I just started with IPFire last night and wanted to move to 5.10.85, but I noticed pakfire did not include a compiler and other packages required. As a Gentoo user for my daily driver, this was quite shocking.
Is there a recommended method for building a custom kernel with IPFire? I think I'm just going to build the kernel on another box and copy the modules etc. over… seems easier than bootstrapping gcc etc.
How closely does IPFire follow the upstream kernel release cadence, and what is required to bump the version packaged?
You can't just build a new kernel and copy it across, as the kernel is signed by the devs and the key is then thrown away, so that it is certain that the kernel that you have on your firewall has not been tampered with.
@bonnietwin thanks for the quick and complete response. I really appreciate the links.
How would this be enforced? I'm not sure that I follow. I have not configured a TPM or anything like tboot on the box. It should be pretty simple to just boot a different vmlinuz, and indeed a simple boot of a small useless static kernel does "work". I haven't tested a kernel with the full config that IPFire expects, but early indications seem to point to this working as expected. I get that module signatures are both enabled and forced, but that wouldn't impact entirely replacing the kernel image and modules.
We generate a key during the build process which is then used to sign all modules. The public part of that key is compiled into the kernel, which will then validate the signature of any module loaded and refuse to load it if it doesn't match.
That is why compiling additional modules is no longer possible without rebuilding the entire kernel. This is useful because injecting kernel modules is impossible in IPFire without circumventing this mechanism.
We do not use Secure Boot or anything outside of the OS. So there is still a chance for an attacker to replace the entire kernel - or you to build your own.
What is the reason for building your own kernel? Are you requiring configuration changes or additional drivers or anything else?
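The mechanism described in the reply above is the standard Linux kernel module-signing scheme (CONFIG_MODULE_SIG with CONFIG_MODULE_SIG_FORCE, surfaced at runtime as the `module.sig_enforce` parameter). The script below is an added example, not IPFire project code, that an administrator can use to check from the running system whether signature enforcement is actually on and whether a given `.ko` file carries the appended signature trailer the kernel looks for. The sample config fragment and the sample module files it builds are constructed for the demonstration; the `/sys` and `/proc` paths are the kernel's own.

```shell
#!/bin/sh
# Added example (not IPFire's code): audit kernel module-signature enforcement.
# The kernel appends a PKCS#7 blob, a 12-byte module_signature struct and this
# 28-byte ASCII marker to every signed .ko; the marker is how it knows a
# signature is present at all.
SIG_MARKER='~Module signature appended~'

# Constructed sample kernel config, shaped like the output of `zcat /proc/config.gz`.
SAMPLE_CONFIG='CONFIG_MODULE_SIG=y
CONFIG_MODULE_SIG_FORCE=y
CONFIG_MODULE_SIG_ALL=y
CONFIG_MODULE_SIG_SHA512=y'

# Returns 0 if the file ends with the module-signature marker, 1 otherwise.
# Only checks presence of the trailer; the kernel does the cryptographic check
# against the key compiled into it.
module_is_signed() {
    tail -c 28 "$1" | tr -d '\n' | grep -qF "$SIG_MARKER"
}

# Returns 0 when a kernel config read from stdin forces module signatures.
config_forces_sig() {
    grep -qx 'CONFIG_MODULE_SIG_FORCE=y'
}

# Prints Y, N or "unknown" for the running kernel's sig_enforce setting.
# "Y" means unsigned or wrongly signed modules are refused, not merely logged.
sig_enforce_status() {
    f=/sys/module/module/parameters/sig_enforce
    if [ -r "$f" ]; then cat "$f"; else echo "unknown"; fi
}

# Lists the kernel's builtin trusted keyring (where the build-time public key
# lives) when /proc/keys is readable; prints nothing otherwise.
builtin_trusted_keys() {
    [ -r /proc/keys ] && grep -F '.builtin_trusted_keys' /proc/keys
    return 0
}

# Constructed sample: $1 = path, $2 = "signed" or "unsigned".
# A real module would carry ELF data and a signature blob before the marker.
make_sample() {
    printf '\177ELF constructed fake module body' > "$1"
    [ "$2" = signed ] && printf '%s\n' "$SIG_MARKER" >> "$1"
    return 0
}

# Human-readable report for one module path plus the live enforcement state.
report() {
    if module_is_signed "$1"; then
        echo "$1: signature trailer present"
    else
        echo "$1: NO signature trailer (would be refused when sig_enforce=Y)"
    fi
    echo "module.sig_enforce on this kernel: $(sig_enforce_status)"
    if [ -r /proc/config.gz ] && zcat /proc/config.gz | config_forces_sig; then
        echo "running kernel was built with CONFIG_MODULE_SIG_FORCE=y"
    fi
    builtin_trusted_keys
}

# Stand-alone demo over constructed samples.
demo() {
    d=$(mktemp -d)
    make_sample "$d/signed.ko" signed
    make_sample "$d/unsigned.ko" unsigned
    report "$d/signed.ko"
    report "$d/unsigned.ko"
    printf '%s\n' "$SAMPLE_CONFIG" | config_forces_sig && echo "sample config forces signatures"
    rm -rf "$d"
}

[ "${1:-}" = demo ] && demo
```

Run it with `sh audit_modsig.sh demo` for the constructed samples, or source it and call `report /lib/modules/$(uname -r)/kernel/.../some.ko` on a real firewall. A trailer being present only tells you the build signed the file; whether the signature verifies against the in-kernel key is decided at `insmod` time, which is exactly why replacing the whole kernel image sidesteps the check while adding a module does not.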