Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[202211] Add support of secure warm-boot backport #19

Closed
wants to merge 2 commits into from

Conversation

DavidZagury
Copy link
Owner

Backport of sonic-net#2532 and sonic-net#2715

What I did

Add support of secure warm-boot to SONiC.
Basically, warm-boot is supporting to load a new kernel without doing full/cold boot.
That is by loading a new kernel and exec with kexec Linux command. As a result of that, even when the Secure Boot feature is enabled, still a user or a malicious user can load an unsigned kernel, so to avoid that we added the support of the secure warm boot.
More Description about this feature can be found in the Secure Boot HLD: sonic-net/SONiC#1028

How I did it

In general, Linux support it, so I enabled this support by doing the follow steps:

I added some special flags in Linux Kernel when user build the sonic-buildimage with secure boot feature enabled.
I added a flag "-s" to the kexec command
Note: more details in the HLD above.

How to verify it

Good flow:
manually just install with sonic-installed a new secure image (a SONiC image that was build with Secure Boot flag enabled)
after the secure image is installed, do:
warm-reboot
Check now that the new kernel is really loaded and switched.
Bad flow:
Do the same steps 1-2 as a good flow but with an insecure image (SONiC image that was built without setting Secure Boot enabled)
After the insecure image is installed, and triggered warm-boot you should get an error that the new unsigned kernel from the unsecured image was not loaded.

Previous command output (if the output of a command-line utility has changed)

New command output (if the output of a command-line utility has changed)

davidpil2002 and others added 2 commits May 1, 2023 11:17
- What I did
Add support of secure warm-boot to SONiC.
Basically, warm-boot is supporting to load a new kernel without doing full/cold boot.
That is by loading a new kernel and exec with kexec Linux command. As a result of that, even when the Secure Boot feature is enabled, still a user or a malicious user can load an unsigned kernel, so to avoid that we added the support of the secure warm boot.
More Description about this feature can be found in the Secure Boot HLD: sonic-net/SONiC#1028

- How I did it
In general, Linux support it, so I enabled this support by doing the follow steps:

I added some special flags in Linux Kernel when user build the sonic-buildimage with secure boot feature enabled.
I added a flag "-s" to the kexec command
Note: more details in the HLD above.

- How to verify it
* Good flow:
manually just install with sonic-installed a new secure image (a SONiC image that was build with Secure Boot flag enabled)
after the secure image is installed, do:
warm-reboot
Check now that the new kernel is really loaded and switched.
* Bad flow:
Do the same steps 1-2 as a good flow but with an insecure image (SONiC image that was built without setting Secure Boot enabled)
After the insecure image is installed, and triggered warm-boot you should get an error that the new unsigned kernel from the unsecured image was not loaded.
Automation test - TBD
…ic-net#2715)

What I did
Warm-reboot fails on kvm due to non-zero exit upon command
bootctl status 2>/dev/null | grep -c "Secure Boot: enabled"

How I did it
Added || true to return 0 when previous command fails.
Added CHECK_SECURE_UPGRADE_ENABLED to check output of previous command
Added debug logs

How to verify it
Run warm-reboot on kvm and physical device when increased verbosity. Expects debug log to indicate secure/non secure boot. Successful warm reboot
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants