The shim review board (which is the secure boot base loader) recommends using
ephemeral keys when signing the Linux Kernel. This commit enables the Kernel
build system to generate a one-time ephemeral key that is used to:
* sign all built-in Kernel modules
* sign all other out-of-tree Kernel modules
The key lives in /tmp and is destroyed after the build container exits and is
named: "VyOS build time autogenerated kernel key".
In addition the Kernel now uses CONFIG_MODULE_SIG_FORCE. This now makes it
unable to load any Kernel Module to the image that is NOT signed by the
ephemeral key.
|
Same as T6078 but we now want to make use of ethtool --json eth0 to drop our
own text based parsing of ethtool options in [1]. This is the base for moving
to a better, machine readable interface.
1: https://github.com/vyos/vyos-1x/blob/e47d4fd385631236da68/python/vyos/ethtool.py#L77-L105
|
Kernel: T861: use find over ls when probing for Kernel signing public keys
|
T861: add UEFI Secure Boot support
|
This adds support for UEFI Secure Boot. It adds the missing pieces to the Linux
Kernel and enforces module signing. This results in an additional security
layer where untrusted (unsigned) Kernel modules can no longer be loaded into
the live system.
NOTE: This commit will not work unless signing keys are present. Arbitrary
keys can be generated using instructions found in:
data/live-build-config/includes.chroot/var/lib/shim-signed/mok/README.md
|
linux-kernel: T6485: build modules for thunderbolt and thunderbolt-net
|
Push OFED to 24.07-0.6.1.0
Replace bash syntax for conditional check with sh syntax in OFED
build script.
|
This is required as the dependency will add /etc/containers/policy.json
|
Dependency already exists in vyos-1x for live-system, but it does not hurt to
also define the dependency here where it's needed by the filesystem layer.
|
As part of "T5792: Upgrade to ddclient 3.11.2" in commit 368b89ef056,
ddclient was built using build system from Debian Salsa and source code
from upstream GitHub.
This was subsequently modified in commit 7f7030d9281 to use both build
system and source code from Debian Salsa.
Now that Debian finally has ddclient 3.11.2 release, we can use the
release tag to build the package.
|
T6231: Mellanox OFED
|
All VyOS kernel modules must live in the appropriate module directory,
example: /lib/modules/6.6.41-amd64-vyos/
In addition we do not abbreviate script options to make reading easier,
without calling --help all the time.
|
Revert "frr: T6600: apply pending upstream patch for ospfd ldp-sync"
|
frr: T6600: apply pending upstream patch for ospfd ldp-sync
|
Using a discrete commit ID as there has not been a release in a longer time.
|
This reverts commit dbf7e47a27537a9c298afd665244b7bc2b6cf5f6.
|
ddclient: T5797: switch to Debian SALSA repository
|
Commit 368b89ef05 ("ddclient: T5797: Upgrade to ddclient 3.11.2") bumped the
ddclient version by using the build system from Debian SALSA repo and the
upstream ddclient source code.
Debian now provides the same version from the SALSA repos.
|
Build OFED drivers and userspace components against the kernel
source tree similar to Intel's NIC drivers.
OFED installers create Debian packages of their own targeting the
kernel version defined in the build invocation if DKMS is omitted.
Script builds with supporting components for VPP to permit handoff
of function to the underlying hardware as appropriate. Updating the
version is fairly trivial along with adding patching as needed to
handle kCFI and hardening measures as they are introduced.
Testing:
Tested against GCC-built Linux Hardened kernel with the various
additions from PR 132 - sustained line-rate testing against 4x100g
links on a single machine at a hair below 200g for each LACP pair.
|
ARM64 build is not necessary, because waagent has one build for all platforms.
|
Added execution permissions to a build script.
|
We need a version newer than in the Debian repository.
This commit adds instructions to build a version from sid.
|
VFIO No-IOMMU support is required for environments where IOMMU is not available
but we still want to use VFIO.
|
frr: T6250: T6283: revert local patches merged upstream
|
This reverts commit 1b61973b9143aa8a04cc7c857ec567fa962e4e43.
Upstream Patch merged
|
This reverts commit 38cae97177191ad6876a4ce7afb4f53b21bf746c.
Upstream patch merged
|