| Age | Commit message (Collapse) | Author | |
|---|---|---|---|
| 2025-03-18 | T861: use secure-boot certificates from data/certificates | Christian Breunig | |
| 2024-09-25 | T861: sign all Kernel modules with an ephemeral key | Christian Breunig | |
| The shim review board (which is the secure boot base loader) recommends using ephemeral keys when signing the Linux Kernel. This commit enables the Kernel build system to generate a one-time ephemeral key that is used to: * sign all build-in Kernel modules * sign all other out-of-tree Kernel modules The key lives in /tmp and is destroyed after the build container exits and is named: "VyOS build time autogenerated kernel key". In addition the Kernel now uses CONFIG_MODULE_SIG_FORCE. This now makes it unable to load any Kernel Module to the image that is NOT signed by the ephemeral key. | |||
| 2024-09-14 | T861: add UEFI Secure Boot support | Christian Breunig | |
| This adds support for UEFI Secure Boot. It adds the missing pieces to the Linux Kernel and enforces module signing. This results in an additional security layer where untrusted (unsigned) Kernel modules can no longer be loaded into the live system. NOTE: This commit will not work unless signing keys are present. Arbitrary keys can be generated using instructions found in: data/live-build-config/includes.chroot/var/lib/shim-signed/mok/README.md | |||
 |
index : vyos-build.git | |
| VyOS image build scripts (mirror of https://github.com/vyos/vyos-build.git) |
| summaryrefslogtreecommitdiff |