
backport: secureboot support #14246

Closed
wants to merge 5 commits into from

Conversation

sacnaik
Contributor

@sacnaik sacnaik commented Mar 15, 2023

Backporting PR#12692 to the 202205 branch.

The diffs of PR#12692 do not cleanly get applied to the 202205 branch. Hence patch #12692 was slightly modified for the 202205 branch.

Why I did it

To support UEFI secure boot on the 202205 branch

How I did it

The feature is supported on the master branch, see #12692.
Backported #12692 from master to 202205 branch

How to verify it

Booted on UEFI secure boot-enabled hardware.

Which release branch to backport (provide reason below if selected)

  • 201811
  • 201911
  • 202006
  • 202012
  • 202106
  • 202111
  • 202205
  • 202211

Description for the changelog

Refer HLD: sonic-net/SONiC#1028

Ensure to add a label/tag for the feature raised. Example: PR#2174 under the sonic-utilities repo, where the Generic Config and Update feature has been labelled as GCU.

Link to config_db schema for YANG module changes

A picture of a cute animal (not mandatory but encouraged)

   Backporting sonic-net#12692 PR on 202205 branch.

   The diffs of sonic-net#12692 do not cleanly get applied on the 202205 branch. Hence the patch sonic-net#12692 was slightly modified so that it can get applied on the 202205 branch without functional break.

Signed-off-by: Sachin Naik <[email protected]>
@linux-foundation-easycla

linux-foundation-easycla bot commented Mar 15, 2023

CLA Signed

The committers listed above are authorized under a signed CLA.

@rlhui
Contributor

rlhui commented Mar 15, 2023

@davidpil2002 , would you please review this one for 202205? thanks

@davidpil2002
Contributor

davidpil2002 commented Mar 27, 2023

@sacnaik In general looks good to me.
I believe you didn't manage to cherry-pick because there is some modification in the installation structure.
Few comments:
1. Take into consideration that theoretically my PR should support ARM (still not fully tested)
and your PR does not, because the structure is different; in your installation the modification is only in the X64 directory.
2. You forgot to rm this file scripts/signing_secure_boot_prod.sh
3. Pls also add the fix about mokutil that I pushed lastly to support devices with old ONIE versions

The older ONIE version does not support the mokutil command. These backport changes will address the issue.
@sacnaik
Contributor Author

sacnaik commented Apr 5, 2023

@davidpil2002

  1. ARM support is not needed at this time on 202205 branches and once you fully test I can cherry-pick that or move to newer branch
  2. scripts/signing_secure_boot_prod.sh - I removed it
  3. Added Secure boot fix instalation with devices that used ONIE version older than 2021.11 #14429 to the changes

@davidpil2002
Contributor

davidpil2002 commented Apr 9, 2023

looks good to me,
there is a small PR that will be published soon with some additional small fixes, I think the best is to merge this PR with the fixes by day 1.
I approved this PR, but pls add the PR with the fixes.
@DavidZagury pls can you write in the comment the PR with your fixes so all the branches will be aligned?

@davidpil2002
Contributor

davidpil2002 commented Apr 10, 2023

@davidpil2002

  1. ARM support is not needed at this time on 202205 branches and once you fully test I can cherry-pick that or move to newer branch
  2. scripts/signing_secure_boot_prod.sh - I removed it
  3. Added Secure boot fix instalation with devices that used ONIE version older than 2021.11 #14429 to the changes

hi @sacnaik ,
sorry for the inconvenience, but we decided to remove the mokutil dependency by using the efivar tool.
any chance you can cherry-pick this new fix instead of the previous one?
new fix:
#14589

You are welcome to review it as well

@sacnaik
Contributor Author

sacnaik commented Apr 18, 2023

Backported #14589 as well

Contributor

@yxieca yxieca left a comment

This change is not an approved feature for 202205 branch. Please request back porting to 202211 branch instead.

@rlhui rlhui added the Chassis for 202205 branch PRs needed for 202205 branch in msft repo label May 5, 2023
qiluo-msft pushed a commit that referenced this pull request May 31, 2023
#14589)

…1.11 by using efivar tool instead

#### Why I did it
solution to BUG below:
#14316
bug report also in this issue:
backport: secureboot support #14246
#### How I did it
When installing an image, secure boot checks whether the UEFI has the secure boot flag enabled or disabled using a tool named `mokutil`. This tool does not exist in ONIE versions older than 2021.11, so it crashes the install.
To fix that we add code that checks whether secure boot is enabled/disabled by using the efivar tool, which should exist in any UEFI system.
#### How to verify it
Install the image in a device with ONIE version older than 2021.11 and check that the installation and boot succeed (all dockers up).
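The check the commit above describes, as an added example that is not the sonic-buildimage installer's own code: it reads the UEFI `SecureBoot` variable either straight from efivarfs or through `efivar(1)`, and degrades to "unknown" instead of crashing when neither is available (the mokutil failure mode on older ONIE). The function names, the efivars directory parameter and the fixture files are assumptions made here for offline testing.

```shell
#!/bin/sh
# Added example (not the project's code): detect UEFI Secure Boot state
# without a mokutil dependency. SB_GUID is the EFI global variable GUID
# under which the SecureBoot variable is published.
SB_GUID=8be4df61-93ca-11d2-aa0d-00e098032b8c

# secure_boot_state [efivars_dir]: prints "enabled", "disabled" or "unknown".
# efivarfs files carry a 4-byte attribute header followed by the variable
# data; for SecureBoot the data is a single byte (1 = enabled).
secure_boot_state() {
    dir=${1:-/sys/firmware/efi/efivars}
    var="$dir/SecureBoot-$SB_GUID"
    [ -r "$var" ] || { echo unknown; return 0; }
    # Skip the attribute header and read the data byte as a decimal number.
    val=$(dd if="$var" bs=1 skip=4 count=1 2>/dev/null | od -An -tu1 | tr -d ' ')
    case "$val" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

# secure_boot_state_efivar: the same check through the efivar tool, as the
# fix above does. Returns "unknown" when the tool is absent so an installer
# can fall back instead of aborting.
secure_boot_state_efivar() {
    command -v efivar >/dev/null 2>&1 || { echo unknown; return 0; }
    # "efivar -p" prints a hex dump on the line after "Value:"; field 2 is byte 0.
    byte=$(efivar -n "$SB_GUID-SecureBoot" -p 2>/dev/null | sed -n '/^Value:/{n;p;}' | awk '{print $2}')
    case "$byte" in
        01) echo enabled ;;
        00) echo disabled ;;
        *) echo unknown ;;
    esac
}

# make_fixture <dir> <0|1>: writes a constructed SecureBoot variable file
# (attributes 0x00000006 = BS|RT access, then the data byte) for offline tests.
make_fixture() {
    mkdir -p "$1"
    if [ "$2" = 1 ]; then
        printf '\006\000\000\000\001' > "$1/SecureBoot-$SB_GUID"
    else
        printf '\006\000\000\000\000' > "$1/SecureBoot-$SB_GUID"
    fi
}

# Live check against this host (prints "unknown" on non-UEFI machines).
secure_boot_state
```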
@abdosi
Contributor

abdosi commented Jul 12, 2023

Already Backport msft repo 202205 branch.

@abdosi abdosi closed this Jul 12, 2023
sonic-otn pushed a commit to sonic-otn/sonic-buildimage that referenced this pull request Sep 20, 2023
@gechiang gechiang added the Included in Chassis for 202205 Branch Indicate PR is already in MSFT repo 202205 branch label Sep 30, 2023
@gechiang
Collaborator

Added the label "Included in Chassis for 202205 branch" to keep the consistency, where this PR was already backported by Abhishek separately even though this PR got closed.
