage!!
diskname_raid = None
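Review bot: The `log.error('KVM not enabled on host, proceeding with software emulation')` line is now followed by `sys.exit(1)`, so the message promises a fallback that no longer exists; it should read `log.error('KVM not enabled on host (/dev/kvm missing), aborting')`. Since `--no-kvm` was removed in the same commit, a short comment such as `# hard requirement: get_qemu_cmd always passes -enable-kvm / accel=kvm` explains why there is no software path any more.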
@@ -294,8 +310,50 @@ def start_swtpm():
tpm_process.start()
return tpm_process
+def toggleUEFISecureBoot(c):
+ def UEFIKeyPress(c, key):
+ UEFI_SLEEP = 1
+ c.send(key)
+ time.sleep(UEFI_SLEEP)
+
+ # Enter UEFI
+ for ii in range(1, 10):
+ c.send(KEY_F2)
+ time.sleep(0.250)
+
+ time.sleep(10)
+
+ # Device Manager
+ UEFIKeyPress(c, KEY_DOWN)
+ UEFIKeyPress(c, KEY_RETURN)
+
+ # Secure Boot Configuration
+ UEFIKeyPress(c, KEY_DOWN)
+ UEFIKeyPress(c, KEY_DOWN)
+ UEFIKeyPress(c, KEY_RETURN)
+
+ # Attempt Secure Boot Toggle
+ UEFIKeyPress(c, KEY_DOWN)
+ UEFIKeyPress(c, KEY_RETURN)
+ UEFIKeyPress(c, KEY_RETURN)
+
+ # Save Secure Boot
+ UEFIKeyPress(c, KEY_F10)
+ UEFIKeyPress(c, KEY_Y)
+
+ # Go Back to Menu
+ UEFIKeyPress(c, KEY_ESC)
+ UEFIKeyPress(c, KEY_ESC)
+
+ # Go Down for reset
+ UEFIKeyPress(c, KEY_DOWN)
+ UEFIKeyPress(c, KEY_DOWN)
+ UEFIKeyPress(c, KEY_DOWN)
+ UEFIKeyPress(c, KEY_DOWN)
+ UEFIKeyPress(c, KEY_RETURN)
+
if args.qemu_cmd:
- tmp = get_qemu_cmd('TESTVM', kvm, args.uefi, args.disk, diskname_raid, args.iso)
+ tmp = get_qemu_cmd(qemu_name, args.uefi, args.disk, raid=diskname_raid, iso_img=args.iso, vnc_enabled=args.vnc, secure_boot=args.sbtest)
os.system(tmp)
exit(0)
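Review bot: `toggleUEFISecureBoot` drives the OVMF setup menu purely by counted arrow-key presses and fixed sleeps, and it is called twice — once to disable Secure Boot before installation and again to re-enable it — without ever reading the resulting state back, so a single missed keystroke on the first call inverts the second and the test then passes on a VM that still has Secure Boot off. It needs at least a docstring stating the assumption, `"""Flip the Secure Boot switch through the OVMF setup UI over serial; menu positions are hard-coded for the bundled OVMF_CODE_4M.secboot build."""`, and, if the firmware prints the current setting, a `c.expect` on it before and after toggling instead of blind sleeps. The loop variable `ii` in `for ii in range(1, 10)` is unused and conventionally `_`, and `UEFI_SLEEP`, defined inside the nested `UEFIKeyPress`, belongs at module level next to `mok_password`.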
@@ -306,7 +364,7 @@ try:
# Installing image to disk
#################################################
log.info('Installing system')
- cmd = get_qemu_cmd('TESTVM', kvm, args.uefi, args.disk, diskname_raid, args.iso)
+ cmd = get_qemu_cmd(qemu_name, args.uefi, args.disk, raid=diskname_raid, iso_img=args.iso, vnc_enabled=args.vnc, secure_boot=args.sbtest)
log.debug(f'Executing command: {cmd}')
c = pexpect.spawn(cmd, logfile=stl, timeout=60)
@@ -318,6 +376,10 @@ try:
default_user = 'vyos'
default_password = 'vyos'
+ if args.sbtest:
+ log.info('Disable UEFI Secure Boot for initial installation')
+ toggleUEFISecureBoot(c)
+
try:
c.expect('Automatic boot in', timeout=10)
c.sendline('')
@@ -361,14 +423,74 @@ try:
c.expect('\nWhich file would you like as boot config?.*')
c.sendline('')
- log.info('system installed, shutting down')
+ c.expect(op_mode_prompt)
+
+ if args.sbtest:
+ c.sendline('install mok')
+ c.expect('input password:.*')
+ c.sendline(mok_password)
+ c.expect('input password again:.*')
+ c.sendline(mok_password)
+ c.expect(op_mode_prompt)
+
+ log.info('system installed, rebooting')
+ c.sendline('reboot now')
#################################################
- # Powering down installer
+ # SHIM Mok Manager
#################################################
- shutdownVM(c, log, 'Shutting down installation system')
- c.close()
+ if args.sbtest:
+ log.info('Install Secure Boot Machine Owner Key')
+ MOK_SLEEP = 0.5
+ c.expect('BdsDxe: starting Boot00.*')
+ time.sleep(3)
+ # press any key
+ c.send(KEY_RETURN)
+ time.sleep(MOK_SLEEP)
+
+ # Enroll MOK
+ c.send(KEY_DOWN)
+ time.sleep(MOK_SLEEP)
+ c.send(KEY_RETURN)
+ time.sleep(MOK_SLEEP)
+
+ # Continue
+ c.send(KEY_DOWN)
+ time.sleep(MOK_SLEEP)
+ c.send(KEY_RETURN)
+ time.sleep(MOK_SLEEP)
+
+ # Enroll Keys
+ c.send(KEY_DOWN)
+ time.sleep(MOK_SLEEP)
+ c.send(KEY_RETURN)
+ time.sleep(MOK_SLEEP)
+
+ c.sendline(mok_password)
+ c.send(KEY_RETURN)
+ time.sleep(MOK_SLEEP)
+
+ # Reboot
+ c.send(KEY_RETURN)
+ time.sleep(MOK_SLEEP)
+
+ #################################################
+ # Re-Enable Secure Boot
+ #################################################
+ if args.sbtest:
+ log.info('Enable UEFI Secure Boot for initial installation')
+ toggleUEFISecureBoot(c)
+
+ #################################################
+ # Removing CD installation media
+ #################################################
+ time.sleep(2)
+ log.info('eject installation media')
+ os.system(f'echo "eject -f drive-cd1" | socat - unix-connect:/tmp/qemu-monitor-socket-{args.disk}')
+ #################################################
+ # Powering down installer
+ #################################################
if args.tpmtest:
tpm_process = start_swtpm()
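Review bot: The eject on the `os.system(f'echo "eject -f drive-cd1" | socat …{args.disk}')` line builds a shell command by interpolating a command-line argument and ignores the exit status; talking to the monitor directly avoids both the shell and the `socat` dependency: `with socket.socket(socket.AF_UNIX) as mon:` / `mon.connect(f'/tmp/qemu-monitor-socket-{args.disk}')` / `mon.sendall(b'eject -f drive-cd1\n')` (with `import socket` at the top). The `# Powering down installer` header that follows now precedes only the swtpm start rather than a shutdown, since `shutdownVM` was removed here, and should be reworded for the reboot path. The MOK-manager sequence, like `toggleUEFISecureBoot`, relies on fixed sleeps between blind key presses; a `c.expect` on the MokManager prompt text, where it is known, would make it far less timing-sensitive.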
@@ -376,9 +498,6 @@ try:
# Booting installed system
#################################################
log.info('Booting installed system')
- cmd = get_qemu_cmd('TESTVM', kvm, args.uefi, args.disk, diskname_raid, tpm=args.tpmtest)
- log.debug(f'Executing command: {cmd}')
- c = pexpect.spawn(cmd, logfile=stl)
#################################################
# Logging into VyOS system
@@ -410,6 +529,7 @@ try:
# Basic Configmode/Opmode switch
#################################################
log.info('Basic CLI configuration mode test')
+
c.sendline('configure')
c.expect(cfg_mode_prompt)
c.sendline('exit')
@@ -417,7 +537,7 @@ try:
c.sendline('show version')
c.expect(op_mode_prompt)
c.sendline('show version kernel')
- c.expect(f'{vyos_defaults["kernel_version"]}-{vyos_defaults["architecture"]}-vyos')
+ c.expect(f'{vyos_defaults["kernel_version"]}-{vyos_defaults["kernel_flavor"]}')
c.expect(op_mode_prompt)
c.sendline('show version frr')
c.expect(op_mode_prompt)
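Review bot: The new `c.expect(f'{vyos_defaults["kernel_version"]}-{vyos_defaults["kernel_flavor"]}')` is a regular-expression match in pexpect, so the dots in the kernel version match any character and the check is looser than it reads; `c.expect(re.escape(f'{vyos_defaults["kernel_version"]}-{vyos_defaults["kernel_flavor"]}'))` pins the literal string (assuming `re` is imported further up, which is outside this hunk). The line also presumes a `kernel_flavor` key in defaults.toml; that addition is not visible here, and a missing key would surface as a KeyError rather than a test failure.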
@@ -500,7 +620,7 @@ try:
# Booting back into VM
log.info('Booting TPM-backed system')
- cmd = get_qemu_cmd('TESTVM', kvm, args.uefi, args.disk, diskname_raid, tpm=args.tpmtest)
+ cmd = get_qemu_cmd(qemu_name, args.uefi, args.disk, raid=diskname_raid, tpm=args.tpmtest, vnc_enabled=args.vnc)
log.debug(f'Executing command: {cmd}')
c = pexpect.spawn(cmd, logfile=stl)
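Review bot: The rewritten `get_qemu_cmd(qemu_name, args.uefi, args.disk, raid=diskname_raid, tpm=args.tpmtest, vnc_enabled=args.vnc)` here, and the same change in the three later hunks (cleared-TPM boot and both RAID-1 boots), no longer passes `kvm` and relies on a `qemu_name` defined outside the hunk; the helper's definition is not visible, so it cannot be confirmed here whether it selects the Secure Boot variable store (`OVMF_VARS_TMP`, which the cleanup hunk removes) from `args.sbtest` on its own. If it does, a comment on this first call such as `# get_qemu_cmd reuses OVMF_VARS_TMP when --sbtest is set, so the enrolled MOK persists across these re-boots` would document that dependency; if it does not, the later boots in a Secure Boot run would start without the enrolled key and only the final `show secure-boot` check would notice.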
@@ -535,7 +655,7 @@ try:
# Booting back into VM
log.info('Booting system with cleared TPM')
- cmd = get_qemu_cmd('TESTVM', kvm, args.uefi, args.disk, diskname_raid, tpm=args.tpmtest)
+ cmd = get_qemu_cmd(qemu_name, args.uefi, args.disk, raid=diskname_raid, tpm=args.tpmtest, vnc_enabled=args.vnc)
log.debug(f'Executing command: {cmd}')
c = pexpect.spawn(cmd, logfile=stl)
@@ -587,7 +707,7 @@ try:
# Booting RAID-1 system with one missing disk
#################################################
log.info('Booting RAID-1 system')
- cmd = get_qemu_cmd('TESTVM', kvm, args.uefi, args.disk, diskname_raid)
+ cmd = get_qemu_cmd(qemu_name, args.uefi, args.disk, raid=diskname_raid, vnc_enabled=args.vnc)
# We need to swap boot indexes to boot from second harddisk so we can
# recreate the RAID on the first disk
@@ -598,7 +718,6 @@ try:
log.debug(f'Executing command: {cmd}')
c = pexpect.spawn(cmd, logfile=stl)
-
#################################################
# Logging into VyOS system
#################################################
@@ -637,7 +756,7 @@ try:
shutdownVM(c, log, f'Shutdown VM and start from recovered RAID member "{args.disk}"')
log.info('Booting RAID-1 system')
- cmd = get_qemu_cmd('TESTVM', kvm, args.uefi, args.disk, diskname_raid)
+ cmd = get_qemu_cmd(qemu_name, args.uefi, args.disk, raid=diskname_raid, vnc_enabled=args.vnc)
log.debug(f'Executing command: {cmd}')
c = pexpect.spawn(cmd, logfile=stl)
@@ -646,7 +765,7 @@ try:
c.sendline('cat /proc/mdstat')
c.expect(op_mode_prompt)
- elif not args.configtest:
+ elif args.smoketest:
# run default smoketest suite
if args.match:
# Remove tests that we don't want to run
@@ -682,7 +801,7 @@ try:
raise Exception("Smoketest-failed, please look into debug output")
# else, run configtest suite
- else:
+ elif args.configtest:
log.info('Adding a legacy WireGuard default keypair for migrations')
c.sendline('sudo mkdir -p /config/auth/wireguard/default')
c.expect(op_mode_prompt)
@@ -707,7 +826,7 @@ try:
if i==0:
raise Exception('Invalid command detected')
elif i==1:
- tmp = '(W)hy (T)he (F)ace? VyOS smoketest not found!'
+ tmp = 'VyOS smoketest not found!'
log.error(tmp)
raise Exception(tmp)
@@ -720,6 +839,12 @@ try:
tmp = 'Configtest failed :/ - check debug output'
log.error(tmp)
raise Exception(tmp)
+ elif args.sbtest:
+ c.sendline('show secure-boot')
+ c.expect('SecureBoot enabled')
+ c.expect(op_mode_prompt)
+ else:
+ log.info('No testcase selected!')
shutdownVM(c, log, 'Powering off system')
c.close()
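Review bot: The new `else:` branch only logs `No testcase selected!` at info level and then proceeds to the normal `shutdownVM` and (via the later `sys.exit(0)` hunk) a successful exit, so a run that tested nothing reports success; since the earlier hunks change the smoketest branch from `elif not args.configtest:` to `elif args.smoketest:`, a CI invocation that omits the flag now passes silently instead of running the default suite. `log.warning('No testcase selected!')`, or raising as the other branches do, would make that visible. The `args.sbtest` branch's `c.expect('SecureBoot enabled')` is a good positive check; a pexpect timeout there is the only signal that the MOK enrollment did not take, which a comment like `# a TIMEOUT here means Secure Boot is off, i.e. the MOK enrollment failed` would make clear to whoever reads the log.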
@@ -755,6 +880,8 @@ if not args.keep:
os.remove(args.disk)
if diskname_raid:
os.remove(diskname_raid)
+ if args.sbtest:
+ os.remove(OVMF_VARS_TMP)
except Exception:
log.error('Exception while removing diskimage!')
log.error(traceback.format_exc())
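Review bot: `os.remove(OVMF_VARS_TMP)` raises `FileNotFoundError` when the temporary variable store was never created (a run that fails before the installer stage, as far as can be told here, since its creation is outside this hunk), and the enclosing `except Exception` then logs the misleading `Exception while removing diskimage!`; `if args.sbtest and os.path.exists(OVMF_VARS_TMP): os.remove(OVMF_VARS_TMP)` avoids that, and the same `exists` guard would suit the two removals above it. The `if not args.keep:` block and its `try` begin outside the hunk.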
@@ -764,3 +891,5 @@ if EXCEPTION:
log.error('Hmm... system got an exception while processing.')
log.error('The ISO image is not considered usable!')
sys.exit(1)
+
+sys.exit(0)
diff --git a/scripts/image-build/build-vyos-image b/scripts/image-build/build-vyos-image
index a0acd184..566c6a8b 100755
--- a/scripts/image-build/build-vyos-image
+++ b/scripts/image-build/build-vyos-image
@@ -571,7 +571,7 @@ if __name__ == "__main__":
--checksums 'sha256 md5' \
--chroot-squashfs-compression-type "{{squashfs_compression_type}}" \
--debian-installer none \
- --debootstrap-options "--variant=minbase --exclude=isc-dhcp-client,isc-dhcp-common,ifupdown --include=apt-utils,ca-certificates,gnupg2" \
+ --debootstrap-options "--variant=minbase --exclude=isc-dhcp-client,isc-dhcp-common,ifupdown --include=apt-utils,ca-certificates,gnupg2,linux-kbuild-6.1" \
--distribution {{debian_distribution}} \
--firmware-binary false \
--firmware-chroot false \
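Review bot: The package version in `--include=apt-utils,ca-certificates,gnupg2,linux-kbuild-6.1` is hard-coded while the rest of this command is templated from defaults.toml, so a kernel bump will leave the include stale with no error until the signing step fails; deriving the `6.1` from the configured kernel version (a template variable alongside the existing `{{debian_distribution}}` placeholders) would keep the two in step. The reason for the package is also undocumented — presumably it provides the `sign-file` helper used by the new sign-kernel hook listed in the diffstat, which is worth a one-line comment above the command. The enclosing `if __name__ == "__main__":` block starts outside the hunk.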