From 7bb020f4831648e042c1b1a94696399a480bcb9c Mon Sep 17 00:00:00 2001
From: Abhishek Dosi
Date: Tue, 4 Jun 2024 21:34:47 +0000
Subject: [PATCH 1/2] Revert "secureboot: Enable signing SONiC kernel (#10557)"

This reverts commit 598ab994693886c33ce5fbba3f459c8f5dd998f5.

Signed-off-by: Abhishek Dosi
---
 Makefile.work | 12 ------------
 build_debian.sh | 23 +----------------------
 rules/config | 7 -------
 slave.mk | 6 ------
 sonic-slave-bullseye/Dockerfile.j2 | 1 -
 sonic-slave-buster/Dockerfile.j2 | 1 -
 6 files changed, 1 insertion(+), 49 deletions(-)

diff --git a/Makefile.work b/Makefile.work
index 69cf6e5b180f..c81fe2483096 100644
--- a/Makefile.work
+++ b/Makefile.work
@@ -339,17 +339,6 @@ ifneq ($(SONIC_VERSION_CACHE_SOURCE),)
 DOCKER_RUN += -v "$(SONIC_VERSION_CACHE_SOURCE):/vcache:rw"
 endif
-ifeq ($(SONIC_ENABLE_SECUREBOOT_SIGNATURE), y)
-ifneq ($(SIGNING_KEY),)
- DOCKER_SIGNING_SOURCE := $(shell dirname $(SIGNING_KEY))
- DOCKER_RUN += -v "$(DOCKER_SIGNING_SOURCE):$(DOCKER_SIGNING_SOURCE):ro"
-endif
-ifneq ($(SIGNING_CERT),)
- DOCKER_SIGNING_SOURCE := $(shell dirname $(SIGNING_CERT))
- DOCKER_RUN += -v "$(DOCKER_SIGNING_SOURCE):$(DOCKER_SIGNING_SOURCE):ro"
-endif
-endif
-
 # User name and tag for "docker-*" images created by native dockerd mode.
 ifeq ($(strip $(SONIC_CONFIG_USE_NATIVE_DOCKERD_FOR_BUILD)),y)
 DOCKER_USERNAME = $(USER_LC)
@@ -551,7 +540,6 @@ SONIC_BUILD_INSTRUCTION := $(MAKE) \
 EXTRA_DOCKER_TARGETS=$(EXTRA_DOCKER_TARGETS) \
 BUILD_LOG_TIMESTAMP=$(BUILD_LOG_TIMESTAMP) \
 SONIC_ENABLE_IMAGE_SIGNATURE=$(ENABLE_IMAGE_SIGNATURE) \
- SONIC_ENABLE_SECUREBOOT_SIGNATURE=$(SONIC_ENABLE_SECUREBOOT_SIGNATURE) \
 SECURE_UPGRADE_MODE=$(SECURE_UPGRADE_MODE) \
 SECURE_UPGRADE_DEV_SIGNING_KEY=$(SECURE_UPGRADE_DEV_SIGNING_KEY) \
 SECURE_UPGRADE_SIGNING_CERT=$(SECURE_UPGRADE_SIGNING_CERT) \
diff --git a/build_debian.sh b/build_debian.sh
index 352c642caecf..c2b2de62d78d 100755
--- a/build_debian.sh
+++ b/build_debian.sh
@@ -172,24 +172,6 @@ if [[ $CONFIGURED_ARCH == amd64 ]]; then
 sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get -y install dmidecode hdparm
 fi
-## Sign the Linux kernel
-# note: when flag SONIC_ENABLE_SECUREBOOT_SIGNATURE is enabled the Secure Upgrade flags should be disabled (no_sign) to avoid conflict between the features.
-if [ "$SONIC_ENABLE_SECUREBOOT_SIGNATURE" = "y" ] && [ "$SECURE_UPGRADE_MODE" != 'dev' ] && [ "$SECURE_UPGRADE_MODE" != "prod" ]; then
- if [ ! -f $SIGNING_KEY ]; then
- echo "Error: SONiC linux kernel signing key missing"
- exit 1
- fi
- if [ ! -f $SIGNING_CERT ]; then
- echo "Error: SONiC linux kernel signing certificate missing"
- exit 1
- fi
-
- echo '[INFO] Signing SONiC linux kernel image'
- K=$FILESYSTEM_ROOT/boot/vmlinuz-${LINUX_KERNEL_VERSION}-${CONFIGURED_ARCH}
- sbsign --key $SIGNING_KEY --cert $SIGNING_CERT --output /tmp/${K##*/} ${K}
- sudo cp -f /tmp/${K##*/} ${K}
-fi
-
 ## Update initramfs for booting with squashfs+overlay
 cat files/initramfs-tools/modules | sudo tee -a $FILESYSTEM_ROOT/etc/initramfs-tools/modules > /dev/null
@@ -696,10 +678,7 @@ sudo LANG=C chroot $FILESYSTEM_ROOT /bin/bash -c "echo 0 > /etc/fips/fips_enable
 # #################
 # secure boot
 # #################
-if [[ $SECURE_UPGRADE_MODE == 'dev' || $SECURE_UPGRADE_MODE == "prod" && $SONIC_ENABLE_SECUREBOOT_SIGNATURE != 'y' ]]; then
- # note: SONIC_ENABLE_SECUREBOOT_SIGNATURE is a feature that signing just kernel,
- SECURE_UPGRADE_MODE is signing all the boot component including kernel.
- its required to do not enable both features together to avoid conflicts.
+if [[ $SECURE_UPGRADE_MODE == 'dev' || $SECURE_UPGRADE_MODE == "prod" ]]; then
 echo "Secure Boot support build stage: Starting .."
 # debian secure boot dependecies
diff --git a/rules/config b/rules/config
index d081fd5aab91..06a6f256f8e6 100644
--- a/rules/config
+++ b/rules/config
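Review bot: With the replacement `if [[ $SECURE_UPGRADE_MODE == 'dev' || $SECURE_UPGRADE_MODE == "prod" ]]; then` this script no longer reads `SONIC_ENABLE_SECUREBOOT_SIGNATURE` at all, and the companion hunks in this patch (rules/config drops the `?= n` default, slave.mk and Makefile.work drop the variable export and the key/cert bind-mounts), so a build configuration that still sets `SONIC_ENABLE_SECUREBOOT_SIGNATURE=y` will now produce an unsigned kernel with no diagnostic. Because the revert message gives no reason for withdrawing the feature, a parse-time guard in rules/config or Makefile.work — `ifeq ($(SONIC_ENABLE_SECUREBOOT_SIGNATURE),y)` / `$(error SONIC_ENABLE_SECUREBOOT_SIGNATURE is no longer supported; use SECURE_UPGRADE_MODE)` / `endif` — would make the removal fail loudly instead of silently degrading Secure Boot coverage. The guard belongs at the Make level rather than in this script, since after the slave.mk hunks the variable is no longer passed into the build environment where this script runs.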
@@ -227,13 +227,6 @@ MASTER_FLUENTD_VERSION = mariner_20230517.1
 # The relative path is build root folder.
 SONIC_ENABLE_IMAGE_SIGNATURE ?= n
-# SONIC_ENABLE_SECUREBOOT_SIGNATURE - enable SONiC kernel signing to support UEFI secureboot
-# To support UEFI secureboot chain of trust requires EFI kernel to be signed as a PE binary
-# SIGNING_KEY =
-# SIGNING_CERT =
-# The absolute path should be provided.
-SONIC_ENABLE_SECUREBOOT_SIGNATURE ?= n
-
 # Full Secure Boot feature flags.
 # SECURE_UPGRADE_DEV_SIGNING_KEY - path to development signing key, used for image signing during build
 # SECURE_UPGRADE_SIGNING_CERT - path to development signing certificate, used for image signing during build
diff --git a/slave.mk b/slave.mk
index 29f6baa25694..a08778bed145 100644
--- a/slave.mk
+++ b/slave.mk
@@ -1327,9 +1327,6 @@ $(addprefix $(TARGET_PATH)/, $(SONIC_RFS_TARGETS)) : $(TARGET_PATH)/% : \
 IMAGE_TYPE=$($(installer)_IMAGE_TYPE) \
 TARGET_PATH=$(TARGET_PATH) \
 TRUSTED_GPG_URLS=$(TRUSTED_GPG_URLS) \
- SONIC_ENABLE_SECUREBOOT_SIGNATURE="$(SONIC_ENABLE_SECUREBOOT_SIGNATURE)" \
- SIGNING_KEY="$(SIGNING_KEY)" \
- SIGNING_CERT="$(SIGNING_CERT)" \
 PACKAGE_URL_PREFIX=$(PACKAGE_URL_PREFIX) \
 DBGOPT='$(DBGOPT)' \
 SONIC_VERSION_CACHE=$(SONIC_VERSION_CACHE) \
@@ -1581,9 +1578,6 @@ $(addprefix $(TARGET_PATH)/, $(SONIC_INSTALLERS)) : $(TARGET_PATH)/% : \
 ONIE_IMAGE_PART_SIZE=$(ONIE_IMAGE_PART_SIZE) \
 SONIC_ENFORCE_VERSIONS=$(SONIC_ENFORCE_VERSIONS) \
 TRUSTED_GPG_URLS=$(TRUSTED_GPG_URLS) \
- SONIC_ENABLE_SECUREBOOT_SIGNATURE="$(SONIC_ENABLE_SECUREBOOT_SIGNATURE)" \
- SIGNING_KEY="$(SIGNING_KEY)" \
- SIGNING_CERT="$(SIGNING_CERT)" \
 PACKAGE_URL_PREFIX=$(PACKAGE_URL_PREFIX) \
 DBGOPT='$(DBGOPT)' \
 SONIC_VERSION_CACHE=$(SONIC_VERSION_CACHE) \
diff --git a/sonic-slave-bullseye/Dockerfile.j2 b/sonic-slave-bullseye/Dockerfile.j2
index 2272dac60f94..983aa2816493 100644
--- a/sonic-slave-bullseye/Dockerfile.j2
+++ b/sonic-slave-bullseye/Dockerfile.j2
@@ -174,7 +174,6 @@ RUN apt-get update && apt-get install -y eatmydata && eatmydata apt-get install
 devscripts \
 quilt \
 stgit \
- sbsigntool \
 # For platform-modules build
 module-assistant \
 # For thrift build\
diff --git a/sonic-slave-buster/Dockerfile.j2 b/sonic-slave-buster/Dockerfile.j2
index 151df8243ed3..7b1e4b18469f 100644
--- a/sonic-slave-buster/Dockerfile.j2
+++ b/sonic-slave-buster/Dockerfile.j2
@@ -170,7 +170,6 @@ RUN apt-get update && apt-get install -y eatmydata && eatmydata apt-get install
 devscripts \
 quilt \
 stgit \
- sbsigntool \
 # For platform-modules build
 module-assistant \
 # For thrift build\
From 278921c9ef8bd8fd858ebeaf86fa3ff8521dea51 Mon Sep 17 00:00:00 2001
From: Abhishek Dosi
Date: Tue, 4 Jun 2024 21:45:11 +0000
Subject: [PATCH 2/2] More changes

Signed-off-by: Abhishek Dosi
---
 sonic-slave-bullseye/Dockerfile.j2 | 1 +
 sonic-slave-buster/Dockerfile.j2 | 1 +
 2 files changed, 2 insertions(+)

diff --git a/sonic-slave-bullseye/Dockerfile.j2 b/sonic-slave-bullseye/Dockerfile.j2
index 983aa2816493..2272dac60f94 100644
--- a/sonic-slave-bullseye/Dockerfile.j2
+++ b/sonic-slave-bullseye/Dockerfile.j2
@@ -174,6 +174,7 @@ RUN apt-get update && apt-get install -y eatmydata && eatmydata apt-get install
 devscripts \
 quilt \
 stgit \
+ sbsigntool \
 # For platform-modules build
 module-assistant \
 # For thrift build\
diff --git a/sonic-slave-buster/Dockerfile.j2 b/sonic-slave-buster/Dockerfile.j2
index 7b1e4b18469f..151df8243ed3 100644
--- a/sonic-slave-buster/Dockerfile.j2
+++ b/sonic-slave-buster/Dockerfile.j2
@@ -170,6 +170,7 @@ RUN apt-get update && apt-get install -y eatmydata && eatmydata apt-get install
 devscripts \
 quilt \
 stgit \
+ sbsigntool \
 # For platform-modules build
 module-assistant \
 # For thrift build\
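Review bot: The `sbsigntool \` line re-added here has no consumer left in the series: PATCH 1/2 removed the only `sbsign` invocation (in build_debian.sh) and also removed this very line, which this hunk — and the next one for sonic-slave-buster/Dockerfile.j2 — puts back, so the net change to both build-container images across the two patches is nil (the `index` blob ids 983aa2816493..2272dac60f94 are the exact reverse of the earlier hunk's). Keeping a signing tool installed in the slave image with nothing in-tree calling it is unexplained, and the commit message "More changes" does not say why; either drop the Dockerfile hunks from PATCH 1/2 and squash this patch away, or state the remaining consumer. If the package is intentionally retained, a comment above the line such as `# sbsigntool: required by <consumer outside this series> (kernel signing in build_debian.sh was reverted)` would keep the next cleanup from removing it again.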