Raspberry Pi mit dot1X, RADIUS & MACsec

Diese Anleitung geht davon aus dass der Raspberry Pi 5 mit Raspberry Pi OS „Trixie“ verwendet wird!

Kernel mit MACsec kompilieren

Um Zeit zu sparen, empfehle ich den Kernel/Module nicht auf dem Pi selbst zu kompilieren, sondern in einer Debian-VM die auf einem ARM-basierten System läuft (z.B. MacBook Pro mit M1(+) Prozessor) - alternativ mit Cross-Compile Toolchain.

benny@debian:~$ mkdir raspiOct
benny@debian:~$ cd raspiOct
benny@debian:~/raspiOct$ git clone --depth=1 --branch rpi-6.12.y https://github.com/raspberrypi/linux
Cloning into 'linux'...
remote: Enumerating objects: 92781, done.
remote: Counting objects: 100% (92781/92781), done.
remote: Compressing objects: 100% (82502/82502), done.
remote: Total 92781 (delta 9561), reused 85758 (delta 9291), pack-reused 0 (from 0)
Receiving objects: 100% (92781/92781), 258.36 MiB | 22.61 MiB/s, done.
Resolving deltas: 100% (9561/9561), done.
Updating files: 100% (87559/87559), done.
benny@debian:~/raspiOct$ cd linux/
benny@debian:~/raspiOct/linux$ KERNEL=kernel_2712
benny@debian:~/raspiOct/linux$ make bcm2712_defconfig
  HOSTCC  scripts/basic/fixdep
  HOSTCC  scripts/kconfig/conf.o
  HOSTCC  scripts/kconfig/confdata.o
  HOSTCC  scripts/kconfig/expr.o
  LEX     scripts/kconfig/lexer.lex.c
  YACC    scripts/kconfig/parser.tab.[ch]
  HOSTCC  scripts/kconfig/lexer.lex.o
  HOSTCC  scripts/kconfig/menu.o
  HOSTCC  scripts/kconfig/parser.tab.o
  HOSTCC  scripts/kconfig/preprocess.o
  HOSTCC  scripts/kconfig/symbol.o
  HOSTCC  scripts/kconfig/util.o
  HOSTLD  scripts/kconfig/conf
#
# configuration written to .config
#
benny@debian:~/raspiOct/linux$ make menuconfig
  HOSTCC  scripts/kconfig/mconf.o
  HOSTCC  scripts/kconfig/lxdialog/checklist.o
  HOSTCC  scripts/kconfig/lxdialog/inputbox.o
  HOSTCC  scripts/kconfig/lxdialog/menubox.o
  HOSTCC  scripts/kconfig/lxdialog/textbox.o
  HOSTCC  scripts/kconfig/lxdialog/util.o
  HOSTCC  scripts/kconfig/lxdialog/yesno.o
  HOSTCC  scripts/kconfig/mnconf-common.o
  HOSTLD  scripts/kconfig/mconf


*** End of the configuration.
*** Execute 'make' to start the build or try 'make help'.

benny@debian:~/raspiOct/linux$ make -j4 Image.gz modules dtbs

...

benny@debian:~/raspiOct/linux$ mkdir modules
benny@debian:~/raspiOct/linux$ env PATH=$PATH make INSTALL_MOD_PATH=/home/benny/raspiOct/linux/modules modules_install

...

benny@debian:~/raspiOct/linux$ tar czf kernel-macsec.tar.gz arch/
benny@debian:~/raspiOct/linux$ tar czf modules-macsec.tar.gz modules
benny@debian:~/raspiOct/linux$ scp kernel-macsec.tar.gz pi@192.168.11.199:
The authenticity of host '192.168.11.199 (192.168.11.199)' can't be established.
ED25519 key fingerprint is SHA256:QnYk4nWf6N14XBgP1mxamkrQGf+s2RugmcqEJ942J8o.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.11.199' (ED25519) to the list of known hosts.
pi@192.168.11.199's password: 
kernel-macsec.tar.gz                                                     100%   47MB   3.5MB/s   00:13    
benny@debian:~/raspiOct/linux$ scp modules-macsec.tar.gz pi@192.168.11.199:
pi@192.168.11.199's password: 
modules-macsec.tar.gz                                                    100%   21MB   3.4MB/s   00:06

Neuen Kernel auf dem Pi nutzen

Offizielle Anleitung des Raspberry Pi Teams bzgl. Kernel kompilieren & Installation

pi@MACsecPi:~ $ ls
kernel-macsec.tar.gz  modules-macsec.tar.gz
pi@MACsecPi:~ $ tar xzf kernel-macsec.tar.gz 
pi@MACsecPi:~ $ tar xzf modules-macsec.tar.gz 
pi@MACsecPi:~ $ sudo mv modules/lib/modules/6.12.50-v8-16k+/ /lib/modules/
pi@MACsecPi:~ $ sudo chown -R root:root /lib/modules/6.12.50-v8-16k+/
pi@MACsecPi:~ $ sudo cp arch/arm64/boot/Image.gz /boot/firmware/kernel-macsec.img
pi@MACsecPi:~ $ sudo cp arch/arm64/boot/dts/broadcom/*.dtb /boot/firmware
pi@MACsecPi:~ $ sudo cp arch/arm64/boot/dts/overlays/*.dtb* /boot/firmware/overlays/
pi@MACsecPi:~ $ sudo cp arch/arm64/boot/dts/overlays/README /boot/firmware/overlays/