====== Raspberry Pi mit dot1X, RADIUS & MACsec ======
Diese Anleitung geht davon aus dass der Raspberry Pi 5 mit Raspberry Pi OS "Trixie" verwendet wird!
===== Kernel mit MACsec kompilieren =====
Um Zeit zu sparen, empfehle ich den Kernel/Module nicht auf dem Pi selbst zu kompilieren, sondern in einer Debian-VM die auf einem ARM-basierten System läuft (z.B. MacBook Pro mit M1(+) Prozessor) - alternativ mit Cross-Compile Toolchain.
benny@debian:~$ mkdir raspiOct
benny@debian:~$ cd raspiOct
benny@debian:~/raspiOct$ git clone --depth=1 --branch rpi-6.12.y https://github.com/raspberrypi/linux
Cloning into 'linux'...
remote: Enumerating objects: 92781, done.
remote: Counting objects: 100% (92781/92781), done.
remote: Compressing objects: 100% (82502/82502), done.
remote: Total 92781 (delta 9561), reused 85758 (delta 9291), pack-reused 0 (from 0)
Receiving objects: 100% (92781/92781), 258.36 MiB | 22.61 MiB/s, done.
Resolving deltas: 100% (9561/9561), done.
Updating files: 100% (87559/87559), done.
benny@debian:~/raspiOct$ cd linux/
benny@debian:~/raspiOct/linux$ KERNEL=kernel_2712
benny@debian:~/raspiOct/linux$ make bcm2712_defconfig
HOSTCC scripts/basic/fixdep
HOSTCC scripts/kconfig/conf.o
HOSTCC scripts/kconfig/confdata.o
HOSTCC scripts/kconfig/expr.o
LEX scripts/kconfig/lexer.lex.c
YACC scripts/kconfig/parser.tab.[ch]
HOSTCC scripts/kconfig/lexer.lex.o
HOSTCC scripts/kconfig/menu.o
HOSTCC scripts/kconfig/parser.tab.o
HOSTCC scripts/kconfig/preprocess.o
HOSTCC scripts/kconfig/symbol.o
HOSTCC scripts/kconfig/util.o
HOSTLD scripts/kconfig/conf
#
# configuration written to .config
#
benny@debian:~/raspiOct/linux$ make menuconfig
HOSTCC scripts/kconfig/mconf.o
HOSTCC scripts/kconfig/lxdialog/checklist.o
HOSTCC scripts/kconfig/lxdialog/inputbox.o
HOSTCC scripts/kconfig/lxdialog/menubox.o
HOSTCC scripts/kconfig/lxdialog/textbox.o
HOSTCC scripts/kconfig/lxdialog/util.o
HOSTCC scripts/kconfig/lxdialog/yesno.o
HOSTCC scripts/kconfig/mnconf-common.o
HOSTLD scripts/kconfig/mconf
*** End of the configuration.
*** Execute 'make' to start the build or try 'make help'.
benny@debian:~/raspiOct/linux$ make -j4 Image.gz modules dtbs
...
benny@debian:~/raspiOct/linux$ mkdir modules
benny@debian:~/raspiOct/linux$ env PATH=$PATH make INSTALL_MOD_PATH=/home/benny/raspiOct/linux/modules modules_install
...
benny@debian:~/raspiOct/linux$ tar czf kernel-macsec.tar.gz arch/
benny@debian:~/raspiOct/linux$ tar czf modules-macsec.tar.gz modules
benny@debian:~/raspiOct/linux$ scp kernel-macsec.tar.gz pi@192.168.11.199:
The authenticity of host '192.168.11.199 (192.168.11.199)' can't be established.
ED25519 key fingerprint is SHA256:QnYk4nWf6N14XBgP1mxamkrQGf+s2RugmcqEJ942J8o.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.11.199' (ED25519) to the list of known hosts.
pi@192.168.11.199's password:
kernel-macsec.tar.gz 100% 47MB 3.5MB/s 00:13
benny@debian:~/raspiOct/linux$ scp modules-macsec.tar.gz pi@192.168.11.199:
pi@192.168.11.199's password:
modules-macsec.tar.gz 100% 21MB 3.4MB/s 00:06
===== Neuen Kernel auf dem Pi nutzen =====
[[https://www.raspberrypi.com/documentation/computers/linux_kernel.html|Offizielle Anleitung des Raspberry Pi Teams bzgl. Kernel kompilieren & Installation]]
pi@MACsecPi:~ $ ls
kernel-macsec.tar.gz modules-macsec.tar.gz
pi@MACsecPi:~ $ tar xzf kernel-macsec.tar.gz
pi@MACsecPi:~ $ tar xzf modules-macsec.tar.gz
pi@MACsecPi:~ $ sudo mv modules/lib/modules/6.12.50-v8-16k+/ /lib/modules/
pi@MACsecPi:~ $ sudo chown -R root:root /lib/modules/6.12.50-v8-16k+/
pi@MACsecPi:~ $ sudo cp arch/arm64/boot/Image.gz /boot/firmware/kernel-macsec.img
pi@MACsecPi:~ $ sudo cp arch/arm64/boot/dts/broadcom/*.dtb /boot/firmware
pi@MACsecPi:~ $ sudo cp arch/arm64/boot/dts/overlays/*.dtb* /boot/firmware/overlays/
pi@MACsecPi:~ $ sudo cp arch/arm64/boot/dts/overlays/README /boot/firmware/overlays/
===== PKI mit OpenSSL erzeugen =====
Passwort: demoDEMOdemoOnly
my-openssl.cnf
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = ./demoCA
certs = $dir/certs
new_certs_dir = $dir/newcerts
database = $dir/index.txt
serial = $dir/serial
private_key = $dir/private/ca.key
certificate = $dir/certs/ca.crt
default_days = 3650
default_md = sha256
policy = policy_strict
x509_extensions = v3_ca
[ policy_strict ]
commonName = supplied
countryName = optional
stateOrProvinceName = optional
organizationName = optional
organizationalUnitName = optional
[ req ]
default_bits = 4096
distinguished_name = req_distinguished_name
string_mask = utf8only
default_md = sha256
x509_extensions = v3_ca
[ req_distinguished_name ]
commonName = Common Name (CN)
[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
[ v3_client ]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = clientAuth
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
benny@Bennys-MacBook-Pro-8 MACsecCA % ls
benny@Bennys-MacBook-Pro-8 MACsecCA % touch my-openssl.cnf
benny@Bennys-MacBook-Pro-8 MACsecCA % vi my-openssl.cnf
benny@Bennys-MacBook-Pro-8 MACsecCA %
benny@Bennys-MacBook-Pro-8 MACsecCA % mkdir -p demoCA/{certs,newcerts,private}
benny@Bennys-MacBook-Pro-8 MACsecCA % touch demoCA/index.txt
benny@Bennys-MacBook-Pro-8 MACsecCA % echo 1000 > demoCA/serial
benny@Bennys-MacBook-Pro-8 MACsecCA % openssl req -new -x509 -days 3650 -extensions v3_ca \
-keyout demoCA/private/ca.key -out demoCA/certs/ca.crt \
-config my-openssl.cnf -subj "/CN=MACsecCA"
Generating a 4096 bit RSA private key
...................................................++++
...................................++++
writing new private key to 'demoCA/private/ca.key'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
benny@Bennys-MacBook-Pro-8 MACsecCA % openssl req -new -nodes -out server.csr -newkey rsa:4096 -keyout server.key \
-subj "/CN=mein-radius.local"
Generating a 4096 bit RSA private key
................++++
...........................++++
writing new private key to 'server.key'
-----
benny@Bennys-MacBook-Pro-8 MACsecCA % openssl ca -config my-openssl.cnf -extensions v3_server \
-in server.csr -out server.crt -days 1825
Using configuration from my-openssl.cnf
Enter pass phrase for ./demoCA/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'mein-radius.local'
Certificate is to be certified until Oct 3 18:02:51 2030 GMT (1825 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
benny@Bennys-MacBook-Pro-8 MACsecCA % openssl req -new -nodes -out client.csr -newkey rsa:4096 -keyout client.key \
-subj "/CN=MACsecPi"
Generating a 4096 bit RSA private key
.................................++++
......++++
writing new private key to 'client.key'
-----
benny@Bennys-MacBook-Pro-8 MACsecCA % openssl ca -config my-openssl.cnf -extensions v3_client \
-in client.csr -out client.crt -days 730
Using configuration from my-openssl.cnf
Enter pass phrase for ./demoCA/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'MACsecPi'
Certificate is to be certified until Oct 4 18:04:46 2027 GMT (730 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
benny@Bennys-MacBook-Pro-8 MACsecCA % openssl rsa -aes256 -in server.key -out server-enc.key
writing RSA key
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
===== wpa_supplicant v2.11 kompilieren =====
Wurde offenbar ohne MACsec kompiliert in Raspberry Pi OS Trixie, daher mal manuell probieren.
wpa_supplicant v2.11 reagiert nicht auf den "Key Server".
pi@MACsecPi:~ wget https://w1.fi/releases/wpa_supplicant-2.11.tar.gz
pi@MACsecPi:~ tar xzf wpa_supplicant-2.11.tar.gz
pi@MACsecPi:~/wpa_supplicant-2.11/wpa_supplicant $
pi@MACsecPi:~/wpa_supplicant-2.11/wpa_supplicant $ cp defconfig .config
pi@MACsecPi:~/wpa_supplicant-2.11/wpa_supplicant $ vi .config
pi@MACsecPi:~/wpa_supplicant-2.11/wpa_supplicant $ sudo apt install dbus-1 libnl-3.0 libssl-dev libdbus-1-3 libdbus-1-dev libnl-3-dev libnl-genl-3-dev install libnl-route-3-dev
pi@MACsecPi:~/wpa_supplicant-2.11/wpa_supplicant $ make
wpa_supplicant reagiert nicht auf den "Key Server". Hier endet der Test leider erstmal bis auf Weiteres :(