diff --git a/Makefile.work b/Makefile.work
index d3f507f98fc..a51a656e362 100644
--- a/Makefile.work
+++ b/Makefile.work
@@ -293,8 +293,8 @@ endif
 ifneq ($(SECURE_UPGRADE_DEV_SIGNING_KEY),)
     DOCKER_RUN += -v $(SECURE_UPGRADE_DEV_SIGNING_KEY):$(SECURE_UPGRADE_DEV_SIGNING_KEY):ro
 endif
-ifneq ($(SECURE_UPGRADE_DEV_SIGNING_CERT),)
-    DOCKER_RUN += -v $(SECURE_UPGRADE_DEV_SIGNING_CERT):$(SECURE_UPGRADE_DEV_SIGNING_CERT):ro
+ifneq ($(SECURE_UPGRADE_SIGNING_CERT),)
+    DOCKER_RUN += -v $(SECURE_UPGRADE_SIGNING_CERT):$(SECURE_UPGRADE_SIGNING_CERT):ro
 endif
 # Mount the Signing prod tool in the slave container
 $(info "SECURE_UPGRADE_PROD_SIGNING_TOOL": "$(SECURE_UPGRADE_PROD_SIGNING_TOOL)")
@@ -516,7 +516,7 @@ SONIC_BUILD_INSTRUCTION := $(MAKE) \
 	SONIC_ENABLE_SECUREBOOT_SIGNATURE=$(SONIC_ENABLE_SECUREBOOT_SIGNATURE) \
 	SECURE_UPGRADE_MODE=$(SECURE_UPGRADE_MODE) \
 	SECURE_UPGRADE_DEV_SIGNING_KEY=$(SECURE_UPGRADE_DEV_SIGNING_KEY) \
-	SECURE_UPGRADE_DEV_SIGNING_CERT=$(SECURE_UPGRADE_DEV_SIGNING_CERT) \
+	SECURE_UPGRADE_SIGNING_CERT=$(SECURE_UPGRADE_SIGNING_CERT) \
 	SECURE_UPGRADE_PROD_SIGNING_TOOL=$(SECURE_UPGRADE_PROD_SIGNING_TOOL) \
 	SONIC_DEFAULT_CONTAINER_REGISTRY=$(DEFAULT_CONTAINER_REGISTRY) \
 	ENABLE_HOST_SERVICE_ON_START=$(ENABLE_HOST_SERVICE_ON_START) \
diff --git a/build_debian.sh b/build_debian.sh
index d57a05226ea..9b5705d3313 100755
--- a/build_debian.sh
+++ b/build_debian.sh
@@ -636,8 +636,8 @@ if [[ $SECURE_UPGRADE_MODE == 'dev' || $SECURE_UPGRADE_MODE == "prod" && $SONIC_
         shim-unsigned \
         grub-efi
 
-    if [ ! -f $SECURE_UPGRADE_DEV_SIGNING_CERT ]; then
-        echo "Error: SONiC SECURE_UPGRADE_DEV_SIGNING_CERT=$SECURE_UPGRADE_DEV_SIGNING_CERT key missing"
+    if [ ! -f $SECURE_UPGRADE_SIGNING_CERT ]; then
+        echo "Error: SONiC SECURE_UPGRADE_SIGNING_CERT=$SECURE_UPGRADE_SIGNING_CERT key missing"
         exit 1
     fi
 
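Review bot: The guard on the new `if [ ! -f $SECURE_UPGRADE_SIGNING_CERT ]; then` line expands the variable unquoted, so when it is empty the test collapses to `[ ! -f ]`, which evaluates false, and the script continues into signing and verification with no certificate instead of stopping; `if [ ! -f "$SECURE_UPGRADE_SIGNING_CERT" ]; then` keeps the check meaningful for the empty case. The echo on the following line also still reports a certificate as `key missing`; `echo "Error: SONiC SECURE_UPGRADE_SIGNING_CERT=$SECURE_UPGRADE_SIGNING_CERT certificate missing"` would match what is actually checked. The same unquoted expansion feeds the `-c` arguments in this file's later hunks at 652 and 667, so quoting there is worth doing in the same pass. The enclosing `if [[ $SECURE_UPGRADE_MODE == 'dev' || ...` block starts before this hunk and its body continues past it.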
@@ -652,7 +652,7 @@ if [[ $SECURE_UPGRADE_MODE == 'dev' || $SECURE_UPGRADE_MODE == "prod" && $SONIC_
         sudo ./scripts/signing_secure_boot_dev.sh -a $CONFIGURED_ARCH \
             -r $FILESYSTEM_ROOT \
             -l $LINUX_KERNEL_VERSION \
-            -c $SECURE_UPGRADE_DEV_SIGNING_CERT \
+            -c $SECURE_UPGRADE_SIGNING_CERT \
             -p $SECURE_UPGRADE_DEV_SIGNING_KEY
     elif [[ $SECURE_UPGRADE_MODE == "prod" ]]; then
         # Here Vendor signing should be implemented
@@ -667,12 +667,12 @@ if [[ $SECURE_UPGRADE_MODE == 'dev' || $SECURE_UPGRADE_MODE == "prod" && $SONIC_
 
     # verifying all EFI files and kernel modules in $OUTPUT_SEC_BOOT_DIR
     sudo ./scripts/secure_boot_signature_verification.sh -e $OUTPUT_SEC_BOOT_DIR \
-        -c $SECURE_UPGRADE_DEV_SIGNING_CERT \
+        -c $SECURE_UPGRADE_SIGNING_CERT \
         -k $FILESYSTEM_ROOT
 
     # verifying vmlinuz file.
     sudo ./scripts/secure_boot_signature_verification.sh -e $FILESYSTEM_ROOT/boot/vmlinuz-${LINUX_KERNEL_VERSION}-${CONFIGURED_ARCH} \
-        -c $SECURE_UPGRADE_DEV_SIGNING_CERT \
+        -c $SECURE_UPGRADE_SIGNING_CERT \
         -k $FILESYSTEM_ROOT
 fi
 echo "Secure Boot support build stage: END."
diff --git a/rules/config b/rules/config
index 6c82823cfaa..b33335f5d16 100644
--- a/rules/config
+++ b/rules/config
@@ -220,11 +220,11 @@ SONIC_ENABLE_SECUREBOOT_SIGNATURE ?= n
 
 # Full Secure Boot feature flags.
 # SECURE_UPGRADE_DEV_SIGNING_KEY - path to development signing key, used for image signing during build
-# SECURE_UPGRADE_DEV_SIGNING_CERT - path to development signing certificate, used for image signing during build
+# SECURE_UPGRADE_SIGNING_CERT - path to development signing certificate, used for image signing during build
 # SECURE_UPGRADE_MODE - enum value for secure upgrade mode, valid options are "dev", "prod" and "no_sign"
 # SECURE_UPGRADE_PROD_SIGNING_TOOL - path to a vendor signing tool for production flow.
 SECURE_UPGRADE_DEV_SIGNING_KEY ?=
-SECURE_UPGRADE_DEV_SIGNING_CERT ?=
+SECURE_UPGRADE_SIGNING_CERT ?=
 SECURE_UPGRADE_MODE = "no_sign"
 SECURE_UPGRADE_PROD_SIGNING_TOOL ?=
 # PACKAGE_URL_PREFIX - the package url prefix
diff --git a/rules/linux-kernel.dep b/rules/linux-kernel.dep
index 7e2dd474148..e577ca7f44c 100644
--- a/rules/linux-kernel.dep
+++ b/rules/linux-kernel.dep
@@ -4,7 +4,7 @@ DEP_FILES := rules/linux-kernel.mk rules/linux-kernel.dep
 SMDEP_FILES := $(addprefix $(SPATH)/,$(shell cd $(SPATH) && git ls-files))
 
 DEP_FLAGS := $(SONIC_COMMON_FLAGS_LIST) \
-	$(KERNEL_PROCURE_METHOD) $(KERNEL_CACHE_PATH) $(SECURE_UPGRADE_MODE) $(SECURE_UPGRADE_DEV_SIGNING_CERT)
+	$(KERNEL_PROCURE_METHOD) $(KERNEL_CACHE_PATH) $(SECURE_UPGRADE_MODE) $(SECURE_UPGRADE_SIGNING_CERT)
 
 $(LINUX_HEADERS_COMMON)_CACHE_MODE := GIT_CONTENT_SHA
 $(LINUX_HEADERS_COMMON)_DEP_FLAGS := $(DEP_FLAGS)
diff --git a/slave.mk b/slave.mk
index 4662a51305d..c5d31019dce 100644
--- a/slave.mk
+++ b/slave.mk
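Review bot: The renamed comment on the new `# SECURE_UPGRADE_SIGNING_CERT` line still describes the value as a "development signing certificate", while the rename drops the DEV qualifier and the build_debian.sh hunks in this change pass the same certificate to the signature-verification step inside a block that covers both dev and prod mode, so the description now understates what the certificate is used for. Suggest `# SECURE_UPGRADE_SIGNING_CERT - path to the signing certificate, used for image signing (dev mode) and signature verification during build`. Confirm the prod wording against the vendor signing path before settling on it, since that step is only a comment stub in the visible hunks.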
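Review bot: The new DEP_FLAGS continuation line contributes only the certificate path, `$(SECURE_UPGRADE_SIGNING_CERT)`, to the flags that `$(LINUX_HEADERS_COMMON)_DEP_FLAGS` picks up two lines below, so if those flags form part of the kernel cache key (a `GIT_CONTENT_SHA` cache mode is set right after) a rotated certificate at the same path would presumably not invalidate a cached kernel build. This was already true of the old variable, but the rename is a natural point to make the assumption visible; a comment such as `# NOTE: the cache key sees the cert path, not its contents - change the path or clear the cache when the cert is rotated` above DEP_FLAGS would do. Whether certificate content should enter the key depends on what the cache mode hashes, which is outside this hunk.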
@@ -374,7 +374,7 @@ $(info "USERNAME" : "$(USERNAME)")
 $(info "PASSWORD" : "$(PASSWORD)")
 $(info "SECURE_UPGRADE_MODE" : "$(SECURE_UPGRADE_MODE)")
 $(info "SECURE_UPGRADE_DEV_SIGNING_KEY" : "$(SECURE_UPGRADE_DEV_SIGNING_KEY)")
-$(info "SECURE_UPGRADE_DEV_SIGNING_CERT" : "$(SECURE_UPGRADE_DEV_SIGNING_CERT)")
+$(info "SECURE_UPGRADE_SIGNING_CERT" : "$(SECURE_UPGRADE_SIGNING_CERT)")
 $(info "SECURE_UPGRADE_PROD_SIGNING_TOOL": "$(SECURE_UPGRADE_PROD_SIGNING_TOOL)")
 $(info "ENABLE_DHCP_GRAPH_SERVICE" : "$(ENABLE_DHCP_GRAPH_SERVICE)")
 $(info "SHUTDOWN_BGP_ON_START" : "$(SHUTDOWN_BGP_ON_START)")
@@ -1235,7 +1235,7 @@ $(addprefix $(TARGET_PATH)/, $(SONIC_INSTALLERS)) : $(TARGET_PATH)/% : \
 		export include_teamd="$(INCLUDE_TEAMD)"
 		export include_router_advertiser="$(INCLUDE_ROUTER_ADVERTISER)"
 		export sonic_su_dev_signing_key="$(SECURE_UPGRADE_DEV_SIGNING_KEY)"
-		export sonic_su_dev_signing_cert="$(SECURE_UPGRADE_DEV_SIGNING_CERT)"
+		export sonic_su_signing_cert="$(SECURE_UPGRADE_SIGNING_CERT)"
 		export sonic_su_mode="$(SECURE_UPGRADE_MODE)"
 		export sonic_su_prod_signing_tool="$(SECURE_UPGRADE_PROD_SIGNING_TOOL)"
 		export include_system_telemetry="$(INCLUDE_SYSTEM_TELEMETRY)"
@@ -1437,7 +1437,7 @@ $(addprefix $(TARGET_PATH)/, $(SONIC_INSTALLERS)) : $(TARGET_PATH)/% : \
 			SONIC_ENABLE_IMAGE_SIGNATURE="$(SONIC_ENABLE_IMAGE_SIGNATURE)" \
 			SECURE_UPGRADE_MODE="$(SECURE_UPGRADE_MODE)" \
 			SECURE_UPGRADE_DEV_SIGNING_KEY="$(SECURE_UPGRADE_DEV_SIGNING_KEY)" \
-			SECURE_UPGRADE_DEV_SIGNING_CERT="$(SECURE_UPGRADE_DEV_SIGNING_CERT)" \
+			SECURE_UPGRADE_SIGNING_CERT="$(SECURE_UPGRADE_SIGNING_CERT)" \
 			SECURE_UPGRADE_PROD_SIGNING_TOOL="$(SECURE_UPGRADE_PROD_SIGNING_TOOL)" \
 			SIGNING_KEY="$(SIGNING_KEY)" \
 			SIGNING_CERT="$(SIGNING_CERT)" \
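Review bot: The new `export sonic_su_signing_cert="$(SECURE_UPGRADE_SIGNING_CERT)"` line in the 1235 hunk renames an environment variable rather than a make variable, so whatever script the installer recipe hands this environment to must read the new name; none of the hunks in this diff updates such a reader, and if it is not changed elsewhere in the PR the consumer would silently see an empty value under the old name. Worth confirming with a search of the build scripts for `sonic_su_dev_signing_cert` before merge. The installer recipe this line belongs to starts before the hunk and continues past it; the hunks at 374 and 1437 are plain make-variable renames and need nothing further.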