[Ci]: Support to sign image for cisco-8000 uefi secure boot (#10616)

Why I did it [Ci]: Support to sign image for cisco-8000 uefi secure boot
2022-04-21 12:13:09 +08:00 · 2022-04-21 12:13:09 +08:00 · 508dda6ad3
commit 508dda6ad3
parent 37e2848b3f
2 changed files with 46 additions and 0 deletions
--- a/.azure-pipelines/azure-pipelines-download-certificate.yml
+++ b/.azure-pipelines/azure-pipelines-download-certificate.yml
@ -0,0 +1,33 @@
+parameters:
+- name: connectionName
+  type: string
+  default: sonic-dev-connection
+- name: kevaultName
+  type: string
+  default: sonic-kv
+- name: certificateName
+  type: string
+  default: sonic-secure-boot
+
+steps:
+- task: AzureKeyVault@2
+  inputs:
+    connectedServiceName: ${{ parameters.connectionName }}
+    keyVaultName: ${{ parameters.kevaultName }}
+    secretsFilter: ${{ parameters.certificateName }}
+
+- script: |
+    set -e
+    TMP_FILE=$(mktemp)
+    echo "$CERTIFICATE" | base64 -d > $TMP_FILE
+    sudo mkdir -p /etc/certificates
+    mkdir -p $(Build.StagingDirectory)/target
+    # Save the public key
+    openssl pkcs12 -in $TMP_FILE -clcerts --nokeys -nodes -passin pass: | sed -z -e "s/.*\(-----BEGIN CERTIFICATE\)/\1/" > $(SIGNING_CERT)
+    # Save the private key
+    openssl pkcs12 -in $TMP_FILE -nocerts -nodes -passin pass: | sed -z -e "s/.*\(-----BEGIN PRIVATE KEY\)/\1/" | sudo tee $(SIGNING_KEY) 1>/dev/null
+    ls -lt $(SIGNING_CERT) $(SIGNING_KEY)
+    rm $TMP_FILE
+  env:
+    CERTIFICATE: $(${{ parameters.certificateName }})
+  displayName: "Save certificate"
--- a/.azure-pipelines/official-build-cisco-8000.yml
+++ b/.azure-pipelines/official-build-cisco-8000.yml
@ -22,10 +22,17 @@ resources:
    name: Cisco-8000-sonic/platform-cisco-8000
    endpoint: cisco-connection

+
 variables:
 - group: SONIC-AKV-STROAGE-1
 - name: StorageSASKey
  value: $(sonicstorage-SasToken)
+- name: SONIC_ENABLE_SECUREBOOT_SIGNATURE
+  value: y
+- name: SIGNING_KEY
+  value: /etc/certificates/sonic-secure-boot-private.pem
+- name: SIGNING_CERT
+  value: $(Build.StagingDirectory)/target/sonic-secure-boot-public.pem

 stages:
 - stage: Build
@ -41,6 +48,7 @@ stages:
    parameters:
      buildOptions: 'USERNAME=admin SONIC_BUILD_JOBS=$(nproc) ${{ variables.VERSION_CONTROL_OPTIONS }}'
      preSteps:
+      - template: azure-pipelines-download-certificate.yml
      - checkout: self
        submodules: recursive
        path: s
@ -90,5 +98,10 @@ stages:
          StorageSASKey: $(StorageSASKey)
        condition: ne(variables['Build.Reason'], 'PullRequest')
        displayName: "Override cisco sai packages"
+      - script: |
+          echo "SONIC_ENABLE_SECUREBOOT_SIGNATURE := y" >> rules/config.user
+          echo "SIGNING_KEY := $(SIGNING_KEY)" >> rules/config.user
+          echo "SIGNING_CERT := $(SIGNING_CERT)" >> rules/config.user
+        displayName: "Enable secure boot signature"
      jobGroups:
      - name: cisco-8000