Shim signing for secure boot requires enforcing lockdown. There are three ways
we can do this:
1. setting CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY=y. This unconditionally
prevents loading unsigned kernel modules.
2. setting lockdown=integrity on the kernel cmdline from a signed Grub
configuration. This would be OK, but Grub is not updated in the field right
now, so we'd be stuck.
3. incorporate the secure-boot-lockdown patches that other major distros are using.
We're going to go with 3, because this only enforces lockdown when secure boot
is actually enabled and lets us change approach later on.
These patches are sourced from Debian:
https://sources.debian.org/src/linux/6.6.13-1~bpo12%2B1/debian/patches/features/all/lockdown/.
Signed-off-by: Jeremi Piotrowski <jpiotrowski@microsoft.com>
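
The policy described in the commit message above (lockdown enforced whenever Secure Boot is enabled) can be verified on a booted system. This is an added example, not part of the commit or of the Debian patches. It assumes the standard securityfs file `/sys/kernel/security/lockdown` and the standard efivarfs `SecureBoot` variable; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: verify that kernel lockdown is active when Secure Boot is on.
# File paths are parameters so the logic can be run on constructed files.

LOCKDOWN_FILE=/sys/kernel/security/lockdown
SB_VAR=/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c

# Print the active lockdown mode, i.e. the bracketed word in the file:
# "none [integrity] confidentiality" -> "integrity".
active_lockdown() {
    sed -n 's/.*\[\([a-z]*\)].*/\1/p' "$1" 2>/dev/null
}

# Print 1 if the SecureBoot EFI variable reports "enabled", otherwise 0.
# An efivarfs file holds 4 attribute bytes followed by the data (one byte here).
# A missing file (legacy BIOS boot, efivarfs not mounted) counts as disabled.
secure_boot_enabled() {
    v=$(od -An -tu1 -j4 -N1 "$1" 2>/dev/null | tr -d ' \n')
    [ "$v" = "1" ] && echo 1 || echo 0
}

# Return 0 when the state matches the policy, 1 when Secure Boot is enabled
# but lockdown is "none" or cannot be read.
check_lockdown_policy() {
    mode=$(active_lockdown "$1")
    sb=$(secure_boot_enabled "$2")
    echo "secure_boot=$sb lockdown=${mode:-unknown}"
    if [ "$sb" = "1" ]; then
        case "$mode" in
            integrity|confidentiality) return 0 ;;
            *) return 1 ;;
        esac
    fi
    return 0
}

# Run against the live system only when asked to: ./script.sh --check
if [ "${1:-}" = "--check" ]; then
    check_lockdown_policy "$LOCKDOWN_FILE" "$SB_VAR"
    exit $?
fi
```

A non-zero exit from `--check` means Secure Boot is on while unsigned module loading is still possible, which is the condition the three options above are meant to rule out.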
This change adds the Azure and HyperV OEM "hv-daemons" to board-packages
so build_packages.sh will actually build these. This un-breaks a build
issue with the Azure and HyperV images.
Signed-off-by: Thilo Fromm <thilofromm@microsoft.com>
* oem-azure: add hyperv daemons
This change adds hyperv daemons hv_fcopy, hv_kvp, and hv_vss to the
Azure and HyperV OEM sysexts. hv_kvp specifically is needed to submit OS version
information to the Azure hypervisor.
The daemons, though userspace programs, are built from the kernel sources
as they are included in the Linux kernel.
As the ebuild is (somewhat) kernel specific, it should be updated when the kernel
is updated. Respective additions have been made to the kernel update GitHub actions
automation.
Signed-off-by: Thilo Fromm <thilofromm@microsoft.com>
Co-authored-by: Mathieu Tortuyaux <mtortuyaux@microsoft.com>
We can now use Gentoo's upstream ebuild, save for a few small overrides
in a separate env file.
This bumps GRUB from 2.06 to 2.12. The existing two Flatcar patches have
been rebased.
Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
Mask split-usr globally, not only for generic images. Move some SDK
only USE flags to SDK target profile (cros_host, expat). Drop
duplicated disabling of cups USE flag.
The initial goals of this commit were:
- drop symlink-usr USE flag and keep the code paths where symlink-usr
was evaluated to true,
- make sbin a symlink to its bin counterpart, effectively doing the
merged-sbin process too
- unify filesystem layouts of the SDK and generic images.
But over the course, more changes have accumulated:
- use EAPI 8,
- drop the check_sym function - it never worked due to typos
(real_path and real_value versus read_path and read_value),
- do the SDK-specific or generic-image-specific customizations in the
src_prepare phase,
- follow the changes made in the baselayout repository:
  - remove unnecessary tmpfiles.d conf files instead of fiddling with
    sed to edit them:
    - in the baselayout repo, the conf files were split to make it
      possible,
  - use tmpfiles.d to create core home directory:
    - used to be done differently for generic images and for SDKs,
  - use dumb-tmpfiles-proc.sh instead of systemd's tmpfile processor:
    - this removes the need to install valid passwd and group files
      into /etc before,
    - also it seems to be fixing some issues with installing files for
      users and groups that weren't there anyway,
- drop generating of baselayout-usr in src_compile, and creating
  debug directories in pkg_preinst, these are handled by the
  Makefile now
  - this made inheriting systemd and tmpfiles eclasses unnecessary
- install files in the src_install phase and install the directory
  structure in the pkg_preinst phase:
  - empty directories created in src_install are not guaranteed to be
    preserved, and indeed at some point /usr/local/bin was not
    installed on the final rootfs,
- currently installed /etc/passwd and /etc/group are now empty
- drop DEPEND variable entirely - systemd isn't really needed, I don't
know what was the point of depending on libidn2, and the rest were
conflicts with some old versions of packages.