Compilation
Dependencies
If you are missing any dependencies please follow this guide: redpesk-build-host
Smack is not packaged and has to be compiled from source.
Fedora / CentOS
dnf install check-devel sec-cynagora-devel libsemanage-devel libselinux-devel systemd-devel libcap-devel
Build Smack:
sudo dnf install autoconf automake libtool
git clone https://github.com/smack-team/smack
cd smack
./autogen.sh
make
sudo make install
Ubuntu / Debian
apt install check sec-cynagora-dev libsemanage-dev libselinux1-dev libsystemd-dev libcap-dev
Build Smack:
sudo apt install autoconf libtool pkg-config make
git clone https://github.com/smack-team/smack
cd smack
./autogen.sh
make
sudo make install
Options
The following compilation options can be changed when running the cmake command:
- WITH_SYSTEMD (default: ON): systemd socket activation
- WITH_SMACK (default: OFF): SMACK mode
- WITH_SELINUX (default: OFF): SELinux mode
- WITH_SIMULATION (default: OFF): activate simulations for cynagora, SMACK and SELinux
- SIMULATE_CYNAGORA (default: OFF): simulate cynagora
- SIMULATE_SMACK (default: OFF): simulate SMACK
- SIMULATE_SELINUX (default: OFF): simulate SELinux
- FORTIFY (default: ON): fortify source code
- COMPILE_TEST (default: ON): compile tests
- DEBUG (default: OFF): activate debug mode (symbols, debug messages)
For example, with the DEBUG option and only SELinux:
cmake -DDEBUG=ON -DWITH_SELINUX=ON ..
Environment Variables
Some variables are defined at compile time in the CMakeLists.txt file and can be changed at runtime by defining an environment variable.
For example, the SEC_LSM_MANAGER_SOCKET_NAME variable, which contains sec-lsm-manager.socket by default, can be modified at launch:
export SEC_LSM_MANAGER_SOCKET_NAME="new-socket-name.socket"
/usr/bin/sec-lsm-managerd
It is possible to modify the following environment variables:
- SELINUX_RULES_DIR (default: /usr/share/sec-lsm-manager/selinux-rules)
- SELINUX_MAKEFILE (default: /usr/share/selinux/devel/Makefile)
- SEC_LSM_MANAGER_DATADIR (default: /usr/share/sec-lsm-manager)
- SEC_LSM_MANAGER_SOCKET_NAME (default: sec-lsm-manager.socket)
- COMPILE_SCRIPT_DIR (default: /usr/share/sec-lsm-manager/script)
- COMPILE_SCRIPT_NAME (default: build-module.sh)
- TE_TEMPLATE_FILE (default: app-template.te)
- IF_TEMPLATE_FILE (default: app-template.if)
- TEMPLATE_FILE (default: app-template.smack)
- SELINUX_FS_PATH (default: /sys/fs/selinux)
- SMACK_FS_PATH (default: /sys/fs/smackfs)
- SMACK_POLICY_DIR (default: /etc/smack/accesses.d, simulation: /usr/share/sec-lsm-manager/smack-simulation)
- SELINUX_POLICY_DIR (simulation: /usr/share/sec-lsm-manager/selinux-simulation)
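Because these variables redirect the script, template and policy locations named above, it is worth checking the environment that sec-lsm-managerd is about to start in. The following shell functions are an added example, not part of sec-lsm-manager: they report which listed variables differ from their defaults and flag absolute-path overrides that are missing or writable by group or others. The names `SLM_DEFAULTS`, `slm_overrides`, `slm_loose_path` and `slm_audit` are assumptions made for this example; the defaults are the non-simulation values from the list.

```sh
#!/bin/sh
# Added example. Defaults transcribed from the list above (non-simulation values).
SLM_DEFAULTS='SELINUX_RULES_DIR=/usr/share/sec-lsm-manager/selinux-rules
SELINUX_MAKEFILE=/usr/share/selinux/devel/Makefile
SEC_LSM_MANAGER_DATADIR=/usr/share/sec-lsm-manager
SEC_LSM_MANAGER_SOCKET_NAME=sec-lsm-manager.socket
COMPILE_SCRIPT_DIR=/usr/share/sec-lsm-manager/script
COMPILE_SCRIPT_NAME=build-module.sh
TE_TEMPLATE_FILE=app-template.te
IF_TEMPLATE_FILE=app-template.if
TEMPLATE_FILE=app-template.smack
SELINUX_FS_PATH=/sys/fs/selinux
SMACK_FS_PATH=/sys/fs/smackfs
SMACK_POLICY_DIR=/etc/smack/accesses.d'

# Print "NAME DEFAULT CURRENT" for each listed variable set to a non-default value.
slm_overrides() {
    printf '%s\n' "$SLM_DEFAULTS" | while IFS='=' read -r name def; do
        eval "cur=\${$name-}"   # $name only ever comes from the fixed list above
        if [ -n "$cur" ] && [ "$cur" != "$def" ]; then
            printf '%s %s %s\n' "$name" "$def" "$cur"
        fi
    done
}

# True if the path is missing, or writable by group or others.
slm_loose_path() {
    [ -e "$1" ] || return 0
    [ -n "$(find "$1" -prune \( -perm -020 -o -perm -002 \) -print)" ]
}

# Report every override; return 1 if an absolute-path override is loose.
slm_audit() {
    slm_overrides | {
        rc=0
        while read -r name def cur; do
            case "$cur" in
                /*) if slm_loose_path "$cur"; then
                        echo "FLAG     $name=$cur (missing or group/other-writable)"
                        rc=1
                        continue
                    fi ;;
            esac
            echo "override $name=$cur (default: $def)"
        done
        [ "$rc" -eq 0 ]
    }
}
```

Call `slm_audit` from the same environment that launches /usr/bin/sec-lsm-managerd. An override that is a symbolic link is flagged as well, because `find` tests the link itself.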