Enable USB Test and Measurement Class driver as a loadable kernel
module. This module is used for many USB devices that meet the USB Test
and Measurement device specification, like HW and Power Analyzers.
Signed-off-by: Chris Co <chrco@microsoft.com>
Enable Multipath TCP (MPTCP) to allow using multiple interface paths to send and receive TCP packets for improving throughput and redundancy.
Signed-off-by: Chris Co <chrco@microsoft.com>
Enable the Extended Verification Module (EVM) support to allow the verification of security-related extended attributes like SELinux file labels or IMA hash
Signed-off-by: Chris Co <chrco@microsoft.com>
Co-authored-by: Chris Co <chrco@microsoft.com>
Enable FS-verity and Integrity Policy Enforcement LSM. These are useful security features that users/services can leverage to better secure their system.
Signed-off-by: Chris Co <chrco@microsoft.com>
Add DMI sysfs and EROFS module support. Additionally hooks for Secure Boot with dm-verity verification.
These kconfigs will also be necessary to onboard Azure Linux into upstream systemd's CI testing.
Signed-off-by: Chris Co <chrco@microsoft.com>
Moving batch of configs that were built-in to be modules to maintain flexibility, though reduce kernel size and boot speed.
These modules are already set as modules on x86 and only targeted to change on arm64.
Signed-off-by: Kelsey Steele <kelseysteele@microsoft.com>
TPM Event log does not appear to be passed to the kernel when Secure Boot is enforcing. To restore this critical functionality, revert back to our previous 2.06 grub2 which has this support and all SBAT-related CVEs patched.
This reverts commit 26d9bca
Enable the secondary keyring for partners to enroll their own key which is used to sign and validate kernel modules for a specific project. This limits the trust of modules built and signed by partners to their respective images and products.
- Add kernel-uki-signed.spec
- Add systemd-boot-signed.spec
- kernel-uki: Install UKI EFI binary under /boot and create a symlink to it under /lib/modules/$(uname -r)/
Signed-off-by: Thien Trung Vuong <tvuong@microsoft.com>
- kernel-uki: include i18n dracut module so UKI systemd-vconsole-setup service works
- toolkit: add support for partition type UUID
- imageconfigs: add CVM image definition
Signed-off-by: Thien Trung Vuong <tvuong@microsoft.com>
Co-authored-by: Dan Streetman <ddstreet@microsoft.com>
The 'cpupower' systemd startup script is useful for users to change the behavior of cpufreq at runtime rather than relying on the config default set at compile time. Specifically, it allows users to change the scaling governor. By default Azure Linux sets the scaling governor to performance mode via CONFIG_CPU_FREQ_DEFAULT_GOV_PERFORMANCE. This was confirmed by flashing the latest CBL-Mariner 2.0 ISO onto an Intel NUC. It by default used the performance scaling governor and the cpufreq driver was intel_pstates. The powersave governor was available but not used. More on CPU frequency scaling can be seen at kernel.org.
While useful, introducing the cpupower.service script in Mariner 2.0 would break the assumption for how users can affect the CPU frequency. Adding the service file would change the CPU frequency for users who have taken action to change from the default "performance" governor to some other governor (powersave, ondemand, etc.). Set in 3.0 to encourage users to have the most performant state.
Just as a note that there are many places the cpu frequency setting can be altered:
- bios
- governor in kernel configs (CONFIG_CPU_FREQ_DEFAULT_GOV_PERFORMANCE=y in Mariner)
- governor in kernel command line (cpufreq.default_governor not set in Mariner)
- cpufreq direct call in userspace
- tuned (which we don't ship with by default)
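
An added example, not part of the commit message or the Azure Linux sources: a POSIX sh check that compares the boot-time governor (kernel command line first, then the compile-time kconfig default) with the governors actually active in sysfs, so a runtime change by a service or a direct userspace write shows up. The function names and the `/boot/config-$(uname -r)` location are assumptions; BIOS settings are not visible from the running system.

```shell
#!/bin/sh
# Added example: helper names are hypothetical, paths are passed in as arguments.

# Governor named on the kernel command line; empty output if none is set.
cmdline_governor() {  # $1 = cmdline file, e.g. /proc/cmdline
    [ -r "$1" ] || return 0
    tr ' ' '\n' < "$1" | sed -n 's/^cpufreq\.default_governor=//p' | tail -n 1
}

# Compile-time default from CONFIG_CPU_FREQ_DEFAULT_GOV_<NAME>=y, lower-cased.
config_governor() {  # $1 = kernel config file
    [ -r "$1" ] || return 0
    sed -n 's/^CONFIG_CPU_FREQ_DEFAULT_GOV_\([A-Z_]*\)=y$/\1/p' "$1" | tr 'A-Z' 'a-z'
}

# Distinct governors currently active across all cpufreq policies.
runtime_governors() {  # $1 = cpufreq sysfs dir
    for f in "$1"/policy*/scaling_governor; do
        [ -r "$f" ] && cat "$f"
    done | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Compare the boot-time default with what is active now.
cpufreq_audit() {  # $1 = cmdline file, $2 = config file, $3 = cpufreq sysfs dir
    boot=$(cmdline_governor "$1")
    [ -n "$boot" ] || boot=$(config_governor "$2")   # the command line wins over kconfig
    now=$(runtime_governors "$3")
    if [ -z "$now" ]; then
        echo "no-cpufreq"
    elif [ "$now" = "$boot" ]; then
        echo "boot-default:$now"
    else
        echo "differs:$now (boot default: ${boot:-unknown})"
    fi
}

# Run against the live system; the config path is an assumption and may be absent.
cpufreq_audit /proc/cmdline "/boot/config-$(uname -r)" /sys/devices/system/cpu/cpufreq
```

A `differs:` result means something after boot (a service such as cpupower.service, tuned, or a direct write to `scaling_governor`) changed the governor on at least one policy.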