Support symcrypt fips config for aboot/uboot

[xumia]

Why I did it

Support symcrypt fips config for aboot/uboot

How I did it

For uboot, use fw_setenv to variable linuxargs to change the boot options.

fw_setenv linuxargs "$OTHER_OPTIONS sonic_fips=1"

For Aboot, add the config in /host/image-{version}/kernel-cmdline, example:

reboot=p console=ttyS0 acpi=on Aboot=Aboot-norcal7-7.2.0-pcie2x4-6128821 <other parameters...> sonic_fips=1

How to verify it

Download the image sonic-aboot-broadcom.swi from the pipeline in the PR checks. The sonic_fips=1 can be found in /proc/cmdline

Aboot# boot sonic-aboot-broadcom.swi
448.25: Cleaning flash content /mnt/flash
448.25: Generating boot-config, machine.conf and cmdline
448.41: Installing image under /mnt/flash/image-master-10729.100664-f781129cc
...
oot@sonic:/host/image-master-10729.100664-f781129cc# cat kernel-cmdline 
reboot=p console=ttyS0 acpi=on Aboot=Aboot-norcal6-6.1.2-4757975 block_flash=pci0000:00/0000:00:14.7/mmc_host/.*$ block_usb1=pci0000:00/0000:00:12.0/usb1/1-1/1-1.1/.*$ block_usb2=pci0000:00/0000:00:12.0/usb1/1-1/1-1.4/.*$ block_drive=pci0000:00/0000:00:11.0/.*host./target.:0:0/.*$ net_ma1=pci0000:00/0000:00:02.4/.*$ platform=crow sid=Upperlake cmdline-aboot-end modprobe.blacklist=radeon,sp5100_tco amd_iommu=off modprobe.blacklist=snd_hda_intel,hdaudio logs_inram=on varlog_size=256 sonic.mode=fixed security=apparmor apparmor=1 rw net.ifnames=0 systemd.unified_cgroup_hierarchy=0 quiet systemd.show_status=auto hwaddr_ma1=28:99:3a:17:1c:08 root=UUID=805ffc5b-0cf7-4abb-a1f4-f7424699fff7 loop=image-master-10729.100664-f781129cc/fs.squashfs loopfstype=squashfs sonic_fips=1

admin@sonic:~$ cat /proc/cmdline 
reboot=p console=ttyS0 acpi=on Aboot=Aboot-norcal6-6.1.2-4757975 block_flash=pci0000:00/0000:00:14.7/mmc_host/.*$ block_usb1=pci0000:00/0000:00:12.0/usb1/1-1/1-1.1/.*$ block_usb2=pci0000:00/0000:00:12.0/usb1/1-1/1-1.4/.*$ block_drive=pci0000:00/0000:00:11.0/.*host./target.:0:0/.*$ net_ma1=pci0000:00/0000:00:02.4/.*$ platform=crow sid=Upperlake cmdline-aboot-end modprobe.blacklist=radeon,sp5100_tco amd_iommu=off modprobe.blacklist=snd_hda_intel,hdaudio logs_inram=on varlog_size=256 sonic.mode=fixed security=apparmor apparmor=1 rw net.ifnames=0 systemd.unified_cgroup_hierarchy=0 quiet systemd.show_status=auto hwaddr_ma1=28:99:3a:17:1c:08 root=UUID=805ffc5b-0cf7-4abb-a1f4-f7424699fff7 loop=image-master-10729.100664-f781129cc/fs.squashfs loopfstype=squashfs sonic_fips=1  kexec_jump_back_entry=0xffffffff
admin@sonic:~$ 
admin@sonic:~$ sudo openssl engine -vv | grep symcrypt
(symcrypt) SCOSSL (SymCrypt engine for OpenSSL)
admin@sonic:~$ 

Which release branch to backport (provide reason below if selected)

• 201811
• 201911
• 202006
• 202012
• 202106
• 202111

Description for the changelog

Link to config_db schema for YANG module changes

A picture of a cute animal (not mandatory but encouraged)

[xumia]

/azp run Azure.sonic-buildimage

[azure-pipelines]

Azure Pipelines successfully started running 1 pipeline(s).

[qiluo-msft]

sonic_fips fips

Do you have document to explain both? #Closed

[xumia]

I will add in the Design doc, the option fips is taken by linux kernel option, we are not ready for it now, so use sonic_fips instead.

[xumia]

See sonic-net/SONiC#997

[qiluo-msft]

sonic_fips

How about fips? #Closed

[qiluo-msft]

linuxargs

Use extra_cmdline_linux directly? Like your changes in other platform.conf files.

[xumia]

Currently, marvell arm64/armhf has already used the parameter linuxargs, we do not want to define another parameter for centec-arm64.
And it will be easy to add a Cli for FIPS setting for uboot, without considering different platforms.
Only the uboot boodloader uses it, the other platforms do not use it.

[qiluo-msft]

I am proposing

        fw_setenv -f sonic_image_1 "ext4load mmc 0:1 \$loadaddr \$sonic_dir_1/boot/sonic_arm64.fit && setenv bootargs quiet console=\$consoledev,\$baudrate root=/dev/mmcblk0p1 rw rootwait rootfstype=ext4 loopfstype=squashfs loop=\$sonic_dir_1/fs.squashfs systemd.unified_cgroup_hierarchy=0 \${extra_cmdline_linux} && bootm \$loadaddr"

[xumia]

It makes the centec uboot config the same as marvell when adding a command line support, see uboot.py in https://github.com/Azure/sonic-utilities/pull/2154/files

[qiluo-msft]

@Staphylo Could you check Aboot change?

[xumia]

@Staphylo , could you please help review it? Thanks.

[Staphylo]

Sorry for the late review, I had a wrong filter. Please feel free to shoot me an email directly if this happens again.

[Staphylo]

Your solution using kernel-cmdline will work.
One note, even though the kernel handles multiple definitions of the same parameter properly, it's probably not worth crowding the cmdline when enabling fips (will append sonic_fips=0 sonic_fips=1 which can be confusing)

If the plan is to configure FIPS only at build time I would suggest making a modification to boot0.j2 and add a new variable enable_fips set via Jinja templating to true or false.
Then adding some logic in the boot0 code to call cmdline_add in the write_image_specific_config function
https://github.com/Azure/sonic-buildimage/blob/f6927606b3720d4f526b9e734b4431f012d21ee3/files/Aboot/boot0.j2#L617
This would prevent anyone from disabling sonic_fips by changing the cmdline in the context of secureboot.
However if the plan is to be able to disable fips at runtime or for a next reboot, your solution works better.

[xumia]

@Staphylo , it makes the user have chance to enable or disable it in the next reboot. ENABLE_FIPS=1 will enable the fips by default, the default value is "n", not enabled. If want to enable it, we need to set the sonic_fips=1 in kernel-cmdline after installed or upgraded.

[Staphylo]

Fair enough, your solution is probably the best then.
I still think you should change the code that crafts the kernel-cmdline content.
I'm thinking of something like the following (Note that the test equality sign is = and not == as you currently have, so there's a bug here)

if [ "$ENABLE_FIPS" = "y" ]; then
   echo sonic_fips=1 > kernel-cmdline
else
   echo sonic_fips=0 > kernel-cmdline
fi

[xumia]

@Staphylo , thanks for your comment.
The shell bash supports "==", but it makes sense to use the same way with the others in the script, I have changed it.

[xumia]

@Staphylo, could you please help approve it, if you do not have more comments, thanks.

[xumia]

/azp run Azure.sonic-buildimage

[azure-pipelines]

Azure Pipelines successfully started running 1 pipeline(s).