From fd737172f1068870fe1ededbe9b2ed4a86663acd Mon Sep 17 00:00:00 2001
From: Christian Breunig
Date: Wed, 4 Sep 2024 21:37:11 +0200
Subject: T861: add UEFI Secure Boot support

This adds support for UEFI Secure Boot. It adds the missing pieces to the Linux Kernel and enforces module signing. This results in an additional security layer where untrusted (unsigned) Kernel modules can no longer be loaded into the live system. NOTE: This commit will not work unless signing keys are present. Arbitrary keys can be generated using instructions found in: data/live-build-config/includes.chroot/var/lib/shim-signed/mok/README.md
---
 scripts/image-build/build-vyos-image | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'scripts/image-build/build-vyos-image')
diff --git a/scripts/image-build/build-vyos-image b/scripts/image-build/build-vyos-image
index a0acd184..566c6a8b 100755
--- a/scripts/image-build/build-vyos-image
+++ b/scripts/image-build/build-vyos-image
@@ -571,7 +571,7 @@ if __name__ == "__main__":
 --checksums 'sha256 md5' \
 --chroot-squashfs-compression-type "{{squashfs_compression_type}}" \
 --debian-installer none \
- --debootstrap-options "--variant=minbase --exclude=isc-dhcp-client,isc-dhcp-common,ifupdown --include=apt-utils,ca-certificates,gnupg2" \
+ --debootstrap-options "--variant=minbase --exclude=isc-dhcp-client,isc-dhcp-common,ifupdown --include=apt-utils,ca-certificates,gnupg2,linux-kbuild-6.1" \
 --distribution {{debian_distribution}} \
 --firmware-binary false \
 --firmware-chroot false \
-- 
cgit v1.2.3
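Review bot: The new `--include` list on the `--debootstrap-options` line hard-codes the kernel series in the package name `linux-kbuild-6.1`, while neighbouring options use template placeholders such as `{{debian_distribution}}` and `{{squashfs_compression_type}}`. If the kernel is later moved to another series and this string is not bumped with it, the bootstrap will pull kbuild tooling that no longer matches the kernel, and the module-signing step the commit message describes may break or fail in a non-obvious way. Nothing at this line says why a kbuild package belongs in a minbase bootstrap, so I would add a Python comment above the command template (the template string starts and ends outside this hunk), for example `# linux-kbuild-6.1: presumably needed for Secure Boot module signing; keep in sync with the kernel series`. Because packages added through debootstrap stay in the chroot, it is also worth confirming whether this build-time tooling ends up in the shipped image, and purging it in a later hook if it is only needed during the build.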