[Ci]: Support to sign image for cisco-8000 uefi secure boot (#10616)
Why I did it [Ci]: Support to sign image for cisco-8000 uefi secure boot
parent
37e2848b3f
commit
508dda6ad3
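--- a/.azure-pipelines/azure-pipelines-download-certificate.yml
+++ b/.azure-pipelines/azure-pipelines-download-certificate.yml
@@ -0,0 +1,33 @@
+parameters:
+- name: connectionName
+type: string
+default: sonic-dev-connection
+- name: kevaultName
+type: string
+default: sonic-kv
+- name: certificateName
+type: string
+default: sonic-secure-boot
+
+steps:
+- task: AzureKeyVault@2
+inputs:
+connectedServiceName: ${{ parameters.connectionName }}
+keyVaultName: ${{ parameters.kevaultName }}
+secretsFilter: ${{ parameters.certificateName }}
+
+- script: |
+set -e
+TMP_FILE=$(mktemp)
+echo "$CERTIFICATE" | base64 -d > $TMP_FILE
+sudo mkdir -p /etc/certificates
+mkdir -p $(Build.StagingDirectory)/target
+# Save the public key
+openssl pkcs12 -in $TMP_FILE -clcerts --nokeys -nodes -passin pass: | sed -z -e "s/.*\(-----BEGIN CERTIFICATE\)/\1/" > $(SIGNING_CERT)
+# Save the private key
+openssl pkcs12 -in $TMP_FILE -nocerts -nodes -passin pass: | sed -z -e "s/.*\(-----BEGIN PRIVATE KEY\)/\1/" | sudo tee $(SIGNING_KEY) 1>/dev/null
+ls -lt $(SIGNING_CERT) $(SIGNING_KEY)
+rm $TMP_FILE
+env:
+CERTIFICATE: $(${{ parameters.certificateName }})
+displayName: "Save certificate"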
@ -22,10 +22,17 @@ resources:
|
|||||||
name: Cisco-8000-sonic/platform-cisco-8000
|
name: Cisco-8000-sonic/platform-cisco-8000
|
||||||
endpoint: cisco-connection
|
endpoint: cisco-connection
|
||||||
|
|
||||||
|
|
||||||
variables:
|
variables:
|
||||||
- group: SONIC-AKV-STROAGE-1
|
- group: SONIC-AKV-STROAGE-1
|
||||||
- name: StorageSASKey
|
- name: StorageSASKey
|
||||||
value: $(sonicstorage-SasToken)
|
value: $(sonicstorage-SasToken)
|
||||||
|
- name: SONIC_ENABLE_SECUREBOOT_SIGNATURE
|
||||||
|
value: y
|
||||||
|
- name: SIGNING_KEY
|
||||||
|
value: /etc/certificates/sonic-secure-boot-private.pem
|
||||||
|
- name: SIGNING_CERT
|
||||||
|
value: $(Build.StagingDirectory)/target/sonic-secure-boot-public.pem
|
||||||
|
|
||||||
stages:
|
stages:
|
||||||
- stage: Build
|
- stage: Build
|
||||||
@ -41,6 +48,7 @@ stages:
|
|||||||
parameters:
|
parameters:
|
||||||
buildOptions: 'USERNAME=admin SONIC_BUILD_JOBS=$(nproc) ${{ variables.VERSION_CONTROL_OPTIONS }}'
|
buildOptions: 'USERNAME=admin SONIC_BUILD_JOBS=$(nproc) ${{ variables.VERSION_CONTROL_OPTIONS }}'
|
||||||
preSteps:
|
preSteps:
|
||||||
|
- template: azure-pipelines-download-certificate.yml
|
||||||
- checkout: self
|
- checkout: self
|
||||||
submodules: recursive
|
submodules: recursive
|
||||||
path: s
|
path: s
|
||||||
@ -90,5 +98,10 @@ stages:
|
|||||||
StorageSASKey: $(StorageSASKey)
|
StorageSASKey: $(StorageSASKey)
|
||||||
condition: ne(variables['Build.Reason'], 'PullRequest')
|
condition: ne(variables['Build.Reason'], 'PullRequest')
|
||||||
displayName: "Override cisco sai packages"
|
displayName: "Override cisco sai packages"
|
||||||
|
- script: |
|
||||||
|
echo "SONIC_ENABLE_SECUREBOOT_SIGNATURE := y" >> rules/config.user
|
||||||
|
echo "SIGNING_KEY := $(SIGNING_KEY)" >> rules/config.user
|
||||||
|
echo "SIGNING_CERT := $(SIGNING_CERT)" >> rules/config.user
|
||||||
|
displayName: "Enable secure boot signature"
|
||||||
jobGroups:
|
jobGroups:
|
||||||
- name: cisco-8000
|
- name: cisco-8000
|
||||||
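Review bot: The new "Enable secure boot signature" step at the end of the last hunk runs on every build, including PullRequest builds, while the "Override cisco sai packages" step directly above it is gated with `condition: ne(variables['Build.Reason'], 'PullRequest')`; applying the same condition to this step, and gating the `azure-pipelines-download-certificate.yml` include in preSteps in the same way (e.g. under `${{ if ne(variables['Build.Reason'], 'PullRequest') }}:`), would keep PR-triggered builds from fetching the secure-boot signing key from Key Vault and emitting images signed with it. Whether the service connection already refuses PR builds is not visible here, so treat this as defense in depth rather than a confirmed exposure. The step also hard-codes `y` even though a `SONIC_ENABLE_SECUREBOOT_SIGNATURE` pipeline variable is introduced in the first hunk; `echo "SONIC_ENABLE_SECUREBOOT_SIGNATURE := $(SONIC_ENABLE_SECUREBOOT_SIGNATURE)" >> rules/config.user` keeps the two definitions from drifting apart.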
|