Diffstat (limited to 'data')
-rw-r--r-- | data/architectures/amd64.toml | 2 | ||||
-rw-r--r-- | data/architectures/arm64.toml | 2 | ||||
-rw-r--r-- | data/defaults.toml | 3 | ||||
-rwxr-xr-x | data/live-build-config/hooks/live/92-strip-symbols.chroot (renamed from data/live-build-config/hooks/live/99-strip-symbols.chroot) | 0 | ||||
-rwxr-xr-x | data/live-build-config/hooks/live/93-sign-kernel.chroot | 18 | ||||
-rw-r--r-- | data/live-build-config/includes.chroot/var/lib/shim-signed/mok/README.md | 22 |
6 files changed, 42 insertions, 5 deletions
diff --git a/data/architectures/amd64.toml b/data/architectures/amd64.toml
index 44a203a2..e85b4158 100644
--- a/data/architectures/amd64.toml
+++ b/data/architectures/amd64.toml
@@ -2,8 +2,6 @@ additional_repositories = [
 "deb [arch=amd64] https://repo.saltproject.io/py3/debian/11/amd64/3005 bullseye main"
 ]
-kernel_flavor = "amd64-vyos"
-
 # Packages added to images for x86 by default
 packages = [
 "grub2",
diff --git a/data/architectures/arm64.toml b/data/architectures/arm64.toml
index 22f1fd10..228d0f3f 100644
--- a/data/architectures/arm64.toml
+++ b/data/architectures/arm64.toml
@@ -2,8 +2,6 @@ additional_repositories = [
 "deb [arch=arm64] https://repo.saltproject.io/py3/debian/11/arm64/3005 bullseye main"
 ]
-kernel_flavor = "arm64-vyos"
-
 # Packages included in ARM64 images by default
 packages = [
 "grub-efi-arm64",
diff --git a/data/defaults.toml b/data/defaults.toml
index e6654c43..efe6399f 100644
--- a/data/defaults.toml
+++ b/data/defaults.toml
@@ -14,7 +14,8 @@ vyos_mirror = "https://rolling-packages.vyos.net/current"
 vyos_branch = "current"
 release_train = "current"
-kernel_version = "6.6.49"
+kernel_version = "6.6.51"
+kernel_flavor = "vyos"
 bootloaders = "syslinux,grub-efi"
 squashfs_compression_type = "xz -Xbcj x86 -b 256k -always-use-fragments -no-recovery"
diff --git a/data/live-build-config/hooks/live/99-strip-symbols.chroot b/data/live-build-config/hooks/live/92-strip-symbols.chroot
index 704f9cb3..704f9cb3 100755
--- a/data/live-build-config/hooks/live/99-strip-symbols.chroot
+++ b/data/live-build-config/hooks/live/92-strip-symbols.chroot
diff --git a/data/live-build-config/hooks/live/93-sign-kernel.chroot b/data/live-build-config/hooks/live/93-sign-kernel.chroot
new file mode 100755
index 00000000..031db10d
--- /dev/null
+++ b/data/live-build-config/hooks/live/93-sign-kernel.chroot
@@ -0,0 +1,18 @@
+#!/bin/sh
+SIGN_FILE=$(find /usr/lib -name sign-file)
+MOK_KEY="/var/lib/shim-signed/mok/kernel.key"
+MOK_CERT="/var/lib/shim-signed/mok/kernel.pem"
+kernel_elf=$(readlink /boot/vmlinuz)
+
+if [ ! -f ${MOK_KEY} ]; then
+ echo "I: Signing key for Linux Kernel not found - Secure Boot not possible"
+else
+ echo "I: Signing Linux Kernel for Secure Boot"
+
+ sbsign --key $MOK_KEY --cert $MOK_CERT /boot/${kernel_elf} --output /boot/${kernel_elf}
+ sbverify --list /boot/${kernel_elf}
+
+ find /lib/modules -type f -name \*.ko -o -name \*.ko.xz | while read module; do
+ $SIGN_FILE sha512 $MOK_KEY $MOK_CERT $module
+ done
+fi
diff --git a/data/live-build-config/includes.chroot/var/lib/shim-signed/mok/README.md b/data/live-build-config/includes.chroot/var/lib/shim-signed/mok/README.md
new file mode 100644
index 00000000..5a6edbba
--- /dev/null
+++ b/data/live-build-config/includes.chroot/var/lib/shim-signed/mok/README.md
@@ -0,0 +1,22 @@
+# Secure Boot
+
+## CA
+
+Create Certificate Authority used for Kernel signing. CA is loaded into the
+Machine Owner Key store on the target system.
+
+```bash
+openssl req -new -x509 -newkey rsa:2048 -keyout MOK.key -outform DER -out MOK.der -days 36500 -subj "/CN=VyOS Secure Boot CA/" -nodes
+openssl x509 -inform der -in MOK.der -out MOK.pem
+```
+
+## Kernel Module Signing Key
+
+We do not make use of ephemeral keys for Kernel module signing. Instead a key
+is generated and signed by the VyOS Secure Boot CA which signs all the Kernel
+modules during ISO assembly if present.
+
+```bash
+openssl req -newkey rsa:2048 -keyout kernel.key -out kernel.csr -subj "/CN=VyOS Secure Boot Signer 2024 - linux/" -nodes
+openssl x509 -req -in kernel.csr -CA MOK.pem -CAkey MOK.key -CAcreateserial -out kernel.pem -days 730 -sha256
+``` |
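Review bot: The private signing key read via `MOK_KEY` (`/var/lib/shim-signed/mok/kernel.key`) is never removed after the `sbsign`/`sign-file` calls, and since that directory is populated from `includes.chroot` it will presumably be carried into the image filesystem unless a later hook deletes it; the hook should end with `rm -f "$MOK_KEY"` (or the key should be staged outside the chroot) so that a key trusted by the enrolled MOK is not shipped on every installed system. `SIGN_FILE=$(find /usr/lib -name sign-file)` can expand to several paths (one per installed kbuild version) or to nothing, and with no `set -e` a failed `sbsign` or a missing `sign-file` only prints an error while the build continues and produces an ISO with an unsigned kernel that still logs "Signing Linux Kernel for Secure Boot"; `find ... -print -quit`, an explicit existence check and `set -e` should make both failures abort the build. The predicate `-type f -name \*.ko -o -name \*.ko.xz` groups as `(-type f -a -name '*.ko') -o -name '*.ko.xz'` and the loop uses unquoted expansions, and `sign-file` appends its signature after the xz stream of a `.ko.xz` module, where the kernel's signature check (which runs on the decompressed data) is unlikely to find it — compressed modules should be signed before compression or decompressed, signed and recompressed; please confirm against the running kernel's module-signing setup. Rewritten lines below; the key-present branch and the `sbsign`/`sbverify` calls for the kernel image are unchanged.
```shell
#!/bin/sh
set -e
# first match only: an empty result or several paths would break the sign-file call below
SIGN_FILE=$(find /usr/lib -name sign-file -print -quit)
[ -x "$SIGN_FILE" ] || { echo "E: sign-file not found, cannot sign kernel modules"; exit 1; }
# … unchanged: MOK_KEY, MOK_CERT and kernel_elf assignments …
# … unchanged: key-present check, sbsign/sbverify of the kernel image …
    # NOTE(review): .ko.xz modules should be signed before compression (or decompressed,
    # signed and recompressed); sign-file on the compressed file puts the signature
    # outside the xz stream — confirm which form the target kernel accepts
    find /lib/modules -type f \( -name '*.ko' -o -name '*.ko.xz' \) | while read -r module; do
        "$SIGN_FILE" sha512 "$MOK_KEY" "$MOK_CERT" "$module"
    done
    # never ship the private signing key inside the image
    rm -f "$MOK_KEY"
fi
```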