From 749bbb6ea4f1711d405bc4f0f2c92eb57580b6da Mon Sep 17 00:00:00 2001
From: Sachin Naik <sacnaik@gmail.com>
Date: Mon, 18 Apr 2022 22:23:15 -0700
Subject: [PATCH] secureboot: Enable signing SONiC kernel (#10557)

Why I did it
To sign SONiC kernel image and allow secure boot based system to verify SONiC image before loading into the system.

How I did it
Pass following parameter to rules/config.user
Ex:
SONIC_ENABLE_SECUREBOOT_SIGNATURE := y
SIGNING_KEY := /path/to/key/private.key
SIGNING_CERT := /path/to/public/public.cert

How to verify it
Secure boot enabled system enrolled with right public key of the, image in the platform UEFI database will able to verify image before load.

Alternatively one can verify with offline sbsign tool as below.

export SBSIGN_KEY=/abc/bcd/xyz/
sbverify --cert $SBSIGN_KEY/public_cert.cert fsroot-platform-XYZ/boot/vmlinuz-5.10.0-8-2-amd64 mage

O/P:
Signature verification OK
---
 Makefile.work                      | 12 ++++++++++++
 build_debian.sh                    | 17 +++++++++++++++++
 rules/config                       |  7 +++++++
 slave.mk                           |  3 +++
 sonic-slave-bullseye/Dockerfile.j2 |  1 +
 sonic-slave-buster/Dockerfile.j2   |  1 +
 6 files changed, 41 insertions(+)

diff --git a/Makefile.work b/Makefile.work
index f2610ab34e..7da4c03482 100644
--- a/Makefile.work
+++ b/Makefile.work
@@ -188,6 +188,17 @@ ifneq ($(SONIC_DPKG_CACHE_SOURCE),)
 	DOCKER_RUN += -v "$(SONIC_DPKG_CACHE_SOURCE):/dpkg_cache:rw"
 endif
 
+ifeq ($(SONIC_ENABLE_SECUREBOOT_SIGNATURE), y)
+ifneq ($(SIGNING_KEY),)
+	DOCKER_SIGNING_SOURCE := $(shell dirname $(SIGNING_KEY))
+	DOCKER_RUN += -v "$(DOCKER_SIGNING_SOURCE):$(DOCKER_SIGNING_SOURCE):ro"
+endif
+ifneq ($(SIGNING_CERT),)
+	DOCKER_SIGNING_SOURCE := $(shell dirname $(SIGNING_CERT))
+	DOCKER_RUN += -v "$(DOCKER_SIGNING_SOURCE):$(DOCKER_SIGNING_SOURCE):ro"
+endif
+endif
+
 ifeq ($(SONIC_CONFIG_USE_NATIVE_DOCKERD_FOR_BUILD), y)
 ifneq ($(MULTIARCH_QEMU_ENVIRON), y)
     DOCKER_RUN += -v /var/run/docker.sock:/var/run/docker.sock
@@ -290,6 +301,7 @@ SONIC_BUILD_INSTRUCTION :=  make \
                            EXTRA_DOCKER_TARGETS=$(EXTRA_DOCKER_TARGETS) \
                            BUILD_LOG_TIMESTAMP=$(BUILD_LOG_TIMESTAMP) \
                            SONIC_ENABLE_IMAGE_SIGNATURE=$(ENABLE_IMAGE_SIGNATURE) \
+                           SONIC_ENABLE_SECUREBOOT_SIGNATURE=$(SONIC_ENABLE_SECUREBOOT_SIGNATURE) \
                            SONIC_DEFAULT_CONTAINER_REGISTRY=$(DEFAULT_CONTAINER_REGISTRY) \
                            ENABLE_HOST_SERVICE_ON_START=$(ENABLE_HOST_SERVICE_ON_START) \
                            SLAVE_DIR=$(SLAVE_DIR) \
diff --git a/build_debian.sh b/build_debian.sh
index fb5c0be720..8431432198 100755
--- a/build_debian.sh
+++ b/build_debian.sh
@@ -143,6 +143,23 @@ if [[ $CONFIGURED_ARCH == amd64 ]]; then
     sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get -y install dmidecode hdparm
 fi
 
+## Sign the Linux kernel
+if [ "$SONIC_ENABLE_SECUREBOOT_SIGNATURE" = "y" ]; then
+    if [ ! -f $SIGNING_KEY ]; then
+       echo "Error: SONiC linux kernel signing key missing"
+       exit 1
+    fi
+    if [ ! -f $SIGNING_CERT ]; then
+       echo "Error: SONiC linux kernel signing certificate missing"
+       exit 1
+    fi
+
+    echo '[INFO] Signing SONiC linux kernel image'
+    K=$FILESYSTEM_ROOT/boot/vmlinuz-${LINUX_KERNEL_VERSION}-amd64
+    sbsign --key $SIGNING_KEY --cert $SIGNING_CERT --output /tmp/${K##*/} ${K}
+    sudo cp -f /tmp/${K##*/} ${K}
+fi
+
 ## Update initramfs for booting with squashfs+overlay
 cat files/initramfs-tools/modules | sudo tee -a $FILESYSTEM_ROOT/etc/initramfs-tools/modules > /dev/null
 
diff --git a/rules/config b/rules/config
index a4959e6af7..af43f51280 100644
--- a/rules/config
+++ b/rules/config
@@ -180,6 +180,13 @@ K8s_GCR_IO_PAUSE_VERSION = 3.4.1
 # The relative path is build root folder.
 SONIC_ENABLE_IMAGE_SIGNATURE ?= n
 
+# SONIC_ENABLE_SECUREBOOT_SIGNATURE - enable SONiC kernel signing to support UEFI secureboot
+# To support UEFI secureboot chain of trust requires EFI kernel to be signed as a PE binary
+#     SIGNING_KEY =
+#     SIGNING_CERT =
+# The absolute path should be provided.
+SONIC_ENABLE_SECUREBOOT_SIGNATURE ?= n
+
 # PACKAGE_URL_PREFIX - the package url prefix
 PACKAGE_URL_PREFIX ?= https://packages.trafficmanager.net/public/packages
 
diff --git a/slave.mk b/slave.mk
index e8317bc7be..9dd3a3d69e 100644
--- a/slave.mk
+++ b/slave.mk
@@ -1167,6 +1167,9 @@ $(addprefix $(TARGET_PATH)/, $(SONIC_INSTALLERS)) : $(TARGET_PATH)/% : \
 		TARGET_PATH=$(TARGET_PATH) \
 		SONIC_ENFORCE_VERSIONS=$(SONIC_ENFORCE_VERSIONS) \
 		TRUSTED_GPG_URLS=$(TRUSTED_GPG_URLS) \
+		SONIC_ENABLE_SECUREBOOT_SIGNATURE="$(SONIC_ENABLE_SECUREBOOT_SIGNATURE)" \
+		SIGNING_KEY="$(SIGNING_KEY)" \
+		SIGNING_CERT="$(SIGNING_CERT)" \
 		PACKAGE_URL_PREFIX=$(PACKAGE_URL_PREFIX) \
 		MULTIARCH_QEMU_ENVIRON=$(MULTIARCH_QEMU_ENVIRON) \
 			./build_debian.sh $(LOG)
diff --git a/sonic-slave-bullseye/Dockerfile.j2 b/sonic-slave-bullseye/Dockerfile.j2
index 3ce35390c6..7ce2cbe1a2 100644
--- a/sonic-slave-bullseye/Dockerfile.j2
+++ b/sonic-slave-bullseye/Dockerfile.j2
@@ -118,6 +118,7 @@ RUN apt-get update && apt-get install -y \
         devscripts \
         quilt \
         stgit \
+        sbsigntool \
 # For platform-modules build
         module-assistant \
 # For thrift build\
diff --git a/sonic-slave-buster/Dockerfile.j2 b/sonic-slave-buster/Dockerfile.j2
index 974fab8c8e..13cb214a21 100644
--- a/sonic-slave-buster/Dockerfile.j2
+++ b/sonic-slave-buster/Dockerfile.j2
@@ -125,6 +125,7 @@ RUN apt-get update && apt-get install -y \
         devscripts \
         quilt \
         stgit \
+        sbsigntool \
 # For platform-modules build
         module-assistant \
 # For thrift build\