Secure boot fix instalation with devices that used ONIE version older than 2021.11

[davidpil2002]

Why I did it

solution to BUG below/
#14316
bug report also in this issue:
backport: secureboot support #14246

How I did it

When installing an image secure boot is checking if the UEFI have the secure boot flag enabled or disabled using a tool name mokutil this tool its not exist in ONIE version older than 2021.11 so its crasshing the install.
To fix that we add a coded that checking if the tool exist, if not exist it will assume that you ONIE its older an proceed with the installation with grub.

How to verify it

Install the image in a device with ONIE version older than 2021.11 and check that the installation and boot succeed (all docker up).

Which release branch to backport (provide reason below if selected)

• 201811
• 201911
• 202006
• 202012
• 202106
• 202111
• 202205
• [X ] 202211
• master

Description for the changelog

Ensure to add label/tag for the feature raised. example - PR#2174 under sonic-utilities repo. where, Generic Config and Update feature has been labelled as GCU.

Link to config_db schema for YANG module changes

A picture of a cute animal (not mandatory but encouraged)

[davidpil2002]

pls @ITJamie can you review this fix
pls @sacnaik you are welcome to review as well also in the good flow, with new ONIE version to see no degradation in your system when Secure Boot enabled

(We are reviewing it also, but still pending for a device with the correct version to test it fully.)

[davidpil2002]

rerun, failed in build time, but the commit didn't modify anything than influence the build flow.

[davidpil2002]

/azp run Azure.sonic-buildimage

[azure-pipelines]

Commenter does not have sufficient privileges for PR 14429 in repo sonic-net/sonic-buildimage

[davidpil2002]

/azp run

[azure-pipelines]

Commenter does not have sufficient privileges for PR 14429 in repo sonic-net/sonic-buildimage

[davidpil2002]

/azpw run

[mssonicbld]

/AzurePipelines run

[azure-pipelines]

You have several pipelines (over 10) configured to build pull requests in this repository. Specify which pipelines you would like to run by using /azp run [pipelines] command. You can specify multiple pipelines using a comma separated list.

[davidpil2002]

Hi @liat-grozovik ,
This PR is a fix about an issue related to Secure Boot that influence device that have ONIE version older than 2021.11.
can you be in the loop as reviewer?
in addition, I'm trying to rerun the PR, and probably the syntax or privileged to rerun was change, can you help?

[davidpil2002]

@DavidZagury FYI

[davidpil2002]

/ azp run Azure.sonic-buildimage

[SyunciLi]

Hi David

I download image from this page Supported Platforms today.

But it install fails and feedback "mokutil: not found", when I try to install SONiC image for Accton AS9716-32D,
Install log as below
mokutil_not_found.txt

maybe our switch version is too old. is it should still install or without and skip for mokutil ?

[davidpil2002]

Hi David

I download image from this page Supported Platforms today.

But it install fails and feedback "mokutil: not found", when I try to install SONiC image for Accton AS9716-32D, Install log as below mokutil_not_found.txt

maybe our switch version is too old. is it should still install or without and skip for mokutil ?

this PR contained the fix for your issue.

[happyttm24]

Hello, I am also have the same issue. The switch I am using is 100bf-32x. During the process of installing SONiC for 100bf-32x, I encountered an error "mokutil not found" and the installation process did not proceed.

[luigitalboy]

Hello @davidpil2002 , do you know when the new sonic-broadcom.bin file containing the PR for mokutil absence will be ready for download in the supported platform page?
Thanks!!!

[davidpil2002]

this PR is ready.
@qiluo-msft pls can you approve they are pending this fix.
thanks

[davidpil2002]

there is some build issue about some unitest of hostcfgd, but my commits in the PR are not related.
sent an email to:
sonicbuildadmin@microsoft.com

[luigitalboy]

Thanks @davidpil2002! Do you think we can test the images this monday?

[davidpil2002]

Thanks @davidpil2002! Do you think we can test the images this monday?

This fix its pending approvemt from community.
in general, if you build your image with this fix you should be able to install the image in any ONIE version.

[luigitalboy]

Great :-) which branch should I select from the drop down list?

[davidpil2002]

Great :-) which branch should I select from the drop down list?

the fixed its not merge, so basicly the fix it just in this PR that was created from master.
if you like to check this fix in other branch you can cherry pick the commit to other branch (its just one commit.)

[Stephengzh-Ragilenetworks]

Same issue on Ragile RA-B6510-48V8C, please someone approves this PR soon.

[davidpil2002]

Same issue on Ragile RA-B6510-48V8C, please someone approves this PR soon.

@qiluo-msft kind reminder to review this PR.

[liat-grozovik]

@ITJamie could you please confirm the fix is working for BRCM? we cannot fully test it. If so, I can go a head and merge it.

[davidpil2002]

@ITJamie We found other solution, using efivar and doing specific parsing to secure boot. if you can wait until end of this weel, we will upstream this solution as well.
PS: with this solution we will not use mokutils.

basicly by doing the follow command:
hexdump /sys/firmware/efi/efivars/SecureBoot-* | awk '{print $4}'

The new fix PR: #14589