We will bump this every time we or Gentoo change patches that modify
parts of GRUB that are installed to the boot partition. We will reset
the version back to 1 when the upstream GRUB version changes.

Without this, we are bound by Gentoo's PVR string, which we cannot
change when we need to make changes to our own patches. The shim review
wants to know the full version number of our GRUB build, and it would
look bad to make such changes without changing the version.

This suffix is also applied to the Flatcar entry in the SBAT, which is
especially important for the shim review.

The published binary package will still be labelled with the Gentoo PVR,
but that seems less important given that end users cannot update
individual packages on Flatcar installations.
Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
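The commit above mentions the Flatcar entry in GRUB's SBAT section. As an added illustration (not code from Flatcar or from the commit), the following parses an SBAT CSV section, validates its shape, and applies the generation-based revocation rule that shim uses: a binary is rejected when any listed component's generation is below the minimum in the revocation policy, while the vendor_version field (where a distro-specific suffix lands) is informational and does not take part in the check. The SBAT text, the distro entry and the policy are constructed samples with placeholder values, not Flatcar's real entries.

```python
"""Parse a GRUB .sbat section and evaluate it against a revocation policy."""
import csv
from io import StringIO

# Constructed sample of what a GRUB build embeds in its .sbat section.
# The third line mirrors the "upstream version plus distro suffix" pattern
# from the commit message, using placeholder vendor values only.
SAMPLE_SBAT = """\
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
grub,4,Free Software Foundation,grub,2.12,https://www.gnu.org/software/grub/
grub.example-distro,1,Example Distro,grub,2.12-r3-suffix2,https://example.invalid/grub
"""

# Constructed revocation policy in the style of shim's SbatLevel data:
# a component name followed by the minimum generation still allowed to boot.
SAMPLE_POLICY = """\
sbat,1,2024010900
grub,4
"""

FIELDS = ("component_name", "component_generation", "vendor_name",
          "vendor_package_name", "vendor_version", "vendor_url")


def parse_sbat(text):
    """Return a list of dicts, one per SBAT entry, after validating the CSV layout."""
    entries = []
    for lineno, row in enumerate(csv.reader(StringIO(text)), 1):
        if not row:  # tolerate a trailing blank line
            continue
        if len(row) != len(FIELDS):
            raise ValueError(f"line {lineno}: expected {len(FIELDS)} fields, got {len(row)}")
        entry = dict(zip(FIELDS, row))
        if not entry["component_generation"].isdigit():
            raise ValueError(f"line {lineno}: component_generation must be an integer")
        entry["component_generation"] = int(entry["component_generation"])
        entries.append(entry)
    if not entries or entries[0]["component_name"] != "sbat":
        raise ValueError("first entry must be the 'sbat' header line")
    return entries


def parse_policy(text):
    """Map component name -> minimum allowed generation (extra columns ignored)."""
    policy = {}
    for row in csv.reader(StringIO(text)):
        if row:
            policy[row[0]] = int(row[1])
    return policy


def sbat_verdict(entries, policy):
    """Return (allowed, reasons); reasons lists every component whose
    generation falls below the policy minimum. Unknown components pass."""
    reasons = []
    for e in entries:
        minimum = policy.get(e["component_name"])
        if minimum is not None and e["component_generation"] < minimum:
            reasons.append(f"{e['component_name']}: generation "
                           f"{e['component_generation']} < required {minimum}")
    return (not reasons, reasons)


if __name__ == "__main__":
    allowed, why = sbat_verdict(parse_sbat(SAMPLE_SBAT), parse_policy(SAMPLE_POLICY))
    print("boot allowed" if allowed else "revoked: " + "; ".join(why))
```

Raising the policy's grub minimum to 5 flips the verdict, whereas changing only the distro entry's vendor_version suffix does not: that is why the version suffix matters for review and traceability rather than for the revocation check itself.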
Shim signing for secure boot requires enforcing lockdown. There are three ways
we can do this:

1. setting CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY=y. This unconditionally
   prevents loading unsigned kernel modules.
2. setting lockdown=integrity on the kernel cmdline from a signed Grub
   configuration. This would be OK, but Grub is not updated in the field right
   now, so we'd be stuck.
3. incorporating the secure-boot-lockdown patches that other major distros are using.

We're going to go with 3, because this only enforces lockdown when secure boot
is actually enabled and lets us change approach later on.

These patches are sourced from Debian:
https://sources.debian.org/src/linux/6.6.13-1~bpo12%2B1/debian/patches/features/all/lockdown/.
Signed-off-by: Jeremi Piotrowski <jpiotrowski@microsoft.com>
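The property the commit above chooses (lockdown enforced exactly when Secure Boot is on) is something an operator can verify from userspace. The following is an added check, not code from the commit or from Flatcar: it reads the active mode from /sys/kernel/security/lockdown (which lists all modes with the active one in brackets) and the SecureBoot EFI variable via efivarfs (4 bytes of attributes followed by a one-byte value), then reports whether the state matches the policy. The sysfs and efivars paths are the standard Linux locations; the inputs in the test are constructed, and the host-reading wrapper is only exercised when run on a real machine.

```python
"""Check that kernel lockdown is active whenever UEFI Secure Boot is enabled."""
from pathlib import Path
from typing import Optional

# Standard Linux locations; assumed to exist only when evaluate_host() runs on a real system.
LOCKDOWN_PATH = Path("/sys/kernel/security/lockdown")
SECUREBOOT_VAR = Path(
    "/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c")

ENFORCING_MODES = ("integrity", "confidentiality")


def parse_lockdown(text: str) -> str:
    """Extract the bracketed active mode, e.g. 'none [integrity] confidentiality'."""
    for token in text.split():
        if token.startswith("[") and token.endswith("]"):
            return token[1:-1]
    raise ValueError(f"no active mode found in lockdown output: {text!r}")


def parse_secure_boot(raw: bytes) -> bool:
    """efivarfs prefixes variable data with 4 attribute bytes; SecureBoot's
    data is a single byte that is 1 when Secure Boot is enabled."""
    if len(raw) < 5:
        raise ValueError("SecureBoot variable too short")
    return raw[4] == 1


def evaluate(lockdown_text: str, secure_boot_raw: Optional[bytes]) -> dict:
    """secure_boot_raw is None when the variable is absent (legacy BIOS boot
    or no efivarfs); that counts as Secure Boot off."""
    mode = parse_lockdown(lockdown_text)
    secure_boot = parse_secure_boot(secure_boot_raw) if secure_boot_raw is not None else False
    # Policy from the commit: with Secure Boot on, lockdown must be at least
    # 'integrity'. With Secure Boot off, any mode is acceptable.
    compliant = (not secure_boot) or mode in ENFORCING_MODES
    return {"secure_boot": secure_boot, "lockdown": mode, "compliant": compliant}


def evaluate_host() -> dict:
    """Run the check against the running system."""
    sb_raw = SECUREBOOT_VAR.read_bytes() if SECUREBOOT_VAR.exists() else None
    return evaluate(LOCKDOWN_PATH.read_text(), sb_raw)


if __name__ == "__main__":
    print(evaluate_host())
```

With approach 3 from the commit, a host booted with Secure Boot enabled should report lockdown "integrity"; a kernel built with CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY=y (approach 1) would report it regardless of the Secure Boot state, which this check also accepts.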
This change adds the Azure and HyperV OEM "hv-daemons" to board-packages
so build_packages.sh will actually build these. This un-breaks a build
issue with the Azure and HyperV images.
Signed-off-by: Thilo Fromm <thilofromm@microsoft.com>

* oem-azure: add hyperv daemons

This change adds hyperv daemons hv_fcopy, hv_kvp, and hv_vss to the
Azure and HyperV OEM sysexts. hv_kvp specifically is needed to submit OS version
information to the Azure hypervisor.

The daemons, though userspace programs, are built from the kernel sources
as they are included in the Linux kernel.

As the ebuild is (somewhat) kernel specific, it should be updated when the kernel
is updated. Respective additions have been made to the kernel update GitHub actions
automation.

Signed-off-by: Thilo Fromm <thilofromm@microsoft.com>
Co-authored-by: Mathieu Tortuyaux <mtortuyaux@microsoft.com>

We can now use Gentoo's upstream ebuild, save for a few small overrides
in a separate env file.
This bumps GRUB from 2.06 to 2.12. The existing two Flatcar patches have
been rebased.
Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>