diff --git a/Makefile.work b/Makefile.work index 40c73dc0897..5bc4d731420 100644 --- a/Makefile.work +++ b/Makefile.work @@ -314,15 +314,14 @@ endif ifneq ($(SECURE_UPGRADE_DEV_SIGNING_KEY),) DOCKER_RUN += -v $(SECURE_UPGRADE_DEV_SIGNING_KEY):$(SECURE_UPGRADE_DEV_SIGNING_KEY):ro endif -ifneq ($(SECURE_UPGRADE_DEV_SIGNING_CERT),) - DOCKER_RUN += -v $(SECURE_UPGRADE_DEV_SIGNING_CERT):$(SECURE_UPGRADE_DEV_SIGNING_CERT):ro +ifneq ($(SECURE_UPGRADE_SIGNING_CERT),) + DOCKER_RUN += -v $(SECURE_UPGRADE_SIGNING_CERT):$(SECURE_UPGRADE_SIGNING_CERT):ro endif # Mount the Signing prod tool in the slave container $(info "SECURE_UPGRADE_PROD_SIGNING_TOOL": "$(SECURE_UPGRADE_PROD_SIGNING_TOOL)") ifneq ($(SECURE_UPGRADE_PROD_SIGNING_TOOL),) SECURE_UPGRADE_PROD_SIGNING_TOOL_DST = /sonic/scripts/$(shell basename -- $(SECURE_UPGRADE_PROD_SIGNING_TOOL)) DOCKER_RUN += -v $(SECURE_UPGRADE_PROD_SIGNING_TOOL):$(SECURE_UPGRADE_PROD_SIGNING_TOOL_DST):ro - SECURE_UPGRADE_PROD_SIGNING_TOOL := $(SECURE_UPGRADE_PROD_SIGNING_TOOL_DST) endif ifneq ($(SONIC_DPKG_CACHE_SOURCE),) @@ -544,8 +543,9 @@ SONIC_BUILD_INSTRUCTION := $(MAKE) \ SONIC_ENABLE_SECUREBOOT_SIGNATURE=$(SONIC_ENABLE_SECUREBOOT_SIGNATURE) \ SECURE_UPGRADE_MODE=$(SECURE_UPGRADE_MODE) \ SECURE_UPGRADE_DEV_SIGNING_KEY=$(SECURE_UPGRADE_DEV_SIGNING_KEY) \ - SECURE_UPGRADE_DEV_SIGNING_CERT=$(SECURE_UPGRADE_DEV_SIGNING_CERT) \ + SECURE_UPGRADE_SIGNING_CERT=$(SECURE_UPGRADE_SIGNING_CERT) \ SECURE_UPGRADE_PROD_SIGNING_TOOL=$(SECURE_UPGRADE_PROD_SIGNING_TOOL) \ + SECURE_UPGRADE_PROD_TOOL_ARGS=$(SECURE_UPGRADE_PROD_TOOL_ARGS) \ SONIC_DEFAULT_CONTAINER_REGISTRY=$(DEFAULT_CONTAINER_REGISTRY) \ ENABLE_HOST_SERVICE_ON_START=$(ENABLE_HOST_SERVICE_ON_START) \ SLAVE_DIR=$(SLAVE_DIR) \ diff --git a/build_debian.sh b/build_debian.sh index 61bac8b6325..b3a6b61d4c5 100755 --- a/build_debian.sh +++ b/build_debian.sh @@ -647,8 +647,8 @@ if [[ $SECURE_UPGRADE_MODE == 'dev' || $SECURE_UPGRADE_MODE == "prod" && $SONIC_ shim-unsigned \ grub-efi - if [ ! -f $SECURE_UPGRADE_DEV_SIGNING_CERT ]; then - echo "Error: SONiC SECURE_UPGRADE_DEV_SIGNING_CERT=$SECURE_UPGRADE_DEV_SIGNING_CERT key missing" + if [ ! -f $SECURE_UPGRADE_SIGNING_CERT ]; then + echo "Error: SONiC SECURE_UPGRADE_SIGNING_CERT=$SECURE_UPGRADE_SIGNING_CERT key missing" exit 1 fi @@ -663,27 +663,31 @@ if [[ $SECURE_UPGRADE_MODE == 'dev' || $SECURE_UPGRADE_MODE == "prod" && $SONIC_ sudo ./scripts/signing_secure_boot_dev.sh -a $CONFIGURED_ARCH \ -r $FILESYSTEM_ROOT \ -l $LINUX_KERNEL_VERSION \ - -c $SECURE_UPGRADE_DEV_SIGNING_CERT \ + -c $SECURE_UPGRADE_SIGNING_CERT \ -p $SECURE_UPGRADE_DEV_SIGNING_KEY elif [[ $SECURE_UPGRADE_MODE == "prod" ]]; then # Here Vendor signing should be implemented OUTPUT_SEC_BOOT_DIR=$FILESYSTEM_ROOT/boot - if [ ! -f $SECURE_UPGRADE_PROD_SIGNING_TOOL ]; then - echo "Error: SONiC SECURE_UPGRADE_PROD_SIGNING_TOOL=$SECURE_UPGRADE_PROD_SIGNING_TOOL script missing" + if [ ! -f $sonic_su_prod_signing_tool ]; then + echo "Error: SONiC sonic_su_prod_signing_tool=$sonic_su_prod_signing_tool script missing" exit 1 fi - sudo $SECURE_UPGRADE_PROD_SIGNING_TOOL $CONFIGURED_ARCH $FILESYSTEM_ROOT $LINUX_KERNEL_VERSION $OUTPUT_SEC_BOOT_DIR - + sudo $sonic_su_prod_signing_tool -a $CONFIGURED_ARCH \ + -r $FILESYSTEM_ROOT \ + -l $LINUX_KERNEL_VERSION \ + -o $OUTPUT_SEC_BOOT_DIR \ + $SECURE_UPGRADE_PROD_TOOL_ARGS + # verifying all EFI files and kernel modules in $OUTPUT_SEC_BOOT_DIR sudo ./scripts/secure_boot_signature_verification.sh -e $OUTPUT_SEC_BOOT_DIR \ - -c $SECURE_UPGRADE_DEV_SIGNING_CERT \ + -c $SECURE_UPGRADE_SIGNING_CERT \ -k $FILESYSTEM_ROOT # verifying vmlinuz file. sudo ./scripts/secure_boot_signature_verification.sh -e $FILESYSTEM_ROOT/boot/vmlinuz-${LINUX_KERNEL_VERSION}-${CONFIGURED_ARCH} \ - -c $SECURE_UPGRADE_DEV_SIGNING_CERT \ + -c $SECURE_UPGRADE_SIGNING_CERT \ -k $FILESYSTEM_ROOT fi echo "Secure Boot support build stage: END." diff --git a/rules/config b/rules/config index c3a58f96d14..c33b304dd69 100644 --- a/rules/config +++ b/rules/config @@ -223,13 +223,15 @@ SONIC_ENABLE_SECUREBOOT_SIGNATURE ?= n # Full Secure Boot feature flags. # SECURE_UPGRADE_DEV_SIGNING_KEY - path to development signing key, used for image signing during build -# SECURE_UPGRADE_DEV_SIGNING_CERT - path to development signing certificate, used for image signing during build +# SECURE_UPGRADE_SIGNING_CERT - path to development signing certificate, used for image signing during build # SECURE_UPGRADE_MODE - enum value for secure upgrade mode, valid options are "dev", "prod" and "no_sign" # SECURE_UPGRADE_PROD_SIGNING_TOOL - path to a vendor signing tool for production flow. -SECURE_UPGRADE_DEV_SIGNING_KEY = /sonic/your/private/key/path/private_key.pem -SECURE_UPGRADE_DEV_SIGNING_CERT = /sonic/your/certificate/path/cert.pem +# SECURE_UPGRADE_PROD_TOOL_ARGS - Extra arguments options for vendor to use to run his specific prod signing script +SECURE_UPGRADE_DEV_SIGNING_KEY ?= +SECURE_UPGRADE_SIGNING_CERT ?= SECURE_UPGRADE_MODE = "no_sign" SECURE_UPGRADE_PROD_SIGNING_TOOL ?= +SECURE_UPGRADE_PROD_TOOL_ARGS ?= # PACKAGE_URL_PREFIX - the package url prefix PACKAGE_URL_PREFIX ?= https://packages.trafficmanager.net/public/packages diff --git a/rules/linux-kernel.dep b/rules/linux-kernel.dep index 7e2dd474148..e577ca7f44c 100644 --- a/rules/linux-kernel.dep +++ b/rules/linux-kernel.dep @@ -4,7 +4,7 @@ DEP_FILES := rules/linux-kernel.mk rules/linux-kernel.dep SMDEP_FILES := $(addprefix $(SPATH)/,$(shell cd $(SPATH) && git ls-files)) DEP_FLAGS := $(SONIC_COMMON_FLAGS_LIST) \ - $(KERNEL_PROCURE_METHOD) $(KERNEL_CACHE_PATH) $(SECURE_UPGRADE_MODE) $(SECURE_UPGRADE_DEV_SIGNING_CERT) + $(KERNEL_PROCURE_METHOD) $(KERNEL_CACHE_PATH) $(SECURE_UPGRADE_MODE) $(SECURE_UPGRADE_SIGNING_CERT) $(LINUX_HEADERS_COMMON)_CACHE_MODE := GIT_CONTENT_SHA $(LINUX_HEADERS_COMMON)_DEP_FLAGS := $(DEP_FLAGS) diff --git a/slave.mk b/slave.mk index 1d5c3dde784..16b5090cdff 100644 --- a/slave.mk +++ b/slave.mk @@ -379,8 +379,9 @@ $(info "PASSWORD" : "$(PASSWORD)") $(info "CHANGE_DEFAULT_PASSWORD" : "$(CHANGE_DEFAULT_PASSWORD)") $(info "SECURE_UPGRADE_MODE" : "$(SECURE_UPGRADE_MODE)") $(info "SECURE_UPGRADE_DEV_SIGNING_KEY" : "$(SECURE_UPGRADE_DEV_SIGNING_KEY)") -$(info "SECURE_UPGRADE_DEV_SIGNING_CERT" : "$(SECURE_UPGRADE_DEV_SIGNING_CERT)") +$(info "SECURE_UPGRADE_SIGNING_CERT" : "$(SECURE_UPGRADE_SIGNING_CERT)") $(info "SECURE_UPGRADE_PROD_SIGNING_TOOL": "$(SECURE_UPGRADE_PROD_SIGNING_TOOL)") +$(info "SECURE_UPGRADE_PROD_TOOL_ARGS" : "$(SECURE_UPGRADE_PROD_TOOL_ARGS)") $(info "ENABLE_DHCP_GRAPH_SERVICE" : "$(ENABLE_DHCP_GRAPH_SERVICE)") $(info "SHUTDOWN_BGP_ON_START" : "$(SHUTDOWN_BGP_ON_START)") $(info "ENABLE_PFCWD_ON_START" : "$(ENABLE_PFCWD_ON_START)") @@ -1263,9 +1264,9 @@ $(addprefix $(TARGET_PATH)/, $(SONIC_INSTALLERS)) : $(TARGET_PATH)/% : \ export include_teamd="$(INCLUDE_TEAMD)" export include_router_advertiser="$(INCLUDE_ROUTER_ADVERTISER)" export sonic_su_dev_signing_key="$(SECURE_UPGRADE_DEV_SIGNING_KEY)" - export sonic_su_dev_signing_cert="$(SECURE_UPGRADE_DEV_SIGNING_CERT)" + export sonic_su_signing_cert="$(SECURE_UPGRADE_SIGNING_CERT)" export sonic_su_mode="$(SECURE_UPGRADE_MODE)" - export sonic_su_prod_signing_tool="$(SECURE_UPGRADE_PROD_SIGNING_TOOL)" + export sonic_su_prod_signing_tool="/sonic/scripts/$(shell basename -- $(SECURE_UPGRADE_PROD_SIGNING_TOOL))" export include_system_telemetry="$(INCLUDE_SYSTEM_TELEMETRY)" export include_restapi="$(INCLUDE_RESTAPI)" export include_nat="$(INCLUDE_NAT)" @@ -1468,8 +1469,9 @@ $(addprefix $(TARGET_PATH)/, $(SONIC_INSTALLERS)) : $(TARGET_PATH)/% : \ SONIC_ENABLE_IMAGE_SIGNATURE="$(SONIC_ENABLE_IMAGE_SIGNATURE)" \ SECURE_UPGRADE_MODE="$(SECURE_UPGRADE_MODE)" \ SECURE_UPGRADE_DEV_SIGNING_KEY="$(SECURE_UPGRADE_DEV_SIGNING_KEY)" \ - SECURE_UPGRADE_DEV_SIGNING_CERT="$(SECURE_UPGRADE_DEV_SIGNING_CERT)" \ + SECURE_UPGRADE_SIGNING_CERT="$(SECURE_UPGRADE_SIGNING_CERT)" \ SECURE_UPGRADE_PROD_SIGNING_TOOL="$(SECURE_UPGRADE_PROD_SIGNING_TOOL)" \ + SECURE_UPGRADE_PROD_TOOL_ARGS="$(SECURE_UPGRADE_PROD_TOOL_ARGS)" \ SIGNING_KEY="$(SIGNING_KEY)" \ SIGNING_CERT="$(SIGNING_CERT)" \ CA_CERT="$(CA_CERT)" \