From 682f3faacf6cc4a1def997ab98aba6ee0b46fec2 Mon Sep 17 00:00:00 2001
From: David Pilnik
Date: Mon, 5 Dec 2022 08:48:14 +0200
Subject: [PATCH] [secure boot]Remove sudo redundancy, fix code example comments
---
build_debian.sh | 24 ++++++++++++------------
scripts/efi-sign.sh | 2 +-
scripts/signing_kernel_modules.sh | 8 ++++----
scripts/signing_secure_boot_dev.sh | 28 ++++++++++++++--------------
scripts/signing_secure_boot_prod.sh | 3 ++-
5 files changed, 33 insertions(+), 32 deletions(-)
diff --git a/build_debian.sh b/build_debian.sh
index 5340e1d18ea2..7e1172b0c399 100755
--- a/build_debian.sh
+++ b/build_debian.sh
@@ -656,25 +656,25 @@ if [[ $SECURE_UPGRADE_MODE == 'dev' || $SECURE_UPGRADE_MODE == "prod" && $SONIC_ exit 1 fi - sudo bash scripts/signing_secure_boot_dev.sh -a $CONFIGURED_ARCH \ - -r $FILESYSTEM_ROOT \ - -l $LINUX_KERNEL_VERSION \ - -c $SECURE_UPGRADE_DEV_SIGNING_CERT \ - -p $SECURE_UPGRADE_DEV_SIGNING_KEY + sudo ./scripts/signing_secure_boot_dev.sh -a $CONFIGURED_ARCH \ + -r $FILESYSTEM_ROOT \ + -l $LINUX_KERNEL_VERSION \ + -c $SECURE_UPGRADE_DEV_SIGNING_CERT \ + -p $SECURE_UPGRADE_DEV_SIGNING_KEY elif [[ $SECURE_UPGRADE_MODE == "prod" ]]; then # Here Vendor signing should be implemented OUTPUT_SEC_BOOT_DIR=$FILESYSTEM_ROOT/boot - sudo bash scripts/signing_secure_boot_prod.sh $CONFIGURED_ARCH $FILESYSTEM_ROOT $LINUX_KERNEL_VERSION $OUTPUT_SEC_BOOT_DIR + sudo ./scripts/signing_secure_boot_prod.sh $CONFIGURED_ARCH $FILESYSTEM_ROOT $LINUX_KERNEL_VERSION $OUTPUT_SEC_BOOT_DIR # verifying all EFI files and kernel modules in $OUTPUT_SEC_BOOT_DIR - bash scripts/secure_boot_signature_verification.sh -e $OUTPUT_SEC_BOOT_DIR \ - -c $SECURE_UPGRADE_DEV_SIGNING_CERT \ - -k $FILESYSTEM_ROOT + sudo ./scripts/secure_boot_signature_verification.sh -e $OUTPUT_SEC_BOOT_DIR \ + -c $SECURE_UPGRADE_DEV_SIGNING_CERT \ + -k $FILESYSTEM_ROOT # verifying vmlinuz file. - bash scripts/secure_boot_signature_verification.sh -e $FILESYSTEM_ROOT/boot/vmlinuz-${LINUX_KERNEL_VERSION}-${CONFIGURED_ARCH} \ - -c $SECURE_UPGRADE_DEV_SIGNING_CERT \ - -k $FILESYSTEM_ROOT + sudo ./scripts/secure_boot_signature_verification.sh -e $FILESYSTEM_ROOT/boot/vmlinuz-${LINUX_KERNEL_VERSION}-${CONFIGURED_ARCH} \ + -c $SECURE_UPGRADE_DEV_SIGNING_CERT \ + -k $FILESYSTEM_ROOT fi echo "Secure Boot support build stage: END." fi diff --git a/scripts/efi-sign.sh b/scripts/efi-sign.sh index fd890f23c4fc..34dca50b067d 100755 --- a/scripts/efi-sign.sh +++ b/scripts/efi-sign.sh 
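Review bot: Replacing `sudo bash scripts/X.sh` with `sudo ./scripts/X.sh` makes every call in this hunk depend on the target's executable bit and shebang, and the last file section of this patch records `scripts/signing_secure_boot_prod.sh` as mode 100644 with a body of only comments. As committed, the `prod` branch would therefore fail at `sudo ./scripts/signing_secure_boot_prod.sh ...` before any vendor signing runs; either ship that file as 100755 with a `#!/bin/bash` first line or keep `sudo bash scripts/signing_secure_boot_prod.sh ...` for it. The mode of `secure_boot_signature_verification.sh` is not visible in this patch and is worth checking for the same reason. Separately, the `prod` branch verifies against `$SECURE_UPGRADE_DEV_SIGNING_CERT`; if that is intended, a comment such as `# prod images are verified with the certificate passed in SECURE_UPGRADE_DEV_SIGNING_CERT` would make it explicit. The enclosing `if` block starts above the hunk.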
@@ -13,7 +13,7 @@ print_usage() { $0: Usage $0 -p -c -e -s -Usage example: efi-sign.sh priv-key.pem pub-key.pem shimx64.efi shimx64-signed.efi +Usage example: efi-sign.sh -p priv-key.pem -c pub-key.pem -e shimx64.efi -s shimx64-signed.efi EOF } diff --git a/scripts/signing_kernel_modules.sh b/scripts/signing_kernel_modules.sh index 654ed2e1badd..5270d23b86f4 100755 --- a/scripts/signing_kernel_modules.sh +++ b/scripts/signing_kernel_modules.sh @@ -16,8 +16,8 @@ LOCAL_EXTRACT_CERT path of the extract-cert tool for Extract X KERNEL_MODULES_DIR root directory of all the kernel modules to be sign by the script, if the value empty it will use the call script location as root. Runs examples: -1. sudo bash scripts/signing_kernel_modules.sh 5.10.0-8-2 cert.pem priv-key.pem -2. sudo bash scripts/signing_kernel_modules.sh 5.10.0-8-2 cert.pem priv-key.pem fsroot-mellanox /usr/lib/linux-kbuild-5.10/scripts/extract-cert /usr/lib/linux-kbuild-5.10/scripts/sign-file +1. ./scripts/signing_kernel_modules.sh -l 5.10.0-8-2 -c cert.pem -p priv-key.pem +2. ./scripts/signing_kernel_modules.sh -l 5.10.0-8-2 -c cert.pem -p priv-key.pem -k fsroot-mellanox -e /usr/lib/linux-kbuild-5.10/scripts/extract-cert -s /usr/lib/linux-kbuild-5.10/scripts/sign-file EOF } @@ -83,7 +83,7 @@ if [ ! -d "$KERNEL_MODULES_DIR" ]; then fi # find all the kernel modules. -modules_list=$(sudo find ${KERNEL_MODULES_DIR} -name "*.ko") +modules_list=$(find ${KERNEL_MODULES_DIR} -name "*.ko") dev_certs_tmp_folder="/tmp/dev_kmod_sign" @@ -111,7 +111,7 @@ do echo "signing module named: ${mod} .." echo "${LOCAL_SIGN_FILE} sha512 ${local_sign_key} ${local_sign_cert} ${mod}" kernel_modules_cnt=$((kernel_modules_cnt+1)) - sudo ${LOCAL_SIGN_FILE} sha512 ${local_sign_key} ${local_sign_cert} ${mod} + ${LOCAL_SIGN_FILE} sha512 ${local_sign_key} ${local_sign_cert} ${mod} # check Kernel module is signed. if ! grep -q "~Module signature appended~" "${mod}"; then 
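Review bot: `dev_certs_tmp_folder="/tmp/dev_kmod_sign"`, the last line of the `@@ -83,7 +83,7 @@` hunk of scripts/signing_kernel_modules.sh, is a fixed name in a world-writable directory, and with the inner `sudo` calls removed the script is presumably meant to run under an already-privileged caller. How the folder is populated is outside the hunk, but its name suggests it holds signing material, so a per-run directory is safer: `dev_certs_tmp_folder=$(mktemp -d)` together with `trap 'rm -rf -- "$dev_certs_tmp_folder"' EXIT`. On the changed line itself, `${KERNEL_MODULES_DIR}` is unquoted although the `-d` test shown in the hunk header quotes it; `modules_list=$(find "${KERNEL_MODULES_DIR}" -name "*.ko")` keeps the two consistent.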
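Review bot: In the `@@ -111,7 +111,7 @@` hunk the exit status of `${LOCAL_SIGN_FILE} sha512 ...` is not checked on the visible lines, and the follow-up `grep -q "~Module signature appended~"` only shows that some signature trailer is present, not that this run produced it with the given key. A module that already carried a signature would pass the grep even if signing failed. Unless `set -e` is enabled outside the hunk, fail explicitly: `${LOCAL_SIGN_FILE} sha512 "${local_sign_key}" "${local_sign_cert}" "${mod}" || { echo "ERROR: signing ${mod} failed"; exit 1; }`. The loop body starts and ends outside the hunk.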
diff --git a/scripts/signing_secure_boot_dev.sh b/scripts/signing_secure_boot_dev.sh index 134aed2afbf8..cc937215b9b2 100755 --- a/scripts/signing_secure_boot_dev.sh +++ b/scripts/signing_secure_boot_dev.sh @@ -16,8 +16,8 @@ EOF clean_file() { if [ -f $1 ]; then echo "clean old file named: $1" - echo "sudo rm -f $1" - sudo sudo rm -f $1 + echo "rm -f $1" + rm -f $1 fi } @@ -39,31 +39,31 @@ echo "$0 signing & verifying EFI files and Kernel Modules start ..." if [ -z ${CONFIGURED_ARCH} ]; then echo "ERROR: CONFIGURED_ARCH=${CONFIGURED_ARCH} is empty" - usage + print_usage exit 1 fi if [ -z ${FS_ROOT} ]; then echo "ERROR: FS_ROOT=${FS_ROOT} is empty" - usage + print_usage exit 1 fi if [ -z ${LINUX_KERNEL_VERSION} ]; then echo "ERROR: LINUX_KERNEL_VERSION=${LINUX_KERNEL_VERSION} is empty" - usage + print_usage exit 1 fi if [ ! -f "${PEM_CERT}" ]; then echo "ERROR: PEM_CERT=${PEM_CERT} file does not exist" - usage + print_usage exit 1 fi if [ ! -f "${PEM_PRIV_KEY}" ]; then echo "ERROR: PEM_PRIV_KEY=${PEM_PRIV_KEY} file does not exist" - usage + print_usage exit 1 fi @@ -86,13 +86,13 @@ do echo "signing efi file - full path: ${efi} filename: ${efi_filename}" echo "sudo ${EFI_SIGNING} -p $PEM_PRIV_KEY -c $PEM_CERT -e ${efi} -s ${efi}-signed" - sudo ${EFI_SIGNING} -p $PEM_PRIV_KEY -c $PEM_CERT -e ${efi} -s ${efi}-signed + ${EFI_SIGNING} -p $PEM_PRIV_KEY -c $PEM_CERT -e ${efi} -s ${efi}-signed # cp shim & mmx signed files to boot directory in the fs. - sudo cp ${efi}-signed $FS_ROOT/boot/${efi_filename} + cp ${efi}-signed $FS_ROOT/boot/${efi_filename} # verifying signature of mm & shim efi files. - sudo bash scripts/secure_boot_signature_verification.sh -c $PEM_CERT -e $FS_ROOT/boot/${efi_filename} + ./scripts/secure_boot_signature_verification.sh -c $PEM_CERT -e $FS_ROOT/boot/${efi_filename} fi done 
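Review bot: `clean_file` in scripts/signing_secure_boot_dev.sh still expands `$1` unquoted in both `[ -f $1 ]` and the new `rm -f $1`, so a path containing whitespace or glob characters is split or expanded before `rm` sees it, with whatever privileges the caller passed down. Prefer `if [ -f "$1" ]; then` and `rm -f -- "$1"`. The same unquoted pattern appears in the `@@ -39,31 +39,31 @@` hunk, where `[ -z ${CONFIGURED_ARCH} ]` only works for an empty value because `[ -z ]` with no operand evaluates true; `[ -z "${CONFIGURED_ARCH}" ]` states the intent directly, and likewise for `FS_ROOT` and `LINUX_KERNEL_VERSION`.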
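Review bot: None of the signing, copy or verification commands in the `@@ -86,13 +86,13 @@` hunk has its exit status checked on the visible lines, so unless `set -e` is set outside the hunk a failing `./scripts/secure_boot_signature_verification.sh` does not stop the build; the `@@ -106,16 +106,16 @@` hunk has the same shape and still reaches the final `DONE` echo. Add an explicit failure path on the verification calls, e.g. `./scripts/secure_boot_signature_verification.sh -c "$PEM_CERT" -e "$FS_ROOT/boot/${efi_filename}" || exit 1`. The unchanged log line `echo "sudo ${EFI_SIGNING} ..."` also no longer matches the command now that `sudo` was dropped from it. The `for` loop starts outside the hunk.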
@@ -106,16 +106,16 @@ CURR_VMLINUZ=$FS_ROOT/boot/vmlinuz-${LINUX_KERNEL_VERSION}-${CONFIGURED_ARCH} clean_file ${CURR_VMLINUZ}-signed echo "signing ${CURR_VMLINUZ} .." -sudo ${EFI_SIGNING} -p $PEM_PRIV_KEY -c $PEM_CERT -e ${CURR_VMLINUZ} -s ${CURR_VMLINUZ}-signed +${EFI_SIGNING} -p $PEM_PRIV_KEY -c $PEM_CERT -e ${CURR_VMLINUZ} -s ${CURR_VMLINUZ}-signed # rename signed vmlinuz with the name vmlinuz without signed suffix -sudo mv ${CURR_VMLINUZ}-signed ${CURR_VMLINUZ} +mv ${CURR_VMLINUZ}-signed ${CURR_VMLINUZ} -sudo bash scripts/secure_boot_signature_verification.sh -c $PEM_CERT -e ${CURR_VMLINUZ} +./scripts/secure_boot_signature_verification.sh -c $PEM_CERT -e ${CURR_VMLINUZ} ######################### # Kernel Modules signing ######################### -sudo bash scripts/signing_kernel_modules.sh -l $LINUX_KERNEL_VERSION -c ${PEM_CERT} -p ${PEM_PRIV_KEY} -k ${FS_ROOT} +./scripts/signing_kernel_modules.sh -l $LINUX_KERNEL_VERSION -c ${PEM_CERT} -p ${PEM_PRIV_KEY} -k ${FS_ROOT} echo "$0 signing & verifying EFI files and Kernel Modules DONE" diff --git a/scripts/signing_secure_boot_prod.sh b/scripts/signing_secure_boot_prod.sh index 111283cb8a59..a90940ee57e5 100644 --- a/scripts/signing_secure_boot_prod.sh +++ b/scripts/signing_secure_boot_prod.sh @@ -1 +1,2 @@ -#In this script Vendor should code the logic to build a secure boot image by using vendor flows +# In this script Vendor should code the logic to build a secure boot image by using production vendor flows. +# More details can be found in the Secure Boot HLD in https://github.com/sonic-net/SONiC repo
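Review bot: The helper calls `./scripts/secure_boot_signature_verification.sh` and `./scripts/signing_kernel_modules.sh` in this hunk are resolved against the caller's working directory rather than this script's own location. Since build_debian.sh starts this script through `sudo`, running it from any other directory would execute whatever `./scripts/...` exists there with elevated privileges, or fail with a confusing "not found". Anchoring the path removes that dependency: `script_dir=$(cd "$(dirname "$0")" && pwd)` near the top, then `"${script_dir}/signing_kernel_modules.sh" -l "$LINUX_KERNEL_VERSION" -c "${PEM_CERT}" -p "${PEM_PRIV_KEY}" -k "${FS_ROOT}"`. How `EFI_SIGNING` is set is outside the hunk and may need the same treatment.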