diff --git a/Makefile.work b/Makefile.work
index 69cf6e5b180f..c81fe2483096 100644
--- a/Makefile.work
+++ b/Makefile.work
@@ -339,17 +339,6 @@ ifneq ($(SONIC_VERSION_CACHE_SOURCE),)
 DOCKER_RUN += -v "$(SONIC_VERSION_CACHE_SOURCE):/vcache:rw"
 endif
-ifeq ($(SONIC_ENABLE_SECUREBOOT_SIGNATURE), y)
-ifneq ($(SIGNING_KEY),)
- DOCKER_SIGNING_SOURCE := $(shell dirname $(SIGNING_KEY))
- DOCKER_RUN += -v "$(DOCKER_SIGNING_SOURCE):$(DOCKER_SIGNING_SOURCE):ro"
-endif
-ifneq ($(SIGNING_CERT),)
- DOCKER_SIGNING_SOURCE := $(shell dirname $(SIGNING_CERT))
- DOCKER_RUN += -v "$(DOCKER_SIGNING_SOURCE):$(DOCKER_SIGNING_SOURCE):ro"
-endif
-endif
-
 # User name and tag for "docker-*" images created by native dockerd mode.
 ifeq ($(strip $(SONIC_CONFIG_USE_NATIVE_DOCKERD_FOR_BUILD)),y)
 DOCKER_USERNAME = $(USER_LC)
@@ -551,7 +540,6 @@ SONIC_BUILD_INSTRUCTION := $(MAKE) \
 EXTRA_DOCKER_TARGETS=$(EXTRA_DOCKER_TARGETS) \
 BUILD_LOG_TIMESTAMP=$(BUILD_LOG_TIMESTAMP) \
 SONIC_ENABLE_IMAGE_SIGNATURE=$(ENABLE_IMAGE_SIGNATURE) \
- SONIC_ENABLE_SECUREBOOT_SIGNATURE=$(SONIC_ENABLE_SECUREBOOT_SIGNATURE) \
 SECURE_UPGRADE_MODE=$(SECURE_UPGRADE_MODE) \
 SECURE_UPGRADE_DEV_SIGNING_KEY=$(SECURE_UPGRADE_DEV_SIGNING_KEY) \
 SECURE_UPGRADE_SIGNING_CERT=$(SECURE_UPGRADE_SIGNING_CERT) \
diff --git a/build_debian.sh b/build_debian.sh
index 08b2b720fa1b..3763e5e25336 100755
--- a/build_debian.sh
+++ b/build_debian.sh
@@ -172,24 +172,6 @@ if [[ $CONFIGURED_ARCH == amd64 ]]; then
 sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get -y install dmidecode hdparm
 fi
-## Sign the Linux kernel
-# note: when flag SONIC_ENABLE_SECUREBOOT_SIGNATURE is enabled the Secure Upgrade flags should be disabled (no_sign) to avoid conflict between the features.
-if [ "$SONIC_ENABLE_SECUREBOOT_SIGNATURE" = "y" ] && [ "$SECURE_UPGRADE_MODE" != 'dev' ] && [ "$SECURE_UPGRADE_MODE" != "prod" ]; then
- if [ ! -f $SIGNING_KEY ]; then
- echo "Error: SONiC linux kernel signing key missing"
- exit 1
- fi
- if [ ! -f $SIGNING_CERT ]; then
- echo "Error: SONiC linux kernel signing certificate missing"
- exit 1
- fi
-
- echo '[INFO] Signing SONiC linux kernel image'
- K=$FILESYSTEM_ROOT/boot/vmlinuz-${LINUX_KERNEL_VERSION}-${CONFIGURED_ARCH}
- sbsign --key $SIGNING_KEY --cert $SIGNING_CERT --output /tmp/${K##*/} ${K}
- sudo cp -f /tmp/${K##*/} ${K}
-fi
-
 ## Update initramfs for booting with squashfs+overlay
 cat files/initramfs-tools/modules | sudo tee -a $FILESYSTEM_ROOT/etc/initramfs-tools/modules > /dev/null
@@ -696,10 +678,7 @@ sudo LANG=C chroot $FILESYSTEM_ROOT /bin/bash -c "echo 0 > /etc/fips/fips_enable
 # #################
 # secure boot
 # #################
-if [[ $SECURE_UPGRADE_MODE == 'dev' || $SECURE_UPGRADE_MODE == "prod" && $SONIC_ENABLE_SECUREBOOT_SIGNATURE != 'y' ]]; then
- # note: SONIC_ENABLE_SECUREBOOT_SIGNATURE is a feature that signing just kernel,
- # SECURE_UPGRADE_MODE is signing all the boot component including kernel.
- # its required to do not enable both features together to avoid conflicts.
+if [[ $SECURE_UPGRADE_MODE == 'dev' || $SECURE_UPGRADE_MODE == "prod" ]]; then
 echo "Secure Boot support build stage: Starting .."
 # debian secure boot dependecies
diff --git a/rules/config b/rules/config
index d081fd5aab91..06a6f256f8e6 100644
--- a/rules/config
+++ b/rules/config
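Review bot: Dropping the `SONIC_ENABLE_SECUREBOOT_SIGNATURE` clause from this `if` leaves a build that still sets that flag with a kernel that is never signed — the sbsign path went in the first hunk of this file and the knob's default in rules/config — and nothing tells the user the setting is now ignored, which for a Secure Boot feature is the quiet failure mode worth preventing. Consider failing loudly where the knob used to be defined, e.g. in rules/config `ifeq ($(SONIC_ENABLE_SECUREBOOT_SIGNATURE),y)` / `$(error SONIC_ENABLE_SECUREBOOT_SIGNATURE was removed; use SECURE_UPGRADE_MODE=dev|prod)` / `endif`, which only matters if callers may still carry the flag in their environment or local overrides. The comment this hunk deletes was the only explanation of how the two signing features related; a one-line replacement on the new condition, `# SECURE_UPGRADE_MODE (dev|prod) is now the only path that signs the kernel and boot components`, keeps that context. The `if` block opened here continues past the end of the hunk.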
@@ -227,13 +227,6 @@ MASTER_FLUENTD_VERSION = mariner_20230517.1
 # The relative path is build root folder.
 SONIC_ENABLE_IMAGE_SIGNATURE ?= n
-# SONIC_ENABLE_SECUREBOOT_SIGNATURE - enable SONiC kernel signing to support UEFI secureboot
-# To support UEFI secureboot chain of trust requires EFI kernel to be signed as a PE binary
-# SIGNING_KEY =
-# SIGNING_CERT =
-# The absolute path should be provided.
-SONIC_ENABLE_SECUREBOOT_SIGNATURE ?= n
-
 # Full Secure Boot feature flags.
 # SECURE_UPGRADE_DEV_SIGNING_KEY - path to development signing key, used for image signing during build
 # SECURE_UPGRADE_SIGNING_CERT - path to development signing certificate, used for image signing during build
diff --git a/slave.mk b/slave.mk
index 29f6baa25694..a08778bed145 100644
--- a/slave.mk
+++ b/slave.mk
@@ -1327,9 +1327,6 @@ $(addprefix $(TARGET_PATH)/, $(SONIC_RFS_TARGETS)) : $(TARGET_PATH)/% : \
 IMAGE_TYPE=$($(installer)_IMAGE_TYPE) \
 TARGET_PATH=$(TARGET_PATH) \
 TRUSTED_GPG_URLS=$(TRUSTED_GPG_URLS) \
- SONIC_ENABLE_SECUREBOOT_SIGNATURE="$(SONIC_ENABLE_SECUREBOOT_SIGNATURE)" \
- SIGNING_KEY="$(SIGNING_KEY)" \
- SIGNING_CERT="$(SIGNING_CERT)" \
 PACKAGE_URL_PREFIX=$(PACKAGE_URL_PREFIX) \
 DBGOPT='$(DBGOPT)' \
 SONIC_VERSION_CACHE=$(SONIC_VERSION_CACHE) \
@@ -1581,9 +1578,6 @@ $(addprefix $(TARGET_PATH)/, $(SONIC_INSTALLERS)) : $(TARGET_PATH)/% : \
 ONIE_IMAGE_PART_SIZE=$(ONIE_IMAGE_PART_SIZE) \
 SONIC_ENFORCE_VERSIONS=$(SONIC_ENFORCE_VERSIONS) \
 TRUSTED_GPG_URLS=$(TRUSTED_GPG_URLS) \
- SONIC_ENABLE_SECUREBOOT_SIGNATURE="$(SONIC_ENABLE_SECUREBOOT_SIGNATURE)" \
- SIGNING_KEY="$(SIGNING_KEY)" \
- SIGNING_CERT="$(SIGNING_CERT)" \
 PACKAGE_URL_PREFIX=$(PACKAGE_URL_PREFIX) \
 DBGOPT='$(DBGOPT)' \
 SONIC_VERSION_CACHE=$(SONIC_VERSION_CACHE) \