Skip to content

feat(kernel): enable GTM multicast kernel opts (amd64) — 6.18.34-ct6#4

Merged
kkroo merged 11 commits into
mainfrom
blockcast-ct6-ipv6-pimsm
Jul 11, 2026
Merged

feat(kernel): enable GTM multicast kernel opts (amd64) — 6.18.34-ct6#4
kkroo merged 11 commits into
mainfrom
blockcast-ct6-ipv6-pimsm

Conversation

@kkroo

@kkroo kkroo commented Jul 4, 2026

Copy link
Copy Markdown

Problem

CT6/GTM nodes need the v6 multicast dataplane to match v4: without CONFIG_IPV6_PIMSM_V2=y, MRT6_PIM returns ENOPROTOOPT and pim6d disables its v6 mroute socket. The CT6 DIMT path also needs multicast route-table steering enabled for both families.

Changes

  • Enables the ct6 multicast kernel options on amd64:
    • CONFIG_IPV6_PIMSM_V2=y
    • CONFIG_IP_MROUTE_MULTIPLE_TABLES=y
    • CONFIG_IPV6_MROUTE_MULTIPLE_TABLES=y
  • Keeps CONFIG_NET_IPGRE_BROADCAST disabled intentionally. Current Blockcast DIMT uses IPIP-in-FOU; the draft does not require GRE broadcast for this deployment path.
  • Carries the existing ct5/MPLS + 6.18.34 Talos boot-parity lineage, including Blockcast module-signing trust. The private signing key is not committed; CI provisions it from BLOCKCAST_MODULE_SIGNING_KEY, validates it matches blockcast-modsign.crt, and scrubs it after build.
  • Adds dispatch/proof workflows for the ct6 kernel and ct6 installer chain, including ct6-specific installer tags to avoid overwriting the generic AMT tags.
  • Updates signed-installer compose auth handling to require an explicit GHCR package token (GH_PAT) for cross-repo private amt-kmod pulls.

Verification

  • Kernel package build: build-ct6-mroute-kernel run 29131419459 passed.
    • Confirmed ct6 config for Linux 6.18.34.
    • Pushed ghcr.io/blockcast/kernel:v1.13.4-amt-ct6-mroute@sha256:e88d73108f1dd0575cbe6a229aa3f42ded20a8b7b1d6915db503fa2894c42228.
    • Log shows signed modules and DEPMOD for 6.18.34-talos, including ip_gre.ko, ip6_gre.ko, and vport-gre.ko.
  • Base installer build: build-amt-installer run 29134485069 passed.
    • Consumed the ct6 kernel digest above.
    • Published ghcr.io/blockcast/installer:v1.13.4-amt-ct6-mroute.
  • Signed installer compose: compose-signed-installer run 29136475511 passed.
    • Pulled ghcr.io/blockcast/amt-kmod:v1.13.4 using the repo GH_PAT package token.
    • Published deployable signed installer ghcr.io/blockcast/installer:v1.13.4-amt-ct6-mroute-signed@sha256:efe53dc2b397a3eb3f13b8b31a0a4e20bbaccaac6a903894b28969fe224e616a.

Merge Gate

The ct6 custom proof chain is green. The PR rollup still shows the generic default job queued on the pkgs runner path, so GitHub reports the PR as UNSTABLE until that queue clears or branch protection accepts the explicit ct6 proof runs above.

kkroo and others added 5 commits June 24, 2026 02:58
…TED_KEYS)

The custom AMT kernel (kernel:<ver>-amt → installer:<ver>-amt) shipped a stock
keyring trusting ONLY the Sidero build-time throw-away key, so a Blockcast-signed
amt.ko is rejected under module.sig_enforce=1 (`key was rejected by service`),
verified on a freshly-imaged Talos node (.builtin_trusted_keys held only the
Sidero key). The signed-kernel design (.planning 2026-06-17) never wired the
kernel-trust half.

Embed the Blockcast module-signing public cert in the kernel's builtin trusted
keyring:
- add kernel/build/certs/blockcast-modsign.crt (public cert; CN "Blockcast AMT
  Module Signing Key"; private key held as org secret BLOCKCAST_MODULE_SIGNING_KEY)
- set CONFIG_SYSTEM_TRUSTED_KEYS="certs/blockcast-modsign.crt" (amd64+arm64)

kernel/build/pkg.yaml already `cp /pkg/certs/* certs/`, so the cert lands at
certs/blockcast-modsign.crt in the kernel tree. The throw-away CONFIG_MODULE_SIG_KEY
is unchanged (Talos's own modules still verify); this only ADDS the Blockcast key.
Pairs with re-enabling signing in linux-amt's amt-kmod build using the same key.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Pin the kernel to Linux 6.18.34 (Pkgfile version + sha256/sha512) and
regenerate config-amd64 to match. Add CONFIG_STATIC_USERMODEHELPER and
CONFIG_PAGE_TABLE_CHECK_ENFORCED to filter-hardened-check IGNORE_VIOLATIONS
since the deployed Sidero stock kernel runs without them and enabling is
unproven on these Talos VMs.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
GTM BGP-MVPN IR leaves receive replicated multicast as a single-label
MPLS frame (the leaf's own advertised I-PMSI label, PHP'd transport).
Enable the kernel disposition path (CONFIG_MPLS_ROUTING) so the node
pops it natively via 'ip -f mpls route add <label> dev lo' instead of
an XDP program; CONFIG_MPLS_IPTUNNEL for the encap direction. Both =y
(builtin) to sidestep the Talos imager module-curation trap that bit
amt.ko. CONFIG_MPLS/NET_MPLS_GSO were already =y; LWTUNNEL=y satisfies
the iptunnel dependency. BLO-8371.

Signed-off-by: Omar Ramadan <omar@blockcast.net>
cdn.kernel.org evicted the linux-6.18.34.tar.xz release tarball
(superseded by 6.18.35), 404ing the pinned source. Staying on 6.18.34
is deliberate: the deployed amt-kmod extension is built and signed for
6.18.34-talos, and this branch's ct-lineage kernel is the one proven
under module.sig_enforce=1. Switch the source to the git.kernel.org
stable snapshot of the v6.18.34 tag (content-verified: Makefile
VERSION/PATCHLEVEL/SUBLEVEL = 6.18.34) and re-pin its hashes. NOTE:
snapshot tarballs are generated on demand and their hashes can rotate
with kernel.org infra changes — if this pin ever mismatches, re-verify
content and re-pin. BLO-8371.

Signed-off-by: Omar Ramadan <omar@blockcast.net>
CONFIG_IPV6_PIMSM_V2=y so pim6d's MRT6_PIM upcall registration succeeds.
Without it the kernel returns ENOPROTOOPT and FRR disables the entire v6
mroute socket at startup (fd=-1), leaving pim6d without a v6 multicast
data plane and exercising failure paths in every MFC update. The v4 side
(CONFIG_IP_PIMSM_V2) has always been enabled; this brings v6 to parity
for the BGP-MVPN GTM receiver nodes.

Compile-time bool (no module option), builtin like the MPLS options —
no imager module-curation impact.

Signed-off-by: Omar Ramadan <omar@blockcast.net>
@cursor

cursor Bot commented Jul 4, 2026

Copy link
Copy Markdown

Bugbot is not enabled for your account, so this pull request was not reviewed.

Enable Bugbot in the Cursor dashboard to get automatic reviews on future PRs.

@allyblockcast allyblockcast Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ally — Consolidated PR Review

Lenses: pr-review-toolkit (code/tests/comments/errors/types — largely n/a for a binary kernel-config diff) + gstack/review (structural/scope) + native-codex (adversarial diff read, nested CLI unavailable in this runtime).

Critical Issues (2)

  • [native-codex] Pkgfile:106, kernel/build/config-amd64 (~130 changed lines) — The PR description says this is a single compile-time bool flip (CONFIG_IPV6_PIMSM_V2=y, "like the MPLS options"), but the actual diff is a full kernel-config rebase: linux_version is downgraded 6.18.35 → 6.18.34, and dozens of unrelated subsystems change (ATM, X25, LAPB, PHONET, RDS, IP_NF_IPTABLES/IP6_NF_IPTABLES/BRIDGE_NF_EBTABLES, DVB drivers, and ~30 drivers flipped from loadable module (=m) to built-in (=y) — VMware/Xen/Hyper-V stacks, USB HCDs, storage, InfiniBand, etc.). None of this is mentioned, so reviewers approving on the stated scope have no visibility into a kernel downgrade or a large attack-surface/build-size change shipping to fleet GTM nodes alongside it.

    • Split the PIM-SM flag change from the config rebase, or make the rebase and its rationale explicit in the PR description (looks like a /proc/config.gz boot-parity rebase against the deployed Sidero stock kernel — say so).
  • [native-codex] kernel/build/config-amd64:6915 and :2092-2093CONFIG_STATIC_USERMODEHELPER is disabled (was y with PATH="/sbin/init") while CONFIG_UEVENT_HELPER is simultaneously re-enabled with a writable legacy path (/sbin/hotplug). This pairing removes the pinned usermode-helper path and reinstates the legacy hotplug helper mechanism — a well-known local-privesc-relevant combination (arbitrary usermode-helper path can be repointed via /sys/module/*/uevent_helper or /proc/sys/kernel/hotplug). Both exemptions are added to the hardening gate in the same commit (kernel/build/scripts/filter-hardened-check.py:40-41, "unproven on these Talos VMs"), so the check that should catch this is being loosened at the same time, with no security review called out in the PR body.

    • Needs explicit sign-off that this hardening regression is intentional/accepted risk for the fleet, not an artifact of rebasing onto the stock config.

Important Issues (2)

  • [gstack/review] kernel/prepare/pkg.yaml:9 — Kernel source fetch moved from a pinned cdn.kernel.org release tarball to a git.kernel.org git-snapshot tarball (.../snapshot/linux-{{ .linux_version }}.tar.gz). Different provenance/generation semantics than the official release artifact; worth confirming this is deliberate (and that hashes were re-pinned against the new source, which they were) rather than an incidental side effect of whatever produced the version downgrade above.
  • [native-codex] kernel/build/certs/blockcast-modsign.crt (new) is wired into kernel/build/config-arm64's CONFIG_SYSTEM_TRUSTED_KEYS, but amd64's CONFIG_SYSTEM_TRUSTED_KEYS is untouched and still "". For a PR titled "(amd64)" that introduces a new Blockcast module-signing cert (and whose own description cites amt.ko being "ct6-signed"), the amd64 kernel not embedding this trust anchor while arm64 does looks like a gap rather than a deliberate asymmetry — worth confirming amd64 doesn't need it, or wiring it up to match.

Strengths

  • The committed cert (blockcast-modsign.crt) is a public X.509 cert only — no private key material added to the repo.
  • The two new hardening-gate exemptions carry inline rationale comments (boot parity with the deployed Sidero v1.13.4 stock kernel) rather than being silent suppressions — good practice, it just needs to also be surfaced in the PR description itself.

Recommended Action

  1. Before merge: confirm the linux_version downgrade and the cdn.kernel.orggit.kernel.org source change are both intentional, not rebase artifacts.
  2. Get explicit security sign-off on disabling CONFIG_STATIC_USERMODEHELPER while re-enabling CONFIG_UEVENT_HELPER, given this ships to GTM fleet nodes.
  3. Reconcile the amd64/arm64 SYSTEM_TRUSTED_KEYS asymmetry for the new signing cert.
  4. Update the PR description to reflect the true scope (config rebase + PIM-SM flag), or split into separate PRs so each can be reviewed on its own merits.

@kkroo

kkroo commented Jul 10, 2026

Copy link
Copy Markdown
Author

Added commit 94061a9 on this branch to enable the missing multicast route-table steering booleans on amd64: CONFIG_IP_MROUTE_MULTIPLE_TABLES=y and CONFIG_IPV6_MROUTE_MULTIPLE_TABLES=y. This keeps CONFIG_NET_IPGRE_BROADCAST disabled intentionally: the current Blockcast DIMT path is IPIP-in-FOU, and the DIMT draft treats GRE only as one possible tunnel type, not a broadcast-GRE requirement. This is the actual Talos custom-kernel path; the linux-amt extension build can prove amt.ko, but cannot change built-in kernel config.

@kkroo kkroo changed the title feat(kernel): enable IPv6 PIM-SM v2 (amd64) — 6.18.34-ct6 feat(kernel): enable GTM multicast kernel opts (amd64) — 6.18.34-ct6 Jul 10, 2026

@allyblockcast allyblockcast Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ally — Consolidated PR Review

Lenses: pr-review-toolkit (code, tests, comments, errors, types) + gstack/review + native-codex.
reviewed head: 94061a9

Critical Issues (1)

  • [native-codex] kernel/build/config-amd64:7239 / kernel/build/config-arm64:9997 — module-signing trust cert appears wired to the wrong architecture, breaking the exact "amt.ko ct6-signed" chain this PR's title/companion pipeline depends on.
    • config-amd64 now sets CONFIG_MODULE_SIG_KEY="certs/blockcast_signing_key.pem", but that file doesn't exist anywhere in this repo, and kernel/build/pkg.yaml's cp -v /pkg/certs/* certs/ only stages blockcast-modsign.crt and x509.genkey into certs/ for both arches — so the amd64 build has no blockcast_signing_key.pem to satisfy that path (likely build failure, or at best silent fallback to an unintended key).
    • Meanwhile config-amd64's CONFIG_SYSTEM_TRUSTED_KEYS is left "" (untouched by this PR), while config-arm64 — the only other change in that file, 1 line total — gets CONFIG_SYSTEM_TRUSTED_KEYS="certs/blockcast-modsign.crt".
    • Per .github/workflows/compose-signed-installer.yml's own header comment, the kernel that must "TRUST the Blockcast module-signing cert" so the externally-signed amt.ko doesn't EKEYREJECTED is the amd64 installer base (--arch amd64), not arm64. arm64 isn't part of the AMT signed-installer pipeline at all, and nothing else in this PR touches arm64.
    • Net effect: the trust wiring landed on the architecture that doesn't need it, and the architecture that does need it (amd64) got a dangling key reference instead. If this PR's build/deploy claims in the description were validated on an earlier commit of this branch, they don't cover the current head — worth re-verifying the compose-signed-installer + amt.ko load path against this exact SHA before merge.

Important Issues (2)

  • [gstack/review] kernel/build/config-amd64 (LSM / hardening block, ~L911-951) — kernel hardening quietly weakened, undocumented in the PR description.

    • CONFIG_STATIC_USERMODEHELPER and CONFIG_PAGE_TABLE_CHECK_ENFORCED both flip from y to unset, and filter-hardened-check.py was updated in the same diff to suppress the corresponding hardening-checker warnings ("unproven on these Talos VMs" / "config rebased on /proc/config.gz for boot parity"). That rationale may be legitimate, but it's a real hardening regression riding along in a PR titled purely as an IPv6 PIM-SM enable — worth a one-line callout in the PR body so it isn't missed in git log.
    • Separately, CONFIG_SECURITY_SAFESETID is disabled (y → not set) but CONFIG_LSM= still lists safesetid by name, and loadpin is newly added to that same string even though CONFIG_SECURITY_LOADPIN is (and was already) not set anywhere in this config. Neither LSM is actually compiled in, so the ordering string references two no-op entries — a sign the .config wasn't fully reconciled via make oldconfig/listnewconfig against the new base, which also explains the scope issue below.
  • [pr-review-toolkit] kernel/build/config-amd64 — diff scope far exceeds the stated change. The PR title/description describe a single compile-time bool (CONFIG_IPV6_PIMSM_V2=y, matching the existing CONFIG_IP_PIMSM_V2 pattern — that specific hunk, L1401-1402 in the diff, looks correct and mirrors v4). But the actual diff flips ~150+ unrelated CONFIG_* options across ACPI, netfilter/nftables (new iptables/ip6tables/ebtables match & target modules), DVB tuner drivers, framebuffer/DRM (CONFIG_FB re-enabled with ~40 sub-options), USB host controllers, crypto userspace API, and dozens of =m=y module-to-builtin conversions (Hyper-V, Xen, VirtIO, SCSI, etc.), plus a kernel patch-version downgrade (6.18.356.18.34 in Pkgfile/pkg.yaml, also switching the source tarball URL from cdn.kernel.org to git.kernel.org snapshot). None of this is mentioned in the PR body. If it's an artifact of regenerating the config against a different base, please regenerate a minimal diff or explicitly call out and justify the version pin + collateral drift — builtin-vs-module changes affect boot image size and which drivers can be blacklisted/unloaded at runtime.

Suggestions (1)

  • [pr-review-toolkit] kernel/prepare/pkg.yaml — the kernel source is now fetched from a git.kernel.org snapshot tarball (linux.git/snapshot/linux-{version}.tar.gz) instead of the previous cdn.kernel.org release tarball. Snapshot tarballs from git.kernel.org are documented as not stability-guaranteed/reproducible (content can change for the same ref over time), unlike the numbered release tarballs on cdn.kernel.org. Worth confirming this is intentional and that the pinned sha256/sha512 are re-verified on each fetch (not just first ingestion), since a mutable upstream artifact undermines the pin's purpose.

Strengths

  • The core stated change is correct and minimal in isolation: CONFIG_IPV6_MROUTE_MULTIPLE_TABLES=y + CONFIG_IPV6_PIMSM_V2=y cleanly mirrors the existing, already-enabled v4 pair (CONFIG_IP_MROUTE_MULTIPLE_TABLES / CONFIG_IP_PIMSM_V2), matching the PR's stated rationale for why v6 PIM-SM was silently disabled (MRT6_PIMENOPROTOOPT).
  • The filter-hardened-check.py suppressions include specific, dated rationale comments rather than blanket silencing.

Recommended Action

  1. Fix the module-signing trust-cert/key wiring before merge (Critical) — confirm which arch actually needs SYSTEM_TRUSTED_KEYS pointing at blockcast-modsign.crt, and confirm blockcast_signing_key.pem either exists in the amd64 build context or that reference is a leftover to remove.
  2. Call out the hardening regressions and kernel-version downgrade explicitly in the PR description, or split them into a separate PR from the PIM-SM enable.
  3. Consider regenerating config-amd64 as a minimal diff against the intended base, or document why the wider drift is expected.

@kkroo

kkroo commented Jul 11, 2026

Copy link
Copy Markdown
Author

Status update from this pass:

  • Pushed 52a4a19 on blockcast-ct6-ipv6-pimsm.
  • Kernel proof is green: build-ct6-mroute-kernel run 29131419459 published ghcr.io/blockcast/kernel:v1.13.4-amt-ct6-mroute@sha256:e88d73108f1dd0575cbe6a229aa3f42ded20a8b7b1d6915db503fa2894c42228 and confirmed the ct6 mroute config.
  • Base installer proof is green: build-amt-installer run 29134485069 consumed that kernel digest and published ghcr.io/blockcast/installer:v1.13.4-amt-ct6-mroute.
  • Signed compose is blocked on package access, not kernel/build code: run 29135078092 failed pulling private ghcr.io/blockcast/amt-kmod:v1.13.4 because secrets.GH_PAT is not configured for this repo. I updated the workflow to fail fast and to mount an explicit imager Docker config once GH_PAT exists.

Next unblock: add/grant GH_PAT on Blockcast/pkgs with read:packages access to ghcr.io/blockcast/amt-kmod, then rerun compose-signed-installer with base ghcr.io/blockcast/installer:v1.13.4-amt-ct6-mroute and output ghcr.io/blockcast/installer:v1.13.4-amt-ct6-mroute-signed.

@kkroo

kkroo commented Jul 11, 2026

Copy link
Copy Markdown
Author

Signed compose is now green after interactive gh auth + repo GH_PAT update.\n\nProof:\n- compose-signed-installer run: https://github.com/Blockcast/pkgs/actions/runs/29136475511\n- consumed base: ghcr.io/blockcast/installer:v1.13.4-amt-ct6-mroute\n- consumed extension: ghcr.io/blockcast/amt-kmod:v1.13.4\n- published deployable signed installer: ghcr.io/blockcast/installer:v1.13.4-amt-ct6-mroute-signed@sha256:efe53dc2b397a3eb3f13b8b31a0a4e20bbaccaac6a903894b28969fe224e616a\n\nThe only remaining PR rollup issue I see is the generic default job still queued on the pkgs runner path; the ct6 kernel/base/signed installer proof chain is green.

@kkroo kkroo merged commit 4ba59bb into main Jul 11, 2026
1 of 2 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant