[secure boot] Support rw files allowlist

build_image.sh

@@ -133,6 +133,7 @@ elif [ "$IMAGE_TYPE" = "aboot" ]; then
     sed -i -e "s/%%IMAGE_VERSION%%/$IMAGE_VERSION/g" files/Aboot/boot0
     pushd files/Aboot && zip -g $OLDPWD/$OUTPUT_ABOOT_IMAGE boot0; popd
     pushd files/Aboot && zip -g $OLDPWD/$ABOOT_BOOT_IMAGE boot0; popd
+    pushd files/image_config/secureboot && zip -g $OLDPWD/$OUTPUT_ABOOT_IMAGE whitelist; popd
     echo "$IMAGE_VERSION" >> .imagehash
     zip -g $OUTPUT_ABOOT_IMAGE .imagehash
     zip -g $ABOOT_BOOT_IMAGE .imagehash

files/Aboot/boot0.j2

@@ -395,6 +395,9 @@ write_boot_configs() {
         fi
     fi
 
+    # setting secure_boot_enable=true when secure boot enabled
+    [ -f /bin/securebootctl ] && securebootctl secureboot -display | grep -i "Secure Boot enable" -q && echo "secure_boot_enable=true" >> /tmp/append
+
     mkdir -p "$image_path"
     cat /tmp/append > $cmdline_image
     [ -s ${target_path}/machine.conf ] || write_machine_config

files/image_config/secureboot/whitelist

@@ -0,0 +1,32 @@
+# It is the patterns of the relative paths in /host/image-{hash}/rw folder.
+# The patterns will not be used if the Sonic Secure Boot feature is not enabled.
+# The files that are not in the whitelist will be removed when the Sonic System cold reboot.
+
+home/.*
+var/core/.*
+var/log/.*
+etc/group
+etc/gshadow
+etc/hostname
+etc/hosts
+etc/machine-id
+etc/network/interfaces
+etc/nsswitch.conf
+etc/pam.d/common-auth-sonic
+etc/pam.d/sshd
+etc/pam.d/login
+etc/passwd
+etc/rsyslog.conf
+etc/shadow
+etc/sonic/acl.json
+etc/sonic/config_db.json
+etc/sonic/minigraph.xml
+etc/sonic/snmp.yml
+etc/sonic/updategraph.conf
+etc/ssh/ssh_host_rsa_key.pub
+etc/ssh/ssh_host_rsa_key
+etc/subgid
+etc/subuid
+etc/tacplus_nss.conf
+etc/tacplus_user
+lib/systemd/system/[email protected]

files/initramfs-tools/union-mount.j2

@@ -39,10 +39,49 @@ set_tmpfs_log_partition_size()
   [ $maxsize -le $varlogsize ] && varlogsize=$maxsize
 }
 
+whitelist_rw_folder()
+{
+  image_dir=$1
+  whitelist_file=${rootmnt}/host/$image_dir/whitelist
+
+  # Return if the whitelist file does not exist
+  if ! test -f "${whitelist_file}"; then
+    return
+  fi
+
+  # Return if the secure_boot_enable option is not set
+  if cat /proc/cmdline | grep -v -q "secure_boot_enable=true"; then
+    return
+  fi
+
+  whitelist_log=${rootmnt}/host/$image_dir/whitelist.log
+  rw_dir=${rootmnt}/host/$image_dir/rw
+  whitelist=$(cat ${rootmnt}/host/$image_dir/whitelist | grep -v "^\s*#" | awk '{$1=$1};1')
+  set -o noglob
+  find ${rw_dir} -type f |
+  while IFS= read -r file; do
+    found="false"
+    for line in $whitelist; do
+      pattern="^${rw_dir}/${line}\$"
+      if echo "$file" | grep -q "$pattern"; then
+        found="true"
+        break
+      fi
+    done
+    if [ $found = "false" ]; then
+      echo $file >> ${whitelist_log}
+      rm -f $file
+    fi
+  done
+  set +o noglob
+}
+
 ## Mount the overlay file system: rw layer over squashfs
 image_dir=$(cat /proc/cmdline | sed -e 's/.*loop=\(\S*\)\/.*/\1/')
 mkdir -p ${rootmnt}/host/$image_dir/rw
 mkdir -p ${rootmnt}/host/$image_dir/work
+## Whitelist rw folder
+whitelist_rw_folder "$image_dir"
 mount -n -o lowerdir=${rootmnt},upperdir=${rootmnt}/host/$image_dir/rw,workdir=${rootmnt}/host/$image_dir/work -t overlay root-overlay ${rootmnt}
 ## Check if the root block device is still there
 [ -b ${ROOT} ] || mdev -s