-rw-r--r-- | .gitignore | 3 | ||||
-rw-r--r-- | Makefile | 2 | ||||
-rw-r--r-- | data/certificates/.gitignore | 1 | ||||
-rw-r--r-- | data/live-build-config/hooks/live/100-remove-dropbear-keys.chroot | 7 | ||||
-rwxr-xr-x | data/live-build-config/hooks/live/18-enable-disable_services.chroot | 1 | ||||
-rwxr-xr-x | data/live-build-config/hooks/live/93-sb-sign-kernel.chroot | 17 | ||||
-rw-r--r-- | data/live-build-config/includes.chroot/var/lib/shim-signed/mok/README.md | 11 | ||||
-rw-r--r-- | docker/Dockerfile | 3 | ||||
-rwxr-xr-x | scripts/check-qemu-install | 12 | ||||
-rwxr-xr-x | scripts/image-build/build-vyos-image | 6 | ||||
-rw-r--r-- | scripts/package-build/frr/patches/frr/0001-ldpd-Option-for-disabled-LDP-hello-message-during-TC.patch (renamed from scripts/package-build/frr/patches/frr/0001-T7226-Option-for-disabled-LDP-hello-message-during-T.patch) | 10 | ||||
-rwxr-xr-x | scripts/package-build/linux-kernel/build-kernel.sh | 5 |
12 files changed, 53 insertions, 25 deletions
@@ -1,11 +1,12 @@
+.build/config
 build/*
+config/*
 *.pyc
 packer_build/*
 packer_cache/*
 key/*
 packages/*
 !packages/*/
-data/live-build-config/includes.chroot/var/lib/shim-signed/mok/*
 /testinstall*.img
 /testinstall*.efivars
 /*.qcow2
@@ -79,7 +79,7 @@ clean:
 rm -f config/binary config/bootstrap config/chroot config/common config/source
 rm -f build.log
 rm -f vyos-*.iso
- rm -f *.img
+ rm -f *.img *.efivars
 rm -f *.xz
 rm -f *.vhd
 rm -f *.raw
diff --git a/data/certificates/.gitignore b/data/certificates/.gitignore
new file mode 100644
index 00000000..c996e507
--- /dev/null
+++ b/data/certificates/.gitignore
@@ -0,0 +1 @@
+*.key
diff --git a/data/live-build-config/hooks/live/100-remove-dropbear-keys.chroot b/data/live-build-config/hooks/live/100-remove-dropbear-keys.chroot
new file mode 100644
index 00000000..20d8a670
--- /dev/null
+++ b/data/live-build-config/hooks/live/100-remove-dropbear-keys.chroot
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+# Delete Dropbear SSH keys that might be generated
+# by postinst scripts
+# to prevent non-unique keys from appearing in images
+
+rm -f /etc/dropbear/dropbear_*_host_key
diff --git a/data/live-build-config/hooks/live/18-enable-disable_services.chroot b/data/live-build-config/hooks/live/18-enable-disable_services.chroot
index 463abf09..3b4efe38 100755
--- a/data/live-build-config/hooks/live/18-enable-disable_services.chroot
+++ b/data/live-build-config/hooks/live/18-enable-disable_services.chroot
@@ -71,6 +71,7 @@ systemctl disable zabbix-agent2.service
 systemctl disable suricata.service
 systemctl disable vyconfd.service
 systemctl disable vpp.service
+systemctl disable vyos-commitd.service
 
 echo I: Enabling services
 systemctl enable vyos-hostsd.service
diff --git a/data/live-build-config/hooks/live/93-sb-sign-kernel.chroot b/data/live-build-config/hooks/live/93-sb-sign-kernel.chroot
index 1dc03186..8494a5c8 100755
--- a/data/live-build-config/hooks/live/93-sb-sign-kernel.chroot
+++ b/data/live-build-config/hooks/live/93-sb-sign-kernel.chroot
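Review bot: `*.key` in data/certificates/.gitignore only keeps files with that exact extension out of the repository; a private key saved as `.pem`, `.p8`, `.p12`/`.pfx` or without an extension would be committed, and `*.pem` is exactly what build-kernel.sh and the image copy in this commit treat as public material. Since this directory is now the trust root for kernel and Secure Boot certificates, widen the list to `*.key`, `*.p8`, `*.p12`, `*.pfx` and add a commit-time guard that rejects any staged file in it matching `PRIVATE KEY`. The in-image grep added elsewhere in this commit catches a key only after it has been built into an image, not before it is pushed.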
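Review bot: The new hook is added with mode 100644 (`-rw-r--r--` in the diffstat) while the neighbouring `18-…` and `93-…` hooks are 100755; if live-build executes hooks directly rather than via `sh`, this one never runs and the non-unique Dropbear host keys it is meant to strip stay in every image, so `chmod +x` it unless live-build is known to normalise hook modes. Because `rm -f` is silent, consider `ls -l /etc/dropbear/dropbear_*_host_key 2>/dev/null || true` before the rm so the build log shows which postinst generated a key, and note that nothing stops a later hook from regenerating one; the installer test in this same commit is the natural place to assert the keys are absent. The same reasoning applies to `/etc/ssh/ssh_host_*_key` if OpenSSH host keys are not handled by another hook, which this diff does not show.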
@@ -1,7 +1,7 @@
 #!/bin/sh
 SIGN_FILE=$(find /usr/lib -name sign-file)
-MOK_KEY="/var/lib/shim-signed/mok/MOK.key"
-MOK_CERT="/var/lib/shim-signed/mok/MOK.pem"
+KERNEL_KEY="/var/lib/shim-signed/mok/vyos-dev-2025-linux.key"
+KERNEL_CERT="/var/lib/shim-signed/mok/vyos-dev-2025-linux.pem"
 VMLINUZ=$(readlink /boot/vmlinuz)
 
 # All Linux Kernel modules need to be cryptographically signed
@@ -13,10 +13,19 @@ find /lib/modules -type f -name \*.ko | while read MODULE; do
 fi
 done
 
-if [ ! -f ${MOK_KEY} ]; then
+if [ ! -f ${KERNEL_KEY} ] && [ ! -f ${KERNEL_CERT} ]; then
 echo "I: Signing key for Linux Kernel not found - Secure Boot not possible"
 else
 echo "I: Signing Linux Kernel for Secure Boot"
- sbsign --key ${MOK_KEY} --cert ${MOK_CERT} /boot/${VMLINUZ} --output /boot/${VMLINUZ}
+ sbsign --key ${KERNEL_KEY} --cert ${KERNEL_CERT} /boot/${VMLINUZ} --output /boot/${VMLINUZ}
 sbverify --list /boot/${VMLINUZ}
+ rm -f ${KERNEL_KEY}
 fi
+
+for cert in $(ls /var/lib/shim-signed/mok/); do
+ if grep -rq "BEGIN PRIVATE KEY" /var/lib/shim-signed/mok/${cert}; then
+ echo "Found private key - bailing out"
+ exit 1
+ fi
+done
+
diff --git a/data/live-build-config/includes.chroot/var/lib/shim-signed/mok/README.md b/data/live-build-config/includes.chroot/var/lib/shim-signed/mok/README.md
deleted file mode 100644
index abaaa97a..00000000
--- a/data/live-build-config/includes.chroot/var/lib/shim-signed/mok/README.md
+++ /dev/null
@@ -1,11 +0,0 @@
-# Secure Boot
-
-## CA
-
-Create Certificate Authority used for Kernel signing. CA is loaded into the
-Machine Owner Key store on the target system.
-
-```bash
-openssl req -new -x509 -newkey rsa:4096 -keyout MOK.key -outform DER -out MOK.der -days 36500 -subj "/CN=VyOS Secure Boot CA/" -nodes
-openssl x509 -inform der -in MOK.der -out MOK.pem
-```
diff --git a/docker/Dockerfile b/docker/Dockerfile
index a1553737..71b1084b 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -18,7 +18,7 @@
 # This Dockerfile is installable on both x86, x86-64, armhf and arm64 systems
 ARG ARCH=
-FROM ${ARCH}debian:bookworm
+FROM ${ARCH}debian:bookworm-slim
 RUN grep "VERSION_ID" /etc/os-release || (echo 'VERSION_ID="12"' >> /etc/os-release)
@@ -237,6 +237,7 @@ RUN pip install --break-system-packages \
 iproute2 \
 libzmq3-dev \
 procps \
+ protobuf-compiler \
 python3 \
 python3-setuptools \
 python3-inotify \
diff --git a/scripts/check-qemu-install b/scripts/check-qemu-install
index 551d1e7e..ab6e1b1f 100755
--- a/scripts/check-qemu-install
+++ b/scripts/check-qemu-install
@@ -399,6 +399,16 @@ try:
 loginVM(c, log)
 
 #################################################
+ # Check for no private key contents within the image
+ #################################################
+ msg = 'Found private key - bailing out'
+ c.sendline(f'if sudo grep -rq "BEGIN PRIVATE KEY" /var/lib/shim-signed/mok; then echo {msg}; exit 1; fi')
+ tmp = c.expect([f'\n{msg}', op_mode_prompt])
+ if tmp == 0:
+ log.error(msg)
+ exit(1)
+
+ #################################################
 # Installing into VyOS system
 #################################################
 log.info('Starting installer')
@@ -879,7 +889,7 @@ except pexpect.exceptions.ExceptionPexpect:
 EXCEPTION = 1
 
 except Exception:
- log.error('Unknown error occured while VyOS!')
+ log.error('Unknown error occured!')
 traceback.print_exc()
 EXCEPTION = 1
 
diff --git a/scripts/image-build/build-vyos-image b/scripts/image-build/build-vyos-image
index d969c157..aab5ed13 100755
--- a/scripts/image-build/build-vyos-image
+++ b/scripts/image-build/build-vyos-image
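Review bot: `FROM ${ARCH}debian:bookworm-slim` still resolves a floating tag at build time, so two builds of the same commit can start from different base layers and a republished or compromised tag is picked up silently; moving to `-slim` does not change that. Pin the base by digest, `FROM ${ARCH}debian:bookworm-slim@sha256:<digest>`, and bump it deliberately; if the per-`${ARCH}` repositories make a single digest awkward, at least record the resolved digest in the build log so the inputs of a signing-capable build are reproducible. The later `protobuf-compiler` line lands in a package list whose `RUN` statement is outside the hunk.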
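Review bot: The in-guest check `grep -rq "BEGIN PRIVATE KEY" /var/lib/shim-signed/mok` shares the blind spots of the build hook it mirrors: `BEGIN RSA PRIVATE KEY`, `BEGIN EC PRIVATE KEY`, `BEGIN ENCRYPTED PRIVATE KEY` and `BEGIN OPENSSH PRIVATE KEY` do not contain that substring and a DER-encoded key has no header, so the test passes on an image that still carries a usable signing key in one of those forms; `grep -rEqi "BEGIN .*PRIVATE KEY"` closes the PEM cases. The expect pattern `f'\n{msg}'` is matched against a stream that also carries the echoed command line containing the same words, so if the guest's line editor wraps the 100-plus-character command at the console width the echo itself can trip the check; printing a sentinel assembled in the shell (e.g. `echo PRIVKEY_FO""UND`) and expecting that avoids the false positive. Since the `exit 1` inside the guest terminates the login shell on a hit, a comment that the script must exit immediately on `tmp == 0` (as it does) would keep a later refactor from moving the check. If Dropbear is present in the image, `sudo ls /etc/dropbear/dropbear_*_host_key` failing would verify the new removal hook in the same run. The enclosing `try:` block begins outside the hunk.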
@@ -367,6 +367,11 @@ if __name__ == "__main__":
 shutil.copytree("data/live-build-config/", lb_config_dir)
 os.makedirs(lb_config_dir, exist_ok=True)
 
+ ## Secure Boot - Copy public Keys to image
+ sb_certs = 'data/certificates'
+ if os.path.isdir(sb_certs):
+ shutil.copytree(sb_certs, f'{lb_config_dir}/includes.chroot/var/lib/shim-signed/mok')
+
 # Switch to the build directory, this is crucial for the live-build work
 # because the efective build config files etc. are there.
 #
@@ -611,6 +616,7 @@ DOCUMENTATION_URL="{build_config['documentation_url']}"
 ## Configure live-build
 lb_config_tmpl = jinja2.Template("""
 lb config noauto \
+ --no-color \
 --apt-indices false \
 --apt-options "--yes -oAPT::Get::allow-downgrades=true" \
 --apt-recommends false \
diff --git a/scripts/package-build/frr/patches/frr/0001-T7226-Option-for-disabled-LDP-hello-message-during-T.patch b/scripts/package-build/frr/patches/frr/0001-ldpd-Option-for-disabled-LDP-hello-message-during-TC.patch
index 4d17f777..67f85d01 100644
--- a/scripts/package-build/frr/patches/frr/0001-T7226-Option-for-disabled-LDP-hello-message-during-T.patch
+++ b/scripts/package-build/frr/patches/frr/0001-ldpd-Option-for-disabled-LDP-hello-message-during-TC.patch
@@ -1,12 +1,14 @@
-From 9f0dc1829119ea180c2ee2ebe7dcd847556c6fda Mon Sep 17 00:00:00 2001
+From 945eff42df61982585011fa8427050c74ca90c6b Mon Sep 17 00:00:00 2001
 From: Andrii Melnychenko <a.melnychenko@vyos.io>
 Date: Mon, 17 Mar 2025 13:25:20 +0100
-Subject: [PATCH 1/1] T7226 Option for disabled LDP hello message during TCP
+Subject: [PATCH 1/1] ldpd: Option for disabled LDP hello message during TCP
 
 Added option "disable-establish-hello" that disableds sending additional
 LDP hello multicast messages during TCP session establishment.
 This option enables per interface: "(config-ldp-af-if)".
+
+Signed-off-by: Andrii Melnychenko <a.melnychenko@vyos.io>
 ---
 ldpd/interface.c | 2 ++
 ldpd/ldp_vty.h | 1 +
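Review bot: `shutil.copytree(sb_certs, …/mok)` copies the whole of data/certificates unfiltered, so the directory's `.gitignore` and any developer's `.key` sitting there are staged into the image's MOK directory and also left on the host under `lb_config_dir`; the chroot hook in this commit later deletes only its own in-image copy of the key. Filter to what belongs in the image and tolerate a pre-existing target: `shutil.copytree(sb_certs, mok_dir, ignore=shutil.ignore_patterns('.gitignore', '*.md'), dirs_exist_ok=True)` (the `dirs_exist_ok` keyword needs Python 3.8+, which I assume the builder has), and remove the build tree's copy of the key once the image is produced. The comment says "public Keys" while the hook expects the private `.key` at the same path, so one of the two should say which material is meant to travel this way. The enclosing `if __name__ == "__main__":` block continues outside the hunk.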
@@ -154,7 +156,7 @@ index ad831a6ea..40a1e8c3c 100644
 struct iface_ldp_sync {
 diff --git a/ldpd/neighbor.c b/ldpd/neighbor.c
-index 2596c7948..b9199f0d9 100644
+index 2596c7948..00a809186 100644
 --- a/ldpd/neighbor.c
 +++ b/ldpd/neighbor.c
 @@ -630,8 +630,9 @@ nbr_establish_connection(struct nbr *nbr)
@@ -163,7 +165,7 @@ index 2596c7948..b9199f0d9 100644
 RB_FOREACH(adj, nbr_adj_head, &nbr->adj_tree)
 - send_hello(adj->source.type, adj->source.link.ia,
 - adj->source.target);
-+ if (!adj->source.link.ia->disable_establish_hello)
++ if (!(adj->source.type == HELLO_LINK && adj->source.link.ia->disable_establish_hello))
 + send_hello(adj->source.type, adj->source.link.ia,
 + adj->source.target);
diff --git a/scripts/package-build/linux-kernel/build-kernel.sh b/scripts/package-build/linux-kernel/build-kernel.sh
index e3efd127..62dd7829 100755
--- a/scripts/package-build/linux-kernel/build-kernel.sh
+++ b/scripts/package-build/linux-kernel/build-kernel.sh
@@ -36,12 +36,13 @@ do
 done
 
 # Change name of Signing Cert
-sed -i -e "s/CN =.*/CN=VyOS build time autogenerated kernel key/" certs/default_x509.genkey
+sed -i -e "s/CN =.*/CN=VyOS Networks build time autogenerated Kernel key/" certs/default_x509.genkey
 
 TRUSTED_KEYS_FILE=trusted_keys.pem
 # start with empty key file
 echo -n "" > $TRUSTED_KEYS_FILE
-CERTS=$(find ../../../../data/live-build-config/includes.chroot/var/lib/shim-signed/mok -name "*.pem" -type f || true)
+GIT_ROOT=$(git rev-parse --show-toplevel)
+CERTS=$(find ${GIT_ROOT}/data/certificates -name "*.pem" -type f || true)
 if [ ! -z "${CERTS}" ]; then
 # add known public keys to Kernel certificate chain
 for file in $CERTS; do
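Review bot: `GIT_ROOT=$(git rev-parse --show-toplevel)` has no error handling, so when the kernel is built from a source tarball, a shallow export, or a container where `.git` is absent or refused by `safe.directory`, it yields an empty string, `find /data/certificates` fails, `|| true` hides that, and the kernel is built without any of the project certificates in `$TRUSTED_KEYS_FILE` — presumably leaving modules signed with them unverifiable, with no build error to point at. Fail hard or fall back to the script's own location: `GIT_ROOT=$(git rev-parse --show-toplevel 2>/dev/null) || GIT_ROOT=$(cd "$(dirname "$0")/../../.." && pwd)`, and drop the `|| true` from the find so a missing directory is visible. A comment on the `CERTS=` line that every `*.pem` in data/certificates becomes a kernel trust root would make clear that additions to that directory need the same review as a signing-key change. How `$TRUSTED_KEYS_FILE` is consumed is outside the hunk.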