This config enables the syscall tracepoints which are mainly used by
different security and observability tools.
The config was moved to common, so it's removed from the AMD64 only
config.
Signed-off-by: Jon Doron <jond@wiz.io>
systemd-journal's Forward Secure Sealing feature requires gcrypt, but
Flatcar doesn't need it.
Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
Again, zstd is faster but we're getting seriously short on space. Unlike
the kernel itself, this applies to both amd64 and arm64.
Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
This is the GPRS Tunneling Protocol datapath for usage in telecoms
scenarios. It has been requested by a user.
Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
Giving the --best or -9 option results in a heavier decompression cost
with no gain on such small files.
Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
Secure Boot prevents you from loading additional modules so remove them
to save space. These modules could be useful for debugging with Secure
Boot disabled, but manually copying the modules with debug symbols is
even more useful and not that difficult.
Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
edk2-bin now supports multiple platforms, including QEMU on arm64, so we
no longer need to use Fedora's build. Note that the Secure Boot
implementation is currently insecure as it lacks SMM, which is needed to
protect the EFI variable store.
Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
The new arm64 firmware supporting Secure Boot (see next commit) is in
QCOW2 format only, avoiding the extra space taken up by the 64MB
padding. Supporting both raw and QCOW2 images would be messy, so switch
entirely to QCOW2.
Only the 4MB images are in QCOW2 format on amd64, so also switch away
from the 2MB images. 4MB images are now the default for most
distributions as they are needed to apply certain Windows updates.
Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
We initially thought we would need Red Hat's patch set. Then it looked
like we wouldn't because the TPM Event Log appeared to work without it.
We later discovered that on amd64, it only works with Secure Boot
disabled. The patch set also fixes Secure Boot on arm64, which would
have otherwise needed a couple of patches from Canonical.
We have to drop Gentoo's patches because they conflict, but they don't
affect Flatcar anyway.
Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
* oem-azure: add hyperv daemons
This change adds hyperv daemons hv_fcopy, hv_kvp, and hv_vss to the
Azure and HyperV OEM sysexts. hv_kvp specifically is needed to submit OS version
information to the Azure hypervisor.
The daemons, tough userspace programs, are built from the kernel sources
as they are included in the Linux kernel.
As the ebuild is (somewhat) kernel specific, it should be updated when the kernel
is updated. Respective additions have been made to the kernel update GitHub actions
automation.
Signed-off-by: Thilo Fromm <thilofromm@microsoft.com>
Co-authored-by: Mathieu Tortuyaux <mtortuyaux@microsoft.com>
Landlock is a feature to create security sandboxes thanks to 3 dedicated
system calls. They are designed to be safe to used by any processes,
which can only drop their privileges, similarly to seccomp.
The new Landlock LSM is build in the kernel (CONFIG_SECURITY_LANDLOCK=y)
but it is not enough to make it usable by default. As a stackable LSM,
it is required to enable it at boot time with the CONFIG_LSM list. See
https://docs.kernel.org/userspace-api/landlock.html#kernel-support
As for other stackable LSMs, prepending Landlock to the default LSM list
enables users to potentially get more protection by default by letting
programs sandbox themselves.
As a dependency, CONFIG_SECURITY_PATH=y will be automatically set.
Signed-off-by: Mickaël Salaün <mic@digikod.net>
Catalyst 4 has totally changed the way repositories are handled. It only
works when the name of the directory containing the repository matches
the configured name of that repository. This was not the case for us,
with the coreos repository residing in the coreos-overlay directory. We
wanted to move and rename our repositories anyway, but this is a big
change, so we'll do separately. For now, this just renames coreos to
coreos-overlay.
Catalyst 4 also ingests the main repository snapshot as a squashfs
rather than a tarball. It features a utility to generate such a
snapshot, but it doesn't fit Flatcar well, particularly because it
expects each ebuild repository to reside at the top level of its own git
repository. It was very easy to call tar2sqfs manually though.
Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
Change `flatcar-openstack-hostname.service` to use afterburn `openstack` provider implemented on coreos/afterburn#462 instead of `openstack-metadata`.
BootEngine PR: flatcar/bootengine#96
Enabled user session dbus in base image to support podman rootless mode.
Extension images can now be created from multiple packages by seperating
them with a comma. The podman sysext includes app-containers/podman and
net-misc/passt.
It can be enabled by adding podman to /etc/flatcar/enabled-sysext.conf.
Potential TODO: gpgme had to be added as BDEPEND to podman ebuild.
