[secure boot]Remove sudo redundancy, fix code example comments

build_debian.sh

@@ -656,25 +656,25 @@ if [[ $SECURE_UPGRADE_MODE == 'dev' || $SECURE_UPGRADE_MODE == "prod" && $SONIC_
             exit 1
         fi
 
-        sudo bash scripts/signing_secure_boot_dev.sh -a $CONFIGURED_ARCH \
-                                                     -r $FILESYSTEM_ROOT \
-                                                     -l $LINUX_KERNEL_VERSION \
-                                                     -c $SECURE_UPGRADE_DEV_SIGNING_CERT \
-                                                     -p $SECURE_UPGRADE_DEV_SIGNING_KEY
+        sudo ./scripts/signing_secure_boot_dev.sh -a $CONFIGURED_ARCH \
+                                                  -r $FILESYSTEM_ROOT \
+                                                  -l $LINUX_KERNEL_VERSION \
+                                                  -c $SECURE_UPGRADE_DEV_SIGNING_CERT \
+                                                  -p $SECURE_UPGRADE_DEV_SIGNING_KEY
     elif [[ $SECURE_UPGRADE_MODE == "prod" ]]; then
         #  Here Vendor signing should be implemented
         OUTPUT_SEC_BOOT_DIR=$FILESYSTEM_ROOT/boot
-        sudo bash scripts/signing_secure_boot_prod.sh $CONFIGURED_ARCH $FILESYSTEM_ROOT $LINUX_KERNEL_VERSION $OUTPUT_SEC_BOOT_DIR
+        sudo ./scripts/signing_secure_boot_prod.sh $CONFIGURED_ARCH $FILESYSTEM_ROOT $LINUX_KERNEL_VERSION $OUTPUT_SEC_BOOT_DIR
 
         # verifying all EFI files and kernel modules in $OUTPUT_SEC_BOOT_DIR
-        bash scripts/secure_boot_signature_verification.sh -e $OUTPUT_SEC_BOOT_DIR \
-                                                        -c $SECURE_UPGRADE_DEV_SIGNING_CERT \
-                                                        -k $FILESYSTEM_ROOT
+        sudo ./scripts/secure_boot_signature_verification.sh -e $OUTPUT_SEC_BOOT_DIR \
+                                                             -c $SECURE_UPGRADE_DEV_SIGNING_CERT \
+                                                             -k $FILESYSTEM_ROOT
 
         # verifying vmlinuz file.
-        bash scripts/secure_boot_signature_verification.sh -e $FILESYSTEM_ROOT/boot/vmlinuz-${LINUX_KERNEL_VERSION}-${CONFIGURED_ARCH} \
-                                                        -c $SECURE_UPGRADE_DEV_SIGNING_CERT \
-                                                        -k $FILESYSTEM_ROOT
+        sudo ./scripts/secure_boot_signature_verification.sh -e $FILESYSTEM_ROOT/boot/vmlinuz-${LINUX_KERNEL_VERSION}-${CONFIGURED_ARCH} \
+                                                             -c $SECURE_UPGRADE_DEV_SIGNING_CERT \
+                                                             -k $FILESYSTEM_ROOT
     fi
     echo "Secure Boot support build stage: END."
 fi

scripts/efi-sign.sh

@@ -13,7 +13,7 @@ print_usage() {
 
 $0: Usage
 $0 -p <PRIVATE_KEY_PEM> -c <CERT_PEM> -e <EFI_FILE> -s <EFI_FILE_SIGNED>
-Usage example: efi-sign.sh priv-key.pem pub-key.pem shimx64.efi shimx64-signed.efi
+Usage example: efi-sign.sh -p priv-key.pem -c pub-key.pem -e shimx64.efi -s shimx64-signed.efi
 
 EOF
 }

scripts/signing_kernel_modules.sh

@@ -16,8 +16,8 @@ LOCAL_EXTRACT_CERT                   path of the extract-cert tool for Extract X
 KERNEL_MODULES_DIR                   root directory of all the kernel modules to be sign by the script, if the value empty it will use the call script location as root.
 
 Runs examples:
-1. sudo bash scripts/signing_kernel_modules.sh 5.10.0-8-2 cert.pem priv-key.pem
-2. sudo bash scripts/signing_kernel_modules.sh 5.10.0-8-2 cert.pem priv-key.pem fsroot-mellanox /usr/lib/linux-kbuild-5.10/scripts/extract-cert /usr/lib/linux-kbuild-5.10/scripts/sign-file
+1. ./scripts/signing_kernel_modules.sh -l 5.10.0-8-2 -c cert.pem -p priv-key.pem
+2. ./scripts/signing_kernel_modules.sh -l 5.10.0-8-2 -c cert.pem -p priv-key.pem -k fsroot-mellanox -e /usr/lib/linux-kbuild-5.10/scripts/extract-cert -s /usr/lib/linux-kbuild-5.10/scripts/sign-file
 EOF
 }
 
@@ -83,7 +83,7 @@ if [ ! -d "$KERNEL_MODULES_DIR" ]; then
 fi
 
 # find all the kernel modules.
-modules_list=$(sudo find ${KERNEL_MODULES_DIR} -name "*.ko")
+modules_list=$(find ${KERNEL_MODULES_DIR} -name "*.ko")
 
 dev_certs_tmp_folder="/tmp/dev_kmod_sign"
 
@@ -111,7 +111,7 @@ do
     echo "signing module named: ${mod} .."
     echo "${LOCAL_SIGN_FILE} sha512 ${local_sign_key} ${local_sign_cert} ${mod}"
     kernel_modules_cnt=$((kernel_modules_cnt+1))
-    sudo ${LOCAL_SIGN_FILE} sha512 ${local_sign_key} ${local_sign_cert} ${mod}
+    ${LOCAL_SIGN_FILE} sha512 ${local_sign_key} ${local_sign_cert} ${mod}
 
     # check Kernel module is signed.
     if ! grep -q "~Module signature appended~" "${mod}"; then

scripts/signing_secure_boot_dev.sh

@@ -16,8 +16,8 @@ EOF
 clean_file() {
     if [ -f $1 ]; then
         echo "clean old file named: $1"
-        echo "sudo rm -f $1"
-        sudo sudo rm -f $1
+        echo "rm -f $1"
+        rm -f $1
     fi
 }
 
@@ -39,31 +39,31 @@ echo "$0 signing & verifying EFI files and Kernel Modules start ..."
 
 if [ -z ${CONFIGURED_ARCH} ]; then
     echo "ERROR: CONFIGURED_ARCH=${CONFIGURED_ARCH} is empty"
-    usage
+    print_usage
     exit 1
 fi
 
 if [ -z ${FS_ROOT} ]; then
     echo "ERROR: FS_ROOT=${FS_ROOT} is empty"
-    usage
+    print_usage
     exit 1
 fi
 
 if [ -z ${LINUX_KERNEL_VERSION} ]; then
     echo "ERROR: LINUX_KERNEL_VERSION=${LINUX_KERNEL_VERSION} is empty"
-    usage
+    print_usage
     exit 1
 fi
 
 if [ ! -f "${PEM_CERT}" ]; then
     echo "ERROR: PEM_CERT=${PEM_CERT} file does not exist"
-    usage
+    print_usage
     exit 1
 fi
 
 if [ ! -f "${PEM_PRIV_KEY}" ]; then
     echo "ERROR: PEM_PRIV_KEY=${PEM_PRIV_KEY} file does not exist"
-    usage
+    print_usage
     exit 1
 fi
 
@@ -86,13 +86,13 @@ do
 
         echo "signing efi file - full path: ${efi} filename: ${efi_filename}"
         echo "sudo ${EFI_SIGNING} -p $PEM_PRIV_KEY -c $PEM_CERT -e ${efi} -s ${efi}-signed"
-        sudo ${EFI_SIGNING} -p $PEM_PRIV_KEY -c $PEM_CERT -e ${efi} -s ${efi}-signed
+        ${EFI_SIGNING} -p $PEM_PRIV_KEY -c $PEM_CERT -e ${efi} -s ${efi}-signed
 
         # cp shim & mmx signed files to boot directory in the fs.
-        sudo cp ${efi}-signed $FS_ROOT/boot/${efi_filename}
+        cp ${efi}-signed $FS_ROOT/boot/${efi_filename}
 
         # verifying signature of mm & shim efi files.
-        sudo bash scripts/secure_boot_signature_verification.sh -c $PEM_CERT -e $FS_ROOT/boot/${efi_filename} 
+        ./scripts/secure_boot_signature_verification.sh -c $PEM_CERT -e $FS_ROOT/boot/${efi_filename} 
     fi
 done
 
@@ -106,16 +106,16 @@ CURR_VMLINUZ=$FS_ROOT/boot/vmlinuz-${LINUX_KERNEL_VERSION}-${CONFIGURED_ARCH}
 clean_file ${CURR_VMLINUZ}-signed
 
 echo "signing ${CURR_VMLINUZ} .."
-sudo ${EFI_SIGNING} -p $PEM_PRIV_KEY -c $PEM_CERT -e ${CURR_VMLINUZ} -s ${CURR_VMLINUZ}-signed
+${EFI_SIGNING} -p $PEM_PRIV_KEY -c $PEM_CERT -e ${CURR_VMLINUZ} -s ${CURR_VMLINUZ}-signed
 
 # rename signed vmlinuz with the name vmlinuz without signed suffix
-sudo mv ${CURR_VMLINUZ}-signed ${CURR_VMLINUZ}
+mv ${CURR_VMLINUZ}-signed ${CURR_VMLINUZ}
 
-sudo bash scripts/secure_boot_signature_verification.sh -c $PEM_CERT -e ${CURR_VMLINUZ}
+./scripts/secure_boot_signature_verification.sh -c $PEM_CERT -e ${CURR_VMLINUZ}
 
 #########################
 # Kernel Modules signing
 #########################
-sudo bash scripts/signing_kernel_modules.sh -l $LINUX_KERNEL_VERSION -c ${PEM_CERT} -p ${PEM_PRIV_KEY} -k ${FS_ROOT}
+./scripts/signing_kernel_modules.sh -l $LINUX_KERNEL_VERSION -c ${PEM_CERT} -p ${PEM_PRIV_KEY} -k ${FS_ROOT}
 
 echo "$0 signing & verifying EFI files and Kernel Modules DONE"

scripts/signing_secure_boot_prod.sh

@@ -1 +1,2 @@
-#In this script Vendor should code  the logic to build a secure boot image by using vendor flows
+# In this script Vendor should code  the logic to build a secure boot image by using production vendor flows.
+# More details can be found in the Secure Boot HLD in https://github.com/sonic-net/SONiC repo