the signed template together with the binary package(s) containing the unsigned
files form the input to our secure boot signing service.
the signed template consists of
- files.json (specifying which files are signed how and by which key)
- packaging template used to build the signed package(s)
the signing service
- extracts and checks the signed-template binary package
- extracts the unsigned package(s)
- signs the needed files
- packs up the signatures + the template contained in the signed-template
package into the signed source package
the signed source package can then be built in the regular fashion (in case of
the kernel packages, it will copy the kernel image, modules and some helper
files from the unsigned package, attach the signature created by the signing
service, and re-pack the result as signed-kernel package).
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
this is required for secure boot support.
at build time, an ephemeral key pair will be generated and all built modules
will be signed with it. the private key is discarded, and the public key
embedded in the kernel image for signature validation at module load time.
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
but allow discarding BTF information when loading modules, so that upgrades
which are otherwise ABI compatible still work. this allows using BTF
information when matching and available, while degrading gracefully if the
currently running kernel is not identical to the one that module was built for.
in case of a mismatch, the kernel will log a warning when loading the module,
for example:
Jan 30 13:57:58 test kernel: BPF: type_id=184 bits_offset=4096
Jan 30 13:57:58 test kernel: BPF:
Jan 30 13:57:58 test kernel: BPF: Invalid name
Jan 30 13:57:58 test kernel: BPF:
Jan 30 13:57:58 test kernel: failed to validate module [bonding] BTF: -22
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
This is provdied by both initramfs-tools and dracut.
Required to be able to use dracut in place of
initramfs-tools.
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
same info but shorter, avoiding cut-off on `uname -a` output due to
the relatively newly changed and reported "SMP PREEMPT_DYNAMIC" mode.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Useless since 5.5 and will fail build with 5.16+, see upstream linux
commit 7ecaf069da52 and 4fbce819337a for some details
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
we cannot make this a built-in easily due to kconfig dependency
resolution.
We'll handle the availability in initrd with a initramfs modules.d
snippet shipped by the meta package,
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
