[secure boot] Support rw files allowlist

build_image.sh

@@ -133,6 +133,7 @@ elif [ "$IMAGE_TYPE" = "aboot" ]; then
     sed -i -e "s/%%IMAGE_VERSION%%/$IMAGE_VERSION/g" files/Aboot/boot0
     pushd files/Aboot && zip -g $OLDPWD/$OUTPUT_ABOOT_IMAGE boot0; popd
     pushd files/Aboot && zip -g $OLDPWD/$ABOOT_BOOT_IMAGE boot0; popd
+    pushd files/image_config/secureboot && zip -g $OLDPWD/$OUTPUT_ABOOT_IMAGE whitelist_paths.conf; popd
     echo "$IMAGE_VERSION" >> .imagehash
     zip -g $OUTPUT_ABOOT_IMAGE .imagehash
     zip -g $ABOOT_BOOT_IMAGE .imagehash

files/Aboot/boot0.j2

@@ -395,6 +395,9 @@ write_boot_configs() {
         fi
     fi
 
+    # setting secure_boot_enable=true when secure boot enabled
+    [ -f /bin/securebootctl ] && securebootctl secureboot -display | grep -i "Secure Boot enable" -q && echo "secure_boot_enable=y" >> /tmp/append
+
     mkdir -p "$image_path"
     cat /tmp/append > $cmdline_image
     [ -s ${target_path}/machine.conf ] || write_machine_config

files/image_config/secureboot/whitelist_paths.conf

@@ -0,0 +1,28 @@
+home/.*
+var/core/.*
+var/log/.*
+etc/group
+etc/gshadow
+etc/hostname
+etc/hosts
+etc/machine-id
+etc/network/interfaces
+etc/nsswitch.conf
+etc/pam.d/common-auth-sonic
+etc/pam.d/sshd
+etc/pam.d/login
+etc/passwd
+etc/rsyslog.conf
+etc/shadow
+etc/sonic/acl.json
+etc/sonic/config_db.json
+etc/sonic/minigraph.xml
+etc/sonic/snmp.yml
+etc/sonic/updategraph.conf
+etc/ssh/ssh_host_rsa_key.pub
+etc/ssh/ssh_host_rsa_key
+etc/subgid
+etc/subuid
+etc/tacplus_nss.conf
+etc/tacplus_user
+lib/systemd/system/serial-getty@.service

files/image_config/secureboot/whitelist_paths.md

@@ -0,0 +1,11 @@
+# Configuration Guide
+It is the patterns of the relative paths in /host/image-{{hash}}/rw folder.
+The patterns will not be used if the Sonic Secure Boot feature is not enabled.
+The files that are not in the whitelist will be removed when the Sonic System cold reboot.
+
+### Example to whitelist all the files in a folder
+home/.*
+
+### Example to whitelist a file
+etc/nsswitch.conf
+

files/initramfs-tools/union-mount.j2

@@ -39,10 +39,38 @@ set_tmpfs_log_partition_size()
   [ $maxsize -le $varlogsize ] && varlogsize=$maxsize
 }
 
+whitelist_rw_folder()
+{
+  image_dir=$1
+  whitelist_file=${rootmnt}/host/$image_dir/whitelist_paths.conf
+
+  # Return if the whitelist file does not exist
+  if ! test -f "${whitelist_file}"; then
+    return
+  fi
+
+  # Return if the secure_boot_enable option is not set
+  if ! (cat /proc/cmdline | grep -i -q "secure_boot_enable=[y1]"); then
+    return
+  fi
+
+  rw_dir=${rootmnt}/host/$image_dir/rw
+
+  # Set the grep pattern file, remove the blank line in config file
+  whitelist_pattern_file=${rootmnt}/host/$image_dir/whitelist_paths.pattern
+  awk -v rw_dir="$rw_dir" 'NF {print rw_dir"/"$0"$"}' ${whitelist_file} > $whitelist_pattern_file
+
+  # Find the files in the rw folder, and remove the files not in the whitelist
+  find ${rw_dir} -type f | grep -v -f $whitelist_pattern_file | xargs /bin/rm -f
+  rm -f $whitelist_pattern_file
+}
+
 ## Mount the overlay file system: rw layer over squashfs
 image_dir=$(cat /proc/cmdline | sed -e 's/.*loop=\(\S*\)\/.*/\1/')
 mkdir -p ${rootmnt}/host/$image_dir/rw
 mkdir -p ${rootmnt}/host/$image_dir/work
+## Whitelist rw folder
+whitelist_rw_folder "$image_dir"
 mount -n -o lowerdir=${rootmnt},upperdir=${rootmnt}/host/$image_dir/rw,workdir=${rootmnt}/host/$image_dir/work -t overlay root-overlay ${rootmnt}
 ## Check if the root block device is still there
 [ -b ${ROOT} ] || mdev -s