[Ci]: Support to sign image for cisco-8000 uefi secure boot (#10616)
Why I did it [Ci]: Support to sign image for cisco-8000 uefi secure boot
This commit is contained in:
parent
e6c18fa6dd
commit
55a6faf925
33
.azure-pipelines/azure-pipelines-download-certificate.yml
Normal file
33
.azure-pipelines/azure-pipelines-download-certificate.yml
Normal file
@ -0,0 +1,33 @@
|
||||
parameters:
|
||||
- name: connectionName
|
||||
type: string
|
||||
default: sonic-dev-connection
|
||||
- name: kevaultName
|
||||
type: string
|
||||
default: sonic-kv
|
||||
- name: certificateName
|
||||
type: string
|
||||
default: sonic-secure-boot
|
||||
|
||||
steps:
|
||||
- task: AzureKeyVault@2
|
||||
inputs:
|
||||
connectedServiceName: ${{ parameters.connectionName }}
|
||||
keyVaultName: ${{ parameters.kevaultName }}
|
||||
secretsFilter: ${{ parameters.certificateName }}
|
||||
|
||||
- script: |
|
||||
set -e
|
||||
TMP_FILE=$(mktemp)
|
||||
echo "$CERTIFICATE" | base64 -d > $TMP_FILE
|
||||
sudo mkdir -p /etc/certificates
|
||||
mkdir -p $(Build.StagingDirectory)/target
|
||||
# Save the public key
|
||||
openssl pkcs12 -in $TMP_FILE -clcerts --nokeys -nodes -passin pass: | sed -z -e "s/.*\(-----BEGIN CERTIFICATE\)/\1/" > $(SIGNING_CERT)
|
||||
# Save the private key
|
||||
openssl pkcs12 -in $TMP_FILE -nocerts -nodes -passin pass: | sed -z -e "s/.*\(-----BEGIN PRIVATE KEY\)/\1/" | sudo tee $(SIGNING_KEY) 1>/dev/null
|
||||
ls -lt $(SIGNING_CERT) $(SIGNING_KEY)
|
||||
rm $TMP_FILE
|
||||
env:
|
||||
CERTIFICATE: $(${{ parameters.certificateName }})
|
||||
displayName: "Save certificate"
|
@ -22,10 +22,17 @@ resources:
|
||||
name: Cisco-8000-sonic/platform-cisco-8000
|
||||
endpoint: cisco-connection
|
||||
|
||||
|
||||
variables:
|
||||
- group: SONIC-AKV-STROAGE-1
|
||||
- name: StorageSASKey
|
||||
value: $(sonicstorage-SasToken)
|
||||
- name: SONIC_ENABLE_SECUREBOOT_SIGNATURE
|
||||
value: y
|
||||
- name: SIGNING_KEY
|
||||
value: /etc/certificates/sonic-secure-boot-private.pem
|
||||
- name: SIGNING_CERT
|
||||
value: $(Build.StagingDirectory)/target/sonic-secure-boot-public.pem
|
||||
|
||||
stages:
|
||||
- stage: Build
|
||||
@ -41,6 +48,7 @@ stages:
|
||||
parameters:
|
||||
buildOptions: 'USERNAME=admin SONIC_BUILD_JOBS=$(nproc) ${{ variables.VERSION_CONTROL_OPTIONS }}'
|
||||
preSteps:
|
||||
- template: azure-pipelines-download-certificate.yml
|
||||
- checkout: self
|
||||
submodules: recursive
|
||||
path: s
|
||||
@ -90,5 +98,10 @@ stages:
|
||||
StorageSASKey: $(StorageSASKey)
|
||||
condition: ne(variables['Build.Reason'], 'PullRequest')
|
||||
displayName: "Override cisco sai packages"
|
||||
- script: |
|
||||
echo "SONIC_ENABLE_SECUREBOOT_SIGNATURE := y" >> rules/config.user
|
||||
echo "SIGNING_KEY := $(SIGNING_KEY)" >> rules/config.user
|
||||
echo "SIGNING_CERT := $(SIGNING_CERT)" >> rules/config.user
|
||||
displayName: "Enable secure boot signature"
|
||||
jobGroups:
|
||||
- name: cisco-8000
|
||||
|
Loading…
Reference in New Issue
Block a user