From fd7d1d0d208f5857d84f1bc48577ff775a67b823 Mon Sep 17 00:00:00 2001
From: Christian Breunig <christian@breunig.cc>
Date: Wed, 4 Sep 2024 21:13:49 +0200
Subject: Kernel: T861: remove superfluous architecture from Kernel string
---
data/architectures/amd64.toml | 2 --
data/architectures/arm64.toml | 2 --
data/defaults.toml | 1 +
packages/linux-kernel/build-jool.py | 3 +--
packages/linux-kernel/build-kernel.sh | 2 +-
scripts/check-qemu-install | 9 +++++++--
6 files changed, 10 insertions(+), 9 deletions(-)
diff --git a/data/architectures/amd64.toml b/data/architectures/amd64.toml
index 44a203a2..e85b4158 100644
--- a/data/architectures/amd64.toml
+++ b/data/architectures/amd64.toml
@@ -2,8 +2,6 @@ additional_repositories = [
"deb [arch=amd64] https://repo.saltproject.io/py3/debian/11/amd64/3005 bullseye main"
]
-kernel_flavor = "amd64-vyos"
-
# Packages added to images for x86 by default
packages = [
"grub2",
diff --git a/data/architectures/arm64.toml b/data/architectures/arm64.toml
index 22f1fd10..228d0f3f 100644
--- a/data/architectures/arm64.toml
+++ b/data/architectures/arm64.toml
@@ -2,8 +2,6 @@ additional_repositories = [
"deb [arch=arm64] https://repo.saltproject.io/py3/debian/11/arm64/3005 bullseye main"
]
-kernel_flavor = "arm64-vyos"
-
# Packages included in ARM64 images by default
packages = [
"grub-efi-arm64",
diff --git a/data/defaults.toml b/data/defaults.toml
index e6654c43..71889cf0 100644
--- a/data/defaults.toml
+++ b/data/defaults.toml
@@ -15,6 +15,7 @@ vyos_branch = "current"
release_train = "current"
kernel_version = "6.6.49"
+kernel_flavor = "vyos"
bootloaders = "syslinux,grub-efi"
squashfs_compression_type = "xz -Xbcj x86 -b 256k -always-use-fragments -no-recovery"
diff --git a/packages/linux-kernel/build-jool.py b/packages/linux-kernel/build-jool.py
index 1781a6c8..3f8fd3a5 100755
--- a/packages/linux-kernel/build-jool.py
+++ b/packages/linux-kernel/build-jool.py
@@ -29,9 +29,8 @@ def add_depends(package_dir: str, package_name: str,
# find kernel version and source path
arch: str = find_arch()
defaults_file: str = Path('../../data/defaults.toml').read_text()
-architecture_file: str = Path(f'../../data/architectures/{arch}.toml').read_text()
KERNEL_VER: str = toml_loads(defaults_file).get('kernel_version')
-KERNEL_FLAVOR: str = toml_loads(architecture_file).get('kernel_flavor')
+KERNEL_FLAVOR: str = toml_loads(defaults_file).get('kernel_flavor')
KERNEL_SRC: str = Path.cwd().as_posix() + '/linux'
# define variables
diff --git a/packages/linux-kernel/build-kernel.sh b/packages/linux-kernel/build-kernel.sh
index 2c02f5c3..c0a863c6 100755
--- a/packages/linux-kernel/build-kernel.sh
+++ b/packages/linux-kernel/build-kernel.sh
@@ -18,7 +18,7 @@ echo "I: clean modified files"
git reset --hard HEAD
KERNEL_VERSION=$(make kernelversion)
-KERNEL_SUFFIX=-$(dpkg --print-architecture)-vyos
+KERNEL_SUFFIX=-$(awk -F "= " '/kernel_flavor/ {print $2}' ../../../data/defaults.toml | tr -d \")
# VyOS requires some small Kernel Patches - apply them here
# It's easier to habe them here and make use of the upstream
diff --git a/scripts/check-qemu-install b/scripts/check-qemu-install
index ea3aef63..fe781b60 100755
--- a/scripts/check-qemu-install
+++ b/scripts/check-qemu-install
@@ -1,6 +1,6 @@
#!/usr/bin/env python3
#
-# Copyright (C) 2019-2023, VyOS maintainers and contributors
+# Copyright (C) 2019-2024, VyOS maintainers and contributors
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2 or later as
@@ -47,6 +47,8 @@ import tomli
from io import BytesIO
from io import StringIO
from datetime import datetime
+from pathlib import Path
+from tomllib import loads as toml_loads
EXCEPTION = 0
now = datetime.now()
@@ -416,8 +418,11 @@ try:
c.expect(op_mode_prompt)
c.sendline('show version')
c.expect(op_mode_prompt)
+
c.sendline('show version kernel')
- c.expect(f'{vyos_defaults["kernel_version"]}-{vyos_defaults["architecture"]}-vyos')
+ kernel_flavor = toml_loads(Path('data/architectures/amd64.toml').read_text()).get('kernel_flavor')
+ c.expect(f'{vyos_defaults["kernel_version"]}-{kernel_flavor}')
+
c.expect(op_mode_prompt)
c.sendline('show version frr')
c.expect(op_mode_prompt)
--
cgit v1.2.3
From 7f23b57b190ca1436a006af271586e733ed3f48d Mon Sep 17 00:00:00 2001
From: Christian Breunig <christian@breunig.cc>
Date: Fri, 6 Sep 2024 20:21:14 +0200
Subject: Testsuite: T861: eject installation media CD-ROM over powercycle
When moving to UEFI and secure-boot it's better to just reboot the system
for Machine Owner Key installation, then powercycling the machine.
This commit will use `reboot now` over `poweroff` after base system installation
and boot into installed image for smoketest handling.
---
scripts/check-qemu-install | 23 +++++++++++++----------
1 file changed, 13 insertions(+), 10 deletions(-)
diff --git a/scripts/check-qemu-install b/scripts/check-qemu-install
index fe781b60..a9fea6ac 100755
--- a/scripts/check-qemu-install
+++ b/scripts/check-qemu-install
@@ -160,6 +160,7 @@ def get_qemu_cmd(name, enable_kvm, enable_uefi, disk_img, raid=None, iso_img=Non
{cpu} \
{cdrom} \
{kvm} \
+ -monitor unix:/tmp/qemu-monitor-socket-{disk_img},server,nowait \
-netdev user,id=n0,net=192.0.2.0/24,dhcpstart=192.0.2.101,dns=192.0.2.10 -device virtio-net-pci,netdev=n0,mac={macbase}:00,romfile="" \
-netdev user,id=n1 -device virtio-net-pci,netdev=n1,mac={macbase}:01,romfile="" \
-netdev user,id=n2 -device virtio-net-pci,netdev=n2,mac={macbase}:02,romfile="" \
@@ -363,14 +364,20 @@ try:
c.expect('\nWhich file would you like as boot config?.*')
c.sendline('')
- log.info('system installed, shutting down')
+ c.expect(op_mode_prompt)
+ log.info('system installed, rebooting')
+ c.sendline('reboot now')
#################################################
- # Powering down installer
+ # Removing CD installation media
#################################################
- shutdownVM(c, log, 'Shutting down installation system')
- c.close()
+ time.sleep(2)
+ log.info('eject installation media')
+ os.system(f'echo "eject -f drive-cd1" | socat - unix-connect:/tmp/qemu-monitor-socket-{args.disk}')
+ #################################################
+ # Powering down installer
+ #################################################
if args.tpmtest:
tpm_process = start_swtpm()
@@ -378,9 +385,6 @@ try:
# Booting installed system
#################################################
log.info('Booting installed system')
- cmd = get_qemu_cmd('TESTVM', kvm, args.uefi, args.disk, diskname_raid, tpm=args.tpmtest)
- log.debug(f'Executing command: {cmd}')
- c = pexpect.spawn(cmd, logfile=stl)
#################################################
# Logging into VyOS system
@@ -412,17 +416,16 @@ try:
# Basic Configmode/Opmode switch
#################################################
log.info('Basic CLI configuration mode test')
+ kernel_flavor = toml_loads(Path('data/defaults.toml').read_text()).get('kernel_flavor')
+
c.sendline('configure')
c.expect(cfg_mode_prompt)
c.sendline('exit')
c.expect(op_mode_prompt)
c.sendline('show version')
c.expect(op_mode_prompt)
-
c.sendline('show version kernel')
- kernel_flavor = toml_loads(Path('data/architectures/amd64.toml').read_text()).get('kernel_flavor')
c.expect(f'{vyos_defaults["kernel_version"]}-{kernel_flavor}')
-
c.expect(op_mode_prompt)
c.sendline('show version frr')
c.expect(op_mode_prompt)
--
cgit v1.2.3
From e5627bf050818f4f7b0ec9461ee66c285d244578 Mon Sep 17 00:00:00 2001
From: Christian Breunig <christian@breunig.cc>
Date: Fri, 6 Sep 2024 20:25:53 +0200
Subject: Testsuite: T861: remove option to disable KVM and use soft-emulation
This code path was unused during CI runs.
---
scripts/check-qemu-install | 34 +++++++++++-----------------------
1 file changed, 11 insertions(+), 23 deletions(-)
diff --git a/scripts/check-qemu-install b/scripts/check-qemu-install
index a9fea6ac..d90e3756 100755
--- a/scripts/check-qemu-install
+++ b/scripts/check-qemu-install
@@ -69,7 +69,6 @@ parser.add_argument('--logfile', help='Log to file')
parser.add_argument('--match', help='Smoketests to run')
parser.add_argument('--uefi', help='Boot using UEFI', action='store_true', default=False)
parser.add_argument('--raid', help='Perform a RAID-1 install', action='store_true', default=False)
-parser.add_argument('--no-kvm', help='Disable use of kvm', action='store_true', default=False)
parser.add_argument('--configd', help='Execute testsuite with config daemon', action='store_true',
default=False)
parser.add_argument('--no-interfaces', help='Execute testsuite without interface tests to save time',
@@ -118,13 +117,7 @@ def get_half_cpus():
cpu /= 2
return int(cpu)
-def get_qemu_cmd(name, enable_kvm, enable_uefi, disk_img, raid=None, iso_img=None, tpm=False):
- kvm = "-enable-kvm"
- cpu = "-cpu host"
- if not enable_kvm:
- kvm = "--no-kvm"
- cpu = ""
-
+def get_qemu_cmd(name, enable_uefi, disk_img, raid=None, iso_img=None, tpm=False):
uefi = ""
uuid = "f48b60b2-e6ad-49ef-9d09-4245d0585e52"
if enable_uefi:
@@ -157,9 +150,9 @@ def get_qemu_cmd(name, enable_kvm, enable_uefi, disk_img, raid=None, iso_img=Non
-nographic \
-machine accel=kvm \
-uuid {uuid} \
- {cpu} \
+ -cpu host \
{cdrom} \
- {kvm} \
+ -enable-kvm \
-monitor unix:/tmp/qemu-monitor-socket-{disk_img},server,nowait \
-netdev user,id=n0,net=192.0.2.0/24,dhcpstart=192.0.2.101,dns=192.0.2.10 -device virtio-net-pci,netdev=n0,mac={macbase}:00,romfile="" \
-netdev user,id=n1 -device virtio-net-pci,netdev=n1,mac={macbase}:01,romfile="" \
@@ -252,14 +245,9 @@ if not os.path.isfile(args.iso):
log.error('Unable to find iso image to install')
sys.exit(1)
-if args.no_kvm:
- log.error('KVM forced off by command line')
- kvm=False
-elif not os.path.exists('/dev/kvm'):
+if not os.path.exists('/dev/kvm'):
log.error('KVM not enabled on host, proceeding with software emulation')
- kvm=False
-else:
- kvm=True
+ sys.exit(1)
# Creating diskimage!!
diskname_raid = None
@@ -298,7 +286,7 @@ def start_swtpm():
return tpm_process
if args.qemu_cmd:
- tmp = get_qemu_cmd('TESTVM', kvm, args.uefi, args.disk, diskname_raid, args.iso)
+ tmp = get_qemu_cmd('TESTVM', args.uefi, args.disk, diskname_raid, args.iso)
os.system(tmp)
exit(0)
@@ -309,7 +297,7 @@ try:
# Installing image to disk
#################################################
log.info('Installing system')
- cmd = get_qemu_cmd('TESTVM', kvm, args.uefi, args.disk, diskname_raid, args.iso)
+ cmd = get_qemu_cmd('TESTVM', args.uefi, args.disk, diskname_raid, args.iso)
log.debug(f'Executing command: {cmd}')
c = pexpect.spawn(cmd, logfile=stl, timeout=60)
@@ -508,7 +496,7 @@ try:
# Booting back into VM
log.info('Booting TPM-backed system')
- cmd = get_qemu_cmd('TESTVM', kvm, args.uefi, args.disk, diskname_raid, tpm=args.tpmtest)
+ cmd = get_qemu_cmd('TESTVM', args.uefi, args.disk, diskname_raid, tpm=args.tpmtest)
log.debug(f'Executing command: {cmd}')
c = pexpect.spawn(cmd, logfile=stl)
@@ -543,7 +531,7 @@ try:
# Booting back into VM
log.info('Booting system with cleared TPM')
- cmd = get_qemu_cmd('TESTVM', kvm, args.uefi, args.disk, diskname_raid, tpm=args.tpmtest)
+ cmd = get_qemu_cmd('TESTVM', args.uefi, args.disk, diskname_raid, tpm=args.tpmtest)
log.debug(f'Executing command: {cmd}')
c = pexpect.spawn(cmd, logfile=stl)
@@ -595,7 +583,7 @@ try:
# Booting RAID-1 system with one missing disk
#################################################
log.info('Booting RAID-1 system')
- cmd = get_qemu_cmd('TESTVM', kvm, args.uefi, args.disk, diskname_raid)
+ cmd = get_qemu_cmd('TESTVM', args.uefi, args.disk, diskname_raid)
# We need to swap boot indexes to boot from second harddisk so we can
# recreate the RAID on the first disk
@@ -645,7 +633,7 @@ try:
shutdownVM(c, log, f'Shutdown VM and start from recovered RAID member "{args.disk}"')
log.info('Booting RAID-1 system')
- cmd = get_qemu_cmd('TESTVM', kvm, args.uefi, args.disk, diskname_raid)
+ cmd = get_qemu_cmd('TESTVM', args.uefi, args.disk, diskname_raid)
log.debug(f'Executing command: {cmd}')
c = pexpect.spawn(cmd, logfile=stl)
--
cgit v1.2.3
From aa6ca5c65bddb1b473421573710faa00a3e52dbc Mon Sep 17 00:00:00 2001
From: Christian Breunig <christian@breunig.cc>
Date: Fri, 6 Sep 2024 20:26:47 +0200
Subject: Testsuite: T861: cleanup imports and use "kernel_flavor" from
vyos_defaults
---
scripts/check-qemu-install | 10 +---------
1 file changed, 1 insertion(+), 9 deletions(-)
diff --git a/scripts/check-qemu-install b/scripts/check-qemu-install
index d90e3756..02487eb1 100755
--- a/scripts/check-qemu-install
+++ b/scripts/check-qemu-install
@@ -45,10 +45,7 @@ import re
import tomli
from io import BytesIO
-from io import StringIO
from datetime import datetime
-from pathlib import Path
-from tomllib import loads as toml_loads
EXCEPTION = 0
now = datetime.now()
@@ -80,7 +77,6 @@ parser.add_argument('--tpmtest', help='Execute TPM encrypted config tests',
parser.add_argument('--qemu-cmd', help='Only generate QEMU launch command',
action='store_true', default=False)
-
args = parser.parse_args()
with open('data/defaults.toml', 'rb') as f:
@@ -98,14 +94,11 @@ class StreamToLogger(object):
def write(self, buf):
self.linebuf += buf
- #print('.')
while b'\n' in self.linebuf:
f = self.linebuf.split(b'\n', 1)
if len(f) == 2:
self.logger.debug(self.ansi_escape.sub('', f[0].decode(errors="replace").rstrip()))
self.linebuf = f[1]
- #print(f)
-
def flush(self):
pass
@@ -404,7 +397,6 @@ try:
# Basic Configmode/Opmode switch
#################################################
log.info('Basic CLI configuration mode test')
- kernel_flavor = toml_loads(Path('data/defaults.toml').read_text()).get('kernel_flavor')
c.sendline('configure')
c.expect(cfg_mode_prompt)
@@ -413,7 +405,7 @@ try:
c.sendline('show version')
c.expect(op_mode_prompt)
c.sendline('show version kernel')
- c.expect(f'{vyos_defaults["kernel_version"]}-{kernel_flavor}')
+ c.expect(f'{vyos_defaults["kernel_version"]}-{vyos_defaults["kernel_flavor"]}')
c.expect(op_mode_prompt)
c.sendline('show version frr')
c.expect(op_mode_prompt)
--
cgit v1.2.3
From 986b71af2d72f3da4c7fcae4bd061e57734592b4 Mon Sep 17 00:00:00 2001
From: Christian Breunig <christian@breunig.cc>
Date: Fri, 6 Sep 2024 20:28:36 +0200
Subject: Testsuite: T861: use variable to define one single place for VM name
---
scripts/check-qemu-install | 13 +++++++------
1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/scripts/check-qemu-install b/scripts/check-qemu-install
index 02487eb1..a3d90a70 100755
--- a/scripts/check-qemu-install
+++ b/scripts/check-qemu-install
@@ -50,6 +50,7 @@ from datetime import datetime
EXCEPTION = 0
now = datetime.now()
tpm_folder = '/tmp/vyos_tpm_test'
+qemu_name = 'VyOS-QEMU'
parser = argparse.ArgumentParser(description='Install and start a test VyOS vm.')
parser.add_argument('iso', help='ISO file to install')
@@ -279,7 +280,7 @@ def start_swtpm():
return tpm_process
if args.qemu_cmd:
- tmp = get_qemu_cmd('TESTVM', args.uefi, args.disk, diskname_raid, args.iso)
+ tmp = get_qemu_cmd(qemu_name, args.uefi, args.disk, diskname_raid, args.iso)
os.system(tmp)
exit(0)
@@ -290,7 +291,7 @@ try:
# Installing image to disk
#################################################
log.info('Installing system')
- cmd = get_qemu_cmd('TESTVM', args.uefi, args.disk, diskname_raid, args.iso)
+ cmd = get_qemu_cmd(qemu_name, args.uefi, args.disk, diskname_raid, args.iso)
log.debug(f'Executing command: {cmd}')
c = pexpect.spawn(cmd, logfile=stl, timeout=60)
@@ -488,7 +489,7 @@ try:
# Booting back into VM
log.info('Booting TPM-backed system')
- cmd = get_qemu_cmd('TESTVM', args.uefi, args.disk, diskname_raid, tpm=args.tpmtest)
+ cmd = get_qemu_cmd(qemu_name, args.uefi, args.disk, diskname_raid, tpm=args.tpmtest)
log.debug(f'Executing command: {cmd}')
c = pexpect.spawn(cmd, logfile=stl)
@@ -523,7 +524,7 @@ try:
# Booting back into VM
log.info('Booting system with cleared TPM')
- cmd = get_qemu_cmd('TESTVM', args.uefi, args.disk, diskname_raid, tpm=args.tpmtest)
+ cmd = get_qemu_cmd(qemu_name, args.uefi, args.disk, diskname_raid, tpm=args.tpmtest)
log.debug(f'Executing command: {cmd}')
c = pexpect.spawn(cmd, logfile=stl)
@@ -575,7 +576,7 @@ try:
# Booting RAID-1 system with one missing disk
#################################################
log.info('Booting RAID-1 system')
- cmd = get_qemu_cmd('TESTVM', args.uefi, args.disk, diskname_raid)
+ cmd = get_qemu_cmd(qemu_name, args.uefi, args.disk, diskname_raid)
# We need to swap boot indexes to boot from second harddisk so we can
# recreate the RAID on the first disk
@@ -625,7 +626,7 @@ try:
shutdownVM(c, log, f'Shutdown VM and start from recovered RAID member "{args.disk}"')
log.info('Booting RAID-1 system')
- cmd = get_qemu_cmd('TESTVM', args.uefi, args.disk, diskname_raid)
+ cmd = get_qemu_cmd(qemu_name, args.uefi, args.disk, diskname_raid)
log.debug(f'Executing command: {cmd}')
c = pexpect.spawn(cmd, logfile=stl)
--
cgit v1.2.3
From 115fb522c8d814ceb72ce98b14181f5d6f95890b Mon Sep 17 00:00:00 2001
From: Christian Breunig <christian@breunig.cc>
Date: Fri, 6 Sep 2024 20:35:17 +0200
Subject: Testsuite: T861: add support to use VNC for a graphics console
To use VNC you could run "make test -- --vnc"
---
Makefile | 2 +-
scripts/check-qemu-install | 20 +++++++++++++-------
2 files changed, 14 insertions(+), 8 deletions(-)
diff --git a/Makefile b/Makefile
index 6d0f0d47..f084c442 100644
--- a/Makefile
+++ b/Makefile
@@ -21,7 +21,7 @@ checkiso:
.PHONY: test
.ONESHELL:
test: checkiso
- scripts/check-qemu-install --debug --configd --match="$(MATCH)" --uefi build/live-image-amd64.hybrid.iso
+ scripts/check-qemu-install --debug --configd --match="$(MATCH)" --uefi build/live-image-amd64.hybrid.iso $(filter-out $@,$(MAKECMDGOALS))
.PHONY: test-no-interfaces
.ONESHELL:
diff --git a/scripts/check-qemu-install b/scripts/check-qemu-install
index a3d90a70..28741986 100755
--- a/scripts/check-qemu-install
+++ b/scripts/check-qemu-install
@@ -66,6 +66,7 @@ parser.add_argument('--debug', help='Send all debug output to stdout',
parser.add_argument('--logfile', help='Log to file')
parser.add_argument('--match', help='Smoketests to run')
parser.add_argument('--uefi', help='Boot using UEFI', action='store_true', default=False)
+parser.add_argument('--vnc', help='Enable VNC', action='store_true', default=False)
parser.add_argument('--raid', help='Perform a RAID-1 install', action='store_true', default=False)
parser.add_argument('--configd', help='Execute testsuite with config daemon', action='store_true',
default=False)
@@ -111,7 +112,7 @@ def get_half_cpus():
cpu /= 2
return int(cpu)
-def get_qemu_cmd(name, enable_uefi, disk_img, raid=None, iso_img=None, tpm=False):
+def get_qemu_cmd(name, enable_uefi, disk_img, raid=None, iso_img=None, tpm=False, vnc_enabled=False):
uefi = ""
uuid = "f48b60b2-e6ad-49ef-9d09-4245d0585e52"
if enable_uefi:
@@ -119,6 +120,10 @@ def get_qemu_cmd(name, enable_uefi, disk_img, raid=None, iso_img=None, tpm=False
name = f'{name}-UEFI'
uuid = 'd27cf29e-4419-4407-8f82-dc73d1acd184'
+ vga = '-vga none'
+ if vnc_enabled:
+ vga = ' -vga virtio -vnc :0'
+
bootindex = '1'
cdrom = ""
if iso_img:
@@ -142,6 +147,7 @@ def get_qemu_cmd(name, enable_uefi, disk_img, raid=None, iso_img=None, tpm=False
-m 4G \
-vga none \
-nographic \
+ {vga} \
-machine accel=kvm \
-uuid {uuid} \
-cpu host \
@@ -280,7 +286,7 @@ def start_swtpm():
return tpm_process
if args.qemu_cmd:
- tmp = get_qemu_cmd(qemu_name, args.uefi, args.disk, diskname_raid, args.iso)
+ tmp = get_qemu_cmd(qemu_name, args.uefi, args.disk, raid=diskname_raid, iso_img=args.iso, vnc_enabled=args.vnc)
os.system(tmp)
exit(0)
@@ -291,7 +297,7 @@ try:
# Installing image to disk
#################################################
log.info('Installing system')
- cmd = get_qemu_cmd(qemu_name, args.uefi, args.disk, diskname_raid, args.iso)
+ cmd = get_qemu_cmd(qemu_name, args.uefi, args.disk, raid=diskname_raid, iso_img=args.iso, vnc_enabled=args.vnc)
log.debug(f'Executing command: {cmd}')
c = pexpect.spawn(cmd, logfile=stl, timeout=60)
@@ -489,7 +495,7 @@ try:
# Booting back into VM
log.info('Booting TPM-backed system')
- cmd = get_qemu_cmd(qemu_name, args.uefi, args.disk, diskname_raid, tpm=args.tpmtest)
+ cmd = get_qemu_cmd(qemu_name, args.uefi, args.disk, raid=diskname_raid, tpm=args.tpmtest, vnc_enabled=args.vnc)
log.debug(f'Executing command: {cmd}')
c = pexpect.spawn(cmd, logfile=stl)
@@ -524,7 +530,7 @@ try:
# Booting back into VM
log.info('Booting system with cleared TPM')
- cmd = get_qemu_cmd(qemu_name, args.uefi, args.disk, diskname_raid, tpm=args.tpmtest)
+ cmd = get_qemu_cmd(qemu_name, args.uefi, args.disk, raid=diskname_raid, tpm=args.tpmtest, vnc_enabled=args.vnc)
log.debug(f'Executing command: {cmd}')
c = pexpect.spawn(cmd, logfile=stl)
@@ -576,7 +582,7 @@ try:
# Booting RAID-1 system with one missing disk
#################################################
log.info('Booting RAID-1 system')
- cmd = get_qemu_cmd(qemu_name, args.uefi, args.disk, diskname_raid)
+ cmd = get_qemu_cmd(qemu_name, args.uefi, args.disk, raid=diskname_raid, vnc_enabled=args.vnc)
# We need to swap boot indexes to boot from second harddisk so we can
# recreate the RAID on the first disk
@@ -626,7 +632,7 @@ try:
shutdownVM(c, log, f'Shutdown VM and start from recovered RAID member "{args.disk}"')
log.info('Booting RAID-1 system')
- cmd = get_qemu_cmd(qemu_name, args.uefi, args.disk, diskname_raid)
+ cmd = get_qemu_cmd(qemu_name, args.uefi, args.disk, raid=diskname_raid, vnc_enabled=args.vnc)
log.debug(f'Executing command: {cmd}')
c = pexpect.spawn(cmd, logfile=stl)
--
cgit v1.2.3
From 6ef7069098245cee78918b84821909fcdb42b39d Mon Sep 17 00:00:00 2001
From: Christian Breunig <christian@breunig.cc>
Date: Fri, 6 Sep 2024 20:41:43 +0200
Subject: Testsuite: T861: use fix bootindex for install medium and
non-volatile disks
This is required to support proper disk ejection and not reloading the disk on
system reboot when operation in BIOS mode.
---
scripts/check-qemu-install | 15 ++++-----------
1 file changed, 4 insertions(+), 11 deletions(-)
diff --git a/scripts/check-qemu-install b/scripts/check-qemu-install
index 28741986..eb126e92 100755
--- a/scripts/check-qemu-install
+++ b/scripts/check-qemu-install
@@ -124,16 +124,11 @@ def get_qemu_cmd(name, enable_uefi, disk_img, raid=None, iso_img=None, tpm=False
if vnc_enabled:
vga = ' -vga virtio -vnc :0'
- bootindex = '1'
cdrom = ""
if iso_img:
- cdrom = f' -boot d' \
- f' -drive file={iso_img},format=raw,if=none,media=cdrom,id=drive-cd1,readonly=on' \
+ cdrom = f' -drive file={iso_img},format=raw,if=none,media=cdrom,id=drive-cd1,readonly=on' \
f' -device ahci,id=achi0' \
- f' -device ide-cd,bus=achi0.0,drive=drive-cd1,id=cd1,bootindex={bootindex}'
-
- # Set regular harddisk bootindex to 2 as we boot from a CDROM drive
- bootindex = '2'
+ f' -device ide-cd,bus=achi0.0,drive=drive-cd1,id=cd1,bootindex=10'
# test using half of the available CPUs on the system
cpucount = get_half_cpus()
@@ -164,13 +159,11 @@ def get_qemu_cmd(name, enable_uefi, disk_img, raid=None, iso_img=None, tpm=False
-netdev user,id=n7 -device virtio-net-pci,netdev=n7,mac={macbase}:07,romfile="" \
-device virtio-scsi-pci,id=scsi0 \
-drive format=raw,file={disk_img},if=none,media=disk,id=drive-hd1,readonly=off \
- -device scsi-hd,bus=scsi0.0,drive=drive-hd1,id=hd1,bootindex={bootindex}'
+ -device scsi-hd,bus=scsi0.0,drive=drive-hd1,id=hd1,bootindex=1'
- # dynamically increment bootindex - required for RAID system
- bootindex = str(int(bootindex) + 1)
if raid:
cmd += f' -drive format=raw,file={raid},if=none,media=disk,id=drive-hd2,readonly=off' \
- f' -device scsi-hd,bus=scsi0.0,drive=drive-hd2,id=hd2,bootindex={bootindex}'
+ f' -device scsi-hd,bus=scsi0.0,drive=drive-hd2,id=hd2,bootindex=2'
if tpm:
cmd += f' -chardev socket,id=chrtpm,path={tpm_folder}/swtpm-sock' \
--
cgit v1.2.3
From e86bfd7ab96333fb3dec62a15b9e9720d95dbda8 Mon Sep 17 00:00:00 2001
From: Christian Breunig <christian@breunig.cc>
Date: Fri, 6 Sep 2024 20:54:38 +0200
Subject: Testsuite: T861: add explicit --smoketest argument
In the past the CLI based smoketest was always executed under an else branch in
the testcase if-statement. Instead of using negative logic move all testcases
to positive logic adding an empty "catch all" else path.
---
Makefile | 6 +++---
scripts/check-qemu-install | 13 ++++++++++---
2 files changed, 13 insertions(+), 6 deletions(-)
diff --git a/Makefile b/Makefile
index f084c442..85510131 100644
--- a/Makefile
+++ b/Makefile
@@ -21,12 +21,12 @@ checkiso:
.PHONY: test
.ONESHELL:
test: checkiso
- scripts/check-qemu-install --debug --configd --match="$(MATCH)" --uefi build/live-image-amd64.hybrid.iso $(filter-out $@,$(MAKECMDGOALS))
+ scripts/check-qemu-install --debug --configd --match="$(MATCH)" --smoketest --uefi build/live-image-amd64.hybrid.iso $(filter-out $@,$(MAKECMDGOALS))
.PHONY: test-no-interfaces
.ONESHELL:
test-no-interfaces: checkiso
- scripts/check-qemu-install --debug --configd --match="$(MATCH)" --uefi --no-interfaces build/live-image-amd64.hybrid.iso
+ scripts/check-qemu-install --debug --configd --match="$(MATCH)" --smoketest --uefi --no-interfaces build/live-image-amd64.hybrid.iso
.PHONY: testc
.ONESHELL:
@@ -36,7 +36,7 @@ testc: checkiso
.PHONY: testraid
.ONESHELL:
testraid: checkiso
- scripts/check-qemu-install --debug --configd --raid --configtest build/live-image-amd64.hybrid.iso $(filter-out $@,$(MAKECMDGOALS))
+ scripts/check-qemu-install --debug --configd --raid build/live-image-amd64.hybrid.iso $(filter-out $@,$(MAKECMDGOALS))
.PHONY: testtpm
.ONESHELL:
diff --git a/scripts/check-qemu-install b/scripts/check-qemu-install
index eb126e92..921384cc 100755
--- a/scripts/check-qemu-install
+++ b/scripts/check-qemu-install
@@ -72,6 +72,8 @@ parser.add_argument('--configd', help='Execute testsuite with config daemon', ac
default=False)
parser.add_argument('--no-interfaces', help='Execute testsuite without interface tests to save time',
action='store_true', default=False)
+parser.add_argument('--smoketest', help='Execute script based CLI smoketests',
+ action='store_true', default=False)
parser.add_argument('--configtest', help='Execute load/commit config tests',
action='store_true', default=False)
parser.add_argument('--tpmtest', help='Execute TPM encrypted config tests',
@@ -634,7 +636,7 @@ try:
c.sendline('cat /proc/mdstat')
c.expect(op_mode_prompt)
- elif not args.configtest:
+ elif args.smoketest:
# run default smoketest suite
if args.match:
# Remove tests that we don't want to run
@@ -670,7 +672,7 @@ try:
raise Exception("Smoketest-failed, please look into debug output")
# else, run configtest suite
- else:
+ elif args.configtest:
log.info('Adding a legacy WireGuard default keypair for migrations')
c.sendline('sudo mkdir -p /config/auth/wireguard/default')
c.expect(op_mode_prompt)
@@ -695,7 +697,7 @@ try:
if i==0:
raise Exception('Invalid command detected')
elif i==1:
- tmp = '(W)hy (T)he (F)ace? VyOS smoketest not found!'
+ tmp = 'VyOS smoketest not found!'
log.error(tmp)
raise Exception(tmp)
@@ -709,6 +711,9 @@ try:
log.error(tmp)
raise Exception(tmp)
+ else:
+ log.info('No testcase selected!')
+
shutdownVM(c, log, 'Powering off system')
c.close()
@@ -752,3 +757,5 @@ if EXCEPTION:
log.error('Hmm... system got an exception while processing.')
log.error('The ISO image is not considered usable!')
sys.exit(1)
+
+sys.exit(0)
--
cgit v1.2.3
From e4a2e22ced899fa3cedcd0c0188b4318060ab098 Mon Sep 17 00:00:00 2001
From: Christian Breunig <christian@breunig.cc>
Date: Sat, 14 Sep 2024 20:57:14 +0200
Subject: mellanox: T6231: execute build script with sudo
---
packages/linux-kernel/Jenkinsfile | 2 +-
packages/linux-kernel/build-mellanox-ofed.sh | 68 +++++++++++++++-------------
2 files changed, 37 insertions(+), 33 deletions(-)
diff --git a/packages/linux-kernel/Jenkinsfile b/packages/linux-kernel/Jenkinsfile
index 986780e0..c354200e 100644
--- a/packages/linux-kernel/Jenkinsfile
+++ b/packages/linux-kernel/Jenkinsfile
@@ -63,7 +63,7 @@ def pkgList = [
['name': 'ixgbevf', 'buildCmd': 'cd ..; ./build-intel-ixgbevf.sh'],
// Mellanox OFED
- ['name': 'ofed', 'buildCmd': 'cd ..; ./build-mellanox-ofed.sh'],
+ ['name': 'ofed', 'buildCmd': 'cd ..; sudo ./build-mellanox-ofed.sh'],
// Jool
['name': 'jool', 'buildCmd': 'cd ..; ./build-jool.py'],
diff --git a/packages/linux-kernel/build-mellanox-ofed.sh b/packages/linux-kernel/build-mellanox-ofed.sh
index 51e4d4ca..a157ee61 100755
--- a/packages/linux-kernel/build-mellanox-ofed.sh
+++ b/packages/linux-kernel/build-mellanox-ofed.sh
@@ -4,6 +4,11 @@ DEB_DISTRO='debian12.1'
CWD=$(pwd)
KERNEL_VAR_FILE=${CWD}/kernel-vars
+if [ $(id -u) -ne 0 ]; then
+ echo "Mellanox OFED script needs to be run as root"
+ exit
+fi
+
if ! dpkg-architecture -iamd64; then
echo "Mellanox OFED is only buildable on amd64 platforms"
exit 0
@@ -66,34 +71,33 @@ if [ -z $KERNEL_DIR ]; then
exit 1
fi
-rm -f SOURCES/ibarr_0.1.3.orig.tar.gz
-rm -f SOURCES/ibdump_6.0.0.orig.tar.gz
-rm -f SOURCES/ibsim_0.12.orig.tar.gz
-rm -f SOURCES/iser_24.04.OFED.24.04.0.6.6.1.orig.tar.gz
-rm -f SOURCES/isert_24.04.OFED.24.04.0.6.6.1.orig.tar.gz
-rm -f SOURCES/kernel-mft_4.28.0.92.orig.tar.gz
-rm -f SOURCES/knem_1.1.4.90mlnx3.orig.tar.gz
-rm -f SOURCES/libvma_9.8.60.orig.tar.gz
-rm -f SOURCES/libxlio_3.30.5.orig.tar.gz
-rm -f SOURCES/mlnx-ethtool_6.7.orig.tar.gz
-rm -f SOURCES/mlnx-iproute2_6.7.0.orig.tar.gz
-rm -f SOURCES/mlnx-nfsrdma_24.04.OFED.24.04.0.6.6.1.orig.tar.gz
-rm -f SOURCES/mlnx-nvme_24.04.OFED.24.04.0.6.6.1.orig.tar.gz
-rm -f SOURCES/mlx-steering-dump_1.0.0.orig.tar.gz
-rm -f SOURCES/mpitests_3.2.23.orig.tar.gz
-rm -f SOURCES/mstflint_4.16.1.orig.tar.gz
-rm -f SOURCES/ofed-scripts_24.04.OFED.24.04.0.6.6.orig.tar.gz
-rm -f SOURCES/openmpi_4.1.7a1.orig.tar.gz
-rm -f SOURCES/openvswitch_2.17.8.orig.tar.gz
-rm -f SOURCES/perftest_24.04.0.orig.tar.gz
-rm -f SOURCES/rdma-core_2404mlnx51.orig.tar.gz
-rm -f SOURCES/rshim_2.0.28.orig.tar.gz
-rm -f SOURCES/sockperf_3.10.orig.tar.gz
-rm -f SOURCES/srp_24.04.OFED.24.04.0.6.6.1.orig.tar.gz
-rm -f SOURCES/ucx_1.17.0.orig.tar.gz
-
-
-sudo ./install.pl \
+rm -f SOURCES/ibarr_*.tar.gz
+rm -f SOURCES/ibdump_*.tar.gz
+rm -f SOURCES/ibsim_*.tar.gz
+rm -f SOURCES/iser_*.tar.gz
+rm -f SOURCES/isert_*.tar.gz
+rm -f SOURCES/kernel-mft_*.tar.gz
+rm -f SOURCES/knem_*.tar.gz
+rm -f SOURCES/libvma_*.tar.gz
+rm -f SOURCES/libxlio_*.tar.gz
+rm -f SOURCES/mlnx-ethtool_*.tar.gz
+rm -f SOURCES/mlnx-iproute2_*.tar.gz
+rm -f SOURCES/mlnx-nfsrdma_*.tar.gz
+rm -f SOURCES/mlnx-nvme_*.tar.gz
+rm -f SOURCES/mlx-steering-dump_*.tar.gz
+rm -f SOURCES/mpitests_*.tar.gz
+rm -f SOURCES/mstflint_*.tar.gz
+rm -f SOURCES/ofed-scripts_*.tar.gz
+rm -f SOURCES/openmpi_*.tar.gz
+rm -f SOURCES/openvswitch_*.tar.gz
+rm -f SOURCES/perftest_*.tar.gz
+rm -f SOURCES/rdma-core_*.tar.gz
+rm -f SOURCES/rshim_*.tar.gz
+rm -f SOURCES/sockperf_*.tar.gz
+rm -f SOURCES/srp_*.tar.gz
+rm -f SOURCES/ucx_*.tar.gz
+
+./install.pl \
--basic --dpdk \
--without-dkms \
--without-mlnx-nvme-modules \
@@ -106,19 +110,19 @@ sudo ./install.pl \
if [ $DROP_DEV_DBG_DEBS -eq 1 ]; then
echo "I: Removing development and debug packages"
- sudo rm $(find $CWD/$DRIVER_DIR/DEBS/$DEB_DISTRO -type f | grep -E '\-dev|\-dbg')
+ rm -f $(find $CWD/$DRIVER_DIR/DEBS/$DEB_DISTRO -type f | grep -E '\-dev|\-dbg')
fi
cp $(find $CWD/$DRIVER_DIR/DEBS/$DEB_DISTRO -type f | grep '\.deb$') "$CWD/"
echo "I: Cleanup ${DRIVER_NAME} source"
cd ${CWD}
-if [ -e ${DRIVER_FILE} ]; then
+if [ -f ${DRIVER_FILE} ]; then
rm -f ${DRIVER_FILE}
fi
if [ -d ${DRIVER_DIR} ]; then
- sudo rm -rf ${DRIVER_DIR}
+ rm -rf ${DRIVER_DIR}
fi
if [ -d ${DEBIAN_DIR} ]; then
- sudo rm -rf ${DEBIAN_DIR}
+ rm -rf ${DEBIAN_DIR}
fi
--
cgit v1.2.3
From f523ae5cacfb162f2f30996777c81c0caf19a684 Mon Sep 17 00:00:00 2001
From: Christian Breunig <christian@breunig.cc>
Date: Sat, 14 Sep 2024 20:58:05 +0200
Subject: Kernel: T5887: update Linux Kernel to v6.6.51
---
data/defaults.toml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/data/defaults.toml b/data/defaults.toml
index 71889cf0..efe6399f 100644
--- a/data/defaults.toml
+++ b/data/defaults.toml
@@ -14,7 +14,7 @@ vyos_mirror = "https://rolling-packages.vyos.net/current"
vyos_branch = "current"
release_train = "current"
-kernel_version = "6.6.49"
+kernel_version = "6.6.51"
kernel_flavor = "vyos"
bootloaders = "syslinux,grub-efi"
--
cgit v1.2.3
From beb3df0733d8cf682291e19b0df0871da20ab5d4 Mon Sep 17 00:00:00 2001
From: Christian Breunig <christian@breunig.cc>
Date: Sat, 14 Sep 2024 20:58:27 +0200
Subject: Kernel: T5887: cleanup Debian postinst files after package build
---
packages/linux-kernel/build-intel-ixgbe.sh | 3 +++
packages/linux-kernel/build-intel-ixgbevf.sh | 4 +++-
packages/linux-kernel/build-intel-qat.sh | 3 +++
packages/linux-kernel/build-nat-rtsp.sh | 4 ++++
4 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/packages/linux-kernel/build-intel-ixgbe.sh b/packages/linux-kernel/build-intel-ixgbe.sh
index 5f45c62a..ab44f551 100755
--- a/packages/linux-kernel/build-intel-ixgbe.sh
+++ b/packages/linux-kernel/build-intel-ixgbe.sh
@@ -105,3 +105,6 @@ fi
if [ -d ${DEBIAN_DIR} ]; then
rm -rf ${DEBIAN_DIR}
fi
+if [ -f ${DEBIAN_POSTINST} ]; then
+ rm -f ${DEBIAN_POSTINST}
+fi
diff --git a/packages/linux-kernel/build-intel-ixgbevf.sh b/packages/linux-kernel/build-intel-ixgbevf.sh
index a965e0de..39803852 100755
--- a/packages/linux-kernel/build-intel-ixgbevf.sh
+++ b/packages/linux-kernel/build-intel-ixgbevf.sh
@@ -97,4 +97,6 @@ fi
if [ -d ${DEBIAN_DIR} ]; then
rm -rf ${DEBIAN_DIR}
fi
-
+if [ -f ${DEBIAN_POSTINST} ]; then
+ rm -f ${DEBIAN_POSTINST}
+fi
diff --git a/packages/linux-kernel/build-intel-qat.sh b/packages/linux-kernel/build-intel-qat.sh
index 765cea3f..5b0e023f 100755
--- a/packages/linux-kernel/build-intel-qat.sh
+++ b/packages/linux-kernel/build-intel-qat.sh
@@ -109,3 +109,6 @@ fi
if [ -d ${DEBIAN_DIR} ]; then
rm -rf ${DEBIAN_DIR}
fi
+if [ -f ${DEBIAN_POSTINST} ]; then
+ rm -f ${DEBIAN_POSTINST}
+fi
diff --git a/packages/linux-kernel/build-nat-rtsp.sh b/packages/linux-kernel/build-nat-rtsp.sh
index ec7d19a6..40018cfb 100755
--- a/packages/linux-kernel/build-nat-rtsp.sh
+++ b/packages/linux-kernel/build-nat-rtsp.sh
@@ -36,3 +36,7 @@ fpm --input-type dir --output-type deb --name nat-rtsp \
--license "GPL2" --chdir tmp
mv *.deb ..
+
+if [ -f ${DEBIAN_POSTINST} ]; then
+ rm -f ${DEBIAN_POSTINST}
+fi
--
cgit v1.2.3
From fd737172f1068870fe1ededbe9b2ed4a86663acd Mon Sep 17 00:00:00 2001
From: Christian Breunig <christian@breunig.cc>
Date: Wed, 4 Sep 2024 21:37:11 +0200
Subject: T861: add UEFI Secure Boot support
This adds support for UEFI Secure Boot. It adds the missing pieces to the Linux
Kernel and enforces module signing. This results in an additional security
layer where untrusted (unsigned) Kernel modules can no longer be loaded into
the live system.
NOTE: This commit will not work unless signing keys are present. Arbitrary
keys can be generated using instructions found in:
data/live-build-config/includes.chroot/var/lib/shim-signed/mok/README.md
---
.gitignore | 8 +-
Makefile | 5 +
.../hooks/live/92-strip-symbols.chroot | 76 ++++++++++
.../hooks/live/93-sign-kernel.chroot | 18 +++
.../hooks/live/99-strip-symbols.chroot | 76 ----------
.../var/lib/shim-signed/mok/README.md | 22 +++
.../linux-kernel/arch/x86/configs/vyos_defconfig | 42 +++---
packages/linux-kernel/build-kernel.sh | 23 +++
scripts/check-qemu-install | 156 +++++++++++++++++++--
scripts/image-build/build-vyos-image | 2 +-
10 files changed, 316 insertions(+), 112 deletions(-)
create mode 100755 data/live-build-config/hooks/live/92-strip-symbols.chroot
create mode 100755 data/live-build-config/hooks/live/93-sign-kernel.chroot
delete mode 100755 data/live-build-config/hooks/live/99-strip-symbols.chroot
create mode 100644 data/live-build-config/includes.chroot/var/lib/shim-signed/mok/README.md
diff --git a/.gitignore b/.gitignore
index 23101b27..e3724a9f 100644
--- a/.gitignore
+++ b/.gitignore
@@ -5,6 +5,8 @@ packer_cache/*
key/*
packages/*
!packages/*/
-testinstall*.img
-*.qcow2
-*.tar
+data/live-build-config/includes.chroot/var/lib/shim-signed/mok/*
+/testinstall*.img
+/testinstall*.efivars
+/*.qcow2
+/*.tar
diff --git a/Makefile b/Makefile
index 85510131..2ff776c0 100644
--- a/Makefile
+++ b/Makefile
@@ -38,6 +38,11 @@ testc: checkiso
testraid: checkiso
scripts/check-qemu-install --debug --configd --raid build/live-image-amd64.hybrid.iso $(filter-out $@,$(MAKECMDGOALS))
+.PHONY: testsb
+.ONESHELL:
+testsb: checkiso
+ scripts/check-qemu-install --debug --uefi --sbtest build/live-image-amd64.hybrid.iso $(filter-out $@,$(MAKECMDGOALS))
+
.PHONY: testtpm
.ONESHELL:
testtpm: checkiso
diff --git a/data/live-build-config/hooks/live/92-strip-symbols.chroot b/data/live-build-config/hooks/live/92-strip-symbols.chroot
new file mode 100755
index 00000000..704f9cb3
--- /dev/null
+++ b/data/live-build-config/hooks/live/92-strip-symbols.chroot
@@ -0,0 +1,76 @@
+#!/bin/sh
+
+#
+# Discard symbols and other data from object files.
+#
+# Reference:
+# https://www.linuxfromscratch.org/lfs/view/systemd/chapter08/stripping.html
+# https://www.debian.org/doc/debian-policy/ch-files.html
+#
+
+# Set variables.
+STRIPCMD_REGULAR="strip --remove-section=.comment --remove-section=.note --preserve-dates"
+STRIPCMD_DEBUG="strip --strip-debug --remove-section=.comment --remove-section=.note --preserve-dates"
+STRIPCMD_UNNEEDED="strip --strip-unneeded --remove-section=.comment --remove-section=.note --preserve-dates"
+STRIPDIR_REGULAR="
+"
+STRIPDIR_DEBUG="
+/usr/lib/modules
+"
+STRIPDIR_UNNEEDED="
+/etc/hsflowd/modules
+/usr/bin
+/usr/lib/openvpn
+/usr/lib/x86_64-linux-gnu
+/usr/lib32
+/usr/lib64
+/usr/libx32
+/usr/sbin
+"
+STRIP_EXCLUDE=`dpkg-query -L libbinutils | grep '.so'`
+
+# Perform stuff.
+echo "Stripping symbols..."
+
+# List excluded files.
+echo "Exclude files: ${STRIP_EXCLUDE}"
+
+# CMD: strip
+for DIR in ${STRIPDIR_REGULAR}; do
+ echo "Parse dir (strip): ${DIR}"
+ find ${DIR} -type f -exec file {} \; | grep 'not stripped' | cut -d ":" -f 1 | while read FILE; do
+ echo "${STRIP_EXCLUDE}" | grep -F -q -w "${FILE}"
+ if [ $? -ne 0 ]; then
+ echo "Strip file (strip): ${FILE}"
+ ${STRIPCMD_REGULAR} ${FILE}
+ fi
+ done
+done
+
+# CMD: strip --strip-debug
+for DIR in ${STRIPDIR_DEBUG}; do
+ echo "Parse dir (strip-debug): ${DIR}"
+ find ${DIR} -type f -exec file {} \; | grep 'not stripped' | cut -d ":" -f 1 | while read FILE; do
+ echo "${STRIP_EXCLUDE}" | grep -F -q -w "${FILE}"
+ if [ $? -ne 0 ]; then
+ echo "Strip file (strip-debug): ${FILE}"
+ ${STRIPCMD_DEBUG} ${FILE}
+ fi
+ done
+done
+
+# CMD: strip --strip-unneeded
+for DIR in ${STRIPDIR_UNNEEDED}; do
+ echo "Parse dir (strip-unneeded: ${DIR}"
+ find ${DIR} -type f -exec file {} \; | grep 'not stripped' | cut -d ":" -f 1 | while read FILE; do
+ echo "${STRIP_EXCLUDE}" | grep -F -q -w "${FILE}"
+ if [ $? -ne 0 ]; then
+ echo "Strip file (strip-unneeded): ${FILE}"
+ ${STRIPCMD_UNNEEDED} ${FILE}
+ fi
+ done
+done
+
+# Remove binutils package.
+apt-get -y purge --autoremove binutils
+
diff --git a/data/live-build-config/hooks/live/93-sign-kernel.chroot b/data/live-build-config/hooks/live/93-sign-kernel.chroot
new file mode 100755
index 00000000..031db10d
--- /dev/null
+++ b/data/live-build-config/hooks/live/93-sign-kernel.chroot
@@ -0,0 +1,18 @@
+#!/bin/sh
+SIGN_FILE=$(find /usr/lib -name sign-file)
+MOK_KEY="/var/lib/shim-signed/mok/kernel.key"
+MOK_CERT="/var/lib/shim-signed/mok/kernel.pem"
+kernel_elf=$(readlink /boot/vmlinuz)
+
+if [ ! -f ${MOK_KEY} ]; then
+ echo "I: Signing key for Linux Kernel not found - Secure Boot not possible"
+else
+ echo "I: Signing Linux Kernel for Secure Boot"
+
+ sbsign --key $MOK_KEY --cert $MOK_CERT /boot/${kernel_elf} --output /boot/${kernel_elf}
+ sbverify --list /boot/${kernel_elf}
+
+ find /lib/modules -type f -name \*.ko -o -name \*.ko.xz | while read module; do
+ $SIGN_FILE sha512 $MOK_KEY $MOK_CERT $module
+ done
+fi
diff --git a/data/live-build-config/hooks/live/99-strip-symbols.chroot b/data/live-build-config/hooks/live/99-strip-symbols.chroot
deleted file mode 100755
index 704f9cb3..00000000
--- a/data/live-build-config/hooks/live/99-strip-symbols.chroot
+++ /dev/null
@@ -1,76 +0,0 @@
-#!/bin/sh
-
-#
-# Discard symbols and other data from object files.
-#
-# Reference:
-# https://www.linuxfromscratch.org/lfs/view/systemd/chapter08/stripping.html
-# https://www.debian.org/doc/debian-policy/ch-files.html
-#
-
-# Set variables.
-STRIPCMD_REGULAR="strip --remove-section=.comment --remove-section=.note --preserve-dates"
-STRIPCMD_DEBUG="strip --strip-debug --remove-section=.comment --remove-section=.note --preserve-dates"
-STRIPCMD_UNNEEDED="strip --strip-unneeded --remove-section=.comment --remove-section=.note --preserve-dates"
-STRIPDIR_REGULAR="
-"
-STRIPDIR_DEBUG="
-/usr/lib/modules
-"
-STRIPDIR_UNNEEDED="
-/etc/hsflowd/modules
-/usr/bin
-/usr/lib/openvpn
-/usr/lib/x86_64-linux-gnu
-/usr/lib32
-/usr/lib64
-/usr/libx32
-/usr/sbin
-"
-STRIP_EXCLUDE=`dpkg-query -L libbinutils | grep '.so'`
-
-# Perform stuff.
-echo "Stripping symbols..."
-
-# List excluded files.
-echo "Exclude files: ${STRIP_EXCLUDE}"
-
-# CMD: strip
-for DIR in ${STRIPDIR_REGULAR}; do
- echo "Parse dir (strip): ${DIR}"
- find ${DIR} -type f -exec file {} \; | grep 'not stripped' | cut -d ":" -f 1 | while read FILE; do
- echo "${STRIP_EXCLUDE}" | grep -F -q -w "${FILE}"
- if [ $? -ne 0 ]; then
- echo "Strip file (strip): ${FILE}"
- ${STRIPCMD_REGULAR} ${FILE}
- fi
- done
-done
-
-# CMD: strip --strip-debug
-for DIR in ${STRIPDIR_DEBUG}; do
- echo "Parse dir (strip-debug): ${DIR}"
- find ${DIR} -type f -exec file {} \; | grep 'not stripped' | cut -d ":" -f 1 | while read FILE; do
- echo "${STRIP_EXCLUDE}" | grep -F -q -w "${FILE}"
- if [ $? -ne 0 ]; then
- echo "Strip file (strip-debug): ${FILE}"
- ${STRIPCMD_DEBUG} ${FILE}
- fi
- done
-done
-
-# CMD: strip --strip-unneeded
-for DIR in ${STRIPDIR_UNNEEDED}; do
- echo "Parse dir (strip-unneeded: ${DIR}"
- find ${DIR} -type f -exec file {} \; | grep 'not stripped' | cut -d ":" -f 1 | while read FILE; do
- echo "${STRIP_EXCLUDE}" | grep -F -q -w "${FILE}"
- if [ $? -ne 0 ]; then
- echo "Strip file (strip-unneeded): ${FILE}"
- ${STRIPCMD_UNNEEDED} ${FILE}
- fi
- done
-done
-
-# Remove binutils package.
-apt-get -y purge --autoremove binutils
-
diff --git a/data/live-build-config/includes.chroot/var/lib/shim-signed/mok/README.md b/data/live-build-config/includes.chroot/var/lib/shim-signed/mok/README.md
new file mode 100644
index 00000000..5a6edbba
--- /dev/null
+++ b/data/live-build-config/includes.chroot/var/lib/shim-signed/mok/README.md
@@ -0,0 +1,22 @@
+# Secure Boot
+
+## CA
+
+Create Certificate Authority used for Kernel signing. CA is loaded into the
+Machine Owner Key store on the target system.
+
+```bash
+openssl req -new -x509 -newkey rsa:2048 -keyout MOK.key -outform DER -out MOK.der -days 36500 -subj "/CN=VyOS Secure Boot CA/" -nodes
+openssl x509 -inform der -in MOK.der -out MOK.pem
+```
+
+## Kernel Module Signing Key
+
+We do not make use of ephemeral keys for Kernel module signing. Instead a key
+is generated and signed by the VyOS Secure Boot CA which signs all the Kernel
+modules during ISO assembly if present.
+
+```bash
+openssl req -newkey rsa:2048 -keyout kernel.key -out kernel.csr -subj "/CN=VyOS Secure Boot Signer 2024 - linux/" -nodes
+openssl x509 -req -in kernel.csr -CA MOK.pem -CAkey MOK.key -CAcreateserial -out kernel.pem -days 730 -sha256
+```
diff --git a/packages/linux-kernel/arch/x86/configs/vyos_defconfig b/packages/linux-kernel/arch/x86/configs/vyos_defconfig
index 7f513878..12538a9e 100644
--- a/packages/linux-kernel/arch/x86/configs/vyos_defconfig
+++ b/packages/linux-kernel/arch/x86/configs/vyos_defconfig
@@ -1,6 +1,6 @@
#
# Automatically generated file; DO NOT EDIT.
-# Linux/x86 6.6.16 Kernel Configuration
+# Linux/x86 6.6.48 Kernel Configuration
#
CONFIG_CC_VERSION_TEXT="gcc (Debian 12.2.0-14) 12.2.0"
CONFIG_CC_IS_GCC=y
@@ -15,6 +15,7 @@ CONFIG_CC_CAN_LINK=y
CONFIG_CC_CAN_LINK_STATIC=y
CONFIG_CC_HAS_ASM_GOTO_OUTPUT=y
CONFIG_CC_HAS_ASM_GOTO_TIED_OUTPUT=y
+CONFIG_GCC_ASM_GOTO_OUTPUT_WORKAROUND=y
CONFIG_TOOLS_SUPPORT_RELR=y
CONFIG_CC_HAS_ASM_INLINE=y
CONFIG_CC_HAS_NO_PROFILE_FN_ATTR=y
@@ -181,7 +182,7 @@ CONFIG_ARCH_SUPPORTS_NUMA_BALANCING=y
CONFIG_ARCH_WANT_BATCHED_UNMAP_TLB_FLUSH=y
CONFIG_CC_HAS_INT128=y
CONFIG_CC_IMPLICIT_FALLTHROUGH="-Wimplicit-fallthrough=5"
-CONFIG_GCC11_NO_ARRAY_BOUNDS=y
+CONFIG_GCC10_NO_ARRAY_BOUNDS=y
CONFIG_CC_NO_ARRAY_BOUNDS=y
CONFIG_ARCH_SUPPORTS_INT128=y
CONFIG_NUMA_BALANCING=y
@@ -193,13 +194,16 @@ CONFIG_MEMCG=y
CONFIG_MEMCG_KMEM=y
# CONFIG_BLK_CGROUP is not set
CONFIG_CGROUP_SCHED=y
+CONFIG_FAIR_GROUP_SCHED=y
CONFIG_CFS_BANDWIDTH=y
+# CONFIG_RT_GROUP_SCHED is not set
CONFIG_SCHED_MM_CID=y
CONFIG_CGROUP_PIDS=y
# CONFIG_CGROUP_RDMA is not set
# CONFIG_CGROUP_FREEZER is not set
# CONFIG_CGROUP_HUGETLB is not set
CONFIG_CPUSETS=y
+CONFIG_PROC_PID_CPUSET=y
# CONFIG_CGROUP_DEVICE is not set
CONFIG_CGROUP_CPUACCT=y
# CONFIG_CGROUP_PERF is not set
@@ -439,7 +443,6 @@ CONFIG_X86_64_ACPI_NUMA=y
CONFIG_NODES_SHIFT=6
CONFIG_ARCH_SPARSEMEM_ENABLE=y
CONFIG_ARCH_SPARSEMEM_DEFAULT=y
-# CONFIG_ARCH_MEMORY_PROBE is not set
CONFIG_ARCH_PROC_KCORE_TEXT=y
CONFIG_ILLEGAL_POINTER_VALUE=0xdead000000000000
CONFIG_X86_PMEM_LEGACY_DEVICE=y
@@ -509,7 +512,7 @@ CONFIG_CALL_PADDING=y
CONFIG_HAVE_CALL_THUNKS=y
CONFIG_CALL_THUNKS=y
CONFIG_PREFIX_SYMBOLS=y
-CONFIG_SPECULATION_MITIGATIONS=y
+CONFIG_CPU_MITIGATIONS=y
CONFIG_PAGE_TABLE_ISOLATION=y
CONFIG_RETPOLINE=y
CONFIG_RETHUNK=y
@@ -521,6 +524,8 @@ CONFIG_CPU_IBRS_ENTRY=y
CONFIG_CPU_SRSO=y
# CONFIG_SLS is not set
# CONFIG_GDS_FORCE_MITIGATION is not set
+CONFIG_MITIGATION_RFDS=y
+CONFIG_MITIGATION_SPECTRE_BHI=y
CONFIG_ARCH_HAS_ADD_PAGES=y
#
@@ -573,7 +578,6 @@ CONFIG_ACPI_TABLE_UPGRADE=y
# CONFIG_ACPI_DEBUG is not set
CONFIG_ACPI_PCI_SLOT=y
CONFIG_ACPI_CONTAINER=y
-CONFIG_ACPI_HOTPLUG_MEMORY=y
CONFIG_ACPI_HOTPLUG_IOAPIC=y
# CONFIG_ACPI_SBS is not set
CONFIG_ACPI_HED=y
@@ -686,6 +690,7 @@ CONFIG_AS_SHA256_NI=y
CONFIG_AS_TPAUSE=y
CONFIG_AS_GFNI=y
CONFIG_AS_WRUSS=y
+CONFIG_ARCH_CONFIGURES_CPU_MITIGATIONS=y
#
# General architecture-dependent options
@@ -970,13 +975,8 @@ CONFIG_HAVE_FAST_GUP=y
CONFIG_NUMA_KEEP_MEMINFO=y
CONFIG_MEMORY_ISOLATION=y
CONFIG_EXCLUSIVE_SYSTEM_RAM=y
-CONFIG_HAVE_BOOTMEM_INFO_NODE=y
CONFIG_ARCH_ENABLE_MEMORY_HOTPLUG=y
-CONFIG_ARCH_ENABLE_MEMORY_HOTREMOVE=y
-CONFIG_MEMORY_HOTPLUG=y
-# CONFIG_MEMORY_HOTPLUG_DEFAULT_ONLINE is not set
-CONFIG_MEMORY_HOTREMOVE=y
-CONFIG_MHP_MEMMAP_ON_MEMORY=y
+# CONFIG_MEMORY_HOTPLUG is not set
CONFIG_ARCH_MHP_MEMMAP_ON_MEMORY_ENABLE=y
CONFIG_SPLIT_PTLOCK_CPUS=4
CONFIG_ARCH_ENABLE_SPLIT_PMD_PTLOCK=y
@@ -989,6 +989,7 @@ CONFIG_MIGRATION=y
CONFIG_ARCH_ENABLE_HUGEPAGE_MIGRATION=y
CONFIG_ARCH_ENABLE_THP_MIGRATION=y
CONFIG_CONTIG_ALLOC=y
+CONFIG_PCP_BATCH_SCALE_MAX=5
CONFIG_PHYS_ADDR_T_64BIT=y
CONFIG_MMU_NOTIFIER=y
CONFIG_KSM=y
@@ -1020,7 +1021,6 @@ CONFIG_ARCH_HAS_PTE_DEVMAP=y
CONFIG_ARCH_HAS_ZONE_DMA_SET=y
CONFIG_ZONE_DMA=y
CONFIG_ZONE_DMA32=y
-# CONFIG_ZONE_DEVICE is not set
CONFIG_HMM_MIRROR=y
CONFIG_ARCH_USES_HIGH_VMA_FLAGS=y
CONFIG_ARCH_HAS_PKEYS=y
@@ -3075,6 +3075,7 @@ CONFIG_XEN_NETDEV_FRONTEND=m
CONFIG_XEN_NETDEV_BACKEND=m
CONFIG_VMXNET3=m
# CONFIG_FUJITSU_ES is not set
+CONFIG_USB4_NET=m
CONFIG_HYPERV_NET=m
# CONFIG_NETDEVSIM is not set
CONFIG_NET_FAILOVER=m
@@ -4201,6 +4202,7 @@ CONFIG_REGULATOR_TPS65132=m
# Graphics support
#
CONFIG_APERTURE_HELPERS=y
+CONFIG_SCREEN_INFO=y
CONFIG_VIDEO_CMDLINE=y
# CONFIG_AUXDISPLAY is not set
# CONFIG_PANEL is not set
@@ -4268,6 +4270,7 @@ CONFIG_FB_CFB_FILLRECT=y
CONFIG_FB_CFB_COPYAREA=y
CONFIG_FB_CFB_IMAGEBLIT=y
# CONFIG_FB_FOREIGN_ENDIAN is not set
+CONFIG_FB_IOMEM_FOPS=y
CONFIG_FB_IOMEM_HELPERS=y
# CONFIG_FB_MODE_HELPERS is not set
# CONFIG_FB_TILEBLITTING is not set
@@ -5008,7 +5011,6 @@ CONFIG_VIRTIO_PCI=m
CONFIG_VIRTIO_PCI_LEGACY=y
# CONFIG_VIRTIO_PMEM is not set
CONFIG_VIRTIO_BALLOON=m
-CONFIG_VIRTIO_MEM=m
CONFIG_VIRTIO_INPUT=m
CONFIG_VIRTIO_MMIO=m
CONFIG_VIRTIO_MMIO_CMDLINE_DEVICES=y
@@ -5035,8 +5037,6 @@ CONFIG_HYPERV_BALLOON=m
# Xen driver support
#
CONFIG_XEN_BALLOON=y
-CONFIG_XEN_BALLOON_MEMORY_HOTPLUG=y
-CONFIG_XEN_MEMORY_HOTPLUG_LIMIT=512
CONFIG_XEN_SCRUB_PAGES_DEFAULT=y
CONFIG_XEN_DEV_EVTCHN=m
CONFIG_XEN_BACKEND=y
@@ -5316,7 +5316,8 @@ CONFIG_IDLE_INJECT=y
CONFIG_RAS=y
# CONFIG_RAS_CEC is not set
CONFIG_USB4=m
-CONFIG_USB4_NET=m
+# CONFIG_USB4_DEBUGFS_WRITE is not set
+# CONFIG_USB4_DMA_TEST is not set
#
# Android
@@ -5638,6 +5639,7 @@ CONFIG_CRYPTO_ALGAPI=y
CONFIG_CRYPTO_ALGAPI2=y
CONFIG_CRYPTO_AEAD=y
CONFIG_CRYPTO_AEAD2=y
+CONFIG_CRYPTO_SIG=y
CONFIG_CRYPTO_SIG2=y
CONFIG_CRYPTO_SKCIPHER=y
CONFIG_CRYPTO_SKCIPHER2=y
@@ -5750,7 +5752,7 @@ CONFIG_CRYPTO_POLY1305=m
CONFIG_CRYPTO_RMD160=m
CONFIG_CRYPTO_SHA1=y
CONFIG_CRYPTO_SHA256=y
-CONFIG_CRYPTO_SHA512=m
+CONFIG_CRYPTO_SHA512=y
CONFIG_CRYPTO_SHA3=m
# CONFIG_CRYPTO_SM3_GENERIC is not set
CONFIG_CRYPTO_STREEBOG=m
@@ -6007,7 +6009,6 @@ CONFIG_SWIOTLB=y
CONFIG_SGL_ALLOC=y
CONFIG_IOMMU_HELPER=y
CONFIG_CHECK_SIGNATURE=y
-# CONFIG_FORCE_NR_CPUS is not set
CONFIG_CPU_RMAP=y
CONFIG_DQL=y
CONFIG_GLOB=y
@@ -6033,7 +6034,6 @@ CONFIG_ARCH_HAS_CPU_CACHE_INVALIDATE_MEMREGION=y
CONFIG_ARCH_HAS_UACCESS_FLUSHCACHE=y
CONFIG_ARCH_HAS_COPY_MC=y
CONFIG_ARCH_STACKWALK=y
-CONFIG_STACKDEPOT=y
CONFIG_SBITMAP=y
CONFIG_PARMAN=m
CONFIG_OBJAGG=m
@@ -6117,8 +6117,7 @@ CONFIG_HAVE_KCSAN_COMPILER=y
#
CONFIG_PAGE_EXTENSION=y
# CONFIG_DEBUG_PAGEALLOC is not set
-CONFIG_SLUB_DEBUG=y
-# CONFIG_SLUB_DEBUG_ON is not set
+# CONFIG_SLUB_DEBUG is not set
# CONFIG_PAGE_OWNER is not set
# CONFIG_PAGE_TABLE_CHECK is not set
CONFIG_PAGE_POISONING=y
@@ -6331,6 +6330,7 @@ CONFIG_X86_DEBUG_FPU=y
# CONFIG_PUNIT_ATOM_DEBUG is not set
CONFIG_UNWINDER_ORC=y
# CONFIG_UNWINDER_FRAME_POINTER is not set
+# CONFIG_UNWINDER_GUESS is not set
# end of x86 Debugging
#
diff --git a/packages/linux-kernel/build-kernel.sh b/packages/linux-kernel/build-kernel.sh
index c0a863c6..3ccb15e9 100755
--- a/packages/linux-kernel/build-kernel.sh
+++ b/packages/linux-kernel/build-kernel.sh
@@ -19,6 +19,7 @@ git reset --hard HEAD
KERNEL_VERSION=$(make kernelversion)
KERNEL_SUFFIX=-$(awk -F "= " '/kernel_flavor/ {print $2}' ../../../data/defaults.toml | tr -d \")
+KERNEL_CONFIG=arch/x86/configs/vyos_defconfig
# VyOS requires some small Kernel Patches - apply them here
# It's easier to habe them here and make use of the upstream
@@ -31,6 +32,28 @@ do
patch -p1 < ${PATCH_DIR}/${patch}
done
+TRUSTED_KEYS_FILE=trusted_keys.pem
+# start with empty key file
+echo -n "" > $TRUSTED_KEYS_FILE
+CERTS=$(ls ../../../data/live-build-config/includes.chroot/var/lib/shim-signed/mok/*.pem)
+if [ ! -z "${CERTS}" ]; then
+ # add known public keys to Kernel certificate chain
+ for file in $CERTS; do
+ cat $file >> $TRUSTED_KEYS_FILE
+ done
+
+ # Force Kernel module signing and embed public keys
+ echo "CONFIG_MODULE_SIG_FORMAT=y" >> $KERNEL_CONFIG
+ echo "CONFIG_MODULE_SIG=y" >> $KERNEL_CONFIG
+ echo "CONFIG_MODULE_SIG_FORCE=y" >> $KERNEL_CONFIG
+ echo "# CONFIG_MODULE_SIG_ALL is not set" >> $KERNEL_CONFIG
+ echo "CONFIG_MODULE_SIG_SHA512=y" >> $KERNEL_CONFIG
+ echo "CONFIG_MODULE_SIG_HASH=\"sha512\"" >> $KERNEL_CONFIG
+ echo "CONFIG_MODULE_SIG_KEY=\"\"" >> $KERNEL_CONFIG
+ echo "CONFIG_MODULE_SIG_KEY_TYPE_RSA=y" >> $KERNEL_CONFIG
+ echo "CONFIG_SYSTEM_TRUSTED_KEYS=\"$TRUSTED_KEYS_FILE\"" >> $KERNEL_CONFIG
+fi
+
echo "I: make vyos_defconfig"
# Select Kernel configuration - currently there is only one
make vyos_defconfig
diff --git a/scripts/check-qemu-install b/scripts/check-qemu-install
index 921384cc..e1fd45f1 100755
--- a/scripts/check-qemu-install
+++ b/scripts/check-qemu-install
@@ -43,6 +43,7 @@ import traceback
import logging
import re
import tomli
+import shutil
from io import BytesIO
from datetime import datetime
@@ -52,6 +53,17 @@ now = datetime.now()
tpm_folder = '/tmp/vyos_tpm_test'
qemu_name = 'VyOS-QEMU'
+# getch.py
+KEY_F2 = chr(27) + chr(91) + chr(49) + chr(50) + chr(126)
+KEY_F10 = chr(27) + chr(91) + chr(50) + chr(49) + chr(126)
+KEY_DOWN = chr(27) + chr(91) + chr(66)
+KEY_SPACE = chr(32)
+KEY_RETURN = chr(13)
+KEY_ESC = chr(27)
+KEY_Y = chr(121)
+
+mok_password = '1234'
+
parser = argparse.ArgumentParser(description='Install and start a test VyOS vm.')
parser.add_argument('iso', help='ISO file to install')
parser.add_argument('disk', help='name of disk image file', nargs='?',
@@ -78,6 +90,8 @@ parser.add_argument('--configtest', help='Execute load/commit config tests',
action='store_true', default=False)
parser.add_argument('--tpmtest', help='Execute TPM encrypted config tests',
action='store_true', default=False)
+parser.add_argument('--sbtest', help='Execute Secure Boot tests',
+ action='store_true', default=False)
parser.add_argument('--qemu-cmd', help='Only generate QEMU launch command',
action='store_true', default=False)
@@ -114,17 +128,33 @@ def get_half_cpus():
cpu /= 2
return int(cpu)
-def get_qemu_cmd(name, enable_uefi, disk_img, raid=None, iso_img=None, tpm=False, vnc_enabled=False):
+OVMF_CODE = '/usr/share/OVMF/OVMF_CODE_4M.secboot.fd'
+OVMF_VARS_TMP = args.disk.replace('.img', '.efivars')
+if args.sbtest:
+ shutil.copy('/usr/share/OVMF/OVMF_VARS_4M.ms.fd', OVMF_VARS_TMP)
+
+def get_qemu_cmd(name, enable_uefi, disk_img, raid=None, iso_img=None, tpm=False, vnc_enabled=False, secure_boot=False):
uefi = ""
uuid = "f48b60b2-e6ad-49ef-9d09-4245d0585e52"
+ machine = 'pc'
+ vga = '-vga none'
+ vnc = ''
+ if vnc_enabled:
+ vga = '-vga virtio'
+ vnc = '-vnc :0'
+
if enable_uefi:
uefi = '-bios /usr/share/OVMF/OVMF_CODE.fd'
name = f'{name}-UEFI'
- uuid = 'd27cf29e-4419-4407-8f82-dc73d1acd184'
- vga = '-vga none'
- if vnc_enabled:
- vga = ' -vga virtio -vnc :0'
+ if secure_boot:
+ name = f'{name}-SECURE-BOOT'
+ machine = 'q35,smm=on'
+
+ uefi = f'-drive "if=pflash,unit=0,format=raw,readonly=on,file={OVMF_CODE}" ' \
+ f'-drive "if=pflash,unit=1,format=raw,file={OVMF_VARS_TMP}"'
+ # Changing UEFI settings require a display
+ vga = '-vga virtio'
cdrom = ""
if iso_img:
@@ -140,12 +170,12 @@ def get_qemu_cmd(name, enable_uefi, disk_img, raid=None, iso_img=None, tpm=False
-name "{name}" \
-smp {cpucount},sockets=1,cores={cpucount},threads=1 \
-cpu host \
+ -machine {machine},accel=kvm \
{uefi} \
-m 4G \
-vga none \
-nographic \
- {vga} \
- -machine accel=kvm \
+ {vga} {vnc}\
-uuid {uuid} \
-cpu host \
{cdrom} \
@@ -280,8 +310,50 @@ def start_swtpm():
tpm_process.start()
return tpm_process
+def toggleUEFISecureBoot(c):
+ def UEFIKeyPress(c, key):
+ UEFI_SLEEP = 1
+ c.send(key)
+ time.sleep(UEFI_SLEEP)
+
+ # Enter UEFI
+ for ii in range(1, 10):
+ c.send(KEY_F2)
+ time.sleep(0.250)
+
+ time.sleep(10)
+
+ # Device Manager
+ UEFIKeyPress(c, KEY_DOWN)
+ UEFIKeyPress(c, KEY_RETURN)
+
+ # Secure Boot Configuration
+ UEFIKeyPress(c, KEY_DOWN)
+ UEFIKeyPress(c, KEY_DOWN)
+ UEFIKeyPress(c, KEY_RETURN)
+
+ # Attempt Secure Boot Toggle
+ UEFIKeyPress(c, KEY_DOWN)
+ UEFIKeyPress(c, KEY_RETURN)
+ UEFIKeyPress(c, KEY_RETURN)
+
+ # Save Secure Boot
+ UEFIKeyPress(c, KEY_F10)
+ UEFIKeyPress(c, KEY_Y)
+
+ # Go Back to Menu
+ UEFIKeyPress(c, KEY_ESC)
+ UEFIKeyPress(c, KEY_ESC)
+
+ # Go Down for reset
+ UEFIKeyPress(c, KEY_DOWN)
+ UEFIKeyPress(c, KEY_DOWN)
+ UEFIKeyPress(c, KEY_DOWN)
+ UEFIKeyPress(c, KEY_DOWN)
+ UEFIKeyPress(c, KEY_RETURN)
+
if args.qemu_cmd:
- tmp = get_qemu_cmd(qemu_name, args.uefi, args.disk, raid=diskname_raid, iso_img=args.iso, vnc_enabled=args.vnc)
+ tmp = get_qemu_cmd(qemu_name, args.uefi, args.disk, raid=diskname_raid, iso_img=args.iso, vnc_enabled=args.vnc, secure_boot=args.sbtest)
os.system(tmp)
exit(0)
@@ -292,7 +364,7 @@ try:
# Installing image to disk
#################################################
log.info('Installing system')
- cmd = get_qemu_cmd(qemu_name, args.uefi, args.disk, raid=diskname_raid, iso_img=args.iso, vnc_enabled=args.vnc)
+ cmd = get_qemu_cmd(qemu_name, args.uefi, args.disk, raid=diskname_raid, iso_img=args.iso, vnc_enabled=args.vnc, secure_boot=args.sbtest)
log.debug(f'Executing command: {cmd}')
c = pexpect.spawn(cmd, logfile=stl, timeout=60)
@@ -304,6 +376,10 @@ try:
default_user = 'vyos'
default_password = 'vyos'
+ if args.sbtest:
+ log.info('Disable UEFI Secure Boot for initial installation')
+ toggleUEFISecureBoot(c)
+
try:
c.expect('Automatic boot in', timeout=10)
c.sendline('')
@@ -348,9 +424,63 @@ try:
c.sendline('')
c.expect(op_mode_prompt)
+
+ if args.sbtest:
+ c.sendline('install mok')
+ c.expect('input password:.*')
+ c.sendline(mok_password)
+ c.expect('input password again:.*')
+ c.sendline(mok_password)
+ c.expect(op_mode_prompt)
+
log.info('system installed, rebooting')
c.sendline('reboot now')
+ #################################################
+ # SHIM Mok Manager
+ #################################################
+ if args.sbtest:
+ log.info('Install Secure Boot Machine Owner Key')
+ MOK_SLEEP = 0.5
+ c.expect('BdsDxe: starting Boot00.*')
+ time.sleep(3)
+ # press any key
+ c.send(KEY_RETURN)
+ time.sleep(MOK_SLEEP)
+
+ # Enroll MOK
+ c.send(KEY_DOWN)
+ time.sleep(MOK_SLEEP)
+ c.send(KEY_RETURN)
+ time.sleep(MOK_SLEEP)
+
+ # Continue
+ c.send(KEY_DOWN)
+ time.sleep(MOK_SLEEP)
+ c.send(KEY_RETURN)
+ time.sleep(MOK_SLEEP)
+
+ # Enroll Keys
+ c.send(KEY_DOWN)
+ time.sleep(MOK_SLEEP)
+ c.send(KEY_RETURN)
+ time.sleep(MOK_SLEEP)
+
+ c.sendline(mok_password)
+ c.send(KEY_RETURN)
+ time.sleep(MOK_SLEEP)
+
+ # Reboot
+ c.send(KEY_RETURN)
+ time.sleep(MOK_SLEEP)
+
+ #################################################
+ # Re-Enable Secure Boot
+ #################################################
+ if args.sbtest:
+ log.info('Enable UEFI Secure Boot for initial installation')
+ toggleUEFISecureBoot(c)
+
#################################################
# Removing CD installation media
#################################################
@@ -588,7 +718,6 @@ try:
log.debug(f'Executing command: {cmd}')
c = pexpect.spawn(cmd, logfile=stl)
-
#################################################
# Logging into VyOS system
#################################################
@@ -710,7 +839,10 @@ try:
tmp = 'Configtest failed :/ - check debug output'
log.error(tmp)
raise Exception(tmp)
-
+ elif args.sbtest:
+ c.sendline('show secure-boot')
+ c.expect('SecureBoot enabled')
+ c.expect(op_mode_prompt)
else:
log.info('No testcase selected!')
@@ -748,6 +880,8 @@ if not args.keep:
os.remove(args.disk)
if diskname_raid:
os.remove(diskname_raid)
+ if args.sbtest:
+ os.remove(OVMF_VARS_TMP)
except Exception:
log.error('Exception while removing diskimage!')
log.error(traceback.format_exc())
diff --git a/scripts/image-build/build-vyos-image b/scripts/image-build/build-vyos-image
index a0acd184..566c6a8b 100755
--- a/scripts/image-build/build-vyos-image
+++ b/scripts/image-build/build-vyos-image
@@ -571,7 +571,7 @@ if __name__ == "__main__":
--checksums 'sha256 md5' \
--chroot-squashfs-compression-type "{{squashfs_compression_type}}" \
--debian-installer none \
- --debootstrap-options "--variant=minbase --exclude=isc-dhcp-client,isc-dhcp-common,ifupdown --include=apt-utils,ca-certificates,gnupg2" \
+ --debootstrap-options "--variant=minbase --exclude=isc-dhcp-client,isc-dhcp-common,ifupdown --include=apt-utils,ca-certificates,gnupg2,linux-kbuild-6.1" \
--distribution {{debian_distribution}} \
--firmware-binary false \
--firmware-chroot false \
--
cgit v1.2.3
From 928c1f505b95bb4b693b9e8eac5c73185d67515f Mon Sep 17 00:00:00 2001
From: Christian Breunig <christian@breunig.cc>
Date: Sat, 14 Sep 2024 23:14:16 +0200
Subject: Docker: T861: fix warning for UID_MIN/UID_MAC out of range
Rise upper limit for UID when working in an Active Direcotry integrated
environment. This solves the warning: vyos_bld's uid 1632000007 outside of the
UID_MIN 1000 and UID_MAX 60000 range.
---
docker/Dockerfile | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/docker/Dockerfile b/docker/Dockerfile
index 40b2067d..5cc8744e 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -372,6 +372,11 @@ RUN sed "s/^%sudo.*/%sudo\tALL=(ALL) NOPASSWD:ALL/g" -i /etc/sudoers && \
RUN echo "$(opam env --root=/opt/opam --set-root)" >> /etc/skel/.bashrc && \
echo "export PATH=/opt/go/bin:\$PATH" >> /etc/skel/.bashrc
+# Rise upper limit for UID when working in an Active Direcotry integrated
+# environment. This solves the warning: vyos_bld's uid 1632000007 outside of the
+# UID_MIN 1000 and UID_MAX 60000 range.
+RUN sed -i 's/UID_MAX\t\t\t60000/UID_MAX\t\t\t2000000000/g' /etc/login.defs
+
# Cleanup
RUN rm -rf /tmp/*
--
cgit v1.2.3