SONiC bootloader signing for UEFI secureboot #12901
Closed
sacnaik wants to merge 1 commit into sonic-net:master from sacnaik:secure_bootloader
Conversation
Why I did it
This enables the build framework to sign EFI bootloader images such as Grubx64.efi and Shimx64.efi.
These signed bootloaders get verified on a secure boot enabled system. The system's secure boot chain
of trust ensures that it runs only verifiable boot loaders.
The secure boot chain of trust verifies images as below:
UEFI FW -> SHIM -> GRUB -> Linux Kernel
Currently UEFI signing is supported at the Linux kernel.
This fix fills the gap in the signing and verification path between UEFI FW and the Linux kernel.
How I did it
1. Added the Debian GRUB2 & SHIM source packages to the SONiC build system.
2. Added a signing hook in build_debian.sh for signing the GRUB2 and SHIM EFI images.
3. Defined a build-configurable hook in rules/config for secure boot configuration.
4. By default the signing hook uses sbsign-tool for signing these EFI images.
5. Added a framework to configure the build system to integrate SONiC vendors' specific signing tools.
6. Added installer.sh to install the signed SHIM and GRUB in the EFI system partition.
How to verify it
Boot the signed images on a UEFI secure boot enabled system.
Signed-off-by: Sachin Naik <[email protected]>
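Before installer.sh copies the artifacts into the EFI system partition, a build can check that each EFI image actually carries the Authenticode signature that sbsign appends (a WIN_CERTIFICATE in the PE security data directory). The check below is an added example, not code from this PR or from the SONiC build system; `authenticode_info` is a hypothetical helper and the sample images it is run on are constructed inline.

```python
import struct

# PE/COFF constants from the PE/COFF and Authenticode specifications
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
SECURITY_DIR_INDEX = 4                       # IMAGE_DIRECTORY_ENTRY_SECURITY
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002

def authenticode_info(image: bytes) -> dict:
    """Report whether a PE/COFF EFI image carries an Authenticode signature
    (the WIN_CERTIFICATE wrapping PKCS#7 SignedData that sbsign appends)."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        return {"signed": False, "reason": "missing MZ header"}
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        return {"signed": False, "reason": "missing PE signature"}
    opt_off = pe_off + 4 + 20                # skip PE signature + COFF file header
    magic = struct.unpack_from("<H", image, opt_off)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        return {"signed": False, "reason": "unknown optional header magic"}
    dirs_off = opt_off + (112 if magic == PE32PLUS_MAGIC else 96)
    num_dirs = struct.unpack_from("<I", image, dirs_off - 4)[0]
    if num_dirs <= SECURITY_DIR_INDEX:
        return {"signed": False, "reason": "no security directory"}
    # Unlike the other directories, the security entry holds a file offset, not an RVA
    sec_off, sec_size = struct.unpack_from("<II", image, dirs_off + 8 * SECURITY_DIR_INDEX)
    if sec_off == 0 or sec_size < 8 or sec_off + sec_size > len(image):
        return {"signed": False, "reason": "security directory empty or out of bounds"}
    length, revision, cert_type = struct.unpack_from("<IHH", image, sec_off)
    if cert_type != WIN_CERT_TYPE_PKCS_SIGNED_DATA or length > sec_size or length < 8:
        return {"signed": False, "reason": "unexpected WIN_CERTIFICATE"}
    body = image[sec_off + 8:sec_off + length]
    if not body or body[0] != 0x30:          # PKCS#7 SignedData is a DER SEQUENCE
        return {"signed": False, "reason": "certificate body is not DER"}
    return {"signed": True, "revision": revision, "sig_bytes": len(body)}

def build_sample_image(with_signature: bool) -> bytes:
    """Constructed minimal PE32+ image for the demo; not a real bootloader."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)       # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)    # x86-64, 240-byte opt header
    opt = struct.pack("<H", PE32PLUS_MAGIC) + b"\0" * 106 + struct.pack("<I", 16)  # 16 dirs
    header = dos + b"PE\0\0" + coff + opt
    dirs, cert = [(0, 0)] * 16, b""
    if with_signature:
        pkcs7 = b"\x30\x82\x01\x00" + b"A" * 60  # constructed DER-shaped placeholder, not real PKCS#7
        cert = struct.pack("<IHH", 8 + len(pkcs7), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + pkcs7
        dirs[SECURITY_DIR_INDEX] = (len(header) + 16 * 8, len(cert))
    return header + b"".join(struct.pack("<II", off, size) for off, size in dirs) + cert
```

This only detects that a signature of the expected shape is present; checking it against the enrolled certificate is what sbverify from sbsigntool (or the firmware itself) does.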
Contributor: @davidpil2002 for viz.
Contributor: @sacnaik please add a comment and close this.
Author (Contributor): A similar feature is added by #12692.
SONiC bootloader signing for UEFI secureboot
Signed-off-by: Sachin Naik [email protected]
How to verify it
Build the SONiC image with UEFI secure boot enabled, which produces signed SHIM, GRUB and Linux kernel images.
Load them on a UEFI secure boot enabled system. The necessary verification keys should be enrolled in the system for secure boot image verification.
Description for the changelog: Mechanism in the SONiC build system to produce signed EFI images.