[Ci]: Support to sign image for cisco-8000 uefi secure boot (#10616)

Why I did it
[Ci]: Support to sign image for cisco-8000 uefi secure boot
This commit is contained in:
xumia 2022-04-21 12:13:09 +08:00 committed by GitHub
parent 37e2848b3f
commit 508dda6ad3
No account linked to committer's email address
2 changed files with 46 additions and 0 deletions

View File

@ -0,0 +1,33 @@
parameters:
- name: connectionName
type: string
default: sonic-dev-connection
- name: kevaultName
type: string
default: sonic-kv
- name: certificateName
type: string
default: sonic-secure-boot
steps:
- task: AzureKeyVault@2
inputs:
connectedServiceName: ${{ parameters.connectionName }}
keyVaultName: ${{ parameters.kevaultName }}
secretsFilter: ${{ parameters.certificateName }}
- script: |
set -e
TMP_FILE=$(mktemp)
echo "$CERTIFICATE" | base64 -d > $TMP_FILE
sudo mkdir -p /etc/certificates
mkdir -p $(Build.StagingDirectory)/target
# Save the public key
openssl pkcs12 -in $TMP_FILE -clcerts --nokeys -nodes -passin pass: | sed -z -e "s/.*\(-----BEGIN CERTIFICATE\)/\1/" > $(SIGNING_CERT)
# Save the private key
openssl pkcs12 -in $TMP_FILE -nocerts -nodes -passin pass: | sed -z -e "s/.*\(-----BEGIN PRIVATE KEY\)/\1/" | sudo tee $(SIGNING_KEY) 1>/dev/null
ls -lt $(SIGNING_CERT) $(SIGNING_KEY)
rm $TMP_FILE
env:
CERTIFICATE: $(${{ parameters.certificateName }})
displayName: "Save certificate"

View File

@ -22,10 +22,17 @@ resources:
name: Cisco-8000-sonic/platform-cisco-8000 name: Cisco-8000-sonic/platform-cisco-8000
endpoint: cisco-connection endpoint: cisco-connection
variables: variables:
- group: SONIC-AKV-STROAGE-1 - group: SONIC-AKV-STROAGE-1
- name: StorageSASKey - name: StorageSASKey
value: $(sonicstorage-SasToken) value: $(sonicstorage-SasToken)
- name: SONIC_ENABLE_SECUREBOOT_SIGNATURE
value: y
- name: SIGNING_KEY
value: /etc/certificates/sonic-secure-boot-private.pem
- name: SIGNING_CERT
value: $(Build.StagingDirectory)/target/sonic-secure-boot-public.pem
stages: stages:
- stage: Build - stage: Build
@ -41,6 +48,7 @@ stages:
parameters: parameters:
buildOptions: 'USERNAME=admin SONIC_BUILD_JOBS=$(nproc) ${{ variables.VERSION_CONTROL_OPTIONS }}' buildOptions: 'USERNAME=admin SONIC_BUILD_JOBS=$(nproc) ${{ variables.VERSION_CONTROL_OPTIONS }}'
preSteps: preSteps:
- template: azure-pipelines-download-certificate.yml
- checkout: self - checkout: self
submodules: recursive submodules: recursive
path: s path: s
@ -90,5 +98,10 @@ stages:
StorageSASKey: $(StorageSASKey) StorageSASKey: $(StorageSASKey)
condition: ne(variables['Build.Reason'], 'PullRequest') condition: ne(variables['Build.Reason'], 'PullRequest')
displayName: "Override cisco sai packages" displayName: "Override cisco sai packages"
- script: |
echo "SONIC_ENABLE_SECUREBOOT_SIGNATURE := y" >> rules/config.user
echo "SIGNING_KEY := $(SIGNING_KEY)" >> rules/config.user
echo "SIGNING_CERT := $(SIGNING_CERT)" >> rules/config.user
displayName: "Enable secure boot signature"
jobGroups: jobGroups:
- name: cisco-8000 - name: cisco-8000