seapath / meta-seapath

This is the core of the seapath project. The meta-seapath repo contains the yocto Seapath layer, which contains all the code (yocto recipes) needed to build the seapath images used to install seapath (host, guest, flasher, etc.)
https://lfenergy.org/projects/seapath/
Apache License 2.0

kernel parameters: disable IPv6 #60

Closed insatomcat closed 2 years ago

insatomcat commented 2 years ago

IPv6 in SEAPATH has not been taken into account and tested. For security reasons it is better to disable it. Disabling IPv6 is done in kernel parameters to avoid giving the possibility of re-enabling it at runtime. IPv6 can easily be restored if necessary by deleting the kernel parameter.

Signed-off-by: insatomcat <florent.carli@rte-france.com>

dupremathieu commented 2 years ago

I know it would be better to do it directly in the kernel config, but in the meantime this is quick and easy

It seems OK to deactivate IPv6 using kernel parameters. It is a good compromise: with this we can be sure that it can't be reactivated later at runtime, and it's easy to re-enable it during the generation for those who need it.

I think we could go even further by making this deactivation configurable. I am adding in the external_parameters branch the possibility to configure some aspects of SEAPATH like the keymap and the configuration of some kernel parameters like CPU isolation. It could be done in another PR.
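An added example, not part of this pull request or of the SEAPATH code: a shell check that tells a boot-time IPv6 lock apart from a setting that can be reverted at runtime, which is the property the thread relies on. It assumes the parameter is `ipv6.disable=1` (the thread does not name the parameter used); the function names and sample command lines are constructed for illustration.

```shell
#!/bin/sh
# Classify how a kernel command line treats IPv6. Prints one of:
#   locked      ipv6.disable=1: stack never initialised, reboot needed to restore
#   reversible  ipv6.disable_ipv6=1: only a default, the sysctl can flip it back
#   enabled     neither parameter is in effect
# The body runs in a subshell so "set -f" and the variables stay local.
ipv6_boot_state() (
    set -f                      # no glob expansion while word-splitting $1
    disable=0
    disable_ipv6=0
    for arg in $1; do           # later occurrences override earlier ones
        case "$arg" in
            ipv6.disable=*)          disable=${arg#*=} ;;
            ipv6.disable[_-]ipv6=*)  disable_ipv6=${arg#*=} ;;
        esac
    done
    if [ "$disable" = 1 ]; then echo locked
    elif [ "$disable_ipv6" = 1 ]; then echo reversible
    else echo enabled
    fi
)

# Audit the running host: the parameter must be on the booted command line AND
# /proc/net/if_inet6 must be absent (it is not created when the stack is disabled).
audit_host() {
    state=$(ipv6_boot_state "$(cat /proc/cmdline)")
    if [ "$state" = locked ] && [ ! -e /proc/net/if_inet6 ]; then
        echo "PASS: IPv6 disabled at boot and not initialised"
    else
        echo "FAIL: cmdline state is '$state'"
        return 1
    fi
}

# Constructed sample command lines (not taken from a SEAPATH image).
for sample in \
    "root=/dev/sda2 ro ipv6.disable=1 quiet" \
    "root=/dev/sda2 ro ipv6.disable_ipv6=1 quiet" \
    "root=/dev/sda2 ro quiet"
do
    printf '%-45s -> %s\n' "$sample" "$(ipv6_boot_state "$sample")"
done
```

Calling `audit_host` on a booted image checks the live command line rather than the samples.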