Updating the kernel (5.10.85)

Getting Started with IPFire
1

I just started with IPFire last night and wanted to move to 5.10.85, but I noticed pakfire did not include a compiler and other packages required. As a gentoo user for my daily driver, this was quite shocking :laughing:

  1. Is there a recommended method for building a custom kernel with IPFire? I think Iā€™m just going to build the kernel on another box and copy the modules etc overā€¦ seems easier than bootstrapping gcc etc.
  2. How closely does IPFire follow the upstream kernel release cadence, and what is required to bump the version packaged?
2

Hi @dlrobertson

Welcome to the IPFire community.

Generally it is not a good idea to have compilers and related tools on an actual production firewall.

If you wait for Core Update 162 which is in testing currently then IPFire will transition to Linux 5.15 which is an LTS kernel release.

See the Core Update 162 Testing Release notification
https://blog.ipfire.org/post/ipfire-2-27-core-update-162-is-available-for-testing

You canā€™t just build a new kernel and copy it across as the kernel is signed by the devs and the key is then thrown away so that it is certain that the kernel that you have on your firewall has not been tampered with.

You would need to do a complete build of IPFire. See the following link in the wiki for details.
https://wiki.ipfire.org/devel/ipfire-2-x/build-howto

For the kernel build portion do a search on the forum for previous threads on the topic.

7 Likes
3

@bonnietwin thanks for the quick and complete response. I really appreciate the links.

How would this be enforced? Iā€™m not sure that I follow. I have not configured a TPM and anything like tboot on the box. It should be pretty simple to just boot a different vmlinuz, and indeed a simple boot of a small useless static kernel does ā€œworkā€. I havenā€™t tested a kernel with the full config that IPFire expects, but early indications seem to point to this working as expected. I get that module signatures are both enabled and forced, but that wouldnā€™t impact entirely replacing the kernel image and modules.

4

Sorry my memory is not what it used to be when I was younger.

The thread I was remembering was related to a kernel module and not the kernel as a whole and that the whole kernel had to be compiled to include the desired additional module due to the signing.
https://community.ipfire.org/t/how-can-i-use-self-compiled-kernel-module/2706

2 Likes
5

Hello Dan,

We generate a key during the build process which is then being used to sign all modules. The public part that key is being compiled into the kernel which will then validate the signature of any module loaded and refuse to load it if it doesnā€™t match.

That is why compiling additional modules is no longer possible without rebuilding the entire kernel. This is useful because injecting kernel modules is impossible in IPFire without circumventing this mechanism.

We do not use Secure Boot or anything outside of the OS. So there is still a chance for an attacker to replace the entire kernel - or you to build your own.

What is the reason for building your own kernel? Are you requiring configuration changes or additional drivers or anything else?

2 Likes
6

Yup, kernel module signing makes sense.

Donā€™t need support for any new drivers or anything currently. In this case I was just trying to follow the upstream release.

1 Like
7

Cool. Kernel 5.15 is on its way and already available for testing:

If you have any improvements, donā€™t hesitate to submit patch:

And developers are probably easiest to get hold of on our mailing list:

3 Likes