From 0552d6b1722f51c028b0c69d1b3d54f0b0e4268f Mon Sep 17 00:00:00 2001
From: xumia <59720581+xumia@users.noreply.github.com>
Date: Thu, 2 Jun 2022 15:35:17 +0800
Subject: [PATCH] Support symcrypt fips config for aboot/uboot (#10729)

Why I did it
Support symcrypt fips config for aboot/uboot
---
 build_image.sh | 8 ++++++++
 files/Aboot/boot0.j2 | 2 +-
 installer/arm64/install.sh | 3 +++
 installer/armhf/install.sh | 3 +++
 platform/centec-arm64/platform.conf | 6 ++++--
 platform/marvell-arm64/platform.conf | 2 +-
 platform/marvell-armhf/platform.conf | 2 +-
 7 files changed, 21 insertions(+), 5 deletions(-)

diff --git a/build_image.sh b/build_image.sh
index 71351dbfe7..0963ff4a48 100755
--- a/build_image.sh
+++ b/build_image.sh
@@ -200,6 +200,14 @@ elif [ "$IMAGE_TYPE" = "aboot" ]; then
 generate_device_list ".platforms_asic"
 zip -g $OUTPUT_ABOOT_IMAGE .platforms_asic
+ if [ "$ENABLE_FIPS" = "y" ]; then
+ echo "sonic_fips=1" > kernel-cmdline
+ else
+ echo "sonic_fips=0" > kernel-cmdline
+ fi
+ zip -g $OUTPUT_ABOOT_IMAGE kernel-cmdline
+ rm kernel-cmdline
+
 zip -g $OUTPUT_ABOOT_IMAGE $ABOOT_BOOT_IMAGE
 rm $ABOOT_BOOT_IMAGE
 if [ "$SONIC_ENABLE_IMAGE_SIGNATURE" = "y" ]; then
diff --git a/files/Aboot/boot0.j2 b/files/Aboot/boot0.j2
index 5fe64b6884..ad7540df09 100644
--- a/files/Aboot/boot0.j2
+++ b/files/Aboot/boot0.j2
@@ -86,7 +86,7 @@ installer_image_path="$image_path/$installer_image"
 boot_config="$target_path/boot-config"
-cmdline_allowlist="crashkernel hwaddr_ma1"
+cmdline_allowlist="crashkernel hwaddr_ma1 sonic_fips"
 # for backward compatibility with the sonic_upgrade= behavior
 install="${install:-${sonic_upgrade:-}}"
diff --git a/installer/arm64/install.sh b/installer/arm64/install.sh
index dee3ceec90..445b2007fa 100755
--- a/installer/arm64/install.sh
+++ b/installer/arm64/install.sh
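Review bot: The new block writes `kernel-cmdline` without saying who consumes it, and the two branches differ only in the digit; a comment above the `if` such as `# consumed by Aboot's boot0, which only forwards keys listed in its cmdline_allowlist (sonic_fips is added there in this change)` would make the trust boundary explicit, and the branches could collapse to `fips=0; [ "$ENABLE_FIPS" = "y" ] && fips=1` followed by `echo "sonic_fips=$fips" > kernel-cmdline`. The file is appended to the archive before the `SONIC_ENABLE_IMAGE_SIGNATURE` step that follows, so it appears to be covered by the image signature — worth stating in the same comment if that is the intent. The enclosing `elif` branch continues past the end of the hunk.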
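Review bot: `cmdline_allowlist` is the filter that decides which keys from the image's `kernel-cmdline` reach the kernel command line, and the new `sonic_fips` entry carries no note on where it originates; a line such as `# sonic_fips: written into kernel-cmdline by build_image.sh (0 or 1, from ENABLE_FIPS)` above the assignment would document that. Since the list is key-based, the value attached to the key is presumably forwarded as-is, so if only `0`/`1` are meaningful downstream that is worth saying in the same comment.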
@@ -181,6 +181,9 @@ if [ "$install_env" = "onie" ]; then
 fi
 fi
+extra_cmdline_linux=%%EXTRA_CMDLINE_LINUX%%
+echo "EXTRA_CMDLINE_LINUX=$extra_cmdline_linux"
+
 # Update Bootloader Menu with installed image
 bootloader_menu_config
diff --git a/installer/armhf/install.sh b/installer/armhf/install.sh
index 9ade40d514..0dd6e48a08 100755
--- a/installer/armhf/install.sh
+++ b/installer/armhf/install.sh
@@ -181,6 +181,9 @@ if [ "$install_env" = "onie" ]; then
 fi
 fi
+extra_cmdline_linux=%%EXTRA_CMDLINE_LINUX%%
+echo "EXTRA_CMDLINE_LINUX=$extra_cmdline_linux"
+
 # Update Bootloader Menu with installed image
 bootloader_menu_config
diff --git a/platform/centec-arm64/platform.conf b/platform/centec-arm64/platform.conf
index 39dc4b7023..09cf9be6e8 100755
--- a/platform/centec-arm64/platform.conf
+++ b/platform/centec-arm64/platform.conf
@@ -16,9 +16,10 @@ mount_partition() {
 bootloader_menu_config() {
 if [ "$install_env" = "onie" ]; then
+ fw_setenv -f linuxargs "${extra_cmdline_linux}"
 fw_setenv -f nos_bootcmd "test -n \$boot_once && setenv do_boot_once \$boot_once && setenv boot_once && saveenv && run do_boot_once; run boot_next"
- fw_setenv -f sonic_image_1 "ext4load mmc 0:1 \$loadaddr \$sonic_dir_1/boot/sonic_arm64.fit && setenv bootargs quiet console=\$consoledev,\$baudrate root=/dev/mmcblk0p1 rw rootwait rootfstype=ext4 loopfstype=squashfs loop=\$sonic_dir_1/fs.squashfs systemd.unified_cgroup_hierarchy=0 && bootm \$loadaddr"
+ fw_setenv -f sonic_image_1 "ext4load mmc 0:1 \$loadaddr \$sonic_dir_1/boot/sonic_arm64.fit && setenv bootargs quiet console=\$consoledev,\$baudrate root=/dev/mmcblk0p1 rw rootwait rootfstype=ext4 loopfstype=squashfs loop=\$sonic_dir_1/fs.squashfs systemd.unified_cgroup_hierarchy=0 \${linuxargs} && bootm \$loadaddr"
 fw_setenv -f sonic_image_2 "NONE"
 fw_setenv -f sonic_dir_1 $image_dir
 fw_setenv -f sonic_dir_2 "NONE"
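Review bot: `extra_cmdline_linux=%%EXTRA_CMDLINE_LINUX%%` is an unquoted assignment, so if the build-time substitution ever contains whitespace — which a kernel command-line fragment does as soon as more than one parameter is set — the shell would treat everything after the first space as a command to run with the first token in its environment; writing it as `extra_cmdline_linux="%%EXTRA_CMDLINE_LINUX%%"` keeps the whole fragment in the variable and is also safe for an empty substitution. The identical line is in the installer/armhf/install.sh hunk below. The `if` whose two closing `fi` lines open the hunk starts outside it.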
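Review bot: `fw_setenv -f linuxargs "${extra_cmdline_linux}"` writes a single U-Boot variable that `sonic_image_1` here and every `sonic_image_$idx` entry in the second hunk (`@@ -37,9 +38,10 @@`) reference via `\${linuxargs}`, so installing a second image overwrites the value the first image boots with — if a FIPS and a non-FIPS image were installed side by side, the first would silently boot with the second's setting. A per-image variable (`linuxargs_$idx`, referenced as `\${linuxargs_$idx}` in the matching `sonic_image_$idx` string) would keep them independent, the way the marvell platform.conf files keep a separate `linuxargs_old`. This is inferred from the hunk alone; the body of `bootloader_menu_config` continues outside it.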
@@ -37,9 +38,10 @@ bootloader_menu_config() {
 fi
 done
+ fw_setenv linuxargs "${extra_cmdline_linux}"
 fw_setenv nos_bootcmd "test -n \$boot_once && setenv do_boot_once \$boot_once && setenv boot_once && saveenv && run do_boot_once; run boot_next"
- fw_setenv sonic_image_$idx "ext4load mmc 0:1 \$loadaddr \$sonic_dir_$idx/boot/sonic_arm64.fit && setenv bootargs quiet console=\$consoledev,\$baudrate root=/dev/mmcblk0p1 rw rootwait rootfstype=ext4 loopfstype=squashfs loop=\$sonic_dir_$idx/fs.squashfs systemd.unified_cgroup_hierarchy=0 && bootm \$loadaddr"
+ fw_setenv sonic_image_$idx "ext4load mmc 0:1 \$loadaddr \$sonic_dir_$idx/boot/sonic_arm64.fit && setenv bootargs quiet console=\$consoledev,\$baudrate root=/dev/mmcblk0p1 rw rootwait rootfstype=ext4 loopfstype=squashfs loop=\$sonic_dir_$idx/fs.squashfs systemd.unified_cgroup_hierarchy=0 \${linuxargs} && bootm \$loadaddr"
 fw_setenv sonic_dir_$idx $image_dir
 fw_setenv sonic_version_$idx `echo $image_dir | sed "s/^image-/SONiC-OS-/g"`
diff --git a/platform/marvell-arm64/platform.conf b/platform/marvell-arm64/platform.conf
index 8ecdfa3174..4ef62d36b8 100644
--- a/platform/marvell-arm64/platform.conf
+++ b/platform/marvell-arm64/platform.conf
@@ -108,7 +108,7 @@ prepare_boot_menu() {
 BORDER='echo "---------------------------------------------------";echo;'
 fw_setenv ${FW_ARG} print_menu $BORDER $BOOT1 $BOOT2 $BOOT3 $BORDER > /dev/null
- fw_setenv ${FW_ARG} linuxargs "net.ifnames=0 loopfstype=squashfs loop=$image_dir/$FILESYSTEM_SQUASHFS systemd.unified_cgroup_hierarchy=0 varlog_size=$VAR_LOG" > /dev/null
+ fw_setenv ${FW_ARG} linuxargs "net.ifnames=0 loopfstype=squashfs loop=$image_dir/$FILESYSTEM_SQUASHFS systemd.unified_cgroup_hierarchy=0 varlog_size=$VAR_LOG ${extra_cmdline_linux}" > /dev/null
 fw_setenv ${FW_ARG} linuxargs_old "net.ifnames=0 loopfstype=squashfs loop=$image_dir_old/$FILESYSTEM_SQUASHFS systemd.unified_cgroup_hierarchy=0 varlog_size=$VAR_LOG" > /dev/null
 sonic_bootargs_old='setenv bootargs root='$demo_dev' rw rootwait rootfstype=ext4 panic=1 console=ttyS0,115200 ${othbootargs} ${mtdparts} ${linuxargs_old}'
 fw_setenv ${FW_ARG} sonic_bootargs_old $sonic_bootargs_old > /dev/null || true
diff --git a/platform/marvell-armhf/platform.conf b/platform/marvell-armhf/platform.conf
index 6dd8e238f9..df71c5d1b1 100644
--- a/platform/marvell-armhf/platform.conf
+++ b/platform/marvell-armhf/platform.conf
@@ -147,7 +147,7 @@ prepare_boot_menu() {
 BORDER='echo "---------------------------------------------------";echo;'
 fw_setenv ${FW_ARG} print_menu $BORDER $BOOT1 $BOOT2 $BOOT3 $BORDER > /dev/null
- fw_setenv ${FW_ARG} linuxargs "net.ifnames=0 loopfstype=squashfs loop=$image_dir/$FILESYSTEM_SQUASHFS systemd.unified_cgroup_hierarchy=0 varlog_size=$VAR_LOG loglevel=4" > /dev/null
+ fw_setenv ${FW_ARG} linuxargs "net.ifnames=0 loopfstype=squashfs loop=$image_dir/$FILESYSTEM_SQUASHFS systemd.unified_cgroup_hierarchy=0 varlog_size=$VAR_LOG loglevel=4 ${extra_cmdline_linux}" > /dev/null
 fw_setenv ${FW_ARG} linuxargs_old "net.ifnames=0 loopfstype=squashfs loop=$image_dir_old/$FILESYSTEM_SQUASHFS systemd.unified_cgroup_hierarchy=0 varlog_size=$VAR_LOG loglevel=4" > /dev/null
 # Set boot configs
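Review bot: `${extra_cmdline_linux}` is appended only to `linuxargs`, while `linuxargs_old` on the following unchanged line is rebuilt from the static arguments alone, so the previously installed image loses whatever extra parameters it was installed with — if both images are FIPS builds, the old entry would boot without `sonic_fips`. Whether that matters depends on how `EXTRA_CMDLINE_LINUX` is populated elsewhere, but the asymmetry deserves either a comment such as `# extra_cmdline_linux belongs to the image being installed; the old entry keeps only the static args` or capturing the current value with `fw_printenv -n linuxargs` before it is overwritten and reusing it for `linuxargs_old`. The same asymmetry is in the platform/marvell-armhf/platform.conf hunk below. `prepare_boot_menu` starts and ends outside the hunk.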