raspberry-pi-macsec
Inhaltsverzeichnis
Raspberry Pi mit dot1X, RADIUS & MACsec
Diese Anleitung geht davon aus dass der Raspberry Pi 5 mit Raspberry Pi OS „Trixie“ verwendet wird!
Kernel mit MACsec kompilieren
Um Zeit zu sparen, empfehle ich den Kernel/Module nicht auf dem Pi selbst zu kompilieren, sondern in einer Debian-VM die auf einem ARM-basierten System läuft (z.B. MacBook Pro mit M1(+) Prozessor) - alternativ mit Cross-Compile Toolchain.
benny@debian:~$ mkdir raspiOct benny@debian:~$ cd raspiOct benny@debian:~/raspiOct$ git clone --depth=1 --branch rpi-6.12.y https://github.com/raspberrypi/linux Cloning into 'linux'... remote: Enumerating objects: 92781, done. remote: Counting objects: 100% (92781/92781), done. remote: Compressing objects: 100% (82502/82502), done. remote: Total 92781 (delta 9561), reused 85758 (delta 9291), pack-reused 0 (from 0) Receiving objects: 100% (92781/92781), 258.36 MiB | 22.61 MiB/s, done. Resolving deltas: 100% (9561/9561), done. Updating files: 100% (87559/87559), done. benny@debian:~/raspiOct$ cd linux/ benny@debian:~/raspiOct/linux$ KERNEL=kernel_2712 benny@debian:~/raspiOct/linux$ make bcm2712_defconfig HOSTCC scripts/basic/fixdep HOSTCC scripts/kconfig/conf.o HOSTCC scripts/kconfig/confdata.o HOSTCC scripts/kconfig/expr.o LEX scripts/kconfig/lexer.lex.c YACC scripts/kconfig/parser.tab.[ch] HOSTCC scripts/kconfig/lexer.lex.o HOSTCC scripts/kconfig/menu.o HOSTCC scripts/kconfig/parser.tab.o HOSTCC scripts/kconfig/preprocess.o HOSTCC scripts/kconfig/symbol.o HOSTCC scripts/kconfig/util.o HOSTLD scripts/kconfig/conf # # configuration written to .config # benny@debian:~/raspiOct/linux$ make menuconfig HOSTCC scripts/kconfig/mconf.o HOSTCC scripts/kconfig/lxdialog/checklist.o HOSTCC scripts/kconfig/lxdialog/inputbox.o HOSTCC scripts/kconfig/lxdialog/menubox.o HOSTCC scripts/kconfig/lxdialog/textbox.o HOSTCC scripts/kconfig/lxdialog/util.o HOSTCC scripts/kconfig/lxdialog/yesno.o HOSTCC scripts/kconfig/mnconf-common.o HOSTLD scripts/kconfig/mconf *** End of the configuration. *** Execute 'make' to start the build or try 'make help'. benny@debian:~/raspiOct/linux$ make -j4 Image.gz modules dtbs ... benny@debian:~/raspiOct/linux$ mkdir modules benny@debian:~/raspiOct/linux$ env PATH=$PATH make INSTALL_MOD_PATH=/home/benny/raspiOct/linux/modules modules_install ... benny@debian:~/raspiOct/linux$ tar czf kernel-macsec.tar.gz arch/ benny@debian:~/raspiOct/linux$ tar czf modules-macsec.tar.gz modules benny@debian:~/raspiOct/linux$ scp kernel-macsec.tar.gz pi@192.168.11.199: The authenticity of host '192.168.11.199 (192.168.11.199)' can't be established. ED25519 key fingerprint is SHA256:QnYk4nWf6N14XBgP1mxamkrQGf+s2RugmcqEJ942J8o. This key is not known by any other names. Are you sure you want to continue connecting (yes/no/[fingerprint])? yes Warning: Permanently added '192.168.11.199' (ED25519) to the list of known hosts. pi@192.168.11.199's password: kernel-macsec.tar.gz 100% 47MB 3.5MB/s 00:13 benny@debian:~/raspiOct/linux$ scp modules-macsec.tar.gz pi@192.168.11.199: pi@192.168.11.199's password: modules-macsec.tar.gz 100% 21MB 3.4MB/s 00:06
Neuen Kernel auf dem Pi nutzen
Offizielle Anleitung des Raspberry Pi Teams bzgl. Kernel kompilieren & Installation
pi@MACsecPi:~ $ ls kernel-macsec.tar.gz modules-macsec.tar.gz pi@MACsecPi:~ $ tar xzf kernel-macsec.tar.gz pi@MACsecPi:~ $ tar xzf modules-macsec.tar.gz pi@MACsecPi:~ $ sudo mv modules/lib/modules/6.12.50-v8-16k+/ /lib/modules/ pi@MACsecPi:~ $ sudo chown -R root:root /lib/modules/6.12.50-v8-16k+/ pi@MACsecPi:~ $ sudo cp arch/arm64/boot/Image.gz /boot/firmware/kernel-macsec.img pi@MACsecPi:~ $ sudo cp arch/arm64/boot/dts/broadcom/*.dtb /boot/firmware pi@MACsecPi:~ $ sudo cp arch/arm64/boot/dts/overlays/*.dtb* /boot/firmware/overlays/ pi@MACsecPi:~ $ sudo cp arch/arm64/boot/dts/overlays/README /boot/firmware/overlays/
PKI mit OpenSSL erzeugen
Passwort: demoDEMOdemoOnly
my-openssl.cnf
[ ca ] default_ca = CA_default [ CA_default ] dir = ./demoCA certs = $dir/certs new_certs_dir = $dir/newcerts database = $dir/index.txt serial = $dir/serial private_key = $dir/private/ca.key certificate = $dir/certs/ca.crt default_days = 3650 default_md = sha256 policy = policy_strict x509_extensions = v3_ca [ policy_strict ] commonName = supplied countryName = optional stateOrProvinceName = optional organizationName = optional organizationalUnitName = optional [ req ] default_bits = 4096 distinguished_name = req_distinguished_name string_mask = utf8only default_md = sha256 x509_extensions = v3_ca [ req_distinguished_name ] commonName = Common Name (CN) [ v3_ca ] subjectKeyIdentifier=hash authorityKeyIdentifier=keyid:always,issuer basicConstraints = critical,CA:TRUE keyUsage = critical,keyCertSign,cRLSign [ v3_server ] basicConstraints = CA:FALSE keyUsage = critical,digitalSignature,keyEncipherment extendedKeyUsage = serverAuth subjectKeyIdentifier=hash authorityKeyIdentifier=keyid,issuer [ v3_client ] basicConstraints = CA:FALSE keyUsage = critical,digitalSignature,keyEncipherment extendedKeyUsage = clientAuth subjectKeyIdentifier=hash authorityKeyIdentifier=keyid,issuer
benny@Bennys-MacBook-Pro-8 MACsecCA % ls
benny@Bennys-MacBook-Pro-8 MACsecCA % touch my-openssl.cnf
benny@Bennys-MacBook-Pro-8 MACsecCA % vi my-openssl.cnf
benny@Bennys-MacBook-Pro-8 MACsecCA %
benny@Bennys-MacBook-Pro-8 MACsecCA % mkdir -p demoCA/{certs,newcerts,private}
benny@Bennys-MacBook-Pro-8 MACsecCA % touch demoCA/index.txt
benny@Bennys-MacBook-Pro-8 MACsecCA % echo 1000 > demoCA/serial
benny@Bennys-MacBook-Pro-8 MACsecCA % openssl req -new -x509 -days 3650 -extensions v3_ca \
-keyout demoCA/private/ca.key -out demoCA/certs/ca.crt \
-config my-openssl.cnf -subj "/CN=MACsecCA"
Generating a 4096 bit RSA private key
...................................................++++
...................................++++
writing new private key to 'demoCA/private/ca.key'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
benny@Bennys-MacBook-Pro-8 MACsecCA % openssl req -new -nodes -out server.csr -newkey rsa:4096 -keyout server.key \ -subj "/CN=mein-radius.local" Generating a 4096 bit RSA private key ................++++ ...........................++++ writing new private key to 'server.key' ----- benny@Bennys-MacBook-Pro-8 MACsecCA % openssl ca -config my-openssl.cnf -extensions v3_server \ -in server.csr -out server.crt -days 1825 Using configuration from my-openssl.cnf Enter pass phrase for ./demoCA/private/ca.key: Check that the request matches the signature Signature ok The Subject's Distinguished Name is as follows commonName :ASN.1 12:'mein-radius.local' Certificate is to be certified until Oct 3 18:02:51 2030 GMT (1825 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated
benny@Bennys-MacBook-Pro-8 MACsecCA % openssl req -new -nodes -out client.csr -newkey rsa:4096 -keyout client.key \ -subj "/CN=MACsecPi" Generating a 4096 bit RSA private key .................................++++ ......++++ writing new private key to 'client.key' ----- benny@Bennys-MacBook-Pro-8 MACsecCA % openssl ca -config my-openssl.cnf -extensions v3_client \ -in client.csr -out client.crt -days 730 Using configuration from my-openssl.cnf Enter pass phrase for ./demoCA/private/ca.key: Check that the request matches the signature Signature ok The Subject's Distinguished Name is as follows commonName :ASN.1 12:'MACsecPi' Certificate is to be certified until Oct 4 18:04:46 2027 GMT (730 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated benny@Bennys-MacBook-Pro-8 MACsecCA % openssl rsa -aes256 -in server.key -out server-enc.key writing RSA key Enter PEM pass phrase: Verifying - Enter PEM pass phrase:
wpa_supplicant v2.11 kompilieren
Wurde offenbar ohne MACsec kompiliert in Raspberry Pi OS Trixie, daher mal manuell probieren. wpa_supplicant v2.11 reagiert nicht auf den „Key Server“.
pi@MACsecPi:~ wget https://w1.fi/releases/wpa_supplicant-2.11.tar.gz pi@MACsecPi:~ tar xzf wpa_supplicant-2.11.tar.gz pi@MACsecPi:~/wpa_supplicant-2.11/wpa_supplicant $ pi@MACsecPi:~/wpa_supplicant-2.11/wpa_supplicant $ cp defconfig .config pi@MACsecPi:~/wpa_supplicant-2.11/wpa_supplicant $ vi .config pi@MACsecPi:~/wpa_supplicant-2.11/wpa_supplicant $ sudo apt install dbus-1 libnl-3.0 libssl-dev libdbus-1-3 libdbus-1-dev libnl-3-dev libnl-genl-3-dev install libnl-route-3-dev pi@MACsecPi:~/wpa_supplicant-2.11/wpa_supplicant $ make
wpa_supplicant reagiert nicht auf den „Key Server“. Hier endet der Test leider erstmal bis auf Weiteres :(
raspberry-pi-macsec.txt · Zuletzt geändert: von benny