| Age | Commit message (Collapse) | Author |
|---|
|
|
|
The shim review board (which is the secure boot base loader) recommends using
ephemeral keys when signing the Linux Kernel. This commit enables the Kernel
build system to generate a one-time ephemeral key that is used to:
* sign all build-in Kernel modules
* sign all other out-of-tree Kernel modules
The key lives in /tmp and is destroyed after the build container exits and is
named: "VyOS build time autogenerated kernel key".
In addition the Kernel now uses CONFIG_MODULE_SIG_FORCE. This now makes it
unable to load any Kernel Module to the image that is NOT signed by the
ephemeral key.
|
|
|
|
Push OFED to 24.07-0.6.1.0
Replace bash syntax for conditional check with sh syntax in OFED
build script.
|
|
|
|
All VyOS kernel modules must live in the appropriate module directory,
example: /lib/modules/6.6.41-amd64-vyos/
In addition we do not abbreviate script options to make reading easier,
without call --help all the time.
|
|
|
|
Build OFED drivers and userspace components against the kernel
source tree similar to Intel's NIC drivers.
OFED installers create Debian packages of their own tageting the
kernel version defined in the build invocation if DKMS is omitted.
Script builds with supporting components for VPP to permit handoff
of function to the underlying hardware as appropriate. Updating the
version is fairly trivial along with adding patching as needed to
handle kCFI and hardening measures as they are introduced.
Testing:
Tested against GCC-built Linux Hardened kernel with the various
additions from PR 132 - sustained line-rate testing against 4x100g
links on a single machine at a hair below 200g for each LACP pair.
|
