Change SECURE_UPGRADE_DEV_SIGNING_CERT to SECURE_UPGRADE_SIGNING_CERT (#14591)

Depends on https://github.com/sonic-net/sonic-linux-kernel/pull/315

#### Why I did it
The name SECURE_UPGRADE_DEV_SIGNING_CERT is misleading: this flag is relevant to both dev and prod signing.

#### How I did it
Rename all mentions of name SECURE_UPGRADE_DEV_SIGNING_CERT to SECURE_UPGRADE_SIGNING_CERT - this is also done with PR in sonic-linux-kernel repository

#### How to verify it
Build SONiC using your own prod script
DavidZagury 2023-04-24 21:17:51 +03:00 committed by GitHub
parent c422cab5eb
commit 90f45d9774
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 14 additions and 14 deletions


@ -315,8 +315,8 @@ endif
ifneq ($(SECURE_UPGRADE_DEV_SIGNING_KEY),)
DOCKER_RUN += -v $(SECURE_UPGRADE_DEV_SIGNING_KEY):$(SECURE_UPGRADE_DEV_SIGNING_KEY):ro
endif
ifneq ($(SECURE_UPGRADE_DEV_SIGNING_CERT),)
DOCKER_RUN += -v $(SECURE_UPGRADE_DEV_SIGNING_CERT):$(SECURE_UPGRADE_DEV_SIGNING_CERT):ro
ifneq ($(SECURE_UPGRADE_SIGNING_CERT),)
DOCKER_RUN += -v $(SECURE_UPGRADE_SIGNING_CERT):$(SECURE_UPGRADE_SIGNING_CERT):ro
endif
# Mount the Signing prod tool in the slave container
$(info "SECURE_UPGRADE_PROD_SIGNING_TOOL": "$(SECURE_UPGRADE_PROD_SIGNING_TOOL)")
@ -545,7 +545,7 @@ SONIC_BUILD_INSTRUCTION := $(MAKE) \
SONIC_ENABLE_SECUREBOOT_SIGNATURE=$(SONIC_ENABLE_SECUREBOOT_SIGNATURE) \
SECURE_UPGRADE_MODE=$(SECURE_UPGRADE_MODE) \
SECURE_UPGRADE_DEV_SIGNING_KEY=$(SECURE_UPGRADE_DEV_SIGNING_KEY) \
SECURE_UPGRADE_DEV_SIGNING_CERT=$(SECURE_UPGRADE_DEV_SIGNING_CERT) \
SECURE_UPGRADE_SIGNING_CERT=$(SECURE_UPGRADE_SIGNING_CERT) \
SECURE_UPGRADE_PROD_SIGNING_TOOL=$(SECURE_UPGRADE_PROD_SIGNING_TOOL) \
SONIC_DEFAULT_CONTAINER_REGISTRY=$(DEFAULT_CONTAINER_REGISTRY) \
ENABLE_HOST_SERVICE_ON_START=$(ENABLE_HOST_SERVICE_ON_START) \


@ -651,8 +651,8 @@ if [[ $SECURE_UPGRADE_MODE == 'dev' || $SECURE_UPGRADE_MODE == "prod" && $SONIC_
shim-unsigned \
grub-efi
if [ ! -f $SECURE_UPGRADE_DEV_SIGNING_CERT ]; then
echo "Error: SONiC SECURE_UPGRADE_DEV_SIGNING_CERT=$SECURE_UPGRADE_DEV_SIGNING_CERT key missing"
if [ ! -f $SECURE_UPGRADE_SIGNING_CERT ]; then
echo "Error: SONiC SECURE_UPGRADE_SIGNING_CERT=$SECURE_UPGRADE_SIGNING_CERT key missing"
exit 1
fi
@ -667,7 +667,7 @@ if [[ $SECURE_UPGRADE_MODE == 'dev' || $SECURE_UPGRADE_MODE == "prod" && $SONIC_
sudo ./scripts/signing_secure_boot_dev.sh -a $CONFIGURED_ARCH \
-r $FILESYSTEM_ROOT \
-l $LINUX_KERNEL_VERSION \
-c $SECURE_UPGRADE_DEV_SIGNING_CERT \
-c $SECURE_UPGRADE_SIGNING_CERT \
-p $SECURE_UPGRADE_DEV_SIGNING_KEY
elif [[ $SECURE_UPGRADE_MODE == "prod" ]]; then
# Here Vendor signing should be implemented
@ -682,12 +682,12 @@ if [[ $SECURE_UPGRADE_MODE == 'dev' || $SECURE_UPGRADE_MODE == "prod" && $SONIC_
# verifying all EFI files and kernel modules in $OUTPUT_SEC_BOOT_DIR
sudo ./scripts/secure_boot_signature_verification.sh -e $OUTPUT_SEC_BOOT_DIR \
-c $SECURE_UPGRADE_DEV_SIGNING_CERT \
-c $SECURE_UPGRADE_SIGNING_CERT \
-k $FILESYSTEM_ROOT
# verifying vmlinuz file.
sudo ./scripts/secure_boot_signature_verification.sh -e $FILESYSTEM_ROOT/boot/vmlinuz-${LINUX_KERNEL_VERSION}-${CONFIGURED_ARCH} \
-c $SECURE_UPGRADE_DEV_SIGNING_CERT \
-c $SECURE_UPGRADE_SIGNING_CERT \
-k $FILESYSTEM_ROOT
fi
echo "Secure Boot support build stage: END."
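Review bot: The renamed test `if [ ! -f $SECURE_UPGRADE_SIGNING_CERT ]; then` still leaves the expansion unquoted, so when the variable is empty the command collapses to `[ ! -f ]`, which evaluates false, and the build continues into the signing step with no certificate path instead of stopping; the message on the following line also reports a "key missing" for what is a certificate. Quote the expansion and fix the wording: `if [ ! -f "$SECURE_UPGRADE_SIGNING_CERT" ]; then` and `echo "Error: SONiC SECURE_UPGRADE_SIGNING_CERT=$SECURE_UPGRADE_SIGNING_CERT certificate missing"`. The same unquoted value is passed as the `-c` argument in the two later hunks of this file, where a path containing whitespace would be split. The enclosing `if [[ $SECURE_UPGRADE_MODE == 'dev' ... ]]` block starts before the first hunk.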


@ -223,11 +223,11 @@ SONIC_ENABLE_SECUREBOOT_SIGNATURE ?= n
# Full Secure Boot feature flags.
# SECURE_UPGRADE_DEV_SIGNING_KEY - path to development signing key, used for image signing during build
# SECURE_UPGRADE_DEV_SIGNING_CERT - path to development signing certificate, used for image signing during build
# SECURE_UPGRADE_SIGNING_CERT - path to development signing certificate, used for image signing during build
# SECURE_UPGRADE_MODE - enum value for secure upgrade mode, valid options are "dev", "prod" and "no_sign"
# SECURE_UPGRADE_PROD_SIGNING_TOOL - path to a vendor signing tool for production flow.
SECURE_UPGRADE_DEV_SIGNING_KEY ?=
SECURE_UPGRADE_DEV_SIGNING_CERT ?=
SECURE_UPGRADE_SIGNING_CERT ?=
SECURE_UPGRADE_MODE = "no_sign"
SECURE_UPGRADE_PROD_SIGNING_TOOL ?=
# PACKAGE_URL_PREFIX - the package url prefix
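Review bot: The comment `# SECURE_UPGRADE_SIGNING_CERT - path to development signing certificate, used for image signing during build` still describes the certificate as development-only, which is exactly the misreading the commit description says the rename is meant to remove. Suggest `# SECURE_UPGRADE_SIGNING_CERT - path to the signing certificate (dev or prod flow), used for image signing and for signature verification during build`, since build_debian.sh in this commit passes it both to the signing script and to secure_boot_signature_verification.sh. The `SECURE_UPGRADE_DEV_SIGNING_KEY` comment above it can stay as written, as the key variable keeps its dev-specific name.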


@ -4,7 +4,7 @@ DEP_FILES := rules/linux-kernel.mk rules/linux-kernel.dep
SMDEP_FILES := $(addprefix $(SPATH)/,$(shell cd $(SPATH) && git ls-files))
DEP_FLAGS := $(SONIC_COMMON_FLAGS_LIST) \
$(KERNEL_PROCURE_METHOD) $(KERNEL_CACHE_PATH) $(SECURE_UPGRADE_MODE) $(SECURE_UPGRADE_DEV_SIGNING_CERT)
$(KERNEL_PROCURE_METHOD) $(KERNEL_CACHE_PATH) $(SECURE_UPGRADE_MODE) $(SECURE_UPGRADE_SIGNING_CERT)
$(LINUX_HEADERS_COMMON)_CACHE_MODE := GIT_CONTENT_SHA
$(LINUX_HEADERS_COMMON)_DEP_FLAGS := $(DEP_FLAGS)
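Review bot: The renamed `$(SECURE_UPGRADE_SIGNING_CERT)` term in `DEP_FLAGS` contributes only the certificate's path, so if `$(LINUX_HEADERS_COMMON)_DEP_FLAGS` feeds the build cache key as its name suggests, swapping the certificate file at an unchanged path would not invalidate a cached kernel build produced with the previous certificate. Consider adding a content digest next to the path, e.g. `$(if $(wildcard $(SECURE_UPGRADE_SIGNING_CERT)),$(shell sha256sum $(SECURE_UPGRADE_SIGNING_CERT)))`, or a comment stating that the cache key is path-based by design. The `DEP_FLAGS :=` assignment is shown in full in this hunk.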


@ -381,7 +381,7 @@ $(info "PASSWORD" : "$(PASSWORD)")
$(info "CHANGE_DEFAULT_PASSWORD" : "$(CHANGE_DEFAULT_PASSWORD)")
$(info "SECURE_UPGRADE_MODE" : "$(SECURE_UPGRADE_MODE)")
$(info "SECURE_UPGRADE_DEV_SIGNING_KEY" : "$(SECURE_UPGRADE_DEV_SIGNING_KEY)")
$(info "SECURE_UPGRADE_DEV_SIGNING_CERT" : "$(SECURE_UPGRADE_DEV_SIGNING_CERT)")
$(info "SECURE_UPGRADE_SIGNING_CERT" : "$(SECURE_UPGRADE_SIGNING_CERT)")
$(info "SECURE_UPGRADE_PROD_SIGNING_TOOL": "$(SECURE_UPGRADE_PROD_SIGNING_TOOL)")
$(info "ENABLE_DHCP_GRAPH_SERVICE" : "$(ENABLE_DHCP_GRAPH_SERVICE)")
$(info "SHUTDOWN_BGP_ON_START" : "$(SHUTDOWN_BGP_ON_START)")
@ -1267,7 +1267,7 @@ $(addprefix $(TARGET_PATH)/, $(SONIC_INSTALLERS)) : $(TARGET_PATH)/% : \
export include_teamd="$(INCLUDE_TEAMD)"
export include_router_advertiser="$(INCLUDE_ROUTER_ADVERTISER)"
export sonic_su_dev_signing_key="$(SECURE_UPGRADE_DEV_SIGNING_KEY)"
export sonic_su_dev_signing_cert="$(SECURE_UPGRADE_DEV_SIGNING_CERT)"
export sonic_su_signing_cert="$(SECURE_UPGRADE_SIGNING_CERT)"
export sonic_su_mode="$(SECURE_UPGRADE_MODE)"
export sonic_su_prod_signing_tool="$(SECURE_UPGRADE_PROD_SIGNING_TOOL)"
export include_system_telemetry="$(INCLUDE_SYSTEM_TELEMETRY)"
@ -1441,7 +1441,7 @@ $(addprefix $(TARGET_PATH)/, $(SONIC_INSTALLERS)) : $(TARGET_PATH)/% : \
SONIC_ENABLE_IMAGE_SIGNATURE="$(SONIC_ENABLE_IMAGE_SIGNATURE)" \
SECURE_UPGRADE_MODE="$(SECURE_UPGRADE_MODE)" \
SECURE_UPGRADE_DEV_SIGNING_KEY="$(SECURE_UPGRADE_DEV_SIGNING_KEY)" \
SECURE_UPGRADE_DEV_SIGNING_CERT="$(SECURE_UPGRADE_DEV_SIGNING_CERT)" \
SECURE_UPGRADE_SIGNING_CERT="$(SECURE_UPGRADE_SIGNING_CERT)" \
SECURE_UPGRADE_PROD_SIGNING_TOOL="$(SECURE_UPGRADE_PROD_SIGNING_TOOL)" \
SIGNING_KEY="$(SIGNING_KEY)" \
SIGNING_CERT="$(SIGNING_CERT)" \
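Review bot: The line `export sonic_su_signing_cert="$(SECURE_UPGRADE_SIGNING_CERT)"` changes the name of an environment variable handed to whatever the installer recipe runs, and a consumer still reading `sonic_su_dev_signing_cert` would see an empty string rather than an error. None of the five files in this commit reads that variable, so I cannot tell from here whether such a consumer exists; worth confirming before merge, or keeping a transitional alias `export sonic_su_dev_signing_cert="$(SECURE_UPGRADE_SIGNING_CERT)"` with a comment marking it deprecated. The recipe belongs to the `$(addprefix $(TARGET_PATH)/, $(SONIC_INSTALLERS))` rule, which starts before this hunk.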