From 8129dd6e25e826d138f0fb447ac407e79d1b6518 Mon Sep 17 00:00:00 2001
From: abdosi <58047199+abdosi@users.noreply.github.com>
Date: Wed, 5 Jun 2024 17:54:39 +1000
Subject: [PATCH] [Secureboot] Revert the changes done to only do Kernel Signnning (#19199)

What I did: Before this feature sonic-net/SONiC#1028 got merged their was intermediate change done to just support Kernel Signing via: #10557. However once this feature is merged : sonic-net/SONiC#1028 (Which support sign of all boot components not just Kernel) we do not need the Kernel only signing changes as it define new rules macro which just create confusion. So as part of this PR i am reverting the Kernel -only sign PR #10557
Signed-off-by: Abhishek Dosi
---
 Makefile.work | 12 ------------
 build_debian.sh | 23 +----------------------
 rules/config | 7 -------
 slave.mk | 6 ------
 4 files changed, 1 insertion(+), 47 deletions(-)

diff --git a/Makefile.work b/Makefile.work
index 69cf6e5b180f..c81fe2483096 100644
--- a/Makefile.work
+++ b/Makefile.work
@@ -339,17 +339,6 @@ ifneq ($(SONIC_VERSION_CACHE_SOURCE),)
 DOCKER_RUN += -v "$(SONIC_VERSION_CACHE_SOURCE):/vcache:rw"
 endif
 
-ifeq ($(SONIC_ENABLE_SECUREBOOT_SIGNATURE), y)
-ifneq ($(SIGNING_KEY),)
- DOCKER_SIGNING_SOURCE := $(shell dirname $(SIGNING_KEY))
- DOCKER_RUN += -v "$(DOCKER_SIGNING_SOURCE):$(DOCKER_SIGNING_SOURCE):ro"
-endif
-ifneq ($(SIGNING_CERT),)
- DOCKER_SIGNING_SOURCE := $(shell dirname $(SIGNING_CERT))
- DOCKER_RUN += -v "$(DOCKER_SIGNING_SOURCE):$(DOCKER_SIGNING_SOURCE):ro"
-endif
-endif
-
 # User name and tag for "docker-*" images created by native dockerd mode.
 ifeq ($(strip $(SONIC_CONFIG_USE_NATIVE_DOCKERD_FOR_BUILD)),y)
 DOCKER_USERNAME = $(USER_LC)
@@ -551,7 +540,6 @@ SONIC_BUILD_INSTRUCTION := $(MAKE) \
 EXTRA_DOCKER_TARGETS=$(EXTRA_DOCKER_TARGETS) \
 BUILD_LOG_TIMESTAMP=$(BUILD_LOG_TIMESTAMP) \
 SONIC_ENABLE_IMAGE_SIGNATURE=$(ENABLE_IMAGE_SIGNATURE) \
- SONIC_ENABLE_SECUREBOOT_SIGNATURE=$(SONIC_ENABLE_SECUREBOOT_SIGNATURE) \
 SECURE_UPGRADE_MODE=$(SECURE_UPGRADE_MODE) \
 SECURE_UPGRADE_DEV_SIGNING_KEY=$(SECURE_UPGRADE_DEV_SIGNING_KEY) \
 SECURE_UPGRADE_SIGNING_CERT=$(SECURE_UPGRADE_SIGNING_CERT) \
diff --git a/build_debian.sh b/build_debian.sh
index 08b2b720fa1b..3763e5e25336 100755
--- a/build_debian.sh
+++ b/build_debian.sh
@@ -172,24 +172,6 @@ if [[ $CONFIGURED_ARCH == amd64 ]]; then
 sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get -y install dmidecode hdparm
 fi
 
-## Sign the Linux kernel
-# note: when flag SONIC_ENABLE_SECUREBOOT_SIGNATURE is enabled the Secure Upgrade flags should be disabled (no_sign) to avoid conflict between the features.
-if [ "$SONIC_ENABLE_SECUREBOOT_SIGNATURE" = "y" ] && [ "$SECURE_UPGRADE_MODE" != 'dev' ] && [ "$SECURE_UPGRADE_MODE" != "prod" ]; then
- if [ ! -f $SIGNING_KEY ]; then
- echo "Error: SONiC linux kernel signing key missing"
- exit 1
- fi
- if [ ! -f $SIGNING_CERT ]; then
- echo "Error: SONiC linux kernel signing certificate missing"
- exit 1
- fi
-
- echo '[INFO] Signing SONiC linux kernel image'
- K=$FILESYSTEM_ROOT/boot/vmlinuz-${LINUX_KERNEL_VERSION}-${CONFIGURED_ARCH}
- sbsign --key $SIGNING_KEY --cert $SIGNING_CERT --output /tmp/${K##*/} ${K}
- sudo cp -f /tmp/${K##*/} ${K}
-fi
-
 ## Update initramfs for booting with squashfs+overlay
 cat files/initramfs-tools/modules | sudo tee -a $FILESYSTEM_ROOT/etc/initramfs-tools/modules > /dev/null
 
@@ -696,10 +678,7 @@ sudo LANG=C chroot $FILESYSTEM_ROOT /bin/bash -c "echo 0 > /etc/fips/fips_enable # ################# # secure boot # #################
-if [[ $SECURE_UPGRADE_MODE == 'dev' || $SECURE_UPGRADE_MODE == "prod" && $SONIC_ENABLE_SECUREBOOT_SIGNATURE != 'y' ]]; then
- # note: SONIC_ENABLE_SECUREBOOT_SIGNATURE is a feature that signing just kernel,
- # SECURE_UPGRADE_MODE is signing all the boot component including kernel.
- # its required to do not enable both features together to avoid conflicts.
+if [[ $SECURE_UPGRADE_MODE == 'dev' || $SECURE_UPGRADE_MODE == "prod" ]]; then
 echo "Secure Boot support build stage: Starting .."
 
 # debian secure boot dependecies
diff --git a/rules/config b/rules/config
index d081fd5aab91..06a6f256f8e6 100644
--- a/rules/config
+++ b/rules/config
@@ -227,13 +227,6 @@ MASTER_FLUENTD_VERSION = mariner_20230517.1
 # The relative path is build root folder.
 SONIC_ENABLE_IMAGE_SIGNATURE ?= n
 
-# SONIC_ENABLE_SECUREBOOT_SIGNATURE - enable SONiC kernel signing to support UEFI secureboot
-# To support UEFI secureboot chain of trust requires EFI kernel to be signed as a PE binary
-# SIGNING_KEY =
-# SIGNING_CERT =
-# The absolute path should be provided.
-SONIC_ENABLE_SECUREBOOT_SIGNATURE ?= n
-
 # Full Secure Boot feature flags.
 # SECURE_UPGRADE_DEV_SIGNING_KEY - path to development signing key, used for image signing during build
 # SECURE_UPGRADE_SIGNING_CERT - path to development signing certificate, used for image signing during build
diff --git a/slave.mk b/slave.mk
index 29f6baa25694..a08778bed145 100644
--- a/slave.mk
+++ b/slave.mk
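Review bot: The rewritten condition mixes quoting styles on one line — `'dev'` single-quoted and `"prod"` double-quoted inside the same `[[ … ]]` — so `if [[ $SECURE_UPGRADE_MODE == 'dev' || $SECURE_UPGRADE_MODE == 'prod' ]]; then` reads more consistently and avoids a reader wondering whether the difference is intentional. Dropping the removed three-line note also leaves this stage with no statement of which values enable it now that SECURE_UPGRADE_MODE is the only switch; a one-line comment above the `if` such as `# SECURE_UPGRADE_MODE=dev|prod signs all boot components (kernel included); any other value, e.g. no_sign, skips this stage` would restore that. The body of this `if` continues outside the hunk.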
@@ -1327,9 +1327,6 @@ $(addprefix $(TARGET_PATH)/, $(SONIC_RFS_TARGETS)) : $(TARGET_PATH)/% : \
 IMAGE_TYPE=$($(installer)_IMAGE_TYPE) \
 TARGET_PATH=$(TARGET_PATH) \
 TRUSTED_GPG_URLS=$(TRUSTED_GPG_URLS) \
- SONIC_ENABLE_SECUREBOOT_SIGNATURE="$(SONIC_ENABLE_SECUREBOOT_SIGNATURE)" \
- SIGNING_KEY="$(SIGNING_KEY)" \
- SIGNING_CERT="$(SIGNING_CERT)" \
 PACKAGE_URL_PREFIX=$(PACKAGE_URL_PREFIX) \
 DBGOPT='$(DBGOPT)' \
 SONIC_VERSION_CACHE=$(SONIC_VERSION_CACHE) \
@@ -1581,9 +1578,6 @@ $(addprefix $(TARGET_PATH)/, $(SONIC_INSTALLERS)) : $(TARGET_PATH)/% : \
 ONIE_IMAGE_PART_SIZE=$(ONIE_IMAGE_PART_SIZE) \
 SONIC_ENFORCE_VERSIONS=$(SONIC_ENFORCE_VERSIONS) \
 TRUSTED_GPG_URLS=$(TRUSTED_GPG_URLS) \
- SONIC_ENABLE_SECUREBOOT_SIGNATURE="$(SONIC_ENABLE_SECUREBOOT_SIGNATURE)" \
- SIGNING_KEY="$(SIGNING_KEY)" \
- SIGNING_CERT="$(SIGNING_CERT)" \
 PACKAGE_URL_PREFIX=$(PACKAGE_URL_PREFIX) \
 DBGOPT='$(DBGOPT)' \
 SONIC_VERSION_CACHE=$(SONIC_VERSION_CACHE) \