diff options
20 files changed, 339 insertions, 123 deletions
@@ -5,6 +5,8 @@ packer_cache/* key/* packages/* !packages/*/ -testinstall*.img -*.qcow2 -*.tar +data/live-build-config/includes.chroot/var/lib/shim-signed/mok/* +/testinstall*.img +/testinstall*.efivars +/*.qcow2 +/*.tar @@ -21,12 +21,12 @@ checkiso: .PHONY: test .ONESHELL: test: checkiso - scripts/check-qemu-install --debug --configd --match="$(MATCH)" --uefi build/live-image-amd64.hybrid.iso + scripts/check-qemu-install --debug --configd --match="$(MATCH)" --smoketest --uefi build/live-image-amd64.hybrid.iso $(filter-out $@,$(MAKECMDGOALS)) .PHONY: test-no-interfaces .ONESHELL: test-no-interfaces: checkiso - scripts/check-qemu-install --debug --configd --match="$(MATCH)" --uefi --no-interfaces build/live-image-amd64.hybrid.iso + scripts/check-qemu-install --debug --configd --match="$(MATCH)" --smoketest --uefi --no-interfaces build/live-image-amd64.hybrid.iso .PHONY: testc .ONESHELL: @@ -36,7 +36,12 @@ testc: checkiso .PHONY: testraid .ONESHELL: testraid: checkiso - scripts/check-qemu-install --debug --configd --raid --configtest build/live-image-amd64.hybrid.iso $(filter-out $@,$(MAKECMDGOALS)) + scripts/check-qemu-install --debug --configd --raid build/live-image-amd64.hybrid.iso $(filter-out $@,$(MAKECMDGOALS)) + +.PHONY: testsb +.ONESHELL: +testsb: checkiso + scripts/check-qemu-install --debug --uefi --sbtest build/live-image-amd64.hybrid.iso $(filter-out $@,$(MAKECMDGOALS)) .PHONY: testtpm .ONESHELL: diff --git a/data/architectures/amd64.toml b/data/architectures/amd64.toml index 44a203a2..e85b4158 100644 --- a/data/architectures/amd64.toml +++ b/data/architectures/amd64.toml @@ -2,8 +2,6 @@ additional_repositories = [ "deb [arch=amd64] https://repo.saltproject.io/py3/debian/11/amd64/3005 bullseye main" ] -kernel_flavor = "amd64-vyos" - # Packages added to images for x86 by default packages = [ "grub2", diff --git a/data/architectures/arm64.toml b/data/architectures/arm64.toml index 22f1fd10..228d0f3f 100644 --- a/data/architectures/arm64.toml +++ b/data/architectures/arm64.toml @@ -2,8 +2,6 @@ additional_repositories = [ "deb [arch=arm64] https://repo.saltproject.io/py3/debian/11/arm64/3005 bullseye main" ] -kernel_flavor = "arm64-vyos" - # Packages included in ARM64 images by default packages = [ "grub-efi-arm64", diff --git a/data/defaults.toml b/data/defaults.toml index e6654c43..efe6399f 100644 --- a/data/defaults.toml +++ b/data/defaults.toml @@ -14,7 +14,8 @@ vyos_mirror = "https://rolling-packages.vyos.net/current" vyos_branch = "current" release_train = "current" -kernel_version = "6.6.49" +kernel_version = "6.6.51" +kernel_flavor = "vyos" bootloaders = "syslinux,grub-efi" squashfs_compression_type = "xz -Xbcj x86 -b 256k -always-use-fragments -no-recovery" diff --git a/data/live-build-config/hooks/live/99-strip-symbols.chroot b/data/live-build-config/hooks/live/92-strip-symbols.chroot index 704f9cb3..704f9cb3 100755 --- a/data/live-build-config/hooks/live/99-strip-symbols.chroot +++ b/data/live-build-config/hooks/live/92-strip-symbols.chroot diff --git a/data/live-build-config/hooks/live/93-sign-kernel.chroot b/data/live-build-config/hooks/live/93-sign-kernel.chroot new file mode 100755 index 00000000..031db10d --- /dev/null +++ b/data/live-build-config/hooks/live/93-sign-kernel.chroot @@ -0,0 +1,18 @@ +#!/bin/sh +SIGN_FILE=$(find /usr/lib -name sign-file) +MOK_KEY="/var/lib/shim-signed/mok/kernel.key" +MOK_CERT="/var/lib/shim-signed/mok/kernel.pem" +kernel_elf=$(readlink /boot/vmlinuz) + +if [ ! -f ${MOK_KEY} ]; then + echo "I: Signing key for Linux Kernel not found - Secure Boot not possible" +else + echo "I: Signing Linux Kernel for Secure Boot" + + sbsign --key $MOK_KEY --cert $MOK_CERT /boot/${kernel_elf} --output /boot/${kernel_elf} + sbverify --list /boot/${kernel_elf} + + find /lib/modules -type f -name \*.ko -o -name \*.ko.xz | while read module; do + $SIGN_FILE sha512 $MOK_KEY $MOK_CERT $module + done +fi diff --git a/data/live-build-config/includes.chroot/var/lib/shim-signed/mok/README.md b/data/live-build-config/includes.chroot/var/lib/shim-signed/mok/README.md new file mode 100644 index 00000000..5a6edbba --- /dev/null +++ b/data/live-build-config/includes.chroot/var/lib/shim-signed/mok/README.md @@ -0,0 +1,22 @@ +# Secure Boot + +## CA + +Create Certificate Authority used for Kernel signing. CA is loaded into the +Machine Owner Key store on the target system. + +```bash +openssl req -new -x509 -newkey rsa:2048 -keyout MOK.key -outform DER -out MOK.der -days 36500 -subj "/CN=VyOS Secure Boot CA/" -nodes +openssl x509 -inform der -in MOK.der -out MOK.pem +``` + +## Kernel Module Signing Key + +We do not make use of ephemeral keys for Kernel module signing. Instead a key +is generated and signed by the VyOS Secure Boot CA which signs all the Kernel +modules during ISO assembly if present. + +```bash +openssl req -newkey rsa:2048 -keyout kernel.key -out kernel.csr -subj "/CN=VyOS Secure Boot Signer 2024 - linux/" -nodes +openssl x509 -req -in kernel.csr -CA MOK.pem -CAkey MOK.key -CAcreateserial -out kernel.pem -days 730 -sha256 +``` diff --git a/docker/Dockerfile b/docker/Dockerfile index 2824bcb0..576d1085 100644 --- a/docker/Dockerfile +++ b/docker/Dockerfile @@ -384,6 +384,11 @@ RUN sed "s/^%sudo.*/%sudo\tALL=(ALL) NOPASSWD:ALL/g" -i /etc/sudoers && \ RUN echo "$(opam env --root=/opt/opam --set-root)" >> /etc/skel/.bashrc && \ echo "export PATH=/opt/go/bin:\$PATH" >> /etc/skel/.bashrc +# Rise upper limit for UID when working in an Active Direcotry integrated +# environment. This solves the warning: vyos_bld's uid 1632000007 outside of the +# UID_MIN 1000 and UID_MAX 60000 range. +RUN sed -i 's/UID_MAX\t\t\t60000/UID_MAX\t\t\t2000000000/g' /etc/login.defs + # Cleanup RUN rm -rf /tmp/* diff --git a/packages/linux-kernel/Jenkinsfile b/packages/linux-kernel/Jenkinsfile index 986780e0..c354200e 100644 --- a/packages/linux-kernel/Jenkinsfile +++ b/packages/linux-kernel/Jenkinsfile @@ -63,7 +63,7 @@ def pkgList = [ ['name': 'ixgbevf', 'buildCmd': 'cd ..; ./build-intel-ixgbevf.sh'], // Mellanox OFED - ['name': 'ofed', 'buildCmd': 'cd ..; ./build-mellanox-ofed.sh'], + ['name': 'ofed', 'buildCmd': 'cd ..; sudo ./build-mellanox-ofed.sh'], // Jool ['name': 'jool', 'buildCmd': 'cd ..; ./build-jool.py'], diff --git a/packages/linux-kernel/arch/x86/configs/vyos_defconfig b/packages/linux-kernel/arch/x86/configs/vyos_defconfig index 9726ea4b..37becb4c 100644 --- a/packages/linux-kernel/arch/x86/configs/vyos_defconfig +++ b/packages/linux-kernel/arch/x86/configs/vyos_defconfig @@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/x86 6.6.16 Kernel Configuration +# Linux/x86 6.6.48 Kernel Configuration # CONFIG_CC_VERSION_TEXT="gcc (Debian 12.2.0-14) 12.2.0" CONFIG_CC_IS_GCC=y @@ -15,6 +15,7 @@ CONFIG_CC_CAN_LINK=y CONFIG_CC_CAN_LINK_STATIC=y CONFIG_CC_HAS_ASM_GOTO_OUTPUT=y CONFIG_CC_HAS_ASM_GOTO_TIED_OUTPUT=y +CONFIG_GCC_ASM_GOTO_OUTPUT_WORKAROUND=y CONFIG_TOOLS_SUPPORT_RELR=y CONFIG_CC_HAS_ASM_INLINE=y CONFIG_CC_HAS_NO_PROFILE_FN_ATTR=y @@ -181,7 +182,7 @@ CONFIG_ARCH_SUPPORTS_NUMA_BALANCING=y CONFIG_ARCH_WANT_BATCHED_UNMAP_TLB_FLUSH=y CONFIG_CC_HAS_INT128=y CONFIG_CC_IMPLICIT_FALLTHROUGH="-Wimplicit-fallthrough=5" -CONFIG_GCC11_NO_ARRAY_BOUNDS=y +CONFIG_GCC10_NO_ARRAY_BOUNDS=y CONFIG_CC_NO_ARRAY_BOUNDS=y CONFIG_ARCH_SUPPORTS_INT128=y CONFIG_NUMA_BALANCING=y @@ -193,13 +194,16 @@ CONFIG_MEMCG=y CONFIG_MEMCG_KMEM=y # CONFIG_BLK_CGROUP is not set CONFIG_CGROUP_SCHED=y +CONFIG_FAIR_GROUP_SCHED=y CONFIG_CFS_BANDWIDTH=y +# CONFIG_RT_GROUP_SCHED is not set CONFIG_SCHED_MM_CID=y CONFIG_CGROUP_PIDS=y # CONFIG_CGROUP_RDMA is not set # CONFIG_CGROUP_FREEZER is not set # CONFIG_CGROUP_HUGETLB is not set CONFIG_CPUSETS=y +CONFIG_PROC_PID_CPUSET=y # CONFIG_CGROUP_DEVICE is not set CONFIG_CGROUP_CPUACCT=y # CONFIG_CGROUP_PERF is not set @@ -439,7 +443,6 @@ CONFIG_X86_64_ACPI_NUMA=y CONFIG_NODES_SHIFT=6 CONFIG_ARCH_SPARSEMEM_ENABLE=y CONFIG_ARCH_SPARSEMEM_DEFAULT=y -# CONFIG_ARCH_MEMORY_PROBE is not set CONFIG_ARCH_PROC_KCORE_TEXT=y CONFIG_ILLEGAL_POINTER_VALUE=0xdead000000000000 CONFIG_X86_PMEM_LEGACY_DEVICE=y @@ -509,7 +512,7 @@ CONFIG_CALL_PADDING=y CONFIG_HAVE_CALL_THUNKS=y CONFIG_CALL_THUNKS=y CONFIG_PREFIX_SYMBOLS=y -CONFIG_SPECULATION_MITIGATIONS=y +CONFIG_CPU_MITIGATIONS=y CONFIG_PAGE_TABLE_ISOLATION=y CONFIG_RETPOLINE=y CONFIG_RETHUNK=y @@ -521,6 +524,8 @@ CONFIG_CPU_IBRS_ENTRY=y CONFIG_CPU_SRSO=y # CONFIG_SLS is not set # CONFIG_GDS_FORCE_MITIGATION is not set +CONFIG_MITIGATION_RFDS=y +CONFIG_MITIGATION_SPECTRE_BHI=y CONFIG_ARCH_HAS_ADD_PAGES=y # @@ -573,7 +578,6 @@ CONFIG_ACPI_TABLE_UPGRADE=y # CONFIG_ACPI_DEBUG is not set CONFIG_ACPI_PCI_SLOT=y CONFIG_ACPI_CONTAINER=y -CONFIG_ACPI_HOTPLUG_MEMORY=y CONFIG_ACPI_HOTPLUG_IOAPIC=y # CONFIG_ACPI_SBS is not set CONFIG_ACPI_HED=y @@ -687,6 +691,7 @@ CONFIG_AS_SHA256_NI=y CONFIG_AS_TPAUSE=y CONFIG_AS_GFNI=y CONFIG_AS_WRUSS=y +CONFIG_ARCH_CONFIGURES_CPU_MITIGATIONS=y # # General architecture-dependent options @@ -971,13 +976,8 @@ CONFIG_HAVE_FAST_GUP=y CONFIG_NUMA_KEEP_MEMINFO=y CONFIG_MEMORY_ISOLATION=y CONFIG_EXCLUSIVE_SYSTEM_RAM=y -CONFIG_HAVE_BOOTMEM_INFO_NODE=y CONFIG_ARCH_ENABLE_MEMORY_HOTPLUG=y -CONFIG_ARCH_ENABLE_MEMORY_HOTREMOVE=y -CONFIG_MEMORY_HOTPLUG=y -# CONFIG_MEMORY_HOTPLUG_DEFAULT_ONLINE is not set -CONFIG_MEMORY_HOTREMOVE=y -CONFIG_MHP_MEMMAP_ON_MEMORY=y +# CONFIG_MEMORY_HOTPLUG is not set CONFIG_ARCH_MHP_MEMMAP_ON_MEMORY_ENABLE=y CONFIG_SPLIT_PTLOCK_CPUS=4 CONFIG_ARCH_ENABLE_SPLIT_PMD_PTLOCK=y @@ -990,6 +990,7 @@ CONFIG_MIGRATION=y CONFIG_ARCH_ENABLE_HUGEPAGE_MIGRATION=y CONFIG_ARCH_ENABLE_THP_MIGRATION=y CONFIG_CONTIG_ALLOC=y +CONFIG_PCP_BATCH_SCALE_MAX=5 CONFIG_PHYS_ADDR_T_64BIT=y CONFIG_MMU_NOTIFIER=y CONFIG_KSM=y @@ -1021,7 +1022,6 @@ CONFIG_ARCH_HAS_PTE_DEVMAP=y CONFIG_ARCH_HAS_ZONE_DMA_SET=y CONFIG_ZONE_DMA=y CONFIG_ZONE_DMA32=y -# CONFIG_ZONE_DEVICE is not set CONFIG_HMM_MIRROR=y CONFIG_ARCH_USES_HIGH_VMA_FLAGS=y CONFIG_ARCH_HAS_PKEYS=y @@ -3076,6 +3076,7 @@ CONFIG_XEN_NETDEV_FRONTEND=m CONFIG_XEN_NETDEV_BACKEND=m CONFIG_VMXNET3=m # CONFIG_FUJITSU_ES is not set +CONFIG_USB4_NET=m CONFIG_HYPERV_NET=m # CONFIG_NETDEVSIM is not set CONFIG_NET_FAILOVER=m @@ -4202,6 +4203,7 @@ CONFIG_REGULATOR_TPS65132=m # Graphics support # CONFIG_APERTURE_HELPERS=y +CONFIG_SCREEN_INFO=y CONFIG_VIDEO_CMDLINE=y # CONFIG_AUXDISPLAY is not set # CONFIG_PANEL is not set @@ -4269,6 +4271,7 @@ CONFIG_FB_CFB_FILLRECT=y CONFIG_FB_CFB_COPYAREA=y CONFIG_FB_CFB_IMAGEBLIT=y # CONFIG_FB_FOREIGN_ENDIAN is not set +CONFIG_FB_IOMEM_FOPS=y CONFIG_FB_IOMEM_HELPERS=y # CONFIG_FB_MODE_HELPERS is not set # CONFIG_FB_TILEBLITTING is not set @@ -5009,7 +5012,6 @@ CONFIG_VIRTIO_PCI=m CONFIG_VIRTIO_PCI_LEGACY=y # CONFIG_VIRTIO_PMEM is not set CONFIG_VIRTIO_BALLOON=m -CONFIG_VIRTIO_MEM=m CONFIG_VIRTIO_INPUT=m CONFIG_VIRTIO_MMIO=m CONFIG_VIRTIO_MMIO_CMDLINE_DEVICES=y @@ -5036,8 +5038,6 @@ CONFIG_HYPERV_BALLOON=m # Xen driver support # CONFIG_XEN_BALLOON=y -CONFIG_XEN_BALLOON_MEMORY_HOTPLUG=y -CONFIG_XEN_MEMORY_HOTPLUG_LIMIT=512 CONFIG_XEN_SCRUB_PAGES_DEFAULT=y CONFIG_XEN_DEV_EVTCHN=m CONFIG_XEN_BACKEND=y @@ -5317,7 +5317,8 @@ CONFIG_IDLE_INJECT=y CONFIG_RAS=y # CONFIG_RAS_CEC is not set CONFIG_USB4=m -CONFIG_USB4_NET=m +# CONFIG_USB4_DEBUGFS_WRITE is not set +# CONFIG_USB4_DMA_TEST is not set # # Android @@ -5639,6 +5640,7 @@ CONFIG_CRYPTO_ALGAPI=y CONFIG_CRYPTO_ALGAPI2=y CONFIG_CRYPTO_AEAD=y CONFIG_CRYPTO_AEAD2=y +CONFIG_CRYPTO_SIG=y CONFIG_CRYPTO_SIG2=y CONFIG_CRYPTO_SKCIPHER=y CONFIG_CRYPTO_SKCIPHER2=y @@ -5751,7 +5753,7 @@ CONFIG_CRYPTO_POLY1305=m CONFIG_CRYPTO_RMD160=m CONFIG_CRYPTO_SHA1=y CONFIG_CRYPTO_SHA256=y -CONFIG_CRYPTO_SHA512=m +CONFIG_CRYPTO_SHA512=y CONFIG_CRYPTO_SHA3=m # CONFIG_CRYPTO_SM3_GENERIC is not set CONFIG_CRYPTO_STREEBOG=m @@ -6008,7 +6010,6 @@ CONFIG_SWIOTLB=y CONFIG_SGL_ALLOC=y CONFIG_IOMMU_HELPER=y CONFIG_CHECK_SIGNATURE=y -# CONFIG_FORCE_NR_CPUS is not set CONFIG_CPU_RMAP=y CONFIG_DQL=y CONFIG_GLOB=y @@ -6034,7 +6035,6 @@ CONFIG_ARCH_HAS_CPU_CACHE_INVALIDATE_MEMREGION=y CONFIG_ARCH_HAS_UACCESS_FLUSHCACHE=y CONFIG_ARCH_HAS_COPY_MC=y CONFIG_ARCH_STACKWALK=y -CONFIG_STACKDEPOT=y CONFIG_SBITMAP=y CONFIG_PARMAN=m CONFIG_OBJAGG=m @@ -6118,8 +6118,7 @@ CONFIG_HAVE_KCSAN_COMPILER=y # CONFIG_PAGE_EXTENSION=y # CONFIG_DEBUG_PAGEALLOC is not set -CONFIG_SLUB_DEBUG=y -# CONFIG_SLUB_DEBUG_ON is not set +# CONFIG_SLUB_DEBUG is not set # CONFIG_PAGE_OWNER is not set # CONFIG_PAGE_TABLE_CHECK is not set CONFIG_PAGE_POISONING=y @@ -6332,6 +6331,7 @@ CONFIG_X86_DEBUG_FPU=y # CONFIG_PUNIT_ATOM_DEBUG is not set CONFIG_UNWINDER_ORC=y # CONFIG_UNWINDER_FRAME_POINTER is not set +# CONFIG_UNWINDER_GUESS is not set # end of x86 Debugging # diff --git a/packages/linux-kernel/build-intel-ixgbe.sh b/packages/linux-kernel/build-intel-ixgbe.sh index 5f45c62a..ab44f551 100755 --- a/packages/linux-kernel/build-intel-ixgbe.sh +++ b/packages/linux-kernel/build-intel-ixgbe.sh @@ -105,3 +105,6 @@ fi if [ -d ${DEBIAN_DIR} ]; then rm -rf ${DEBIAN_DIR} fi +if [ -f ${DEBIAN_POSTINST} ]; then + rm -f ${DEBIAN_POSTINST} +fi diff --git a/packages/linux-kernel/build-intel-ixgbevf.sh b/packages/linux-kernel/build-intel-ixgbevf.sh index a965e0de..39803852 100755 --- a/packages/linux-kernel/build-intel-ixgbevf.sh +++ b/packages/linux-kernel/build-intel-ixgbevf.sh @@ -97,4 +97,6 @@ fi if [ -d ${DEBIAN_DIR} ]; then rm -rf ${DEBIAN_DIR} fi - +if [ -f ${DEBIAN_POSTINST} ]; then + rm -f ${DEBIAN_POSTINST} +fi diff --git a/packages/linux-kernel/build-intel-qat.sh b/packages/linux-kernel/build-intel-qat.sh index 765cea3f..5b0e023f 100755 --- a/packages/linux-kernel/build-intel-qat.sh +++ b/packages/linux-kernel/build-intel-qat.sh @@ -109,3 +109,6 @@ fi if [ -d ${DEBIAN_DIR} ]; then rm -rf ${DEBIAN_DIR} fi +if [ -f ${DEBIAN_POSTINST} ]; then + rm -f ${DEBIAN_POSTINST} +fi diff --git a/packages/linux-kernel/build-jool.py b/packages/linux-kernel/build-jool.py index 1781a6c8..3f8fd3a5 100755 --- a/packages/linux-kernel/build-jool.py +++ b/packages/linux-kernel/build-jool.py @@ -29,9 +29,8 @@ def add_depends(package_dir: str, package_name: str, # find kernel version and source path arch: str = find_arch() defaults_file: str = Path('../../data/defaults.toml').read_text() -architecture_file: str = Path(f'../../data/architectures/{arch}.toml').read_text() KERNEL_VER: str = toml_loads(defaults_file).get('kernel_version') -KERNEL_FLAVOR: str = toml_loads(architecture_file).get('kernel_flavor') +KERNEL_FLAVOR: str = toml_loads(defaults_file).get('kernel_flavor') KERNEL_SRC: str = Path.cwd().as_posix() + '/linux' # define variables diff --git a/packages/linux-kernel/build-kernel.sh b/packages/linux-kernel/build-kernel.sh index 2c02f5c3..3ccb15e9 100755 --- a/packages/linux-kernel/build-kernel.sh +++ b/packages/linux-kernel/build-kernel.sh @@ -18,7 +18,8 @@ echo "I: clean modified files" git reset --hard HEAD KERNEL_VERSION=$(make kernelversion) -KERNEL_SUFFIX=-$(dpkg --print-architecture)-vyos +KERNEL_SUFFIX=-$(awk -F "= " '/kernel_flavor/ {print $2}' ../../../data/defaults.toml | tr -d \") +KERNEL_CONFIG=arch/x86/configs/vyos_defconfig # VyOS requires some small Kernel Patches - apply them here # It's easier to habe them here and make use of the upstream @@ -31,6 +32,28 @@ do patch -p1 < ${PATCH_DIR}/${patch} done +TRUSTED_KEYS_FILE=trusted_keys.pem +# start with empty key file +echo -n "" > $TRUSTED_KEYS_FILE +CERTS=$(ls ../../../data/live-build-config/includes.chroot/var/lib/shim-signed/mok/*.pem) +if [ ! -z "${CERTS}" ]; then + # add known public keys to Kernel certificate chain + for file in $CERTS; do + cat $file >> $TRUSTED_KEYS_FILE + done + + # Force Kernel module signing and embed public keys + echo "CONFIG_MODULE_SIG_FORMAT=y" >> $KERNEL_CONFIG + echo "CONFIG_MODULE_SIG=y" >> $KERNEL_CONFIG + echo "CONFIG_MODULE_SIG_FORCE=y" >> $KERNEL_CONFIG + echo "# CONFIG_MODULE_SIG_ALL is not set" >> $KERNEL_CONFIG + echo "CONFIG_MODULE_SIG_SHA512=y" >> $KERNEL_CONFIG + echo "CONFIG_MODULE_SIG_HASH=\"sha512\"" >> $KERNEL_CONFIG + echo "CONFIG_MODULE_SIG_KEY=\"\"" >> $KERNEL_CONFIG + echo "CONFIG_MODULE_SIG_KEY_TYPE_RSA=y" >> $KERNEL_CONFIG + echo "CONFIG_SYSTEM_TRUSTED_KEYS=\"$TRUSTED_KEYS_FILE\"" >> $KERNEL_CONFIG +fi + echo "I: make vyos_defconfig" # Select Kernel configuration - currently there is only one make vyos_defconfig diff --git a/packages/linux-kernel/build-mellanox-ofed.sh b/packages/linux-kernel/build-mellanox-ofed.sh index 51e4d4ca..a157ee61 100755 --- a/packages/linux-kernel/build-mellanox-ofed.sh +++ b/packages/linux-kernel/build-mellanox-ofed.sh @@ -4,6 +4,11 @@ DEB_DISTRO='debian12.1' CWD=$(pwd) KERNEL_VAR_FILE=${CWD}/kernel-vars +if [ $(id -u) -ne 0 ]; then + echo "Mellanox OFED script needs to be run as root" + exit +fi + if ! dpkg-architecture -iamd64; then echo "Mellanox OFED is only buildable on amd64 platforms" exit 0 @@ -66,34 +71,33 @@ if [ -z $KERNEL_DIR ]; then exit 1 fi -rm -f SOURCES/ibarr_0.1.3.orig.tar.gz -rm -f SOURCES/ibdump_6.0.0.orig.tar.gz -rm -f SOURCES/ibsim_0.12.orig.tar.gz -rm -f SOURCES/iser_24.04.OFED.24.04.0.6.6.1.orig.tar.gz -rm -f SOURCES/isert_24.04.OFED.24.04.0.6.6.1.orig.tar.gz -rm -f SOURCES/kernel-mft_4.28.0.92.orig.tar.gz -rm -f SOURCES/knem_1.1.4.90mlnx3.orig.tar.gz -rm -f SOURCES/libvma_9.8.60.orig.tar.gz -rm -f SOURCES/libxlio_3.30.5.orig.tar.gz -rm -f SOURCES/mlnx-ethtool_6.7.orig.tar.gz -rm -f SOURCES/mlnx-iproute2_6.7.0.orig.tar.gz -rm -f SOURCES/mlnx-nfsrdma_24.04.OFED.24.04.0.6.6.1.orig.tar.gz -rm -f SOURCES/mlnx-nvme_24.04.OFED.24.04.0.6.6.1.orig.tar.gz -rm -f SOURCES/mlx-steering-dump_1.0.0.orig.tar.gz -rm -f SOURCES/mpitests_3.2.23.orig.tar.gz -rm -f SOURCES/mstflint_4.16.1.orig.tar.gz -rm -f SOURCES/ofed-scripts_24.04.OFED.24.04.0.6.6.orig.tar.gz -rm -f SOURCES/openmpi_4.1.7a1.orig.tar.gz -rm -f SOURCES/openvswitch_2.17.8.orig.tar.gz -rm -f SOURCES/perftest_24.04.0.orig.tar.gz -rm -f SOURCES/rdma-core_2404mlnx51.orig.tar.gz -rm -f SOURCES/rshim_2.0.28.orig.tar.gz -rm -f SOURCES/sockperf_3.10.orig.tar.gz -rm -f SOURCES/srp_24.04.OFED.24.04.0.6.6.1.orig.tar.gz -rm -f SOURCES/ucx_1.17.0.orig.tar.gz - - -sudo ./install.pl \ +rm -f SOURCES/ibarr_*.tar.gz +rm -f SOURCES/ibdump_*.tar.gz +rm -f SOURCES/ibsim_*.tar.gz +rm -f SOURCES/iser_*.tar.gz +rm -f SOURCES/isert_*.tar.gz +rm -f SOURCES/kernel-mft_*.tar.gz +rm -f SOURCES/knem_*.tar.gz +rm -f SOURCES/libvma_*.tar.gz +rm -f SOURCES/libxlio_*.tar.gz +rm -f SOURCES/mlnx-ethtool_*.tar.gz +rm -f SOURCES/mlnx-iproute2_*.tar.gz +rm -f SOURCES/mlnx-nfsrdma_*.tar.gz +rm -f SOURCES/mlnx-nvme_*.tar.gz +rm -f SOURCES/mlx-steering-dump_*.tar.gz +rm -f SOURCES/mpitests_*.tar.gz +rm -f SOURCES/mstflint_*.tar.gz +rm -f SOURCES/ofed-scripts_*.tar.gz +rm -f SOURCES/openmpi_*.tar.gz +rm -f SOURCES/openvswitch_*.tar.gz +rm -f SOURCES/perftest_*.tar.gz +rm -f SOURCES/rdma-core_*.tar.gz +rm -f SOURCES/rshim_*.tar.gz +rm -f SOURCES/sockperf_*.tar.gz +rm -f SOURCES/srp_*.tar.gz +rm -f SOURCES/ucx_*.tar.gz + +./install.pl \ --basic --dpdk \ --without-dkms \ --without-mlnx-nvme-modules \ @@ -106,19 +110,19 @@ sudo ./install.pl \ if [ $DROP_DEV_DBG_DEBS -eq 1 ]; then echo "I: Removing development and debug packages" - sudo rm $(find $CWD/$DRIVER_DIR/DEBS/$DEB_DISTRO -type f | grep -E '\-dev|\-dbg') + rm -f $(find $CWD/$DRIVER_DIR/DEBS/$DEB_DISTRO -type f | grep -E '\-dev|\-dbg') fi cp $(find $CWD/$DRIVER_DIR/DEBS/$DEB_DISTRO -type f | grep '\.deb$') "$CWD/" echo "I: Cleanup ${DRIVER_NAME} source" cd ${CWD} -if [ -e ${DRIVER_FILE} ]; then +if [ -f ${DRIVER_FILE} ]; then rm -f ${DRIVER_FILE} fi if [ -d ${DRIVER_DIR} ]; then - sudo rm -rf ${DRIVER_DIR} + rm -rf ${DRIVER_DIR} fi if [ -d ${DEBIAN_DIR} ]; then - sudo rm -rf ${DEBIAN_DIR} + rm -rf ${DEBIAN_DIR} fi diff --git a/packages/linux-kernel/build-nat-rtsp.sh b/packages/linux-kernel/build-nat-rtsp.sh index ec7d19a6..40018cfb 100755 --- a/packages/linux-kernel/build-nat-rtsp.sh +++ b/packages/linux-kernel/build-nat-rtsp.sh @@ -36,3 +36,7 @@ fpm --input-type dir --output-type deb --name nat-rtsp \ --license "GPL2" --chdir tmp mv *.deb .. + +if [ -f ${DEBIAN_POSTINST} ]; then + rm -f ${DEBIAN_POSTINST} +fi diff --git a/scripts/check-qemu-install b/scripts/check-qemu-install index ea3aef63..e1fd45f1 100755 --- a/scripts/check-qemu-install +++ b/scripts/check-qemu-install @@ -1,6 +1,6 @@ #!/usr/bin/env python3 # -# Copyright (C) 2019-2023, VyOS maintainers and contributors +# Copyright (C) 2019-2024, VyOS maintainers and contributors # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License version 2 or later as @@ -43,14 +43,26 @@ import traceback import logging import re import tomli +import shutil from io import BytesIO -from io import StringIO from datetime import datetime EXCEPTION = 0 now = datetime.now() tpm_folder = '/tmp/vyos_tpm_test' +qemu_name = 'VyOS-QEMU' + +# getch.py +KEY_F2 = chr(27) + chr(91) + chr(49) + chr(50) + chr(126) +KEY_F10 = chr(27) + chr(91) + chr(50) + chr(49) + chr(126) +KEY_DOWN = chr(27) + chr(91) + chr(66) +KEY_SPACE = chr(32) +KEY_RETURN = chr(13) +KEY_ESC = chr(27) +KEY_Y = chr(121) + +mok_password = '1234' parser = argparse.ArgumentParser(description='Install and start a test VyOS vm.') parser.add_argument('iso', help='ISO file to install') @@ -66,20 +78,23 @@ parser.add_argument('--debug', help='Send all debug output to stdout', parser.add_argument('--logfile', help='Log to file') parser.add_argument('--match', help='Smoketests to run') parser.add_argument('--uefi', help='Boot using UEFI', action='store_true', default=False) +parser.add_argument('--vnc', help='Enable VNC', action='store_true', default=False) parser.add_argument('--raid', help='Perform a RAID-1 install', action='store_true', default=False) -parser.add_argument('--no-kvm', help='Disable use of kvm', action='store_true', default=False) parser.add_argument('--configd', help='Execute testsuite with config daemon', action='store_true', default=False) parser.add_argument('--no-interfaces', help='Execute testsuite without interface tests to save time', action='store_true', default=False) +parser.add_argument('--smoketest', help='Execute script based CLI smoketests', + action='store_true', default=False) parser.add_argument('--configtest', help='Execute load/commit config tests', action='store_true', default=False) parser.add_argument('--tpmtest', help='Execute TPM encrypted config tests', action='store_true', default=False) +parser.add_argument('--sbtest', help='Execute Secure Boot tests', + action='store_true', default=False) parser.add_argument('--qemu-cmd', help='Only generate QEMU launch command', action='store_true', default=False) - args = parser.parse_args() with open('data/defaults.toml', 'rb') as f: @@ -97,14 +112,11 @@ class StreamToLogger(object): def write(self, buf): self.linebuf += buf - #print('.') while b'\n' in self.linebuf: f = self.linebuf.split(b'\n', 1) if len(f) == 2: self.logger.debug(self.ansi_escape.sub('', f[0].decode(errors="replace").rstrip())) self.linebuf = f[1] - #print(f) - def flush(self): pass @@ -116,30 +128,39 @@ def get_half_cpus(): cpu /= 2 return int(cpu) -def get_qemu_cmd(name, enable_kvm, enable_uefi, disk_img, raid=None, iso_img=None, tpm=False): - kvm = "-enable-kvm" - cpu = "-cpu host" - if not enable_kvm: - kvm = "--no-kvm" - cpu = "" +OVMF_CODE = '/usr/share/OVMF/OVMF_CODE_4M.secboot.fd' +OVMF_VARS_TMP = args.disk.replace('.img', '.efivars') +if args.sbtest: + shutil.copy('/usr/share/OVMF/OVMF_VARS_4M.ms.fd', OVMF_VARS_TMP) +def get_qemu_cmd(name, enable_uefi, disk_img, raid=None, iso_img=None, tpm=False, vnc_enabled=False, secure_boot=False): uefi = "" uuid = "f48b60b2-e6ad-49ef-9d09-4245d0585e52" + machine = 'pc' + vga = '-vga none' + vnc = '' + if vnc_enabled: + vga = '-vga virtio' + vnc = '-vnc :0' + if enable_uefi: uefi = '-bios /usr/share/OVMF/OVMF_CODE.fd' name = f'{name}-UEFI' - uuid = 'd27cf29e-4419-4407-8f82-dc73d1acd184' - bootindex = '1' + if secure_boot: + name = f'{name}-SECURE-BOOT' + machine = 'q35,smm=on' + + uefi = f'-drive "if=pflash,unit=0,format=raw,readonly=on,file={OVMF_CODE}" ' \ + f'-drive "if=pflash,unit=1,format=raw,file={OVMF_VARS_TMP}"' + # Changing UEFI settings require a display + vga = '-vga virtio' + cdrom = "" if iso_img: - cdrom = f' -boot d' \ - f' -drive file={iso_img},format=raw,if=none,media=cdrom,id=drive-cd1,readonly=on' \ + cdrom = f' -drive file={iso_img},format=raw,if=none,media=cdrom,id=drive-cd1,readonly=on' \ f' -device ahci,id=achi0' \ - f' -device ide-cd,bus=achi0.0,drive=drive-cd1,id=cd1,bootindex={bootindex}' - - # Set regular harddisk bootindex to 2 as we boot from a CDROM drive - bootindex = '2' + f' -device ide-cd,bus=achi0.0,drive=drive-cd1,id=cd1,bootindex=10' # test using half of the available CPUs on the system cpucount = get_half_cpus() @@ -149,15 +170,17 @@ def get_qemu_cmd(name, enable_kvm, enable_uefi, disk_img, raid=None, iso_img=Non -name "{name}" \ -smp {cpucount},sockets=1,cores={cpucount},threads=1 \ -cpu host \ + -machine {machine},accel=kvm \ {uefi} \ -m 4G \ -vga none \ -nographic \ - -machine accel=kvm \ + {vga} {vnc}\ -uuid {uuid} \ - {cpu} \ + -cpu host \ {cdrom} \ - {kvm} \ + -enable-kvm \ + -monitor unix:/tmp/qemu-monitor-socket-{disk_img},server,nowait \ -netdev user,id=n0,net=192.0.2.0/24,dhcpstart=192.0.2.101,dns=192.0.2.10 -device virtio-net-pci,netdev=n0,mac={macbase}:00,romfile="" \ -netdev user,id=n1 -device virtio-net-pci,netdev=n1,mac={macbase}:01,romfile="" \ -netdev user,id=n2 -device virtio-net-pci,netdev=n2,mac={macbase}:02,romfile="" \ @@ -168,13 +191,11 @@ def get_qemu_cmd(name, enable_kvm, enable_uefi, disk_img, raid=None, iso_img=Non -netdev user,id=n7 -device virtio-net-pci,netdev=n7,mac={macbase}:07,romfile="" \ -device virtio-scsi-pci,id=scsi0 \ -drive format=raw,file={disk_img},if=none,media=disk,id=drive-hd1,readonly=off \ - -device scsi-hd,bus=scsi0.0,drive=drive-hd1,id=hd1,bootindex={bootindex}' + -device scsi-hd,bus=scsi0.0,drive=drive-hd1,id=hd1,bootindex=1' - # dynamically increment bootindex - required for RAID system - bootindex = str(int(bootindex) + 1) if raid: cmd += f' -drive format=raw,file={raid},if=none,media=disk,id=drive-hd2,readonly=off' \ - f' -device scsi-hd,bus=scsi0.0,drive=drive-hd2,id=hd2,bootindex={bootindex}' + f' -device scsi-hd,bus=scsi0.0,drive=drive-hd2,id=hd2,bootindex=2' if tpm: cmd += f' -chardev socket,id=chrtpm,path={tpm_folder}/swtpm-sock' \ @@ -249,14 +270,9 @@ if not os.path.isfile(args.iso): log.error('Unable to find iso image to install') sys.exit(1) -if args.no_kvm: - log.error('KVM forced off by command line') - kvm=False -elif not os.path.exists('/dev/kvm'): +if not os.path.exists('/dev/kvm'): log.error('KVM not enabled on host, proceeding with software emulation') - kvm=False -else: - kvm=True + sys.exit(1) # Creating diskimage!! diskname_raid = None @@ -294,8 +310,50 @@ def start_swtpm(): tpm_process.start() return tpm_process +def toggleUEFISecureBoot(c): + def UEFIKeyPress(c, key): + UEFI_SLEEP = 1 + c.send(key) + time.sleep(UEFI_SLEEP) + + # Enter UEFI + for ii in range(1, 10): + c.send(KEY_F2) + time.sleep(0.250) + + time.sleep(10) + + # Device Manager + UEFIKeyPress(c, KEY_DOWN) + UEFIKeyPress(c, KEY_RETURN) + + # Secure Boot Configuration + UEFIKeyPress(c, KEY_DOWN) + UEFIKeyPress(c, KEY_DOWN) + UEFIKeyPress(c, KEY_RETURN) + + # Attempt Secure Boot Toggle + UEFIKeyPress(c, KEY_DOWN) + UEFIKeyPress(c, KEY_RETURN) + UEFIKeyPress(c, KEY_RETURN) + + # Save Secure Boot + UEFIKeyPress(c, KEY_F10) + UEFIKeyPress(c, KEY_Y) + + # Go Back to Menu + UEFIKeyPress(c, KEY_ESC) + UEFIKeyPress(c, KEY_ESC) + + # Go Down for reset + UEFIKeyPress(c, KEY_DOWN) + UEFIKeyPress(c, KEY_DOWN) + UEFIKeyPress(c, KEY_DOWN) + UEFIKeyPress(c, KEY_DOWN) + UEFIKeyPress(c, KEY_RETURN) + if args.qemu_cmd: - tmp = get_qemu_cmd('TESTVM', kvm, args.uefi, args.disk, diskname_raid, args.iso) + tmp = get_qemu_cmd(qemu_name, args.uefi, args.disk, raid=diskname_raid, iso_img=args.iso, vnc_enabled=args.vnc, secure_boot=args.sbtest) os.system(tmp) exit(0) @@ -306,7 +364,7 @@ try: # Installing image to disk ################################################# log.info('Installing system') - cmd = get_qemu_cmd('TESTVM', kvm, args.uefi, args.disk, diskname_raid, args.iso) + cmd = get_qemu_cmd(qemu_name, args.uefi, args.disk, raid=diskname_raid, iso_img=args.iso, vnc_enabled=args.vnc, secure_boot=args.sbtest) log.debug(f'Executing command: {cmd}') c = pexpect.spawn(cmd, logfile=stl, timeout=60) @@ -318,6 +376,10 @@ try: default_user = 'vyos' default_password = 'vyos' + if args.sbtest: + log.info('Disable UEFI Secure Boot for initial installation') + toggleUEFISecureBoot(c) + try: c.expect('Automatic boot in', timeout=10) c.sendline('') @@ -361,14 +423,74 @@ try: c.expect('\nWhich file would you like as boot config?.*') c.sendline('') - log.info('system installed, shutting down') + c.expect(op_mode_prompt) + + if args.sbtest: + c.sendline('install mok') + c.expect('input password:.*') + c.sendline(mok_password) + c.expect('input password again:.*') + c.sendline(mok_password) + c.expect(op_mode_prompt) + + log.info('system installed, rebooting') + c.sendline('reboot now') ################################################# - # Powering down installer + # SHIM Mok Manager ################################################# - shutdownVM(c, log, 'Shutting down installation system') - c.close() + if args.sbtest: + log.info('Install Secure Boot Machine Owner Key') + MOK_SLEEP = 0.5 + c.expect('BdsDxe: starting Boot00.*') + time.sleep(3) + # press any key + c.send(KEY_RETURN) + time.sleep(MOK_SLEEP) + + # Enroll MOK + c.send(KEY_DOWN) + time.sleep(MOK_SLEEP) + c.send(KEY_RETURN) + time.sleep(MOK_SLEEP) + + # Continue + c.send(KEY_DOWN) + time.sleep(MOK_SLEEP) + c.send(KEY_RETURN) + time.sleep(MOK_SLEEP) + + # Enroll Keys + c.send(KEY_DOWN) + time.sleep(MOK_SLEEP) + c.send(KEY_RETURN) + time.sleep(MOK_SLEEP) + + c.sendline(mok_password) + c.send(KEY_RETURN) + time.sleep(MOK_SLEEP) + + # Reboot + c.send(KEY_RETURN) + time.sleep(MOK_SLEEP) + + ################################################# + # Re-Enable Secure Boot + ################################################# + if args.sbtest: + log.info('Enable UEFI Secure Boot for initial installation') + toggleUEFISecureBoot(c) + + ################################################# + # Removing CD installation media + ################################################# + time.sleep(2) + log.info('eject installation media') + os.system(f'echo "eject -f drive-cd1" | socat - unix-connect:/tmp/qemu-monitor-socket-{args.disk}') + ################################################# + # Powering down installer + ################################################# if args.tpmtest: tpm_process = start_swtpm() @@ -376,9 +498,6 @@ try: # Booting installed system ################################################# log.info('Booting installed system') - cmd = get_qemu_cmd('TESTVM', kvm, args.uefi, args.disk, diskname_raid, tpm=args.tpmtest) - log.debug(f'Executing command: {cmd}') - c = pexpect.spawn(cmd, logfile=stl) ################################################# # Logging into VyOS system @@ -410,6 +529,7 @@ try: # Basic Configmode/Opmode switch ################################################# log.info('Basic CLI configuration mode test') + c.sendline('configure') c.expect(cfg_mode_prompt) c.sendline('exit') @@ -417,7 +537,7 @@ try: c.sendline('show version') c.expect(op_mode_prompt) c.sendline('show version kernel') - c.expect(f'{vyos_defaults["kernel_version"]}-{vyos_defaults["architecture"]}-vyos') + c.expect(f'{vyos_defaults["kernel_version"]}-{vyos_defaults["kernel_flavor"]}') c.expect(op_mode_prompt) c.sendline('show version frr') c.expect(op_mode_prompt) @@ -500,7 +620,7 @@ try: # Booting back into VM log.info('Booting TPM-backed system') - cmd = get_qemu_cmd('TESTVM', kvm, args.uefi, args.disk, diskname_raid, tpm=args.tpmtest) + cmd = get_qemu_cmd(qemu_name, args.uefi, args.disk, raid=diskname_raid, tpm=args.tpmtest, vnc_enabled=args.vnc) log.debug(f'Executing command: {cmd}') c = pexpect.spawn(cmd, logfile=stl) @@ -535,7 +655,7 @@ try: # Booting back into VM log.info('Booting system with cleared TPM') - cmd = get_qemu_cmd('TESTVM', kvm, args.uefi, args.disk, diskname_raid, tpm=args.tpmtest) + cmd = get_qemu_cmd(qemu_name, args.uefi, args.disk, raid=diskname_raid, tpm=args.tpmtest, vnc_enabled=args.vnc) log.debug(f'Executing command: {cmd}') c = pexpect.spawn(cmd, logfile=stl) @@ -587,7 +707,7 @@ try: # Booting RAID-1 system with one missing disk ################################################# log.info('Booting RAID-1 system') - cmd = get_qemu_cmd('TESTVM', kvm, args.uefi, args.disk, diskname_raid) + cmd = get_qemu_cmd(qemu_name, args.uefi, args.disk, raid=diskname_raid, vnc_enabled=args.vnc) # We need to swap boot indexes to boot from second harddisk so we can # recreate the RAID on the first disk @@ -598,7 +718,6 @@ try: log.debug(f'Executing command: {cmd}') c = pexpect.spawn(cmd, logfile=stl) - ################################################# # Logging into VyOS system ################################################# @@ -637,7 +756,7 @@ try: shutdownVM(c, log, f'Shutdown VM and start from recovered RAID member "{args.disk}"') log.info('Booting RAID-1 system') - cmd = get_qemu_cmd('TESTVM', kvm, args.uefi, args.disk, diskname_raid) + cmd = get_qemu_cmd(qemu_name, args.uefi, args.disk, raid=diskname_raid, vnc_enabled=args.vnc) log.debug(f'Executing command: {cmd}') c = pexpect.spawn(cmd, logfile=stl) @@ -646,7 +765,7 @@ try: c.sendline('cat /proc/mdstat') c.expect(op_mode_prompt) - elif not args.configtest: + elif args.smoketest: # run default smoketest suite if args.match: # Remove tests that we don't want to run @@ -682,7 +801,7 @@ try: raise Exception("Smoketest-failed, please look into debug output") # else, run configtest suite - else: + elif args.configtest: log.info('Adding a legacy WireGuard default keypair for migrations') c.sendline('sudo mkdir -p /config/auth/wireguard/default') c.expect(op_mode_prompt) @@ -707,7 +826,7 @@ try: if i==0: raise Exception('Invalid command detected') elif i==1: - tmp = '(W)hy (T)he (F)ace? VyOS smoketest not found!' + tmp = 'VyOS smoketest not found!' log.error(tmp) raise Exception(tmp) @@ -720,6 +839,12 @@ try: tmp = 'Configtest failed :/ - check debug output' log.error(tmp) raise Exception(tmp) + elif args.sbtest: + c.sendline('show secure-boot') + c.expect('SecureBoot enabled') + c.expect(op_mode_prompt) + else: + log.info('No testcase selected!') shutdownVM(c, log, 'Powering off system') c.close() @@ -755,6 +880,8 @@ if not args.keep: os.remove(args.disk) if diskname_raid: os.remove(diskname_raid) + if args.sbtest: + os.remove(OVMF_VARS_TMP) except Exception: log.error('Exception while removing diskimage!') log.error(traceback.format_exc()) @@ -764,3 +891,5 @@ if EXCEPTION: log.error('Hmm... system got an exception while processing.') log.error('The ISO image is not considered usable!') sys.exit(1) + +sys.exit(0) diff --git a/scripts/image-build/build-vyos-image b/scripts/image-build/build-vyos-image index a0acd184..566c6a8b 100755 --- a/scripts/image-build/build-vyos-image +++ b/scripts/image-build/build-vyos-image @@ -571,7 +571,7 @@ if __name__ == "__main__": --checksums 'sha256 md5' \ --chroot-squashfs-compression-type "{{squashfs_compression_type}}" \ --debian-installer none \ - --debootstrap-options "--variant=minbase --exclude=isc-dhcp-client,isc-dhcp-common,ifupdown --include=apt-utils,ca-certificates,gnupg2" \ + --debootstrap-options "--variant=minbase --exclude=isc-dhcp-client,isc-dhcp-common,ifupdown --include=apt-utils,ca-certificates,gnupg2,linux-kbuild-6.1" \ --distribution {{debian_distribution}} \ --firmware-binary false \ --firmware-chroot false \ |