Diffstat (limited to 'packages')
-rw-r--r--packages/linux-kernel/.gitignore2
-rw-r--r--packages/linux-kernel/arch/x86/configs/vyos_defconfig18
-rwxr-xr-xpackages/linux-kernel/build-accel-ppp.sh8
-rwxr-xr-xpackages/linux-kernel/build-intel-ixgbe.sh3
-rwxr-xr-xpackages/linux-kernel/build-intel-ixgbevf.sh3
-rwxr-xr-xpackages/linux-kernel/build-intel-qat.sh3
-rwxr-xr-xpackages/linux-kernel/build-jool.py4
-rwxr-xr-xpackages/linux-kernel/build-kernel.sh46
-rwxr-xr-xpackages/linux-kernel/build-mellanox-ofed.sh12
-rwxr-xr-xpackages/linux-kernel/build-nat-rtsp.sh8
-rwxr-xr-xpackages/linux-kernel/build-openvpn-dco.sh8
-rwxr-xr-xpackages/linux-kernel/sign-modules.sh15
12 files changed, 104 insertions, 26 deletions
diff --git a/packages/linux-kernel/.gitignore b/packages/linux-kernel/.gitignore
index a3e9257c..4b2ab254 100644
--- a/packages/linux-kernel/.gitignore
+++ b/packages/linux-kernel/.gitignore
@@ -13,6 +13,8 @@
/QAT*
*.tar.xz
/*.postinst
+/ephemeral.key
+/ephemeral.pem
# Intel Driver source
i40e-*/
diff --git a/packages/linux-kernel/arch/x86/configs/vyos_defconfig b/packages/linux-kernel/arch/x86/configs/vyos_defconfig
index e4daa23b..4c1a4adc 100644
--- a/packages/linux-kernel/arch/x86/configs/vyos_defconfig
+++ b/packages/linux-kernel/arch/x86/configs/vyos_defconfig
@@ -842,6 +842,7 @@ CONFIG_FUNCTION_ALIGNMENT=16
CONFIG_RT_MUTEXES=y
CONFIG_BASE_SMALL=0
+CONFIG_MODULE_SIG_FORMAT=y
CONFIG_MODULES=y
# CONFIG_MODULE_DEBUG is not set
CONFIG_MODULE_FORCE_LOAD=y
@@ -851,7 +852,15 @@ CONFIG_MODULE_FORCE_UNLOAD=y
CONFIG_MODVERSIONS=y
CONFIG_ASM_MODVERSIONS=y
# CONFIG_MODULE_SRCVERSION_ALL is not set
-# CONFIG_MODULE_SIG is not set
+CONFIG_MODULE_SIG=y
+CONFIG_MODULE_SIG_FORCE=y
+CONFIG_MODULE_SIG_ALL=y
+# CONFIG_MODULE_SIG_SHA1 is not set
+# CONFIG_MODULE_SIG_SHA224 is not set
+# CONFIG_MODULE_SIG_SHA256 is not set
+# CONFIG_MODULE_SIG_SHA384 is not set
+CONFIG_MODULE_SIG_SHA512=y
+CONFIG_MODULE_SIG_HASH="sha512"
CONFIG_MODULE_COMPRESS_NONE=y
# CONFIG_MODULE_COMPRESS_GZIP is not set
# CONFIG_MODULE_COMPRESS_XZ is not set
@@ -5888,8 +5897,11 @@ CONFIG_SIGNED_PE_FILE_VERIFICATION=y
#
# Certificates for signature checking
#
-CONFIG_SYSTEM_TRUSTED_KEYRING=y
-CONFIG_SYSTEM_TRUSTED_KEYS=""
+CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"
+CONFIG_MODULE_SIG_KEY_TYPE_RSA=y
+# CONFIG_MODULE_SIG_KEY_TYPE_ECDSA is not set
+# CONFIG_SYSTEM_TRUSTED_KEYRING is not set
+# CONFIG_SYSTEM_TRUSTED_KEYS is not set
# CONFIG_SYSTEM_EXTRA_CERTIFICATE is not set
# CONFIG_SECONDARY_TRUSTED_KEYRING is not set
# CONFIG_SYSTEM_BLACKLIST_KEYRING is not set
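Review bot: Replacing `CONFIG_SYSTEM_TRUSTED_KEYRING=y` with `# CONFIG_SYSTEM_TRUSTED_KEYRING is not set` makes the defconfig say the opposite of what the resulting kernel needs: `CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"` two lines above only has a place to be enrolled if the trusted keyring exists. If I read the Kconfig select chain correctly, `CONFIG_MODULE_SIG=y` pulls the keyring back in through SYSTEM_DATA_VERIFICATION at `make vyos_defconfig`, so the build still works, but the defconfig then no longer documents the effective `.config`, and the only explicit re-enable is the CERTS branch in build-kernel.sh, which is written without `=y`. Keeping `CONFIG_SYSTEM_TRUSTED_KEYRING=y` here states the intent directly.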
diff --git a/packages/linux-kernel/build-accel-ppp.sh b/packages/linux-kernel/build-accel-ppp.sh
index 1685ff8d..a2f8df52 100755
--- a/packages/linux-kernel/build-accel-ppp.sh
+++ b/packages/linux-kernel/build-accel-ppp.sh
@@ -13,6 +13,10 @@ if [ ! -f ${KERNEL_VAR_FILE} ]; then
exit 1
fi
+cd ${ACCEL_SRC}
+git reset --hard HEAD
+git clean --force -d -x
+
PATCH_DIR=${CWD}/patches/accel-ppp
if [ -d $PATCH_DIR ]; then
cd ${ACCEL_SRC}
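Review bot: `git clean --force -d -x` follows an unchecked `cd ${ACCEL_SRC}`; when that directory is missing or the cd fails, the reset and clean run in the caller's directory (the build-scripts checkout) and delete its untracked files. build-kernel.sh guards the same pair with `if [ -d .git ]`, so the driver scripts should be at least as careful: `cd "${ACCEL_SRC}" || exit 1`. The same unguarded pattern is introduced in the build-nat-rtsp.sh and build-openvpn-dco.sh hunks, where the previous `cd ${SRC} && make` at least chained the build on the cd succeeding.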
@@ -36,6 +40,10 @@ cmake -DBUILD_IPOE_DRIVER=TRUE \
-DMODULES_KDIR=${KERNEL_VERSION}${KERNEL_SUFFIX} \
-DCPACK_TYPE=Debian12 ..
make
+
+# Sign generated Kernel modules
+${CWD}/sign-modules.sh .
+
cpack -G DEB
# rename resulting Debian package according git description
diff --git a/packages/linux-kernel/build-intel-ixgbe.sh b/packages/linux-kernel/build-intel-ixgbe.sh
index ab44f551..797ed60f 100755
--- a/packages/linux-kernel/build-intel-ixgbe.sh
+++ b/packages/linux-kernel/build-intel-ixgbe.sh
@@ -80,6 +80,9 @@ fi
echo "I: Building Debian package vyos-intel-${DRIVER_NAME}"
cd ${CWD}
+# Sign generated Kernel modules
+${CWD}/sign-modules.sh ${DEBIAN_DIR}
+
# delete non required files which are also present in the kernel package
# und thus lead to duplicated files
find ${DEBIAN_DIR} -name "modules.*" | xargs rm -f
diff --git a/packages/linux-kernel/build-intel-ixgbevf.sh b/packages/linux-kernel/build-intel-ixgbevf.sh
index 39803852..7d389832 100755
--- a/packages/linux-kernel/build-intel-ixgbevf.sh
+++ b/packages/linux-kernel/build-intel-ixgbevf.sh
@@ -72,6 +72,9 @@ fi
echo "I: Building Debian package vyos-intel-${DRIVER_NAME}"
cd ${CWD}
+# Sign generated Kernel modules
+${CWD}/sign-modules.sh ${DEBIAN_DIR}
+
# delete non required files which are also present in the kernel package
# und thus lead to duplicated files
find ${DEBIAN_DIR} -name "modules.*" | xargs rm -f
diff --git a/packages/linux-kernel/build-intel-qat.sh b/packages/linux-kernel/build-intel-qat.sh
index 5b0e023f..708398d7 100755
--- a/packages/linux-kernel/build-intel-qat.sh
+++ b/packages/linux-kernel/build-intel-qat.sh
@@ -84,6 +84,9 @@ fi
echo "I: Building Debian package vyos-intel-${DRIVER_NAME}"
cd ${CWD}
+# Sign generated Kernel modules
+${CWD}/sign-modules.sh ${DEBIAN_DIR}
+
# delete non required files which are also present in the kernel package
# und thus lead to duplicated files
find ${DEBIAN_DIR} -name "modules.*" | xargs rm -f
diff --git a/packages/linux-kernel/build-jool.py b/packages/linux-kernel/build-jool.py
index 3f8fd3a5..21363c04 100755
--- a/packages/linux-kernel/build-jool.py
+++ b/packages/linux-kernel/build-jool.py
@@ -65,7 +65,7 @@ MODULES_DIR := extra
# main packaging script based on dh7 syntax
%:
- dh $@
+ dh $@
override_dh_clean:
dh_clean --exclude=debian/{PACKAGE_NAME}.substvars
@@ -87,7 +87,7 @@ override_dh_auto_install:
install -D -m 644 src/mod/common/jool_common.ko ${{PACKAGE_BUILD_DIR}}/lib/modules/${{KVER}}/${{MODULES_DIR}}/jool_common.ko
install -D -m 644 src/mod/nat64/jool.ko ${{PACKAGE_BUILD_DIR}}/lib/modules/${{KVER}}/${{MODULES_DIR}}/jool.ko
install -D -m 644 src/mod/siit/jool_siit.ko ${{PACKAGE_BUILD_DIR}}/lib/modules/${{KVER}}/${{MODULES_DIR}}/jool_siit.ko
-
+ ${{KERNEL_DIR}}/../sign-modules.sh ${{PACKAGE_BUILD_DIR}}/lib
'''
bild_rules = Path(f'{PACKAGE_DIR}/debian/rules')
bild_rules.write_text(build_rules_text)
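Review bot: The new `${KERNEL_DIR}/../sign-modules.sh` line lands in debian/rules, where `${KERNEL_DIR}` is a Make variable that only resolves because kernel-vars exports KERNEL_DIR into the environment; nothing in the rules file fails when it is empty, and the recipe would then try to run `/../sign-modules.sh`. Every other caller in this commit invokes `${CWD}/sign-modules.sh`, and `${KERNEL_DIR}/..` is only that directory while KERNEL_DIR stays a direct child of it, which `KERNEL_DIR=${CWD}/${KERNEL_SRC}` currently guarantees but the rules file cannot see. A guard at the top of the generated rules, `ifeq ($(strip $(KERNEL_DIR)),)` / `$(error KERNEL_DIR is not set)` / `endif`, turns the silent case into a build error. The rules template string starts outside the hunk.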
diff --git a/packages/linux-kernel/build-kernel.sh b/packages/linux-kernel/build-kernel.sh
index f7b0c597..f9298c28 100755
--- a/packages/linux-kernel/build-kernel.sh
+++ b/packages/linux-kernel/build-kernel.sh
@@ -9,13 +9,16 @@ if [ ! -d ${KERNEL_SRC} ]; then
exit 1
fi
-echo "I: Copy Kernel config (x86_64_vyos_defconfig) to Kernel Source"
-cp -rv arch/ ${KERNEL_SRC}/
-
cd ${KERNEL_SRC}
-echo "I: clean modified files"
-git reset --hard HEAD
+if [ -d .git ]; then
+ echo "I: Clean modified files - reset Git repo"
+ git reset --hard HEAD
+ git clean --force -d -x
+fi
+
+echo "I: Copy Kernel config (x86_64_vyos_defconfig) to Kernel Source"
+cp -rv ${CWD}/arch/ .
KERNEL_VERSION=$(make kernelversion)
KERNEL_SUFFIX=-$(awk -F "= " '/kernel_flavor/ {print $2}' ../../../data/defaults.toml | tr -d \")
@@ -32,6 +35,9 @@ do
patch -p1 < ${PATCH_DIR}/${patch}
done
+# Change name of Signing Cert
+sed -i -e "s/CN =.*/CN=VyOS build time autogenerated kernel key/" certs/default_x509.genkey
+
TRUSTED_KEYS_FILE=trusted_keys.pem
# start with empty key file
echo -n "" > $TRUSTED_KEYS_FILE
@@ -41,16 +47,8 @@ if [ ! -z "${CERTS}" ]; then
for file in $CERTS; do
cat $file >> $TRUSTED_KEYS_FILE
done
-
# Force Kernel module signing and embed public keys
- echo "CONFIG_MODULE_SIG_FORMAT=y" >> $KERNEL_CONFIG
- echo "CONFIG_MODULE_SIG=y" >> $KERNEL_CONFIG
- echo "CONFIG_MODULE_SIG_FORCE=y" >> $KERNEL_CONFIG
- echo "# CONFIG_MODULE_SIG_ALL is not set" >> $KERNEL_CONFIG
- echo "CONFIG_MODULE_SIG_SHA512=y" >> $KERNEL_CONFIG
- echo "CONFIG_MODULE_SIG_HASH=\"sha512\"" >> $KERNEL_CONFIG
- echo "CONFIG_MODULE_SIG_KEY=\"\"" >> $KERNEL_CONFIG
- echo "CONFIG_MODULE_SIG_KEY_TYPE_RSA=y" >> $KERNEL_CONFIG
+ echo "CONFIG_SYSTEM_TRUSTED_KEYRING" >> $KERNEL_CONFIG
echo "CONFIG_SYSTEM_TRUSTED_KEYS=\"$TRUSTED_KEYS_FILE\"" >> $KERNEL_CONFIG
fi
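Review bot: `echo "CONFIG_SYSTEM_TRUSTED_KEYRING" >> $KERNEL_CONFIG` drops the `=y`; a bare symbol name is not a valid .config assignment, so kconfig ignores (or warns about) the line and the keyring is not enabled by it. The `CONFIG_SYSTEM_TRUSTED_KEYS=...` line that follows depends on that keyring, so the intended line is `echo "CONFIG_SYSTEM_TRUSTED_KEYRING=y" >> $KERNEL_CONFIG`. Since the CERTS branch no longer writes `CONFIG_MODULE_SIG_KEY`, the signing key path now comes solely from the defconfig's `certs/signing_key.pem`, which the later grep in this file relies on; a comment saying so here would save the next reader a search.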
@@ -59,21 +57,31 @@ echo "I: make vyos_defconfig"
make vyos_defconfig
echo "I: Generate environment file containing Kernel variable"
+EPHEMERAL_KEY="/tmp/ephemeral.key"
+EPHEMERAL_PEM="/tmp/ephemeral.pem"
cat << EOF >${CWD}/kernel-vars
#!/bin/sh
export KERNEL_VERSION=${KERNEL_VERSION}
export KERNEL_SUFFIX=${KERNEL_SUFFIX}
export KERNEL_DIR=${CWD}/${KERNEL_SRC}
+export EPHEMERAL_KEY=${EPHEMERAL_KEY}
+export EPHEMERAL_CERT=${EPHEMERAL_PEM}
EOF
echo "I: Build Debian Kernel package"
touch .scmversion
make bindeb-pkg BUILD_TOOLS=1 LOCALVERSION=${KERNEL_SUFFIX} KDEB_PKGVERSION=${KERNEL_VERSION}-1 -j $(getconf _NPROCESSORS_ONLN)
+# Back to the old Kernel build-scripts directory
cd $CWD
-if [[ $? == 0 ]]; then
- for package in $(ls linux-*.deb)
- do
- ln -sf linux-kernel/$package ..
- done
+EPHEMERAL_KERNEL_KEY=$(grep -E "^CONFIG_MODULE_SIG_KEY=" ${KERNEL_SRC}/$KERNEL_CONFIG | awk -F= '{print $2}' | tr -d \")
+if test -f "${EPHEMERAL_KEY}"; then
+ rm -f ${EPHEMERAL_KEY}
+fi
+if test -f "${EPHEMERAL_PEM}"; then
+ rm -f ${EPHEMERAL_PEM}
+fi
+if test -f "${KERNEL_SRC}/${EPHEMERAL_KERNEL_KEY}"; then
+ openssl rsa -in ${KERNEL_SRC}/${EPHEMERAL_KERNEL_KEY} -out ${EPHEMERAL_KEY}
+ openssl x509 -in ${KERNEL_SRC}/${EPHEMERAL_KERNEL_KEY} -out ${EPHEMERAL_PEM}
fi
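Review bot: The module-signing private key is written to fixed, predictable paths in the shared `/tmp` (`/tmp/ephemeral.key`, `/tmp/ephemeral.pem`), where another local account can pre-create or link the name before the build and where the key outlives the build because nothing removes it; on a kernel built with `CONFIG_MODULE_SIG_FORCE=y` this key is what makes a module loadable, so it deserves the same care as the kernel's own certs/ directory. The .gitignore hunk in this commit adds `/ephemeral.key` and `/ephemeral.pem` in the package directory, which suggests `${CWD}` was the intended location; `EPHEMERAL_KEY="${CWD}/ephemeral.key"` and `EPHEMERAL_PEM="${CWD}/ephemeral.pem"` with `umask 077` ahead of the two openssl calls (unless openssl already restricts the mode) would match that and keep the copy private. Separately, the removed `$?` test was the only check on `make bindeb-pkg`; unless the script runs under `set -e` (its header is outside the hunk), a failed kernel build now continues into key extraction and exits 0, so `make bindeb-pkg ... || exit 1` is worth restoring.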
diff --git a/packages/linux-kernel/build-mellanox-ofed.sh b/packages/linux-kernel/build-mellanox-ofed.sh
index a157ee61..3f8a50f0 100755
--- a/packages/linux-kernel/build-mellanox-ofed.sh
+++ b/packages/linux-kernel/build-mellanox-ofed.sh
@@ -117,6 +117,18 @@ cp $(find $CWD/$DRIVER_DIR/DEBS/$DEB_DISTRO -type f | grep '\.deb$') "$CWD/"
echo "I: Cleanup ${DRIVER_NAME} source"
cd ${CWD}
+
+# Sign modules
+DEB_NAME=$(ls mlnx-ofed-kernel-modules_*)
+TMP_DIR="tmp-ofed-sign"
+dpkg-deb --raw-extract ${DEB_NAME} ${TMP_DIR}
+# Sign generated Kernel modules
+${CWD}/sign-modules.sh ${TMP_DIR}
+# Cleanup and repack DEB
+rm -f ${DEB_NAME}
+dpkg-deb --build ${TMP_DIR} ${DEB_NAME}
+rm -rf ${TMP_DIR}
+
if [ -f ${DRIVER_FILE} ]; then
rm -f ${DRIVER_FILE}
fi
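Review bot: `rm -f ${DEB_NAME}` runs before `dpkg-deb --build` has produced a replacement, so a failure in the repack leaves no mlnx-ofed-kernel-modules package at all and, absent `set -e`, the script continues as if signing had succeeded. Building to a temporary name and moving it into place, `dpkg-deb --build ${TMP_DIR} ${DEB_NAME}.tmp && mv -f ${DEB_NAME}.tmp ${DEB_NAME}`, closes that window and needs no prior rm. `DEB_NAME=$(ls mlnx-ofed-kernel-modules_*)` also expands to several words when more than one matching .deb sits in ${CWD} (a previous run, for instance), which breaks every later use of it; the selection should be made explicit rather than left to glob order.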
diff --git a/packages/linux-kernel/build-nat-rtsp.sh b/packages/linux-kernel/build-nat-rtsp.sh
index 40018cfb..33f1311d 100755
--- a/packages/linux-kernel/build-nat-rtsp.sh
+++ b/packages/linux-kernel/build-nat-rtsp.sh
@@ -15,7 +15,10 @@ fi
. ${KERNEL_VAR_FILE}
-cd ${SRC} && make KERNELDIR=$KERNEL_DIR
+cd ${SRC}
+git reset --hard HEAD
+git clean --force -d -x
+make KERNELDIR=$KERNEL_DIR
# Copy binary to package directory
DEBIAN_DIR=tmp/lib/modules/${KERNEL_VERSION}${KERNEL_SUFFIX}/extra
@@ -26,6 +29,9 @@ DEBIAN_POSTINST="${CWD}/vyos-nat-rtsp.postinst"
echo "#!/bin/sh" > ${DEBIAN_POSTINST}
echo "/sbin/depmod -a ${KERNEL_VERSION}${KERNEL_SUFFIX}" >> ${DEBIAN_POSTINST}
+# Sign generated Kernel modules
+${CWD}/sign-modules.sh ${DEBIAN_DIR}
+
# Build Debian Package
fpm --input-type dir --output-type deb --name nat-rtsp \
--version $(git describe --tags --always) --deb-compression gz \
diff --git a/packages/linux-kernel/build-openvpn-dco.sh b/packages/linux-kernel/build-openvpn-dco.sh
index fd427825..518729ee 100755
--- a/packages/linux-kernel/build-openvpn-dco.sh
+++ b/packages/linux-kernel/build-openvpn-dco.sh
@@ -15,13 +15,19 @@ fi
. ${KERNEL_VAR_FILE}
-cd ${SRC} && make KERNEL_SRC=$KERNEL_DIR
+cd ${SRC}
+git reset --hard HEAD
+git clean --force -d -x
+make KERNEL_SRC=$KERNEL_DIR
# Copy binary to package directory
DEBIAN_DIR=tmp/lib/modules/${KERNEL_VERSION}${KERNEL_SUFFIX}/extra
mkdir -p ${DEBIAN_DIR}
cp drivers/net/ovpn-dco/ovpn-dco-v2.ko ${DEBIAN_DIR}
+# Sign generated Kernel modules
+${CWD}/sign-modules.sh ${DEBIAN_DIR}
+
# Build Debian Package
fpm --input-type dir --output-type deb --name openvpn-dco \
--version $(git describe | sed s/^v//) --deb-compression gz \
diff --git a/packages/linux-kernel/sign-modules.sh b/packages/linux-kernel/sign-modules.sh
new file mode 100755
index 00000000..cfb368eb
--- /dev/null
+++ b/packages/linux-kernel/sign-modules.sh
@@ -0,0 +1,15 @@
+#!/bin/sh
+
+BASE_DIR=$(dirname $0)
+MODULE_DIR=$1
+. ${BASE_DIR}/kernel-vars
+
+SIGN_FILE="${KERNEL_DIR}/scripts/sign-file"
+
+if [ -f ${EPHEMERAL_KEY} ] && [ -f ${EPHEMERAL_CERT} ]; then
+ find ${MODULE_DIR} -type f -name \*.ko | while read MODULE; do
+ echo "I: Signing ${MODULE} ..."
+ ${SIGN_FILE} sha512 ${EPHEMERAL_KEY} ${EPHEMERAL_CERT} ${MODULE}
+ done
+fi
+
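Review bot: The script silently does nothing when `${EPHEMERAL_KEY}` or `${EPHEMERAL_CERT}` is missing, and a sign-file failure inside the `find | while` pipeline is lost because only the loop's final status reaches the caller, which does not check it either; with the defconfig in this commit setting `CONFIG_MODULE_SIG_FORCE=y`, any module that escapes unsigned is refused at load time, so the build should fail here rather than ship a package that cannot be used. The loop also reads whitespace-split paths (`read` without `-r`, `${MODULE}` unquoted). Fail loudly on a missing key, propagate sign-file failures with `set -e` and find's `-exec ... {} +` form, and quote the paths; `SIGN_FILE` needs exporting for the child shell, while the key and cert paths are already exported by kernel-vars.
```sh
#!/bin/sh
set -e

BASE_DIR=$(dirname "$0")
MODULE_DIR=$1
. "${BASE_DIR}/kernel-vars"

SIGN_FILE="${KERNEL_DIR}/scripts/sign-file"
export SIGN_FILE

if [ ! -f "${EPHEMERAL_KEY}" ] || [ ! -f "${EPHEMERAL_CERT}" ]; then
    echo "E: module signing key or certificate not found, refusing to produce unsigned modules" >&2
    exit 1
fi

# -exec ... + makes find exit non-zero when the child shell fails, so set -e aborts the build
find "${MODULE_DIR}" -type f -name '*.ko' -exec sh -c '
    for module; do
        echo "I: Signing ${module} ..."
        "${SIGN_FILE}" sha512 "${EPHEMERAL_KEY}" "${EPHEMERAL_CERT}" "${module}" || exit 1
    done' _ {} +
```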