[Secureboot] Revert the changes done to only do Kernel Signnning (son…

…ic-net#19199) What I did: Before this feature sonic-net/SONiC#1028 got merged their was intermediate change done to just support Kernel Signing via: sonic-net#10557. However once this feature is merged : sonic-net/SONiC#1028 (Which support sign of all boot components not just Kernel) we do not need the Kernel only signing changes as it define new rules macro which just create confusion. So as part of this PR i am reverting the Kernel -only sign PR sonic-net#10557 Signed-off-by: Abhishek Dosi <[email protected]>
arun1355492 · Jul 26, 2024 · 8129dd6 · 8129dd6
1 parent 94ebf76
commit 8129dd6
Show file tree

Hide file tree

Showing 4 changed files with 1 addition and 47 deletions.
diff --git a/Makefile.work b/Makefile.work
@@ -339,17 +339,6 @@ ifneq ($(SONIC_VERSION_CACHE_SOURCE),)
 	DOCKER_RUN += -v "$(SONIC_VERSION_CACHE_SOURCE):/vcache:rw"
 endif
 
-ifeq ($(SONIC_ENABLE_SECUREBOOT_SIGNATURE), y)
-ifneq ($(SIGNING_KEY),)
-	DOCKER_SIGNING_SOURCE := $(shell dirname $(SIGNING_KEY))
-	DOCKER_RUN += -v "$(DOCKER_SIGNING_SOURCE):$(DOCKER_SIGNING_SOURCE):ro"
-endif
-ifneq ($(SIGNING_CERT),)
-	DOCKER_SIGNING_SOURCE := $(shell dirname $(SIGNING_CERT))
-	DOCKER_RUN += -v "$(DOCKER_SIGNING_SOURCE):$(DOCKER_SIGNING_SOURCE):ro"
-endif
-endif
-
 # User name and tag for "docker-*" images created by native dockerd mode.
 ifeq ($(strip $(SONIC_CONFIG_USE_NATIVE_DOCKERD_FOR_BUILD)),y)
 DOCKER_USERNAME = $(USER_LC)
@@ -551,7 +540,6 @@ SONIC_BUILD_INSTRUCTION :=  $(MAKE) \
                            EXTRA_DOCKER_TARGETS=$(EXTRA_DOCKER_TARGETS) \
                            BUILD_LOG_TIMESTAMP=$(BUILD_LOG_TIMESTAMP) \
                            SONIC_ENABLE_IMAGE_SIGNATURE=$(ENABLE_IMAGE_SIGNATURE) \
-                           SONIC_ENABLE_SECUREBOOT_SIGNATURE=$(SONIC_ENABLE_SECUREBOOT_SIGNATURE) \
                            SECURE_UPGRADE_MODE=$(SECURE_UPGRADE_MODE) \
                            SECURE_UPGRADE_DEV_SIGNING_KEY=$(SECURE_UPGRADE_DEV_SIGNING_KEY) \
                            SECURE_UPGRADE_SIGNING_CERT=$(SECURE_UPGRADE_SIGNING_CERT) \

diff --git a/build_debian.sh b/build_debian.sh
@@ -172,24 +172,6 @@ if [[ $CONFIGURED_ARCH == amd64 ]]; then
     sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get -y install dmidecode hdparm
 fi
 
-## Sign the Linux kernel
-# note: when flag SONIC_ENABLE_SECUREBOOT_SIGNATURE is enabled the Secure Upgrade flags should be disabled (no_sign) to avoid conflict between the features.
-if [ "$SONIC_ENABLE_SECUREBOOT_SIGNATURE" = "y" ] && [ "$SECURE_UPGRADE_MODE" != 'dev' ] && [ "$SECURE_UPGRADE_MODE" != "prod" ]; then
-    if [ ! -f $SIGNING_KEY ]; then
-       echo "Error: SONiC linux kernel signing key missing"
-       exit 1
-    fi
-    if [ ! -f $SIGNING_CERT ]; then
-       echo "Error: SONiC linux kernel signing certificate missing"
-       exit 1
-    fi
-
-    echo '[INFO] Signing SONiC linux kernel image'
-    K=$FILESYSTEM_ROOT/boot/vmlinuz-${LINUX_KERNEL_VERSION}-${CONFIGURED_ARCH}
-    sbsign --key $SIGNING_KEY --cert $SIGNING_CERT --output /tmp/${K##*/} ${K}
-    sudo cp -f /tmp/${K##*/} ${K}
-fi
-
 ## Update initramfs for booting with squashfs+overlay
 cat files/initramfs-tools/modules | sudo tee -a $FILESYSTEM_ROOT/etc/initramfs-tools/modules > /dev/null
 
@@ -696,10 +678,7 @@ sudo LANG=C chroot $FILESYSTEM_ROOT /bin/bash -c "echo 0 > /etc/fips/fips_enable
 # #################
 #   secure boot
 # #################
-if [[ $SECURE_UPGRADE_MODE == 'dev' || $SECURE_UPGRADE_MODE == "prod" && $SONIC_ENABLE_SECUREBOOT_SIGNATURE != 'y' ]]; then
-    # note: SONIC_ENABLE_SECUREBOOT_SIGNATURE is a feature that signing just kernel,
-    # SECURE_UPGRADE_MODE is signing all the boot component including kernel.
-    # its required to do not enable both features together to avoid conflicts.
+if [[ $SECURE_UPGRADE_MODE == 'dev' || $SECURE_UPGRADE_MODE == "prod" ]]; then
     echo "Secure Boot support build stage: Starting .."
 
     # debian secure boot dependecies

diff --git a/rules/config b/rules/config
@@ -227,13 +227,6 @@ MASTER_FLUENTD_VERSION = mariner_20230517.1
 # The relative path is build root folder.
 SONIC_ENABLE_IMAGE_SIGNATURE ?= n
 
-# SONIC_ENABLE_SECUREBOOT_SIGNATURE - enable SONiC kernel signing to support UEFI secureboot
-# To support UEFI secureboot chain of trust requires EFI kernel to be signed as a PE binary
-#     SIGNING_KEY =
-#     SIGNING_CERT =
-# The absolute path should be provided.
-SONIC_ENABLE_SECUREBOOT_SIGNATURE ?= n
-
 # Full Secure Boot feature flags.
 # SECURE_UPGRADE_DEV_SIGNING_KEY - path to development signing key, used for image signing during build
 # SECURE_UPGRADE_SIGNING_CERT - path to development signing certificate, used for image signing during build

diff --git a/slave.mk b/slave.mk
@@ -1327,9 +1327,6 @@ $(addprefix $(TARGET_PATH)/, $(SONIC_RFS_TARGETS)) : $(TARGET_PATH)/% : \
 		IMAGE_TYPE=$($(installer)_IMAGE_TYPE) \
 		TARGET_PATH=$(TARGET_PATH) \
 		TRUSTED_GPG_URLS=$(TRUSTED_GPG_URLS) \
-		SONIC_ENABLE_SECUREBOOT_SIGNATURE="$(SONIC_ENABLE_SECUREBOOT_SIGNATURE)" \
-		SIGNING_KEY="$(SIGNING_KEY)" \
-		SIGNING_CERT="$(SIGNING_CERT)" \
 		PACKAGE_URL_PREFIX=$(PACKAGE_URL_PREFIX) \
 		DBGOPT='$(DBGOPT)' \
 		SONIC_VERSION_CACHE=$(SONIC_VERSION_CACHE) \
@@ -1581,9 +1578,6 @@ $(addprefix $(TARGET_PATH)/, $(SONIC_INSTALLERS)) : $(TARGET_PATH)/% : \
 		ONIE_IMAGE_PART_SIZE=$(ONIE_IMAGE_PART_SIZE) \
 		SONIC_ENFORCE_VERSIONS=$(SONIC_ENFORCE_VERSIONS) \
 		TRUSTED_GPG_URLS=$(TRUSTED_GPG_URLS) \
-		SONIC_ENABLE_SECUREBOOT_SIGNATURE="$(SONIC_ENABLE_SECUREBOOT_SIGNATURE)" \
-		SIGNING_KEY="$(SIGNING_KEY)" \
-		SIGNING_CERT="$(SIGNING_CERT)" \
 		PACKAGE_URL_PREFIX=$(PACKAGE_URL_PREFIX) \
 		DBGOPT='$(DBGOPT)' \
 		SONIC_VERSION_CACHE=$(SONIC_VERSION_CACHE) \