
Commit 5c9ec20

authored
[Secureboot] Revert the changes done to only do Kernel Signnning (#19199)
What I did: Before the feature sonic-net/SONiC#1028 got merged, there was an intermediate change done to support only kernel signing via #10557. However, now that this feature is merged (sonic-net/SONiC#1028, which supports signing of all boot components, not just the kernel), we do not need the kernel-only signing changes, as they define new rules macros which just create confusion. So as part of this PR I am reverting the kernel-only signing PR #10557. Signed-off-by: Abhishek Dosi <[email protected]>
1 parent 4d6d808 commit 5c9ec20

4 files changed

Lines changed: 1 addition & 47 deletions


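--- a/Makefile.work
+++ b/Makefile.work
@@ -339,17 +339,6 @@ ifneq ($(SONIC_VERSION_CACHE_SOURCE),)
 DOCKER_RUN += -v "$(SONIC_VERSION_CACHE_SOURCE):/vcache:rw"
 endif
 
-ifeq ($(SONIC_ENABLE_SECUREBOOT_SIGNATURE), y)
-ifneq ($(SIGNING_KEY),)
-DOCKER_SIGNING_SOURCE := $(shell dirname $(SIGNING_KEY))
-DOCKER_RUN += -v "$(DOCKER_SIGNING_SOURCE):$(DOCKER_SIGNING_SOURCE):ro"
-endif
-ifneq ($(SIGNING_CERT),)
-DOCKER_SIGNING_SOURCE := $(shell dirname $(SIGNING_CERT))
-DOCKER_RUN += -v "$(DOCKER_SIGNING_SOURCE):$(DOCKER_SIGNING_SOURCE):ro"
-endif
-endif
-
 # User name and tag for "docker-*" images created by native dockerd mode.
 ifeq ($(strip $(SONIC_CONFIG_USE_NATIVE_DOCKERD_FOR_BUILD)),y)
 DOCKER_USERNAME = $(USER_LC)
@@ -551,7 +540,6 @@ SONIC_BUILD_INSTRUCTION := $(MAKE) \
 EXTRA_DOCKER_TARGETS=$(EXTRA_DOCKER_TARGETS) \
 BUILD_LOG_TIMESTAMP=$(BUILD_LOG_TIMESTAMP) \
 SONIC_ENABLE_IMAGE_SIGNATURE=$(ENABLE_IMAGE_SIGNATURE) \
-SONIC_ENABLE_SECUREBOOT_SIGNATURE=$(SONIC_ENABLE_SECUREBOOT_SIGNATURE) \
 SECURE_UPGRADE_MODE=$(SECURE_UPGRADE_MODE) \
 SECURE_UPGRADE_DEV_SIGNING_KEY=$(SECURE_UPGRADE_DEV_SIGNING_KEY) \
 SECURE_UPGRADE_SIGNING_CERT=$(SECURE_UPGRADE_SIGNING_CERT) \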

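--- a/build_debian.sh
+++ b/build_debian.sh
@@ -172,24 +172,6 @@ if [[ $CONFIGURED_ARCH == amd64 ]]; then
 sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get -y install dmidecode hdparm
 fi
 
-## Sign the Linux kernel
-# note: when flag SONIC_ENABLE_SECUREBOOT_SIGNATURE is enabled the Secure Upgrade flags should be disabled (no_sign) to avoid conflict between the features.
-if [ "$SONIC_ENABLE_SECUREBOOT_SIGNATURE" = "y" ] && [ "$SECURE_UPGRADE_MODE" != 'dev' ] && [ "$SECURE_UPGRADE_MODE" != "prod" ]; then
-if [ ! -f $SIGNING_KEY ]; then
-echo "Error: SONiC linux kernel signing key missing"
-exit 1
-fi
-if [ ! -f $SIGNING_CERT ]; then
-echo "Error: SONiC linux kernel signing certificate missing"
-exit 1
-fi
-
-echo '[INFO] Signing SONiC linux kernel image'
-K=$FILESYSTEM_ROOT/boot/vmlinuz-${LINUX_KERNEL_VERSION}-${CONFIGURED_ARCH}
-sbsign --key $SIGNING_KEY --cert $SIGNING_CERT --output /tmp/${K##*/} ${K}
-sudo cp -f /tmp/${K##*/} ${K}
-fi
-
 ## Update initramfs for booting with squashfs+overlay
 cat files/initramfs-tools/modules | sudo tee -a $FILESYSTEM_ROOT/etc/initramfs-tools/modules > /dev/null
 
@@ -696,10 +678,7 @@ sudo LANG=C chroot $FILESYSTEM_ROOT /bin/bash -c "echo 0 > /etc/fips/fips_enable
 # #################
 # secure boot
 # #################
-if [[ $SECURE_UPGRADE_MODE == 'dev' || $SECURE_UPGRADE_MODE == "prod" && $SONIC_ENABLE_SECUREBOOT_SIGNATURE != 'y' ]]; then
-# note: SONIC_ENABLE_SECUREBOOT_SIGNATURE is a feature that signing just kernel,
-# SECURE_UPGRADE_MODE is signing all the boot component including kernel.
-# its required to do not enable both features together to avoid conflicts.
+if [[ $SECURE_UPGRADE_MODE == 'dev' || $SECURE_UPGRADE_MODE == "prod" ]]; then
 echo "Secure Boot support build stage: Starting .."
 
 # debian secure boot dependecies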
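Review bot: The rewritten condition at new line 681 mixes single and double quotes for two literals that play the same role (`'dev'` vs `"prod"`); unifying them, `if [[ "$SECURE_UPGRADE_MODE" == "dev" || "$SECURE_UPGRADE_MODE" == "prod" ]]; then`, makes the two branches read as a pair and stops a later reader wondering whether the difference is meaningful. Dropping the `&& $SONIC_ENABLE_SECUREBOOT_SIGNATURE != 'y'` clause also removes the precedence trap of the old line, where `&&` bound tighter than `||` inside `[[ ]]`, so the new form is the clearer one. The first hunk removed the only visible existence checks on a signing key and certificate before signing; the secure-boot stage that this `if` opens runs past the end of the hunk, so I could not confirm it performs equivalent checks on `SECURE_UPGRADE_DEV_SIGNING_KEY` and `SECURE_UPGRADE_SIGNING_CERT` — worth verifying before merge.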

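--- a/rules/config
+++ b/rules/config
@@ -227,13 +227,6 @@ MASTER_FLUENTD_VERSION = mariner_20230517.1
 # The relative path is build root folder.
 SONIC_ENABLE_IMAGE_SIGNATURE ?= n
 
-# SONIC_ENABLE_SECUREBOOT_SIGNATURE - enable SONiC kernel signing to support UEFI secureboot
-# To support UEFI secureboot chain of trust requires EFI kernel to be signed as a PE binary
-# SIGNING_KEY =
-# SIGNING_CERT =
-# The absolute path should be provided.
-SONIC_ENABLE_SECUREBOOT_SIGNATURE ?= n
-
 # Full Secure Boot feature flags.
 # SECURE_UPGRADE_DEV_SIGNING_KEY - path to development signing key, used for image signing during build
 # SECURE_UPGRADE_SIGNING_CERT - path to development signing certificate, used for image signing during build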

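--- a/slave.mk
+++ b/slave.mk
@@ -1327,9 +1327,6 @@ $(addprefix $(TARGET_PATH)/, $(SONIC_RFS_TARGETS)) : $(TARGET_PATH)/% : \
 IMAGE_TYPE=$($(installer)_IMAGE_TYPE) \
 TARGET_PATH=$(TARGET_PATH) \
 TRUSTED_GPG_URLS=$(TRUSTED_GPG_URLS) \
-SONIC_ENABLE_SECUREBOOT_SIGNATURE="$(SONIC_ENABLE_SECUREBOOT_SIGNATURE)" \
-SIGNING_KEY="$(SIGNING_KEY)" \
-SIGNING_CERT="$(SIGNING_CERT)" \
 PACKAGE_URL_PREFIX=$(PACKAGE_URL_PREFIX) \
 DBGOPT='$(DBGOPT)' \
 SONIC_VERSION_CACHE=$(SONIC_VERSION_CACHE) \
@@ -1581,9 +1578,6 @@ $(addprefix $(TARGET_PATH)/, $(SONIC_INSTALLERS)) : $(TARGET_PATH)/% : \
 ONIE_IMAGE_PART_SIZE=$(ONIE_IMAGE_PART_SIZE) \
 SONIC_ENFORCE_VERSIONS=$(SONIC_ENFORCE_VERSIONS) \
 TRUSTED_GPG_URLS=$(TRUSTED_GPG_URLS) \
-SONIC_ENABLE_SECUREBOOT_SIGNATURE="$(SONIC_ENABLE_SECUREBOOT_SIGNATURE)" \
-SIGNING_KEY="$(SIGNING_KEY)" \
-SIGNING_CERT="$(SIGNING_CERT)" \
 PACKAGE_URL_PREFIX=$(PACKAGE_URL_PREFIX) \
 DBGOPT='$(DBGOPT)' \
 SONIC_VERSION_CACHE=$(SONIC_VERSION_CACHE) \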
