From 508dda6ad331b90cc679b0b3f59ac8068cd5c34c Mon Sep 17 00:00:00 2001 From: xumia <59720581+xumia@users.noreply.github.com> Date: Thu, 21 Apr 2022 12:13:09 +0800 Subject: [PATCH] [Ci]: Support to sign image for cisco-8000 uefi secure boot (#10616) Why I did it [Ci]: Support to sign image for cisco-8000 uefi secure boot --- .../azure-pipelines-download-certificate.yml | 33 +++++++++++++++++++ .../official-build-cisco-8000.yml | 13 ++++++++ 2 files changed, 46 insertions(+) create mode 100644 .azure-pipelines/azure-pipelines-download-certificate.yml diff --git a/.azure-pipelines/azure-pipelines-download-certificate.yml b/.azure-pipelines/azure-pipelines-download-certificate.yml new file mode 100644 index 0000000000..3e1a58582f --- /dev/null +++ b/.azure-pipelines/azure-pipelines-download-certificate.yml @@ -0,0 +1,33 @@ +parameters: +- name: connectionName + type: string + default: sonic-dev-connection +- name: kevaultName + type: string + default: sonic-kv +- name: certificateName + type: string + default: sonic-secure-boot + +steps: +- task: AzureKeyVault@2 + inputs: + connectedServiceName: ${{ parameters.connectionName }} + keyVaultName: ${{ parameters.kevaultName }} + secretsFilter: ${{ parameters.certificateName }} + +- script: | + set -e + TMP_FILE=$(mktemp) + echo "$CERTIFICATE" | base64 -d > $TMP_FILE + sudo mkdir -p /etc/certificates + mkdir -p $(Build.StagingDirectory)/target + # Save the public key + openssl pkcs12 -in $TMP_FILE -clcerts --nokeys -nodes -passin pass: | sed -z -e "s/.*\(-----BEGIN CERTIFICATE\)/\1/" > $(SIGNING_CERT) + # Save the private key + openssl pkcs12 -in $TMP_FILE -nocerts -nodes -passin pass: | sed -z -e "s/.*\(-----BEGIN PRIVATE KEY\)/\1/" | sudo tee $(SIGNING_KEY) 1>/dev/null + ls -lt $(SIGNING_CERT) $(SIGNING_KEY) + rm $TMP_FILE + env: + CERTIFICATE: $(${{ parameters.certificateName }}) + displayName: "Save certificate" diff --git a/.azure-pipelines/official-build-cisco-8000.yml b/.azure-pipelines/official-build-cisco-8000.yml index 61b6b03171..474d3e743f 100644 --- a/.azure-pipelines/official-build-cisco-8000.yml +++ b/.azure-pipelines/official-build-cisco-8000.yml @@ -22,10 +22,17 @@ resources: name: Cisco-8000-sonic/platform-cisco-8000 endpoint: cisco-connection + variables: - group: SONIC-AKV-STROAGE-1 - name: StorageSASKey value: $(sonicstorage-SasToken) +- name: SONIC_ENABLE_SECUREBOOT_SIGNATURE + value: y +- name: SIGNING_KEY + value: /etc/certificates/sonic-secure-boot-private.pem +- name: SIGNING_CERT + value: $(Build.StagingDirectory)/target/sonic-secure-boot-public.pem stages: - stage: Build @@ -41,6 +48,7 @@ stages: parameters: buildOptions: 'USERNAME=admin SONIC_BUILD_JOBS=$(nproc) ${{ variables.VERSION_CONTROL_OPTIONS }}' preSteps: + - template: azure-pipelines-download-certificate.yml - checkout: self submodules: recursive path: s @@ -90,5 +98,10 @@ stages: StorageSASKey: $(StorageSASKey) condition: ne(variables['Build.Reason'], 'PullRequest') displayName: "Override cisco sai packages" + - script: | + echo "SONIC_ENABLE_SECUREBOOT_SIGNATURE := y" >> rules/config.user + echo "SIGNING_KEY := $(SIGNING_KEY)" >> rules/config.user + echo "SIGNING_CERT := $(SIGNING_CERT)" >> rules/config.user + displayName: "Enable secure boot signature" jobGroups: - name: cisco-8000