Merge pull request #763 from c-po/secure-boot

T861: add UEFI Secure Boot support

.gitignore

@@ -5,6 +5,8 @@ packer_cache/*
 key/*
 packages/*
 !packages/*/
-testinstall*.img
-*.qcow2
-*.tar
+data/live-build-config/includes.chroot/var/lib/shim-signed/mok/*
+/testinstall*.img
+/testinstall*.efivars
+/*.qcow2
+/*.tar

Makefile

@@ -21,12 +21,12 @@ checkiso:
 .PHONY: test
 .ONESHELL:
 test: checkiso
- scripts/check-qemu-install --debug --configd --match="$(MATCH)" --uefi build/live-image-amd64.hybrid.iso
+ scripts/check-qemu-install --debug --configd --match="$(MATCH)" --smoketest --uefi build/live-image-amd64.hybrid.iso $(filter-out $@,$(MAKECMDGOALS))
 
 .PHONY: test-no-interfaces
 .ONESHELL:
 test-no-interfaces: checkiso
- scripts/check-qemu-install --debug --configd --match="$(MATCH)" --uefi --no-interfaces build/live-image-amd64.hybrid.iso
+ scripts/check-qemu-install --debug --configd --match="$(MATCH)" --smoketest --uefi --no-interfaces build/live-image-amd64.hybrid.iso
 
 .PHONY: testc
 .ONESHELL:
@@ -36,7 +36,12 @@ testc: checkiso
 .PHONY: testraid
 .ONESHELL:
 testraid: checkiso
- scripts/check-qemu-install --debug --configd --raid --configtest build/live-image-amd64.hybrid.iso $(filter-out $@,$(MAKECMDGOALS))
+ scripts/check-qemu-install --debug --configd --raid build/live-image-amd64.hybrid.iso $(filter-out $@,$(MAKECMDGOALS))
+
+.PHONY: testsb
+.ONESHELL:
+testsb: checkiso
+ scripts/check-qemu-install --debug --uefi --sbtest build/live-image-amd64.hybrid.iso $(filter-out $@,$(MAKECMDGOALS))
 
 .PHONY: testtpm
 .ONESHELL:

data/architectures/amd64.toml

@@ -2,8 +2,6 @@ additional_repositories = [
  "deb [arch=amd64] https://repo.saltproject.io/py3/debian/11/amd64/3005 bullseye main"
 ]
 
-kernel_flavor = "amd64-vyos"
-
 # Packages added to images for x86 by default
 packages = [
  "grub2",

data/architectures/arm64.toml

@@ -2,8 +2,6 @@ additional_repositories = [
  "deb [arch=arm64] https://repo.saltproject.io/py3/debian/11/arm64/3005 bullseye main"
 ]
 
-kernel_flavor = "arm64-vyos"
-
 # Packages included in ARM64 images by default
 packages = [
  "grub-efi-arm64",

data/defaults.toml

@@ -14,7 +14,8 @@ vyos_mirror = "https://rolling-packages.vyos.net/current"
 vyos_branch = "current"
 release_train = "current"
 
-kernel_version = "6.6.49"
+kernel_version = "6.6.51"
+kernel_flavor = "vyos"
 bootloaders = "syslinux,grub-efi"
 
 squashfs_compression_type = "xz -Xbcj x86 -b 256k -always-use-fragments -no-recovery"

data/live-build-config/hooks/live/93-sign-kernel.chroot

@@ -0,0 +1,18 @@
+#!/bin/sh
+SIGN_FILE=$(find /usr/lib -name sign-file)
+MOK_KEY="/var/lib/shim-signed/mok/kernel.key"
+MOK_CERT="/var/lib/shim-signed/mok/kernel.pem"
+kernel_elf=$(readlink /boot/vmlinuz)
+
+if [ ! -f ${MOK_KEY} ]; then
+ echo "I: Signing key for Linux Kernel not found - Secure Boot not possible"
+else
+ echo "I: Signing Linux Kernel for Secure Boot"
+
+ sbsign --key $MOK_KEY --cert $MOK_CERT /boot/${kernel_elf} --output /boot/${kernel_elf}
+ sbverify --list /boot/${kernel_elf}
+
+ find /lib/modules -type f -name \*.ko -o -name \*.ko.xz | while read module; do
+ $SIGN_FILE sha512 $MOK_KEY $MOK_CERT $module
+ done
+fi

data/live-build-config/includes.chroot/var/lib/shim-signed/mok/README.md

@@ -0,0 +1,22 @@
+# Secure Boot
+
+## CA
+
+Create Certificate Authority used for Kernel signing. CA is loaded into the
+Machine Owner Key store on the target system.
+
+```bash
+openssl req -new -x509 -newkey rsa:2048 -keyout MOK.key -outform DER -out MOK.der -days 36500 -subj "/CN=VyOS Secure Boot CA/" -nodes
+openssl x509 -inform der -in MOK.der -out MOK.pem
+```
+
+## Kernel Module Signing Key
+
+We do not make use of ephemeral keys for Kernel module signing. Instead a key
+is generated and signed by the VyOS Secure Boot CA which signs all the Kernel
+modules during ISO assembly if present.
+
+```bash
+openssl req -newkey rsa:2048 -keyout kernel.key -out kernel.csr -subj "/CN=VyOS Secure Boot Signer 2024 - linux/" -nodes
+openssl x509 -req -in kernel.csr -CA MOK.pem -CAkey MOK.key -CAcreateserial -out kernel.pem -days 730 -sha256
+```

docker/Dockerfile

@@ -372,6 +372,11 @@ RUN sed "s/^%sudo.*/%sudo\tALL=(ALL) NOPASSWD:ALL/g" -i /etc/sudoers && \
 RUN echo "$(opam env --root=/opt/opam --set-root)" >> /etc/skel/.bashrc && \
  echo "export PATH=/opt/go/bin:\$PATH" >> /etc/skel/.bashrc
 
+# Rise upper limit for UID when working in an Active Direcotry integrated
+# environment. This solves the warning: vyos_bld's uid 1632000007 outside of the
+# UID_MIN 1000 and UID_MAX 60000 range.
+RUN sed -i 's/UID_MAX\t\t\t60000/UID_MAX\t\t\t2000000000/g' /etc/login.defs
+
 # Cleanup
 RUN rm -rf /tmp/*
 

packages/linux-kernel/Jenkinsfile

@@ -63,7 +63,7 @@ def pkgList = [
  ['name': 'ixgbevf', 'buildCmd': 'cd ..; ./build-intel-ixgbevf.sh'],
 
  // Mellanox OFED
- ['name': 'ofed', 'buildCmd': 'cd ..; ./build-mellanox-ofed.sh'],
+ ['name': 'ofed', 'buildCmd': 'cd ..; sudo ./build-mellanox-ofed.sh'],
 
  // Jool
  ['name': 'jool', 'buildCmd': 'cd ..; ./build-jool.py'],

packages/linux-kernel/arch/x86/configs/vyos_defconfig

@@ -1,6 +1,6 @@
 #
 # Automatically generated file; DO NOT EDIT.
-# Linux/x86 6.6.16 Kernel Configuration
+# Linux/x86 6.6.48 Kernel Configuration
 #
 CONFIG_CC_VERSION_TEXT="gcc (Debian 12.2.0-14) 12.2.0"
 CONFIG_CC_IS_GCC=y
@@ -15,6 +15,7 @@ CONFIG_CC_CAN_LINK=y
 CONFIG_CC_CAN_LINK_STATIC=y
 CONFIG_CC_HAS_ASM_GOTO_OUTPUT=y
 CONFIG_CC_HAS_ASM_GOTO_TIED_OUTPUT=y
+CONFIG_GCC_ASM_GOTO_OUTPUT_WORKAROUND=y
 CONFIG_TOOLS_SUPPORT_RELR=y
 CONFIG_CC_HAS_ASM_INLINE=y
 CONFIG_CC_HAS_NO_PROFILE_FN_ATTR=y
@@ -181,7 +182,7 @@ CONFIG_ARCH_SUPPORTS_NUMA_BALANCING=y
 CONFIG_ARCH_WANT_BATCHED_UNMAP_TLB_FLUSH=y
 CONFIG_CC_HAS_INT128=y
 CONFIG_CC_IMPLICIT_FALLTHROUGH="-Wimplicit-fallthrough=5"
-CONFIG_GCC11_NO_ARRAY_BOUNDS=y
+CONFIG_GCC10_NO_ARRAY_BOUNDS=y
 CONFIG_CC_NO_ARRAY_BOUNDS=y
 CONFIG_ARCH_SUPPORTS_INT128=y
 CONFIG_NUMA_BALANCING=y
@@ -193,13 +194,16 @@ CONFIG_MEMCG=y
 CONFIG_MEMCG_KMEM=y
 # CONFIG_BLK_CGROUP is not set
 CONFIG_CGROUP_SCHED=y
+CONFIG_FAIR_GROUP_SCHED=y
 CONFIG_CFS_BANDWIDTH=y
+# CONFIG_RT_GROUP_SCHED is not set
 CONFIG_SCHED_MM_CID=y
 CONFIG_CGROUP_PIDS=y
 # CONFIG_CGROUP_RDMA is not set
 # CONFIG_CGROUP_FREEZER is not set
 # CONFIG_CGROUP_HUGETLB is not set
 CONFIG_CPUSETS=y
+CONFIG_PROC_PID_CPUSET=y
 # CONFIG_CGROUP_DEVICE is not set
 CONFIG_CGROUP_CPUACCT=y
 # CONFIG_CGROUP_PERF is not set
@@ -439,7 +443,6 @@ CONFIG_X86_64_ACPI_NUMA=y
 CONFIG_NODES_SHIFT=6
 CONFIG_ARCH_SPARSEMEM_ENABLE=y
 CONFIG_ARCH_SPARSEMEM_DEFAULT=y
-# CONFIG_ARCH_MEMORY_PROBE is not set
 CONFIG_ARCH_PROC_KCORE_TEXT=y
 CONFIG_ILLEGAL_POINTER_VALUE=0xdead000000000000
 CONFIG_X86_PMEM_LEGACY_DEVICE=y
@@ -509,7 +512,7 @@ CONFIG_CALL_PADDING=y
 CONFIG_HAVE_CALL_THUNKS=y
 CONFIG_CALL_THUNKS=y
 CONFIG_PREFIX_SYMBOLS=y
-CONFIG_SPECULATION_MITIGATIONS=y
+CONFIG_CPU_MITIGATIONS=y
 CONFIG_PAGE_TABLE_ISOLATION=y
 CONFIG_RETPOLINE=y
 CONFIG_RETHUNK=y
@@ -521,6 +524,8 @@ CONFIG_CPU_IBRS_ENTRY=y
 CONFIG_CPU_SRSO=y
 # CONFIG_SLS is not set
 # CONFIG_GDS_FORCE_MITIGATION is not set
+CONFIG_MITIGATION_RFDS=y
+CONFIG_MITIGATION_SPECTRE_BHI=y
 CONFIG_ARCH_HAS_ADD_PAGES=y
 
 #
@@ -573,7 +578,6 @@ CONFIG_ACPI_TABLE_UPGRADE=y
 # CONFIG_ACPI_DEBUG is not set
 CONFIG_ACPI_PCI_SLOT=y
 CONFIG_ACPI_CONTAINER=y
-CONFIG_ACPI_HOTPLUG_MEMORY=y
 CONFIG_ACPI_HOTPLUG_IOAPIC=y
 # CONFIG_ACPI_SBS is not set
 CONFIG_ACPI_HED=y
@@ -687,6 +691,7 @@ CONFIG_AS_SHA256_NI=y
 CONFIG_AS_TPAUSE=y
 CONFIG_AS_GFNI=y
 CONFIG_AS_WRUSS=y
+CONFIG_ARCH_CONFIGURES_CPU_MITIGATIONS=y
 
 #
 # General architecture-dependent options
@@ -971,13 +976,8 @@ CONFIG_HAVE_FAST_GUP=y
 CONFIG_NUMA_KEEP_MEMINFO=y
 CONFIG_MEMORY_ISOLATION=y
 CONFIG_EXCLUSIVE_SYSTEM_RAM=y
-CONFIG_HAVE_BOOTMEM_INFO_NODE=y
 CONFIG_ARCH_ENABLE_MEMORY_HOTPLUG=y
-CONFIG_ARCH_ENABLE_MEMORY_HOTREMOVE=y
-CONFIG_MEMORY_HOTPLUG=y
-# CONFIG_MEMORY_HOTPLUG_DEFAULT_ONLINE is not set
-CONFIG_MEMORY_HOTREMOVE=y
-CONFIG_MHP_MEMMAP_ON_MEMORY=y
+# CONFIG_MEMORY_HOTPLUG is not set
 CONFIG_ARCH_MHP_MEMMAP_ON_MEMORY_ENABLE=y
 CONFIG_SPLIT_PTLOCK_CPUS=4
 CONFIG_ARCH_ENABLE_SPLIT_PMD_PTLOCK=y
@@ -990,6 +990,7 @@ CONFIG_MIGRATION=y
 CONFIG_ARCH_ENABLE_HUGEPAGE_MIGRATION=y
 CONFIG_ARCH_ENABLE_THP_MIGRATION=y
 CONFIG_CONTIG_ALLOC=y
+CONFIG_PCP_BATCH_SCALE_MAX=5
 CONFIG_PHYS_ADDR_T_64BIT=y
 CONFIG_MMU_NOTIFIER=y
 CONFIG_KSM=y
@@ -1021,7 +1022,6 @@ CONFIG_ARCH_HAS_PTE_DEVMAP=y
 CONFIG_ARCH_HAS_ZONE_DMA_SET=y
 CONFIG_ZONE_DMA=y
 CONFIG_ZONE_DMA32=y
-# CONFIG_ZONE_DEVICE is not set
 CONFIG_HMM_MIRROR=y
 CONFIG_ARCH_USES_HIGH_VMA_FLAGS=y
 CONFIG_ARCH_HAS_PKEYS=y
@@ -3076,6 +3076,7 @@ CONFIG_XEN_NETDEV_FRONTEND=m
 CONFIG_XEN_NETDEV_BACKEND=m
 CONFIG_VMXNET3=m
 # CONFIG_FUJITSU_ES is not set
+CONFIG_USB4_NET=m
 CONFIG_HYPERV_NET=m
 # CONFIG_NETDEVSIM is not set
 CONFIG_NET_FAILOVER=m
@@ -4202,6 +4203,7 @@ CONFIG_REGULATOR_TPS65132=m
 # Graphics support
 #
 CONFIG_APERTURE_HELPERS=y
+CONFIG_SCREEN_INFO=y
 CONFIG_VIDEO_CMDLINE=y
 # CONFIG_AUXDISPLAY is not set
 # CONFIG_PANEL is not set
@@ -4269,6 +4271,7 @@ CONFIG_FB_CFB_FILLRECT=y
 CONFIG_FB_CFB_COPYAREA=y
 CONFIG_FB_CFB_IMAGEBLIT=y
 # CONFIG_FB_FOREIGN_ENDIAN is not set
+CONFIG_FB_IOMEM_FOPS=y
 CONFIG_FB_IOMEM_HELPERS=y
 # CONFIG_FB_MODE_HELPERS is not set
 # CONFIG_FB_TILEBLITTING is not set
@@ -5009,7 +5012,6 @@ CONFIG_VIRTIO_PCI=m
 CONFIG_VIRTIO_PCI_LEGACY=y
 # CONFIG_VIRTIO_PMEM is not set
 CONFIG_VIRTIO_BALLOON=m
-CONFIG_VIRTIO_MEM=m
 CONFIG_VIRTIO_INPUT=m
 CONFIG_VIRTIO_MMIO=m
 CONFIG_VIRTIO_MMIO_CMDLINE_DEVICES=y
@@ -5036,8 +5038,6 @@ CONFIG_HYPERV_BALLOON=m
 # Xen driver support
 #
 CONFIG_XEN_BALLOON=y
-CONFIG_XEN_BALLOON_MEMORY_HOTPLUG=y
-CONFIG_XEN_MEMORY_HOTPLUG_LIMIT=512
 CONFIG_XEN_SCRUB_PAGES_DEFAULT=y
 CONFIG_XEN_DEV_EVTCHN=m
 CONFIG_XEN_BACKEND=y
@@ -5317,7 +5317,8 @@ CONFIG_IDLE_INJECT=y
 CONFIG_RAS=y
 # CONFIG_RAS_CEC is not set
 CONFIG_USB4=m
-CONFIG_USB4_NET=m
+# CONFIG_USB4_DEBUGFS_WRITE is not set
+# CONFIG_USB4_DMA_TEST is not set
 
 #
 # Android
@@ -5639,6 +5640,7 @@ CONFIG_CRYPTO_ALGAPI=y
 CONFIG_CRYPTO_ALGAPI2=y
 CONFIG_CRYPTO_AEAD=y
 CONFIG_CRYPTO_AEAD2=y
+CONFIG_CRYPTO_SIG=y
 CONFIG_CRYPTO_SIG2=y
 CONFIG_CRYPTO_SKCIPHER=y
 CONFIG_CRYPTO_SKCIPHER2=y
@@ -5751,7 +5753,7 @@ CONFIG_CRYPTO_POLY1305=m
 CONFIG_CRYPTO_RMD160=m
 CONFIG_CRYPTO_SHA1=y
 CONFIG_CRYPTO_SHA256=y
-CONFIG_CRYPTO_SHA512=m
+CONFIG_CRYPTO_SHA512=y
 CONFIG_CRYPTO_SHA3=m
 # CONFIG_CRYPTO_SM3_GENERIC is not set
 CONFIG_CRYPTO_STREEBOG=m
@@ -6008,7 +6010,6 @@ CONFIG_SWIOTLB=y
 CONFIG_SGL_ALLOC=y
 CONFIG_IOMMU_HELPER=y
 CONFIG_CHECK_SIGNATURE=y
-# CONFIG_FORCE_NR_CPUS is not set
 CONFIG_CPU_RMAP=y
 CONFIG_DQL=y
 CONFIG_GLOB=y
@@ -6034,7 +6035,6 @@ CONFIG_ARCH_HAS_CPU_CACHE_INVALIDATE_MEMREGION=y
 CONFIG_ARCH_HAS_UACCESS_FLUSHCACHE=y
 CONFIG_ARCH_HAS_COPY_MC=y
 CONFIG_ARCH_STACKWALK=y
-CONFIG_STACKDEPOT=y
 CONFIG_SBITMAP=y
 CONFIG_PARMAN=m
 CONFIG_OBJAGG=m
@@ -6118,8 +6118,7 @@ CONFIG_HAVE_KCSAN_COMPILER=y
 #
 CONFIG_PAGE_EXTENSION=y
 # CONFIG_DEBUG_PAGEALLOC is not set
-CONFIG_SLUB_DEBUG=y
-# CONFIG_SLUB_DEBUG_ON is not set
+# CONFIG_SLUB_DEBUG is not set
 # CONFIG_PAGE_OWNER is not set
 # CONFIG_PAGE_TABLE_CHECK is not set
 CONFIG_PAGE_POISONING=y
@@ -6332,6 +6331,7 @@ CONFIG_X86_DEBUG_FPU=y
 # CONFIG_PUNIT_ATOM_DEBUG is not set
 CONFIG_UNWINDER_ORC=y
 # CONFIG_UNWINDER_FRAME_POINTER is not set
+# CONFIG_UNWINDER_GUESS is not set
 # end of x86 Debugging
 
 #

packages/linux-kernel/build-intel-ixgbe.sh

@@ -105,3 +105,6 @@ fi
 if [ -d ${DEBIAN_DIR} ]; then
  rm -rf ${DEBIAN_DIR}
 fi
+if [ -f ${DEBIAN_POSTINST} ]; then
+ rm -f ${DEBIAN_POSTINST}
+fi

packages/linux-kernel/build-intel-ixgbevf.sh

@@ -97,4 +97,6 @@ fi
 if [ -d ${DEBIAN_DIR} ]; then
  rm -rf ${DEBIAN_DIR}
 fi
-
+if [ -f ${DEBIAN_POSTINST} ]; then
+ rm -f ${DEBIAN_POSTINST}
+fi

packages/linux-kernel/build-intel-qat.sh

@@ -109,3 +109,6 @@ fi
 if [ -d ${DEBIAN_DIR} ]; then
  rm -rf ${DEBIAN_DIR}
 fi
+if [ -f ${DEBIAN_POSTINST} ]; then
+ rm -f ${DEBIAN_POSTINST}
+fi

packages/linux-kernel/build-jool.py

@@ -29,9 +29,8 @@ def add_depends(package_dir: str, package_name: str,
 # find kernel version and source path
 arch: str = find_arch()
 defaults_file: str = Path('../../data/defaults.toml').read_text()
-architecture_file: str = Path(f'../../data/architectures/{arch}.toml').read_text()
 KERNEL_VER: str = toml_loads(defaults_file).get('kernel_version')
-KERNEL_FLAVOR: str = toml_loads(architecture_file).get('kernel_flavor')
+KERNEL_FLAVOR: str = toml_loads(defaults_file).get('kernel_flavor')
 KERNEL_SRC: str = Path.cwd().as_posix() + '/linux'
 
 # define variables