-rw-r--r--.gitignore3
-rw-r--r--Makefile2
-rw-r--r--data/certificates/.gitignore1
-rwxr-xr-xdata/live-build-config/hooks/live/93-sb-sign-kernel.chroot17
-rw-r--r--data/live-build-config/includes.chroot/var/lib/shim-signed/mok/README.md11
-rw-r--r--docker/Dockerfile2
-rwxr-xr-xscripts/check-qemu-install12
-rwxr-xr-xscripts/image-build/build-vyos-image6
-rw-r--r--scripts/package-build/frr/patches/frr/0001-ldpd-Option-for-disabled-LDP-hello-message-during-TC.patch176
-rwxr-xr-xscripts/package-build/linux-kernel/build-kernel.sh5
10 files changed, 214 insertions, 21 deletions
diff --git a/.gitignore b/.gitignore
index e3724a9f..6de027c6 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,11 +1,12 @@
+.build/config
build/*
+config/*
*.pyc
packer_build/*
packer_cache/*
key/*
packages/*
!packages/*/
-data/live-build-config/includes.chroot/var/lib/shim-signed/mok/*
/testinstall*.img
/testinstall*.efivars
/*.qcow2
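Review bot: Dropping the `data/live-build-config/includes.chroot/var/lib/shim-signed/mok/*` entry means any `MOK.key`/`MOK.pem` a developer still has in that directory from the previous setup becomes an untracked file that `git add -A` would happily commit, and the new `data/certificates/.gitignore` only covers its own directory. Unless that directory is meant to disappear from every checkout, keep a key-only ignore for it, e.g. `data/live-build-config/includes.chroot/var/lib/shim-signed/mok/*.key`, or add a root-level `*.key` pattern next to the existing `key/*` entry so private keys are ignored wherever they land.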
diff --git a/Makefile b/Makefile
index 911454c6..a11e88b5 100644
--- a/Makefile
+++ b/Makefile
@@ -79,7 +79,7 @@ clean:
rm -f config/binary config/bootstrap config/chroot config/common config/source
rm -f build.log
rm -f vyos-*.iso
- rm -f *.img
+ rm -f *.img *.efivars
rm -f *.xz
rm -f *.vhd
rm -f *.raw
diff --git a/data/certificates/.gitignore b/data/certificates/.gitignore
new file mode 100644
index 00000000..c996e507
--- /dev/null
+++ b/data/certificates/.gitignore
@@ -0,0 +1 @@
+*.key
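Review bot: The ignore is by suffix only, so a private key written with a `.pem` suffix (which `openssl req -keyout foo.pem` or `openssl genrsa -out foo.pem` will produce) is tracked, and `build-vyos-image` would then copy it into the image while `build-kernel.sh` presumably folds it into `trusted_keys.pem` via its `*.pem` find. A comment stating the rule helps the next committer: `# Only public certificates (*.pem) belong here; private keys are never committed.` Pairing this with a CI or pre-commit grep for `PRIVATE KEY` banners over this directory would catch the mis-suffixed case that a suffix-based ignore cannot.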
diff --git a/data/live-build-config/hooks/live/93-sb-sign-kernel.chroot b/data/live-build-config/hooks/live/93-sb-sign-kernel.chroot
index 1dc03186..8494a5c8 100755
--- a/data/live-build-config/hooks/live/93-sb-sign-kernel.chroot
+++ b/data/live-build-config/hooks/live/93-sb-sign-kernel.chroot
@@ -1,7 +1,7 @@
#!/bin/sh
SIGN_FILE=$(find /usr/lib -name sign-file)
-MOK_KEY="/var/lib/shim-signed/mok/MOK.key"
-MOK_CERT="/var/lib/shim-signed/mok/MOK.pem"
+KERNEL_KEY="/var/lib/shim-signed/mok/vyos-dev-2025-linux.key"
+KERNEL_CERT="/var/lib/shim-signed/mok/vyos-dev-2025-linux.pem"
VMLINUZ=$(readlink /boot/vmlinuz)
# All Linux Kernel modules need to be cryptographically signed
@@ -13,10 +13,19 @@ find /lib/modules -type f -name \*.ko | while read MODULE; do
fi
done
-if [ ! -f ${MOK_KEY} ]; then
+if [ ! -f ${KERNEL_KEY} ] && [ ! -f ${KERNEL_CERT} ]; then
echo "I: Signing key for Linux Kernel not found - Secure Boot not possible"
else
echo "I: Signing Linux Kernel for Secure Boot"
- sbsign --key ${MOK_KEY} --cert ${MOK_CERT} /boot/${VMLINUZ} --output /boot/${VMLINUZ}
+ sbsign --key ${KERNEL_KEY} --cert ${KERNEL_CERT} /boot/${VMLINUZ} --output /boot/${VMLINUZ}
sbverify --list /boot/${VMLINUZ}
+ rm -f ${KERNEL_KEY}
fi
+
+for cert in $(ls /var/lib/shim-signed/mok/); do
+ if grep -rq "BEGIN PRIVATE KEY" /var/lib/shim-signed/mok/${cert}; then
+ echo "Found private key - bailing out"
+ exit 1
+ fi
+done
+
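Review bot: The new private-key guard at the bottom of the hook only matches the PKCS#8 banner `BEGIN PRIVATE KEY`, so a traditional `BEGIN RSA PRIVATE KEY`/`BEGIN EC PRIVATE KEY` or a `BEGIN ENCRYPTED PRIVATE KEY` file would ship in the image; `if grep -rqE "BEGIN (RSA |EC |ENCRYPTED |OPENSSH )?PRIVATE KEY" /var/lib/shim-signed/mok; then` covers the common PEM variants and also removes the `$(ls …)` loop. The changed condition `[ ! -f ${KERNEL_KEY} ] && [ ! -f ${KERNEL_CERT} ]` now takes the signing branch when exactly one of the two files is missing, so sbsign runs against a nonexistent key or cert; the intended test is `if [ ! -f "${KERNEL_KEY}" ] || [ ! -f "${KERNEL_CERT}" ]; then`. Nothing makes that sbsign failure fatal — the shebang at the top of the file (outside this hunk) is plain `#!/bin/sh` with no `set -e` — so an unsigned kernel reaches `sbverify` and the build continues; `sbsign … || exit 1` would stop it.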
diff --git a/data/live-build-config/includes.chroot/var/lib/shim-signed/mok/README.md b/data/live-build-config/includes.chroot/var/lib/shim-signed/mok/README.md
deleted file mode 100644
index abaaa97a..00000000
--- a/data/live-build-config/includes.chroot/var/lib/shim-signed/mok/README.md
+++ /dev/null
@@ -1,11 +0,0 @@
-# Secure Boot
-
-## CA
-
-Create Certificate Authority used for Kernel signing. CA is loaded into the
-Machine Owner Key store on the target system.
-
-```bash
-openssl req -new -x509 -newkey rsa:4096 -keyout MOK.key -outform DER -out MOK.der -days 36500 -subj "/CN=VyOS Secure Boot CA/" -nodes
-openssl x509 -inform der -in MOK.der -out MOK.pem
-```
diff --git a/docker/Dockerfile b/docker/Dockerfile
index 13aac0a0..71b1084b 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -18,7 +18,7 @@
# This Dockerfile is installable on both x86, x86-64, armhf and arm64 systems
ARG ARCH=
-FROM ${ARCH}debian:bookworm
+FROM ${ARCH}debian:bookworm-slim
RUN grep "VERSION_ID" /etc/os-release || (echo 'VERSION_ID="12"' >> /etc/os-release)
diff --git a/scripts/check-qemu-install b/scripts/check-qemu-install
index 551d1e7e..ab6e1b1f 100755
--- a/scripts/check-qemu-install
+++ b/scripts/check-qemu-install
@@ -399,6 +399,16 @@ try:
loginVM(c, log)
#################################################
+ # Check for no private key contents within the image
+ #################################################
+ msg = 'Found private key - bailing out'
+ c.sendline(f'if sudo grep -rq "BEGIN PRIVATE KEY" /var/lib/shim-signed/mok; then echo {msg}; exit 1; fi')
+ tmp = c.expect([f'\n{msg}', op_mode_prompt])
+ if tmp == 0:
+ log.error(msg)
+ exit(1)
+
+ #################################################
# Installing into VyOS system
#################################################
log.info('Starting installer')
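Review bot: The guest-side check on the `c.sendline` line only matches the PKCS#8 banner `BEGIN PRIVATE KEY`, so a traditional `BEGIN RSA PRIVATE KEY`/`BEGIN EC PRIVATE KEY` or an `BEGIN ENCRYPTED PRIVATE KEY` file under /var/lib/shim-signed/mok passes the smoke test; `sudo grep -rqE "BEGIN (RSA |EC |ENCRYPTED |OPENSSH )?PRIVATE KEY" /var/lib/shim-signed/mok` covers the common PEM variants. Note also that the sentinel `msg` is part of the echoed command line, so the `\n{msg}` expect can in principle match a terminal line-wrap of the echo rather than real output — presumably rare at the default width, but worth a glance at the pexpect log once. A comment above the block would save the next reader a trip to the chroot hook: `# Mirrors 93-sb-sign-kernel.chroot: the kernel signing key must have been deleted from the image`.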
@@ -879,7 +889,7 @@ except pexpect.exceptions.ExceptionPexpect:
EXCEPTION = 1
except Exception:
- log.error('Unknown error occured while VyOS!')
+ log.error('Unknown error occured!')
traceback.print_exc()
EXCEPTION = 1
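Review bot: The reworded message still misspells "occurred" — `log.error('Unknown error occurred!')`. Since the line is being touched anyway, fix the spelling so the string is greppable by its correct form.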
diff --git a/scripts/image-build/build-vyos-image b/scripts/image-build/build-vyos-image
index d969c157..aab5ed13 100755
--- a/scripts/image-build/build-vyos-image
+++ b/scripts/image-build/build-vyos-image
@@ -367,6 +367,11 @@ if __name__ == "__main__":
shutil.copytree("data/live-build-config/", lb_config_dir)
os.makedirs(lb_config_dir, exist_ok=True)
+ ## Secure Boot - Copy public Keys to image
+ sb_certs = 'data/certificates'
+ if os.path.isdir(sb_certs):
+ shutil.copytree(sb_certs, f'{lb_config_dir}/includes.chroot/var/lib/shim-signed/mok')
+
# Switch to the build directory, this is crucial for the live-build work
# because the efective build config files etc. are there.
#
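Review bot: `shutil.copytree` on the new line copies everything under `data/certificates`, including its `.gitignore` and every locally present `*.key` (the chroot hook only deletes `vyos-dev-2025-linux.key`), and it raises `FileExistsError` when the destination already exists — which it will for anyone whose checkout still holds the previously git-ignored `MOK.key`/`MOK.pem` under `data/live-build-config/includes.chroot/var/lib/shim-signed/mok/`, because the copytree on line 148 of this file carries them into `lb_config_dir` first. Passing `ignore=shutil.ignore_patterns('.gitignore'), dirs_exist_ok=True` (Python 3.8+) keeps the ignore file out of the image and makes the copy robust; the hook's private-key grep then still bails out on any stale key that rides along. The comment `Copy public Keys to image` understates what happens — the signing private key transits the chroot too and relies on the hook to remove it — so I'd reword it to `Secure Boot - stage certificates and the kernel signing key for the chroot hook (the hook deletes the key after signing)`.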
@@ -611,6 +616,7 @@ DOCUMENTATION_URL="{build_config['documentation_url']}"
## Configure live-build
lb_config_tmpl = jinja2.Template("""
lb config noauto \
+ --no-color \
--apt-indices false \
--apt-options "--yes -oAPT::Get::allow-downgrades=true" \
--apt-recommends false \
diff --git a/scripts/package-build/frr/patches/frr/0001-ldpd-Option-for-disabled-LDP-hello-message-during-TC.patch b/scripts/package-build/frr/patches/frr/0001-ldpd-Option-for-disabled-LDP-hello-message-during-TC.patch
new file mode 100644
index 00000000..67f85d01
--- /dev/null
+++ b/scripts/package-build/frr/patches/frr/0001-ldpd-Option-for-disabled-LDP-hello-message-during-TC.patch
@@ -0,0 +1,176 @@
+From 945eff42df61982585011fa8427050c74ca90c6b Mon Sep 17 00:00:00 2001
+From: Andrii Melnychenko <a.melnychenko@vyos.io>
+Date: Mon, 17 Mar 2025 13:25:20 +0100
+Subject: [PATCH 1/1] ldpd: Option for disabled LDP hello message during TCP
+
+Added option "disable-establish-hello" that disableds
+sending additional LDP hello multicast messages during
+TCP session establishment.
+This option enables per interface: "(config-ldp-af-if)".
+
+Signed-off-by: Andrii Melnychenko <a.melnychenko@vyos.io>
+---
+ ldpd/interface.c | 2 ++
+ ldpd/ldp_vty.h | 1 +
+ ldpd/ldp_vty_cmds.c | 11 +++++++++++
+ ldpd/ldp_vty_conf.c | 32 ++++++++++++++++++++++++++++++++
+ ldpd/ldpd.c | 1 +
+ ldpd/ldpd.h | 1 +
+ ldpd/neighbor.c | 5 +++--
+ 7 files changed, 51 insertions(+), 2 deletions(-)
+
+diff --git a/ldpd/interface.c b/ldpd/interface.c
+index f0e70cbac..6fccd4af5 100644
+--- a/ldpd/interface.c
++++ b/ldpd/interface.c
+@@ -63,11 +63,13 @@ if_new(const char *name)
+ iface->ipv4.af = AF_INET;
+ iface->ipv4.iface = iface;
+ iface->ipv4.enabled = 0;
++ iface->ipv4.disable_establish_hello = 0;
+
+ /* ipv6 */
+ iface->ipv6.af = AF_INET6;
+ iface->ipv6.iface = iface;
+ iface->ipv6.enabled = 0;
++ iface->ipv6.disable_establish_hello = 0;
+
+ return (iface);
+ }
+diff --git a/ldpd/ldp_vty.h b/ldpd/ldp_vty.h
+index 5c83d1c56..196d05c93 100644
+--- a/ldpd/ldp_vty.h
++++ b/ldpd/ldp_vty.h
+@@ -24,6 +24,7 @@ int ldp_vty_allow_broken_lsp(struct vty *, const char *);
+ int ldp_vty_address_family (struct vty *, const char *, const char *);
+ int ldp_vty_disc_holdtime(struct vty *, const char *, enum hello_type, long);
+ int ldp_vty_disc_interval(struct vty *, const char *, enum hello_type, long);
++int ldp_vty_disable_establish_hello(struct vty *, const char *);
+ int ldp_vty_targeted_hello_accept(struct vty *, const char *, const char *);
+ int ldp_vty_nbr_session_holdtime(struct vty *, const char *, struct in_addr, long);
+ int ldp_vty_af_session_holdtime(struct vty *, const char *, long);
+diff --git a/ldpd/ldp_vty_cmds.c b/ldpd/ldp_vty_cmds.c
+index e046ae996..d6c36c35b 100644
+--- a/ldpd/ldp_vty_cmds.c
++++ b/ldpd/ldp_vty_cmds.c
+@@ -122,6 +122,15 @@ DEFPY (ldp_discovery_link_interval,
+ return (ldp_vty_disc_interval(vty, no, HELLO_LINK, interval));
+ }
+
++DEFPY (ldp_disable_establish_hello,
++ ldp_disable_establish_hello_cmd,
++ "[no] disable-establish-hello",
++ NO_STR
++ "Disable sending additional LDP hello message on establishing LDP tcp connection\n")
++{
++ return ldp_vty_disable_establish_hello(vty, no);
++}
++
+ DEFPY (ldp_discovery_targeted_interval,
+ ldp_discovery_targeted_interval_cmd,
+ "[no] discovery targeted-hello interval (1-65535)$interval",
+@@ -866,9 +875,11 @@ ldp_vty_init (void)
+
+ install_element(LDP_IPV4_IFACE_NODE, &ldp_discovery_link_holdtime_cmd);
+ install_element(LDP_IPV4_IFACE_NODE, &ldp_discovery_link_interval_cmd);
++ install_element(LDP_IPV4_IFACE_NODE, &ldp_disable_establish_hello_cmd);
+
+ install_element(LDP_IPV6_IFACE_NODE, &ldp_discovery_link_holdtime_cmd);
+ install_element(LDP_IPV6_IFACE_NODE, &ldp_discovery_link_interval_cmd);
++ install_element(LDP_IPV6_IFACE_NODE, &ldp_disable_establish_hello_cmd);
+
+ install_element(LDP_L2VPN_NODE, &ldp_bridge_cmd);
+ install_element(LDP_L2VPN_NODE, &ldp_mtu_cmd);
+diff --git a/ldpd/ldp_vty_conf.c b/ldpd/ldp_vty_conf.c
+index ffff67683..56ad071c8 100644
+--- a/ldpd/ldp_vty_conf.c
++++ b/ldpd/ldp_vty_conf.c
+@@ -119,6 +119,8 @@ ldp_af_iface_config_write(struct vty *vty, int af)
+ ia->hello_interval != 0)
+ vty_out (vty, " discovery hello interval %u\n",
+ ia->hello_interval);
++ if (ia->disable_establish_hello)
++ vty_out (vty, " disable-establish-hello\n");
+
+ vty_out (vty, " exit\n");
+ }
+@@ -632,6 +634,36 @@ ldp_vty_disc_interval(struct vty *vty, const char *negate,
+ return (CMD_SUCCESS);
+ }
+
++int
++ldp_vty_disable_establish_hello(struct vty *vty,
++ const char *negate)
++{
++ struct iface *iface;
++ struct iface_af *ia;
++ int af;
++
++ switch (vty->node) {
++ case LDP_IPV4_IFACE_NODE:
++ case LDP_IPV6_IFACE_NODE:
++ af = ldp_vty_get_af(vty);
++ iface = VTY_GET_CONTEXT(iface);
++ VTY_CHECK_CONTEXT(iface);
++
++ ia = iface_af_get(iface, af);
++ if (negate)
++ ia->disable_establish_hello = 0;
++ else
++ ia->disable_establish_hello = 1;
++
++ ldp_config_apply(vty, vty_conf);
++ break;
++ default:
++ fatalx("ldp_vty_disable_establish_hello: unexpected node");
++ }
++
++ return (CMD_SUCCESS);
++}
++
+ int
+ ldp_vty_targeted_hello_accept(struct vty *vty, const char *negate,
+ const char *acl_from_str)
+diff --git a/ldpd/ldpd.c b/ldpd/ldpd.c
+index 4d38fdcd0..9a5667c26 100644
+--- a/ldpd/ldpd.c
++++ b/ldpd/ldpd.c
+@@ -1604,6 +1604,7 @@ merge_iface_af(struct iface_af *ia, struct iface_af *xi)
+ }
+ ia->hello_holdtime = xi->hello_holdtime;
+ ia->hello_interval = xi->hello_interval;
++ ia->disable_establish_hello = xi->disable_establish_hello;
+ }
+
+ static void
+diff --git a/ldpd/ldpd.h b/ldpd/ldpd.h
+index ad831a6ea..40a1e8c3c 100644
+--- a/ldpd/ldpd.h
++++ b/ldpd/ldpd.h
+@@ -332,6 +332,7 @@ struct iface_af {
+ struct event *hello_timer;
+ uint16_t hello_holdtime;
+ uint16_t hello_interval;
++ int disable_establish_hello;
+ };
+
+ struct iface_ldp_sync {
+diff --git a/ldpd/neighbor.c b/ldpd/neighbor.c
+index 2596c7948..00a809186 100644
+--- a/ldpd/neighbor.c
++++ b/ldpd/neighbor.c
+@@ -630,8 +630,9 @@ nbr_establish_connection(struct nbr *nbr)
+ * an adjacency as well.
+ */
+ RB_FOREACH(adj, nbr_adj_head, &nbr->adj_tree)
+- send_hello(adj->source.type, adj->source.link.ia,
+- adj->source.target);
++ if (!(adj->source.type == HELLO_LINK && adj->source.link.ia->disable_establish_hello))
++ send_hello(adj->source.type, adj->source.link.ia,
++ adj->source.target);
+
+ if (connect(nbr->fd, &remote_su.sa, sockaddr_len(&remote_su.sa)) == -1) {
+ if (errno == EINPROGRESS) {
+--
+2.43.0
+
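Review bot: In `ldp_vty_disable_establish_hello` the `ia` returned by `iface_af_get(iface, af)` is dereferenced on the following lines without a NULL check; if that helper can return NULL for an address family not enabled on the interface, this is a crash reachable from the CLI, so mirror whatever guard the sibling `ldp_vty_disc_interval`/holdtime handlers use or return the usual error status on NULL — the helper's contract is not visible in this hunk, so please confirm. The flag is declared as `int` next to `uint16_t` fields in `struct iface_af`; a `bool` would match its use as a flag and its `0`/`1` assignments. The patch description has a typo, `disableds`, and the help string in `ldp_vty_cmds.c` could say what is actually skipped: `"Do not send an extra link hello when initiating the LDP TCP session\n"`.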
diff --git a/scripts/package-build/linux-kernel/build-kernel.sh b/scripts/package-build/linux-kernel/build-kernel.sh
index e3efd127..62dd7829 100755
--- a/scripts/package-build/linux-kernel/build-kernel.sh
+++ b/scripts/package-build/linux-kernel/build-kernel.sh
@@ -36,12 +36,13 @@ do
done
# Change name of Signing Cert
-sed -i -e "s/CN =.*/CN=VyOS build time autogenerated kernel key/" certs/default_x509.genkey
+sed -i -e "s/CN =.*/CN=VyOS Networks build time autogenerated Kernel key/" certs/default_x509.genkey
TRUSTED_KEYS_FILE=trusted_keys.pem
# start with empty key file
echo -n "" > $TRUSTED_KEYS_FILE
-CERTS=$(find ../../../../data/live-build-config/includes.chroot/var/lib/shim-signed/mok -name "*.pem" -type f || true)
+GIT_ROOT=$(git rev-parse --show-toplevel)
+CERTS=$(find ${GIT_ROOT}/data/certificates -name "*.pem" -type f || true)
if [ ! -z "${CERTS}" ]; then
# add known public keys to Kernel certificate chain
for file in $CERTS; do
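Review bot: `GIT_ROOT=$(git rev-parse --show-toplevel)` is never checked, so outside a git worktree (an exported tarball, or a container without `git`) it is empty, `find /data/certificates` silently yields nothing, and the kernel is built with an empty `trusted_keys.pem` without anything in this hunk reporting it. Fail loudly instead: `GIT_ROOT=$(git rev-parse --show-toplevel) || { echo "E: must run from the vyos-build checkout" >&2; exit 1; }` and quote the expansion, `find "${GIT_ROOT}/data/certificates" -name "*.pem" -type f`. The `|| true` then only masks a missing directory, which is presumably the intended optional case. The `for file in $CERTS` loop body continues past the end of this hunk.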