From 2d0a12af6d69dad5f705c8f81363a8b7659127c5 Mon Sep 17 00:00:00 2001
From: DavidZagury <32644413+DavidZagury@users.noreply.github.com>
Date: Tue, 2 May 2023 09:13:16 +0300
Subject: [PATCH] Fix issue with prod script not found, change the prod signing to work with flags to align to the dev script (#14580)

- Why I did it
Fix issue with signing tool not running due to being call with the path from the host and not the path it is mounted on inside the docker-slave
- How I did it
Modified the path on the SECURE_UPGRADE_PROD_SIGNING_TOOL flag to the path where it is mounted inside the slave docker
- How to verify it
Build SONiC using your own prod script
---
 Makefile.work | 4 +---
 build_debian.sh | 8 ++++----
 slave.mk | 2 +-
 3 files changed, 6 insertions(+), 8 deletions(-)

diff --git a/Makefile.work b/Makefile.work
index b849c435f1..efa105b514 100644
--- a/Makefile.work
+++ b/Makefile.work
@@ -321,9 +321,7 @@ endif
 # Mount the Signing prod tool in the slave container
 $(info "SECURE_UPGRADE_PROD_SIGNING_TOOL": "$(SECURE_UPGRADE_PROD_SIGNING_TOOL)")
 ifneq ($(SECURE_UPGRADE_PROD_SIGNING_TOOL),)
- SECURE_UPGRADE_PROD_SIGNING_TOOL_DST = /sonic/scripts/$(shell basename -- $(SECURE_UPGRADE_PROD_SIGNING_TOOL))
- DOCKER_RUN += -v $(SECURE_UPGRADE_PROD_SIGNING_TOOL):$(SECURE_UPGRADE_PROD_SIGNING_TOOL_DST):ro
- SECURE_UPGRADE_PROD_SIGNING_TOOL := $(SECURE_UPGRADE_PROD_SIGNING_TOOL_DST)
+ DOCKER_RUN += -v $(SECURE_UPGRADE_PROD_SIGNING_TOOL):/sonic/scripts/$(shell basename -- $(SECURE_UPGRADE_PROD_SIGNING_TOOL)):ro
 endif
 
 ifneq ($(SONIC_DPKG_CACHE_SOURCE),)
diff --git a/build_debian.sh b/build_debian.sh
index f319c5a853..4eae97dbe8 100755
--- a/build_debian.sh
+++ b/build_debian.sh
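Review bot: The in-container path `/sonic/scripts/$(shell basename -- $(SECURE_UPGRADE_PROD_SIGNING_TOOL))` on the added DOCKER_RUN line is now derived here and, independently, again in slave.mk's `sonic_su_prod_signing_tool` export, so a future change to either side silently reproduces the "script missing" failure this commit fixes. Keeping the removed `SECURE_UPGRADE_PROD_SIGNING_TOOL_DST` variable and handing that one value to the slave would leave a single source of truth; if the variable cannot be propagated, a comment above the `ifneq`, `# Destination must match sonic_su_prod_signing_tool in slave.mk`, at least ties the two together. The mount also lands in what appears to be the repository's own scripts directory (build_debian.sh invokes `./scripts/secure_boot_signature_verification.sh` from there), so a prod tool whose basename collides with an existing script would shadow it inside the slave; a dedicated mount directory, or a check that the destination does not already exist, is worth considering. The unquoted `basename --` operand also breaks on a host path containing spaces.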
@@ -669,13 +669,13 @@ if [[ $SECURE_UPGRADE_MODE == 'dev' || $SECURE_UPGRADE_MODE == "prod" && $SONIC_
 # Here Vendor signing should be implemented
 OUTPUT_SEC_BOOT_DIR=$FILESYSTEM_ROOT/boot
- if [ ! -f $SECURE_UPGRADE_PROD_SIGNING_TOOL ]; then
- echo "Error: SONiC SECURE_UPGRADE_PROD_SIGNING_TOOL=$SECURE_UPGRADE_PROD_SIGNING_TOOL script missing"
+ if [ ! -f $sonic_su_prod_signing_tool ]; then
+ echo "Error: SONiC sonic_su_prod_signing_tool=$sonic_su_prod_signing_tool script missing"
 exit 1
 fi
- sudo $SECURE_UPGRADE_PROD_SIGNING_TOOL $CONFIGURED_ARCH $FILESYSTEM_ROOT $LINUX_KERNEL_VERSION $OUTPUT_SEC_BOOT_DIR
-
+ sudo $sonic_su_prod_signing_tool $CONFIGURED_ARCH $FILESYSTEM_ROOT $LINUX_KERNEL_VERSION $OUTPUT_SEC_BOOT_DIR
+
 # verifying all EFI files and kernel modules in $OUTPUT_SEC_BOOT_DIR
 sudo ./scripts/secure_boot_signature_verification.sh -e $OUTPUT_SEC_BOOT_DIR \
 -c $SECURE_UPGRADE_SIGNING_CERT \
diff --git a/slave.mk b/slave.mk
index 719ddeebfc..a3909be1d7 100644
--- a/slave.mk
+++ b/slave.mk
@@ -1269,7 +1269,7 @@ $(addprefix $(TARGET_PATH)/, $(SONIC_INSTALLERS)) : $(TARGET_PATH)/% : \
 export sonic_su_dev_signing_key="$(SECURE_UPGRADE_DEV_SIGNING_KEY)"
 export sonic_su_signing_cert="$(SECURE_UPGRADE_SIGNING_CERT)"
 export sonic_su_mode="$(SECURE_UPGRADE_MODE)"
- export sonic_su_prod_signing_tool="$(SECURE_UPGRADE_PROD_SIGNING_TOOL)"
+ export sonic_su_prod_signing_tool="/sonic/scripts/$(shell basename -- $(SECURE_UPGRADE_PROD_SIGNING_TOOL))"
 export include_system_telemetry="$(INCLUDE_SYSTEM_TELEMETRY)"
 export include_restapi="$(INCLUDE_RESTAPI)"
 export include_nat="$(INCLUDE_NAT)"
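Review bot: The new `if [ ! -f $sonic_su_prod_signing_tool ]` only proves the mounted file exists, yet the following line executes it under `sudo`; the read-only bind mount carries the host file's mode, so a tool that is not executable passes this check and fails one line later with a less helpful permission error. `if [ ! -x "$sonic_su_prod_signing_tool" ]; then` catches both cases up front, and quoting matters because the value arrives via the environment. The error text now names the in-container variable `sonic_su_prod_signing_tool=/sonic/scripts/...`, while the user actually sets `SECURE_UPGRADE_PROD_SIGNING_TOOL` on the host, so mentioning that flag in the message would make the failure actionable. The enclosing `if [[ $SECURE_UPGRADE_MODE == ... ]]` block starts outside the hunk.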
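Review bot: The new export no longer degrades to an empty value when `SECURE_UPGRADE_PROD_SIGNING_TOOL` is unset: `$(shell basename -- )` then runs with no operand, so basename reports `missing operand` whenever this recipe runs, and the exported value becomes `/sonic/scripts/` rather than `""`. Any consumer that tests `-z`/`-n` on `sonic_su_prod_signing_tool` would now see a non-empty path; build_debian.sh's gating condition is truncated in its hunk header, so I cannot confirm whether it does. Guarding the derivation the way Makefile.work's `ifneq` does preserves the old contract: `export sonic_su_prod_signing_tool="$(if $(SECURE_UPGRADE_PROD_SIGNING_TOOL),/sonic/scripts/$(shell basename -- $(SECURE_UPGRADE_PROD_SIGNING_TOOL)))"`. The recipe this line belongs to starts outside the hunk.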