From 41665e5add665ed819e40c5692793a4393d45bf1 Mon Sep 17 00:00:00 2001 From: Yona Cohen Date: Mon, 15 Aug 2022 15:05:41 +0300 Subject: [PATCH 01/17] Implemented secure upgrade --- Makefile.work | 3 ++ build_image.sh | 2 +- .../build_templates/sonic_debian_extension.j2 | 3 ++ installer/sharch_body.sh | 8 +++- onie-mk-demo.sh | 41 +++++++++++++++++++ rules/config | 8 ++++ scripts/sign_image_dev.sh | 14 +++++++ slave.mk | 9 ++++ 8 files changed, 85 insertions(+), 3 deletions(-) create mode 100755 scripts/sign_image_dev.sh diff --git a/Makefile.work b/Makefile.work index 3f64531ab11c..f7111185ba3c 100644 --- a/Makefile.work +++ b/Makefile.work @@ -400,6 +400,9 @@ SONIC_BUILD_INSTRUCTION := make \ SONIC_ENABLE_IMAGE_SIGNATURE=$(ENABLE_IMAGE_SIGNATURE) \ SONIC_ENABLE_SECUREBOOT_SIGNATURE=$(SONIC_ENABLE_SECUREBOOT_SIGNATURE) \ SONIC_DEFAULT_CONTAINER_REGISTRY=$(DEFAULT_CONTAINER_REGISTRY) \ + SECURE_UPGRADE_MODE=$(SECURE_UPGRADE_MODE) \ + SECURE_UPGRADE_DEV_SIGNING_KEY=$(SECURE_UPGRADE_DEV_SIGNING_KEY) \ + SECURE_UPGRADE_DEV_SIGNING_CERT=$(SECURE_UPGRADE_DEV_SIGNING_CERT) \ ENABLE_HOST_SERVICE_ON_START=$(ENABLE_HOST_SERVICE_ON_START) \ SLAVE_DIR=$(SLAVE_DIR) \ ENABLE_AUTO_TECH_SUPPORT=$(ENABLE_AUTO_TECH_SUPPORT) \ diff --git a/build_image.sh b/build_image.sh index ddf134e845ce..6559b89eda6b 100755 --- a/build_image.sh +++ b/build_image.sh @@ -86,7 +86,7 @@ generate_onie_installer_image() ## Note: Don't leave blank between lines. It is single line command. ./onie-mk-demo.sh $CONFIGURED_ARCH $TARGET_MACHINE $TARGET_PLATFORM-$TARGET_MACHINE-$ONIEIMAGE_VERSION \ installer platform/$TARGET_MACHINE/platform.conf $output_file OS $IMAGE_VERSION $ONIE_IMAGE_PART_SIZE \ - $ONIE_INSTALLER_PAYLOAD + $ONIE_INSTALLER_PAYLOAD $SECURE_UPGRADE_DEV_SIGNING_CERT $SECURE_UPGRADE_DEV_SIGNING_KEY } # Generate asic-specific device list diff --git a/files/build_templates/sonic_debian_extension.j2 b/files/build_templates/sonic_debian_extension.j2 index 4b7a77b3151c..bd8a4d3a9152 100644 
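Review bot: The two new positional arguments on the `./onie-mk-demo.sh` call, `$SECURE_UPGRADE_DEV_SIGNING_CERT $SECURE_UPGRADE_DEV_SIGNING_KEY`, are unquoted, so an empty cert with a non-empty key (or an empty `$ONIE_INSTALLER_PAYLOAD`) collapses and shifts the remaining values into lower slots, and onie-mk-demo.sh then reads the key path as `cert_file=${11}`. Quoting the two new arguments, `"$SECURE_UPGRADE_DEV_SIGNING_CERT" "$SECURE_UPGRADE_DEV_SIGNING_KEY"`, keeps the slots stable; the payload variable may be deliberately word-split into several paths, so leave it as is unless that is confirmed otherwise. A one-line comment naming the slots would help the next editor of this call: `# args 10-12: installer payload, dev signing cert, dev signing key`. The body of generate_onie_installer_image starts outside the hunk.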
--- a/files/build_templates/sonic_debian_extension.j2 +++ b/files/build_templates/sonic_debian_extension.j2 @@ -78,6 +78,9 @@ fi # Update apt's snapshot of its repos sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get update +# Install efitools to support secure upgrade +sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get -y install efitools + # Apply environtment configuration files sudo cp $IMAGE_CONFIGS/environment/environment $FILESYSTEM_ROOT/etc/ sudo cp $IMAGE_CONFIGS/environment/motd $FILESYSTEM_ROOT/etc/ diff --git a/installer/sharch_body.sh b/installer/sharch_body.sh index e6289371cd58..d2d46c8b09cd 100644 --- a/installer/sharch_body.sh +++ b/installer/sharch_body.sh @@ -11,7 +11,9 @@ ## echo -n "Verifying image checksum ..." -sha1=$(sed -e '1,/^exit_marker$/d' "$0" | sha1sum | awk '{ print $1 }') +payload_image_size=%%PAYLOAD_IMAGE_SIZE%% + +sha1=$(sed -e '1,/^exit_marker$/d' "$0" | head -c $payload_image_size | sha1sum | awk '{ print $1 }') payload_sha1=%%IMAGE_SHA1%% @@ -45,7 +47,9 @@ if [ "$(id -u)" = "0" ] ; then fi cd $tmp_dir echo -n "Preparing image archive ..." -sed -e '1,/^exit_marker$/d' $archive_path | tar xf - || exit 1 + +sed -e '1,/^exit_marker$/d' $archive_path | head -c $payload_image_size | tar xf - || clean_up 1 + echo " OK." cd $cur_wd if [ -n "$extract" ] ; then diff --git a/onie-mk-demo.sh b/onie-mk-demo.sh index 0905673d42cb..5b91ccc817f8 100755 --- a/onie-mk-demo.sh +++ b/onie-mk-demo.sh @@ -14,6 +14,8 @@ output_file=$6 demo_type=$7 image_version=$8 onie_image_part_size=$9 +cert_file=${11} +key_file=${12} shift 9 
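Review bot: In the installer/sharch_body.sh hunk, `head -c $payload_image_size` on the sha1 line depends on the `%%PAYLOAD_IMAGE_SIZE%%` placeholder having been substituted at build time; if it was not, `head` rejects the non-numeric count and the checksum below is computed over empty output, which produces a confusing mismatch rather than a clear error. A guard before first use makes that explicit: `case "$payload_image_size" in ''|*[!0-9]*) echo "Error: invalid payload size"; exit 1;; esac`. The bound also deserves a comment, since it intentionally leaves anything after the payload outside the digest: `# sha1 covers only the tar payload; bytes appended after it (e.g. a signature) are not part of this integrity check`. The sha1 is an integrity check, not what authenticates the image, and saying so here avoids readers assuming otherwise.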
@@ -130,7 +132,46 @@ cp $installer_dir/sharch_body.sh $output_file || { # Replace variables in the sharch template sed -i -e "s/%%IMAGE_SHA1%%/$sha1/" $output_file echo -n "." +tar_size="$(wc -c < "${sharch}")" cat $sharch >> $output_file +sed -i -e "s|%%PAYLOAD_IMAGE_SIZE%%|${tar_size}|" ${output_file} +echo "secure upgrade flags: SECURE_UPGRADE_MODE = $SECURE_UPGRADE_MODE, \ +SECURE_UPGRADE_DEV_SIGNING_KEY = $SECURE_UPGRADE_DEV_SIGNING_KEY, SECURE_UPGRADE_DEV_SIGNING_CERT = $SECURE_UPGRADE_DEV_SIGNING_CERT" + +if [ "$SECURE_UPGRADE_MODE" = "dev" -o "$SECURE_UPGRADE_MODE" = "prod" ]; then + CMS_SIG="${tmp_dir}/signature.sig" + + echo "$0 Creating CMS signature for ${output_file} with ${key_file}. Output file ${CMS_SIG}" + DIR="$(dirname "$0")" + + scripts_dir="${DIR}/scripts" + if [ "$SECURE_UPGRADE_MODE" = "dev" ]; then + . ${scripts_dir}/sign_image_dev.sh + sign_image_dev ${cert_file} ${key_file} ${output_file} ${CMS_SIG} || { + echo "CMS sign error $?" + sudo rm -rf ${CMS_SIG} + clean_up 1 + } + else # "$SECURE_UPGRADE_MODE" has to be equal to "prod" + . ${scripts_dir}/sign_image_${platform}.sh + sign_image_prod ${output_file} ${CMS_SIG} || { + echo "CMS sign error $?" + sudo rm -rf ${CMS_SIG} + clean_up 1 + } + fi + + [ -f "$CMS_SIG" ] || { + echo "Error: CMS signature not created - exiting without signing" + clean_up 1 + } + # append signature to binary + cat ${CMS_SIG} >> ${output_file} + sudo rm -rf ${CMS_SIG} +elif [ "$SECURE_UPGRADE_MODE" -ne "no_sign" ]; then + echo "SECURE_UPGRADE_MODE not defined or defined as $SECURE_UPGRADE_MODE - build without signing" +fi + rm -rf $tmp_dir echo " Done." diff --git a/rules/config b/rules/config index 380b28bc7cd5..a407c0921df1 100644 --- a/rules/config +++ b/rules/config 
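Review bot: `sudo rm -rf ${CMS_SIG}` deletes a file the script itself just wrote under `${tmp_dir}`, so the privilege escalation is unnecessary and makes a plain cleanup depend on sudo policy; `rm -f -- "${CMS_SIG}"` is enough, and `${CMS_SIG}`, `${output_file}`, `${cert_file}` and `${key_file}` should be quoted throughout the block. The point where the signature is appended needs a comment, because the CMS blob is computed over `${output_file}` as it exists before the append and a verifier therefore has to separate the trailing PEM from the installer before checking it: `# signature covers header+payload as written so far; verifiers must detach this trailing PEM before verifying`. `[ … -o … ]` is a deprecated test form; `[ "$SECURE_UPGRADE_MODE" = "dev" ] || [ "$SECURE_UPGRADE_MODE" = "prod" ]` is the portable spelling. The `-ne` in the `elif` is corrected by patch 02 of this series, so it is not raised here.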
@@ -208,6 +208,14 @@ SONIC_ENABLE_IMAGE_SIGNATURE ?= n # The absolute path should be provided. SONIC_ENABLE_SECUREBOOT_SIGNATURE ?= n +# folloing flags are used for image secure upgrade verification: +# SECURE_UPGRADE_DEV_SIGNING_KEY - path to development signing key, used for image signing during build +# SECURE_UPGRADE_DEV_SIGNING_CERT - path to development signing certificate, used for image signing during build +# SECURE_UPGRADE_MODE - enum value for secure upgrade mode, valid options are "dev", "prod" and "no_sign" +#SECURE_UPGRADE_DEV_SIGNING_KEY = +#SECURE_UPGRADE_DEV_SIGNING_CERT = +SECURE_UPGRADE_MODE = "no_sign" + # PACKAGE_URL_PREFIX - the package url prefix PACKAGE_URL_PREFIX ?= https://packages.trafficmanager.net/public/packages diff --git a/scripts/sign_image_dev.sh b/scripts/sign_image_dev.sh new file mode 100755 index 000000000000..1dbc7fa1bbde --- /dev/null +++ b/scripts/sign_image_dev.sh @@ -0,0 +1,14 @@ +sign_image_dev() +{ + cert_file=$1 + key_file=$2 + image_to_sign=$3 + cms_sig_out=$4 + openssl cms -sign -nosmimecap -signer ${cert_file} -inkey ${key_file} -binary -in $image_to_sign -outform pem -out ${cms_sig_out} || { + echo "$?: CMS sign error" + sudo rm -rf ${cms_sig_out} + exit 1 + } + echo "CMS sign OK" + return 0 +} \ No newline at end of file diff --git a/slave.mk b/slave.mk index e1f4a0ef80d9..0cd26d11bdfc 100644 --- a/slave.mk +++ b/slave.mk 
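Review bot: `SECURE_UPGRADE_MODE = "no_sign"` departs from the neighbouring flags in two ways: it uses `=` instead of `?=`, so unlike `SONIC_ENABLE_SECUREBOOT_SIGNATURE ?= n` just above it cannot be set from the environment, and the double quotes are literal characters in a make value, so the variable carries `"no_sign"` including the quotes. It presumably still compares equal to `no_sign` in onie-mk-demo.sh only because slave.mk wraps it in another pair of quotes and the shell strips both, which is fragile. `SECURE_UPGRADE_MODE ?= no_sign` follows the file's convention. The comment block could also state what `prod` mode does (a platform-specific signing script is sourced by onie-mk-demo.sh), which the three listed flags do not convey.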
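Review bot: sign_image_dev is sourced into onie-mk-demo.sh and then calls `exit 1` on an openssl failure, which terminates the caller before its `|| { … clean_up 1 }` handler can run and leaves `${tmp_dir}` behind; `return 1` is what a sourced function should do to reach that handler. `sudo rm -rf ${cms_sig_out}` removes a file openssl wrote as the build user, so `rm -f -- "${cms_sig_out}"` suffices, and `${cert_file}`, `${key_file}` and `$image_to_sign` should be quoted. A header comment naming the four positional parameters and the output would help: `# sign_image_dev <cert> <key> <image> <out.sig>: writes a PEM CMS signature over <image>`. Later patches in this series run the script in its own process, which also resolves the exit problem.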
@@ -348,6 +348,9 @@ $(info "USE_NATIVE_DOCKERD_FOR_BUILD" : "$(SONIC_CONFIG_USE_NATIVE_DOCKERD_FO $(info "SONIC_USE_DOCKER_BUILDKIT" : "$(SONIC_USE_DOCKER_BUILDKIT)") $(info "USERNAME" : "$(USERNAME)") $(info "PASSWORD" : "$(PASSWORD)") +$(info "SECURE_UPGRADE_MODE" : "$(SECURE_UPGRADE_MODE)") +$(info "SECURE_UPGRADE_DEV_SIGNING_KEY" : "$(SECURE_UPGRADE_DEV_SIGNING_KEY)") +$(info "SECURE_UPGRADE_DEV_SIGNING_CERT" : "$(SECURE_UPGRADE_DEV_SIGNING_CERT)") $(info "ENABLE_DHCP_GRAPH_SERVICE" : "$(ENABLE_DHCP_GRAPH_SERVICE)") $(info "SHUTDOWN_BGP_ON_START" : "$(SHUTDOWN_BGP_ON_START)") $(info "ENABLE_PFCWD_ON_START" : "$(ENABLE_PFCWD_ON_START)") @@ -1174,6 +1177,9 @@ $(addprefix $(TARGET_PATH)/, $(SONIC_INSTALLERS)) : $(TARGET_PATH)/% : \ export enable_organization_extensions="$(ENABLE_ORGANIZATION_EXTENSIONS)" export enable_dhcp_graph_service="$(ENABLE_DHCP_GRAPH_SERVICE)" export enable_ztp="$(ENABLE_ZTP)" + export sonic_su_dev_signing_key="$(SECURE_UPGRADE_DEV_SIGNING_KEY)" + export sonic_su_dev_signing_cert="$(SECURE_UPGRADE_DEV_SIGNING_CERT)" + export sonic_su_mode="$(SECURE_UPGRADE_MODE)" export include_system_telemetry="$(INCLUDE_SYSTEM_TELEMETRY)" export include_restapi="$(INCLUDE_RESTAPI)" export include_nat="$(INCLUDE_NAT)" @@ -1373,6 +1379,9 @@ $(addprefix $(TARGET_PATH)/, $(SONIC_INSTALLERS)) : $(TARGET_PATH)/% : \ TARGET_MACHINE=$(dep_machine) \ IMAGE_TYPE=$($*_IMAGE_TYPE) \ SONIC_ENABLE_IMAGE_SIGNATURE="$(SONIC_ENABLE_IMAGE_SIGNATURE)" \ + SECURE_UPGRADE_MODE="$(SECURE_UPGRADE_MODE)" \ + SECURE_UPGRADE_DEV_SIGNING_KEY="$(SECURE_UPGRADE_DEV_SIGNING_KEY)" \ + SECURE_UPGRADE_DEV_SIGNING_CERT="$(SECURE_UPGRADE_DEV_SIGNING_CERT)" \ SIGNING_KEY="$(SIGNING_KEY)" \ SIGNING_CERT="$(SIGNING_CERT)" \ CA_CERT="$(CA_CERT)" \ From 5848e45cdfe63f7f2a76d329a47e0929ddf04c0e Mon Sep 17 00:00:00 2001 
From: ycoheNvidia <99744138+ycoheNvidia@users.noreply.github.com> Date: Thu, 18 Aug 2022 17:28:39 +0300 Subject: [PATCH 02/17] Fixed weird binary related sha1 issue --- onie-mk-demo.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/onie-mk-demo.sh b/onie-mk-demo.sh index 5b91ccc817f8..4236e2e99833 100755 --- a/onie-mk-demo.sh +++ b/onie-mk-demo.sh @@ -122,7 +122,6 @@ echo -n "." echo "Error: $sharch not found" clean_up 1 } -sha1=$(cat $sharch | sha1sum | awk '{print $1}') echo -n "." cp $installer_dir/sharch_body.sh $output_file || { echo "Error: Problems copying sharch_body.sh" @@ -130,10 +129,11 @@ cp $installer_dir/sharch_body.sh $output_file || { } # Replace variables in the sharch template -sed -i -e "s/%%IMAGE_SHA1%%/$sha1/" $output_file echo -n "." tar_size="$(wc -c < "${sharch}")" cat $sharch >> $output_file +sha1=$(sed -e '1,/^exit_marker$/d' "$output_file" | sha1sum | awk '{ print $1 }') +sed -i -e "s/%%IMAGE_SHA1%%/$sha1/" $output_file sed -i -e "s|%%PAYLOAD_IMAGE_SIZE%%|${tar_size}|" ${output_file} echo "secure upgrade flags: SECURE_UPGRADE_MODE = $SECURE_UPGRADE_MODE, \ SECURE_UPGRADE_DEV_SIGNING_KEY = $SECURE_UPGRADE_DEV_SIGNING_KEY, SECURE_UPGRADE_DEV_SIGNING_CERT = $SECURE_UPGRADE_DEV_SIGNING_CERT" @@ -168,7 +168,7 @@ if [ "$SECURE_UPGRADE_MODE" = "dev" -o "$SECURE_UPGRADE_MODE" = "prod" ]; then # append signature to binary cat ${CMS_SIG} >> ${output_file} sudo rm -rf ${CMS_SIG} -elif [ "$SECURE_UPGRADE_MODE" -ne "no_sign" ]; then +elif [ "$SECURE_UPGRADE_MODE" != "no_sign" ]; then echo "SECURE_UPGRADE_MODE not defined or defined as $SECURE_UPGRADE_MODE - build without signing" fi From b3fdcb4de2482f740079d4df863fe510fe8d8661 Mon Sep 17 00:00:00 2001 From: ycoheNvidia <99744138+ycoheNvidia@users.noreply.github.com> Date: Sun, 21 Aug 2022 15:22:35 +0300 Subject: [PATCH 03/17] Fixed sha1 installer issue --- onie-mk-demo.sh | 15 ++++++--------- 1 file changed, 6 insertions(+), 9 deletions(-) 
diff --git a/onie-mk-demo.sh b/onie-mk-demo.sh
index 4236e2e99833..4391f8238399 100755
--- a/onie-mk-demo.sh
+++ b/onie-mk-demo.sh
@@ -122,6 +122,7 @@ echo -n "."
 echo "Error: $sharch not found"
 clean_up 1
 }
+sha1=$(cat $sharch | sha1sum | awk '{print $1}')
 echo -n "."
 cp $installer_dir/sharch_body.sh $output_file || {
 echo "Error: Problems copying sharch_body.sh"
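Review bot: The restored `sha1=$(cat $sharch | sha1sum | awk '{print $1}')` pipes `cat` into `sha1sum` for a single file and leaves the path unquoted; `sha1=$(sha1sum -- "$sharch" | awk '{print $1}')` reads the file directly. Since this patch moves the digest back to the tar alone after patch 02 had taken it from the assembled output file, a comment stating which bytes are covered would prevent the next swap: `# digest of the tar payload only; the installer bounds its own sha1 with %%PAYLOAD_IMAGE_SIZE%% to match`.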
@@ -129,44 +130,40 @@ cp $installer_dir/sharch_body.sh $output_file || { } # Replace variables in the sharch template +sed -i -e "s/%%IMAGE_SHA1%%/$sha1/" $output_file echo -n "." tar_size="$(wc -c < "${sharch}")" -cat $sharch >> $output_file -sha1=$(sed -e '1,/^exit_marker$/d' "$output_file" | sha1sum | awk '{ print $1 }') -sed -i -e "s/%%IMAGE_SHA1%%/$sha1/" $output_file sed -i -e "s|%%PAYLOAD_IMAGE_SIZE%%|${tar_size}|" ${output_file} +cat $sharch >> $output_file echo "secure upgrade flags: SECURE_UPGRADE_MODE = $SECURE_UPGRADE_MODE, \ SECURE_UPGRADE_DEV_SIGNING_KEY = $SECURE_UPGRADE_DEV_SIGNING_KEY, SECURE_UPGRADE_DEV_SIGNING_CERT = $SECURE_UPGRADE_DEV_SIGNING_CERT" if [ "$SECURE_UPGRADE_MODE" = "dev" -o "$SECURE_UPGRADE_MODE" = "prod" ]; then CMS_SIG="${tmp_dir}/signature.sig" - echo "$0 Creating CMS signature for ${output_file} with ${key_file}. Output file ${CMS_SIG}" DIR="$(dirname "$0")" - scripts_dir="${DIR}/scripts" if [ "$SECURE_UPGRADE_MODE" = "dev" ]; then . ${scripts_dir}/sign_image_dev.sh - sign_image_dev ${cert_file} ${key_file} ${output_file} ${CMS_SIG} || { + sign_image_dev ${cert_file} ${key_file} ${output_file} ${CMS_SIG} || { echo "CMS sign error $?" sudo rm -rf ${CMS_SIG} clean_up 1 } else # "$SECURE_UPGRADE_MODE" has to be equal to "prod" . ${scripts_dir}/sign_image_${platform}.sh - sign_image_prod ${output_file} ${CMS_SIG} || { + sign_image_prod ${output_file} ${CMS_SIG} || { echo "CMS sign error $?" sudo rm -rf ${CMS_SIG} clean_up 1 } fi - [ -f "$CMS_SIG" ] || { echo "Error: CMS signature not created - exiting without signing" clean_up 1 } # append signature to binary - cat ${CMS_SIG} >> ${output_file} + cat ${CMS_SIG} >> ${output_file} sudo rm -rf ${CMS_SIG} elif [ "$SECURE_UPGRADE_MODE" != "no_sign" ]; then echo "SECURE_UPGRADE_MODE not defined or defined as $SECURE_UPGRADE_MODE - build without signing" From e11fb1dc5bc94ebcefbf87af5fd05c480f622bb7 Mon Sep 17 00:00:00 2001 
From: ycoheNvidia <99744138+ycoheNvidia@users.noreply.github.com> Date: Tue, 23 Aug 2022 11:23:53 +0300 Subject: [PATCH 04/17] Fixed minor sharch_body.sh issue --- installer/sharch_body.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/installer/sharch_body.sh b/installer/sharch_body.sh index d2d46c8b09cd..9683b4692dca 100644 --- a/installer/sharch_body.sh +++ b/installer/sharch_body.sh @@ -48,7 +48,7 @@ fi cd $tmp_dir echo -n "Preparing image archive ..." -sed -e '1,/^exit_marker$/d' $archive_path | head -c $payload_image_size | tar xf - || clean_up 1 +sed -e '1,/^exit_marker$/d' $archive_path | head -c $payload_image_size | tar xf - || exit 1 echo " OK." cd $cur_wd From 56c9fa68746f9433b6c3128a25af2e56c792a7db Mon Sep 17 00:00:00 2001 From: ycoheNvidia <99744138+ycoheNvidia@users.noreply.github.com> Date: Tue, 23 Aug 2022 15:09:40 +0300 Subject: [PATCH 05/17] minor typo fix --- rules/config | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/config b/rules/config index a407c0921df1..425799830998 100644 --- a/rules/config +++ b/rules/config @@ -208,7 +208,7 @@ SONIC_ENABLE_IMAGE_SIGNATURE ?= n # The absolute path should be provided. SONIC_ENABLE_SECUREBOOT_SIGNATURE ?= n -# folloing flags are used for image secure upgrade verification: +# following flags are used for image secure upgrade verification: # SECURE_UPGRADE_DEV_SIGNING_KEY - path to development signing key, used for image signing during build # SECURE_UPGRADE_DEV_SIGNING_CERT - path to development signing certificate, used for image signing during build # SECURE_UPGRADE_MODE - enum value for secure upgrade mode, valid options are "dev", "prod" and "no_sign" From f44a67b9e25179642b9d213cf6972ba03ed431c1 Mon Sep 17 00:00:00 2001 From: ycoheNvidia <99744138+ycoheNvidia@users.noreply.github.com> Date: Tue, 23 Aug 2022 15:09:59 +0300 Subject: [PATCH 06/17] newline --- scripts/sign_image_dev.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/scripts/sign_image_dev.sh b/scripts/sign_image_dev.sh index 1dbc7fa1bbde..f439243864c1 100755 --- a/scripts/sign_image_dev.sh +++ b/scripts/sign_image_dev.sh @@ -11,4 +11,4 @@ sign_image_dev() } echo "CMS sign OK" return 0 -} \ No newline at end of file +} From 02d126aafa3be6117adf26306712a70b8d8b6cf8 Mon Sep 17 00:00:00 2001 From: Yona Cohen Date: Mon, 9 Jan 2023 16:17:46 +0200 Subject: [PATCH 07/17] fixed secure upgrade image creation bug copying irrelevant files to image --- onie-mk-demo.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/onie-mk-demo.sh b/onie-mk-demo.sh index 4391f8238399..86464bd021eb 100755 --- a/onie-mk-demo.sh +++ b/onie-mk-demo.sh @@ -14,6 +14,7 @@ output_file=$6 demo_type=$7 image_version=$8 onie_image_part_size=$9 +onie_installer_payload=${10} cert_file=${11} key_file=${12} @@ -102,7 +103,7 @@ sed -i -e "s/%%DEMO_TYPE%%/$demo_type/g" \ -e "s@%%OUTPUT_RAW_IMAGE%%@$output_raw_image@" \ $tmp_installdir/install.sh || clean_up 1 echo -n "." -cp -r $* $tmp_installdir || clean_up 1 +cp -r $onie_installer_payload $tmp_installdir || clean_up 1 echo -n "." [ -r "$platform_conf" ] && { cp $platform_conf $tmp_installdir || clean_up 1 From 510c7927ac6db0ff1e87edca0b0a25c98afceb2c Mon Sep 17 00:00:00 2001 From: Yona Cohen Date: Tue, 4 Apr 2023 14:06:34 +0300 Subject: [PATCH 08/17] Improved prints and remove image on build failure --- onie-mk-demo.sh | 44 +++++++++++++++++++++++++++++--------------- 1 file changed, 29 insertions(+), 15 deletions(-) diff --git a/onie-mk-demo.sh b/onie-mk-demo.sh index 86464bd021eb..9ce30201e8c4 100755 --- a/onie-mk-demo.sh +++ b/onie-mk-demo.sh @@ -64,6 +64,13 @@ tmp_dir= clean_up() { rm -rf $tmp_dir + if [ -n "$2" ]; then + rm -rf "$2" + if [ -n "$3" ];then + rm -rf "$3" + fi + echo "Error: CMS signature not created - exiting without signing" + fi exit $1 } 
@@ -134,31 +141,38 @@ cp $installer_dir/sharch_body.sh $output_file || { sed -i -e "s/%%IMAGE_SHA1%%/$sha1/" $output_file echo -n "." tar_size="$(wc -c < "${sharch}")" -sed -i -e "s|%%PAYLOAD_IMAGE_SIZE%%|${tar_size}|" ${output_file} cat $sharch >> $output_file +sed -i -e "s|%%PAYLOAD_IMAGE_SIZE%%|${tar_size}|" ${output_file} echo "secure upgrade flags: SECURE_UPGRADE_MODE = $SECURE_UPGRADE_MODE, \ SECURE_UPGRADE_DEV_SIGNING_KEY = $SECURE_UPGRADE_DEV_SIGNING_KEY, SECURE_UPGRADE_DEV_SIGNING_CERT = $SECURE_UPGRADE_DEV_SIGNING_CERT" if [ "$SECURE_UPGRADE_MODE" = "dev" -o "$SECURE_UPGRADE_MODE" = "prod" ]; then CMS_SIG="${tmp_dir}/signature.sig" - echo "$0 Creating CMS signature for ${output_file} with ${key_file}. Output file ${CMS_SIG}" DIR="$(dirname "$0")" scripts_dir="${DIR}/scripts" + echo "$0 $SECURE_UPGRADE_MODE signing - creating CMS signature for ${output_file}. Output file ${CMS_SIG}" + if [ "$SECURE_UPGRADE_MODE" = "dev" ]; then - . ${scripts_dir}/sign_image_dev.sh - sign_image_dev ${cert_file} ${key_file} ${output_file} ${CMS_SIG} || { - echo "CMS sign error $?" - sudo rm -rf ${CMS_SIG} - clean_up 1 - } + echo "$0 dev keyfile location: ${key_file}." + . ${scripts_dir}/sign_image_dev.sh || { + echo "dev sign script ${scripts_dir}/sign_image_dev.sh not found" + clean_up 1 ${output_file} + } + sign_image_dev ${cert_file} ${key_file} ${output_file} ${CMS_SIG} || { + echo "CMS sign error $?" + clean_up 1 ${CMS_SIG} ${output_file} + } else # "$SECURE_UPGRADE_MODE" has to be equal to "prod" - . ${scripts_dir}/sign_image_${platform}.sh - sign_image_prod ${output_file} ${CMS_SIG} || { - echo "CMS sign error $?" - sudo rm -rf ${CMS_SIG} - clean_up 1 - } + . ${scripts_dir}/sign_image_${machine}.sh || { + echo "prod sign script ${scripts_dir}/sign_image_${machine}.sh not found" + clean_up 1 ${output_file} + } + sign_image_prod ${output_file} ${CMS_SIG} ${SECURE_UPGRADE_MODE} || { + echo "CMS sign error $?" 
+ clean_up 1 ${CMS_SIG} ${output_file} + } fi + [ -f "$CMS_SIG" ] || { echo "Error: CMS signature not created - exiting without signing" clean_up 1 @@ -166,7 +180,7 @@ if [ "$SECURE_UPGRADE_MODE" = "dev" -o "$SECURE_UPGRADE_MODE" = "prod" ]; then # append signature to binary cat ${CMS_SIG} >> ${output_file} sudo rm -rf ${CMS_SIG} -elif [ "$SECURE_UPGRADE_MODE" != "no_sign" ]; then +elif [ "$SECURE_UPGRADE_MODE" -ne "no_sign" ]; then echo "SECURE_UPGRADE_MODE not defined or defined as $SECURE_UPGRADE_MODE - build without signing" fi From 586098919a97e258bbaa88078acbcd204fe0d655 Mon Sep 17 00:00:00 2001 From: ycoheNvidia <99744138+ycoheNvidia@users.noreply.github.com> Date: Mon, 8 May 2023 15:14:51 +0300 Subject: [PATCH 09/17] Reverted wrong onie-mk-demo.sh change Update PAYLOAD_IMAGE_SIZE before raw image is concatenated to output file --- onie-mk-demo.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/onie-mk-demo.sh b/onie-mk-demo.sh index 9ce30201e8c4..c3387880d8bc 100755 --- a/onie-mk-demo.sh +++ b/onie-mk-demo.sh @@ -141,8 +141,8 @@ cp $installer_dir/sharch_body.sh $output_file || { sed -i -e "s/%%IMAGE_SHA1%%/$sha1/" $output_file echo -n "." tar_size="$(wc -c < "${sharch}")" -cat $sharch >> $output_file sed -i -e "s|%%PAYLOAD_IMAGE_SIZE%%|${tar_size}|" ${output_file} +cat $sharch >> $output_file echo "secure upgrade flags: SECURE_UPGRADE_MODE = $SECURE_UPGRADE_MODE, \ SECURE_UPGRADE_DEV_SIGNING_KEY = $SECURE_UPGRADE_DEV_SIGNING_KEY, SECURE_UPGRADE_DEV_SIGNING_CERT = $SECURE_UPGRADE_DEV_SIGNING_CERT" From 5b438b55dfc56875d5a0053c4cb1ee3a711941ef Mon Sep 17 00:00:00 2001 From: ycoheNvidia <99744138+ycoheNvidia@users.noreply.github.com> Date: Tue, 9 May 2023 15:48:04 +0300 Subject: [PATCH 10/17] Update slave.mk Removed environment variables already added in Secure Boot PR --- slave.mk | 6 ------ 1 file changed, 6 deletions(-) diff --git a/slave.mk b/slave.mk index 6388882128e4..a3909be1d753 100644 --- a/slave.mk +++ b/slave.mk 
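Review bot: `elif [ "$SECURE_UPGRADE_MODE" -ne "no_sign" ]` reintroduces the integer comparison that patch 02 of this series had corrected to `!=`; `-ne` on non-numeric strings makes `[` print `integer expression expected` and return non-zero, so every default unsigned build now emits a spurious error and never reaches its informational message. Restore `elif [ "$SECURE_UPGRADE_MODE" != "no_sign" ]; then`. In this patch's preceding hunk, `. ${scripts_dir}/sign_image_dev.sh || { … }` and its prod counterpart assume that sourcing a missing file returns non-zero rather than aborting the shell; in bash that holds only outside POSIX mode, so an explicit `[ -f "${scripts_dir}/sign_image_dev.sh" ]` check is more robust (a later patch in the series adds one for dev). The enclosing `if` starts outside the hunk.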
@@ -378,9 +378,6 @@ $(info "USE_NATIVE_DOCKERD_FOR_BUILD" : "$(SONIC_CONFIG_USE_NATIVE_DOCKERD_FO $(info "SONIC_USE_DOCKER_BUILDKIT" : "$(SONIC_USE_DOCKER_BUILDKIT)") $(info "USERNAME" : "$(USERNAME)") $(info "PASSWORD" : "$(PASSWORD)") -$(info "SECURE_UPGRADE_MODE" : "$(SECURE_UPGRADE_MODE)") -$(info "SECURE_UPGRADE_DEV_SIGNING_KEY" : "$(SECURE_UPGRADE_DEV_SIGNING_KEY)") -$(info "SECURE_UPGRADE_DEV_SIGNING_CERT" : "$(SECURE_UPGRADE_DEV_SIGNING_CERT)") $(info "CHANGE_DEFAULT_PASSWORD" : "$(CHANGE_DEFAULT_PASSWORD)") $(info "SECURE_UPGRADE_MODE" : "$(SECURE_UPGRADE_MODE)") $(info "SECURE_UPGRADE_DEV_SIGNING_KEY" : "$(SECURE_UPGRADE_DEV_SIGNING_KEY)") @@ -1267,9 +1264,6 @@ $(addprefix $(TARGET_PATH)/, $(SONIC_INSTALLERS)) : $(TARGET_PATH)/% : \ export enable_organization_extensions="$(ENABLE_ORGANIZATION_EXTENSIONS)" export enable_dhcp_graph_service="$(ENABLE_DHCP_GRAPH_SERVICE)" export enable_ztp="$(ENABLE_ZTP)" - export sonic_su_dev_signing_key="$(SECURE_UPGRADE_DEV_SIGNING_KEY)" - export sonic_su_dev_signing_cert="$(SECURE_UPGRADE_DEV_SIGNING_CERT)" - export sonic_su_mode="$(SECURE_UPGRADE_MODE)" export include_teamd="$(INCLUDE_TEAMD)" export include_router_advertiser="$(INCLUDE_ROUTER_ADVERTISER)" export sonic_su_dev_signing_key="$(SECURE_UPGRADE_DEV_SIGNING_KEY)" From af9d766b003d4cb195590e8900802db39d41025d Mon Sep 17 00:00:00 2001 From: ycoheNvidia <99744138+ycoheNvidia@users.noreply.github.com> Date: Tue, 9 May 2023 17:06:15 +0300 Subject: [PATCH 11/17] Update onie-mk-demo.sh --- onie-mk-demo.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/onie-mk-demo.sh b/onie-mk-demo.sh index c3387880d8bc..01225782a533 100755 --- a/onie-mk-demo.sh +++ b/onie-mk-demo.sh 
@@ -144,7 +144,7 @@ tar_size="$(wc -c < "${sharch}")" sed -i -e "s|%%PAYLOAD_IMAGE_SIZE%%|${tar_size}|" ${output_file} cat $sharch >> $output_file echo "secure upgrade flags: SECURE_UPGRADE_MODE = $SECURE_UPGRADE_MODE, \ -SECURE_UPGRADE_DEV_SIGNING_KEY = $SECURE_UPGRADE_DEV_SIGNING_KEY, SECURE_UPGRADE_DEV_SIGNING_CERT = $SECURE_UPGRADE_DEV_SIGNING_CERT" +SECURE_UPGRADE_SIGNING_KEY = $SECURE_UPGRADE_SIGNING_KEY, SECURE_UPGRADE_SIGNING_CERT = $SECURE_UPGRADE_SIGNING_CERT" if [ "$SECURE_UPGRADE_MODE" = "dev" -o "$SECURE_UPGRADE_MODE" = "prod" ]; then CMS_SIG="${tmp_dir}/signature.sig" From 25bfd261c1060a9045d59dd036acc138685dc5ec Mon Sep 17 00:00:00 2001 From: ycoheNvidia <99744138+ycoheNvidia@users.noreply.github.com> Date: Tue, 9 May 2023 17:09:22 +0300 Subject: [PATCH 12/17] Update build_image.sh --- build_image.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/build_image.sh b/build_image.sh index 668a39966332..fe29ec114ce3 100755 --- a/build_image.sh +++ b/build_image.sh @@ -86,7 +86,7 @@ generate_onie_installer_image() ## Note: Don't leave blank between lines. It is single line command. ./onie-mk-demo.sh $CONFIGURED_ARCH $TARGET_MACHINE $TARGET_PLATFORM-$TARGET_MACHINE-$ONIEIMAGE_VERSION \ installer platform/$TARGET_MACHINE/platform.conf $output_file OS $IMAGE_VERSION $ONIE_IMAGE_PART_SIZE \ - $ONIE_INSTALLER_PAYLOAD $SECURE_UPGRADE_DEV_SIGNING_CERT $SECURE_UPGRADE_DEV_SIGNING_KEY + $ONIE_INSTALLER_PAYLOAD $SECURE_UPGRADE_SIGNING_CERT $SECURE_UPGRADE_SIGNING_KEY } # Generate asic-specific device list From 4afa06760b57ee9e47fcd5ffb71da81917941f65 Mon Sep 17 00:00:00 2001 From: ycoheNvidia <99744138+ycoheNvidia@users.noreply.github.com> Date: Tue, 9 May 2023 17:13:23 +0300 Subject: [PATCH 13/17] Update Makefile.work --- Makefile.work | 3 --- 1 file changed, 3 deletions(-) diff --git a/Makefile.work b/Makefile.work index a216e129cc9c..efa105b51488 100644 --- a/Makefile.work +++ b/Makefile.work 
@@ -546,9 +546,6 @@ SONIC_BUILD_INSTRUCTION := $(MAKE) \ SECURE_UPGRADE_SIGNING_CERT=$(SECURE_UPGRADE_SIGNING_CERT) \ SECURE_UPGRADE_PROD_SIGNING_TOOL=$(SECURE_UPGRADE_PROD_SIGNING_TOOL) \ SONIC_DEFAULT_CONTAINER_REGISTRY=$(DEFAULT_CONTAINER_REGISTRY) \ - SECURE_UPGRADE_MODE=$(SECURE_UPGRADE_MODE) \ - SECURE_UPGRADE_DEV_SIGNING_KEY=$(SECURE_UPGRADE_DEV_SIGNING_KEY) \ - SECURE_UPGRADE_DEV_SIGNING_CERT=$(SECURE_UPGRADE_DEV_SIGNING_CERT) \ ENABLE_HOST_SERVICE_ON_START=$(ENABLE_HOST_SERVICE_ON_START) \ SLAVE_DIR=$(SLAVE_DIR) \ ENABLE_AUTO_TECH_SUPPORT=$(ENABLE_AUTO_TECH_SUPPORT) \ From b0236dba834eadac6941dc90757606344d446b16 Mon Sep 17 00:00:00 2001 From: ycoheNvidia <99744138+ycoheNvidia@users.noreply.github.com> Date: Tue, 9 May 2023 17:16:31 +0300 Subject: [PATCH 14/17] Update build_image.sh --- build_image.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/build_image.sh b/build_image.sh index fe29ec114ce3..9cb99269007d 100755 --- a/build_image.sh +++ b/build_image.sh @@ -86,7 +86,7 @@ generate_onie_installer_image() ## Note: Don't leave blank between lines. It is single line command. ./onie-mk-demo.sh $CONFIGURED_ARCH $TARGET_MACHINE $TARGET_PLATFORM-$TARGET_MACHINE-$ONIEIMAGE_VERSION \ installer platform/$TARGET_MACHINE/platform.conf $output_file OS $IMAGE_VERSION $ONIE_IMAGE_PART_SIZE \ - $ONIE_INSTALLER_PAYLOAD $SECURE_UPGRADE_SIGNING_CERT $SECURE_UPGRADE_SIGNING_KEY + $ONIE_INSTALLER_PAYLOAD $SECURE_UPGRADE_SIGNING_CERT $SECURE_UPGRADE_DEV_SIGNING_KEY } # Generate asic-specific device list From 3b0d157763810e965a1e1fb8eecfa38f371077e8 Mon Sep 17 00:00:00 2001 From: ycoheNvidia <99744138+ycoheNvidia@users.noreply.github.com> Date: Sun, 14 May 2023 13:12:23 +0300 Subject: [PATCH 15/17] Update onie-mk-demo.sh --- onie-mk-demo.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/onie-mk-demo.sh b/onie-mk-demo.sh index 01225782a533..13fd954a8e3e 100755 --- a/onie-mk-demo.sh +++ b/onie-mk-demo.sh 
@@ -144,7 +144,7 @@ tar_size="$(wc -c < "${sharch}")" sed -i -e "s|%%PAYLOAD_IMAGE_SIZE%%|${tar_size}|" ${output_file} cat $sharch >> $output_file echo "secure upgrade flags: SECURE_UPGRADE_MODE = $SECURE_UPGRADE_MODE, \ -SECURE_UPGRADE_SIGNING_KEY = $SECURE_UPGRADE_SIGNING_KEY, SECURE_UPGRADE_SIGNING_CERT = $SECURE_UPGRADE_SIGNING_CERT" +SECURE_UPGRADE_DEV_SIGNING_KEY = $SECURE_UPGRADE_DEV_SIGNING_KEY, SECURE_UPGRADE_SIGNING_CERT = $SECURE_UPGRADE_SIGNING_CERT" if [ "$SECURE_UPGRADE_MODE" = "dev" -o "$SECURE_UPGRADE_MODE" = "prod" ]; then CMS_SIG="${tmp_dir}/signature.sig" From 18d1e13e632ed7abafa2c804d2fef4244ad91cd0 Mon Sep 17 00:00:00 2001 From: Yona Cohen Date: Wed, 17 May 2023 11:12:35 +0300 Subject: [PATCH 16/17] Fixed issues raised on review --- onie-mk-demo.sh | 19 ++++++------------- scripts/sign_image_dev.sh | 23 ++++++++++------------- 2 files changed, 16 insertions(+), 26 deletions(-) diff --git a/onie-mk-demo.sh b/onie-mk-demo.sh index 13fd954a8e3e..702084870cc4 100755 --- a/onie-mk-demo.sh +++ b/onie-mk-demo.sh @@ -64,13 +64,6 @@ tmp_dir= clean_up() { rm -rf $tmp_dir - if [ -n "$2" ]; then - rm -rf "$2" - if [ -n "$3" ];then - rm -rf "$3" - fi - echo "Error: CMS signature not created - exiting without signing" - fi exit $1 } 
@@ -154,22 +147,22 @@ if [ "$SECURE_UPGRADE_MODE" = "dev" -o "$SECURE_UPGRADE_MODE" = "prod" ]; then if [ "$SECURE_UPGRADE_MODE" = "dev" ]; then echo "$0 dev keyfile location: ${key_file}." - . ${scripts_dir}/sign_image_dev.sh || { + [ -f ${scripts_dir}/sign_image_dev.sh ] || { echo "dev sign script ${scripts_dir}/sign_image_dev.sh not found" - clean_up 1 ${output_file} + rm -rf ${output_file} } - sign_image_dev ${cert_file} ${key_file} ${output_file} ${CMS_SIG} || { + ${scripts_dir}/sign_image_dev.sh ${cert_file} ${key_file} ${output_file} ${CMS_SIG} || { echo "CMS sign error $?" - clean_up 1 ${CMS_SIG} ${output_file} + rm -rf ${CMS_SIG} ${output_file} } else # "$SECURE_UPGRADE_MODE" has to be equal to "prod" . ${scripts_dir}/sign_image_${machine}.sh || { echo "prod sign script ${scripts_dir}/sign_image_${machine}.sh not found" - clean_up 1 ${output_file} + rm -rf ${output_file} } sign_image_prod ${output_file} ${CMS_SIG} ${SECURE_UPGRADE_MODE} || { echo "CMS sign error $?" - clean_up 1 ${CMS_SIG} ${output_file} + rm -rf ${CMS_SIG} ${output_file} } fi diff --git a/scripts/sign_image_dev.sh b/scripts/sign_image_dev.sh index f439243864c1..668672f49378 100755 --- a/scripts/sign_image_dev.sh +++ b/scripts/sign_image_dev.sh @@ -1,14 +1,11 @@ -sign_image_dev() -{ - cert_file=$1 - key_file=$2 - image_to_sign=$3 - cms_sig_out=$4 - openssl cms -sign -nosmimecap -signer ${cert_file} -inkey ${key_file} -binary -in $image_to_sign -outform pem -out ${cms_sig_out} || { - echo "$?: CMS sign error" - sudo rm -rf ${cms_sig_out} - exit 1 - } - echo "CMS sign OK" - return 0 +cert_file=$1 +key_file=$2 +image_to_sign=$3 +cms_sig_out=$4 +openssl cms -sign -nosmimecap -signer ${cert_file} -inkey ${key_file} -binary -in $image_to_sign -outform pem -out ${cms_sig_out} || { + echo "$?: CMS sign error" + sudo rm -rf ${cms_sig_out} + exit 1 } +echo "CMS sign OK" +exit 0 From f43f02d93ac44349bd0c8860509f317ed36f452b Mon Sep 17 00:00:00 2001 
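Review bot: The four error handlers in this hunk now only `rm -rf ${output_file}` (or `rm -rf ${CMS_SIG} ${output_file}`) and fall through: when sign_image_dev.sh is missing the script deletes the output and then still tries to execute the missing file, and a failed signing continues until the `[ -f "$CMS_SIG" ]` check outside the hunk happens to catch it. Each handler should end with `clean_up 1` so the build stops at the first failure, e.g. `rm -rf -- "${CMS_SIG}" "${output_file}"; clean_up 1`. Because the target is removed with `rm -rf`, expanding it as `"${output_file:?}"` also protects against an empty variable. The handlers touched again in patch 17 below have the same fall-through.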
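Review bot: The rewritten script begins at `cert_file=$1` with no shebang, yet this series goes on to execute it directly as `${scripts_dir}/sign_image_dev.sh …`, so it relies on the calling shell's fallback for a file the kernel cannot exec; `#!/bin/bash` should be line 1. The four positional parameters are never validated, every path is expanded unquoted into the openssl command, and `sudo rm -rf ${cms_sig_out}` elevates privileges to delete a file openssl wrote as the current user. The version below keeps the same arguments, messages and exit codes and adds the shebang, `${n:?}` checks, quoting and an unprivileged cleanup.
```bash
#!/bin/bash
# Usage: sign_image_dev.sh <cert_file> <key_file> <image_to_sign> <cms_sig_out>
# Writes a PEM-encoded CMS signature over <image_to_sign> to <cms_sig_out>.
cert_file=${1:?cert_file required}
key_file=${2:?key_file required}
image_to_sign=${3:?image_to_sign required}
cms_sig_out=${4:?cms_sig_out required}
openssl cms -sign -nosmimecap -signer "${cert_file}" -inkey "${key_file}" -binary -in "${image_to_sign}" -outform pem -out "${cms_sig_out}" || {
    echo "$?: CMS sign error" >&2
    rm -f -- "${cms_sig_out}"
    exit 1
}
echo "CMS sign OK"
exit 0
```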
From: Yona Cohen Date: Tue, 30 May 2023 09:51:05 +0300 Subject: [PATCH 17/17] Calling image sign on sub shell --- onie-mk-demo.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/onie-mk-demo.sh b/onie-mk-demo.sh index 702084870cc4..b466441ca31b 100755 --- a/onie-mk-demo.sh +++ b/onie-mk-demo.sh @@ -151,16 +151,16 @@ if [ "$SECURE_UPGRADE_MODE" = "dev" -o "$SECURE_UPGRADE_MODE" = "prod" ]; then echo "dev sign script ${scripts_dir}/sign_image_dev.sh not found" rm -rf ${output_file} } - ${scripts_dir}/sign_image_dev.sh ${cert_file} ${key_file} ${output_file} ${CMS_SIG} || { + (${scripts_dir}/sign_image_dev.sh ${cert_file} ${key_file} ${output_file} ${CMS_SIG}) || { echo "CMS sign error $?" rm -rf ${CMS_SIG} ${output_file} } else # "$SECURE_UPGRADE_MODE" has to be equal to "prod" - . ${scripts_dir}/sign_image_${machine}.sh || { + [ -f ${scripts_dir}/sign_image_${machine}.sh ] || { echo "prod sign script ${scripts_dir}/sign_image_${machine}.sh not found" rm -rf ${output_file} } - sign_image_prod ${output_file} ${CMS_SIG} ${SECURE_UPGRADE_MODE} || { + (${scripts_dir}/sign_image_${machine}.sh ${output_file} ${CMS_SIG} ${SECURE_UPGRADE_MODE}) || { echo "CMS sign error $?" rm -rf ${CMS_SIG} ${output_file} }
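Review bot: Wrapping `${scripts_dir}/sign_image_dev.sh …` in `( … )` appears redundant: the script is already run as a child process, so its `exit` cannot affect onie-mk-demo.sh and the subshell only adds a fork; if the intent is to shield the caller from an `exit` in a sourced file, that was the previous form, which this hunk removes. The arguments are still expanded unquoted; `"${scripts_dir}/sign_image_dev.sh" "${cert_file}" "${key_file}" "${output_file}" "${CMS_SIG}" || {` is the safe form, and the prod line should be quoted the same way. Executing `sign_image_${machine}.sh` directly also presumes that every platform script is executable and starts with a shebang, which is worth stating in a comment above the `[ -f … ]` check. The enclosing `if` starts outside the hunk.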