diff --git a/Makefile.work b/Makefile.work
index 93d6c58cf6..b849c435f1 100644
--- a/Makefile.work
+++ b/Makefile.work
@@ -315,8 +315,8 @@ endif
 ifneq ($(SECURE_UPGRADE_DEV_SIGNING_KEY),)
 	DOCKER_RUN += -v $(SECURE_UPGRADE_DEV_SIGNING_KEY):$(SECURE_UPGRADE_DEV_SIGNING_KEY):ro
 endif
-ifneq ($(SECURE_UPGRADE_DEV_SIGNING_CERT),)
-	DOCKER_RUN += -v $(SECURE_UPGRADE_DEV_SIGNING_CERT):$(SECURE_UPGRADE_DEV_SIGNING_CERT):ro
+ifneq ($(SECURE_UPGRADE_SIGNING_CERT),)
+	DOCKER_RUN += -v $(SECURE_UPGRADE_SIGNING_CERT):$(SECURE_UPGRADE_SIGNING_CERT):ro
 endif
 # Mount the Signing prod tool in the slave container
 $(info "SECURE_UPGRADE_PROD_SIGNING_TOOL": "$(SECURE_UPGRADE_PROD_SIGNING_TOOL)")
@@ -545,7 +545,7 @@ SONIC_BUILD_INSTRUCTION := $(MAKE) \
 		SONIC_ENABLE_SECUREBOOT_SIGNATURE=$(SONIC_ENABLE_SECUREBOOT_SIGNATURE) \
 		SECURE_UPGRADE_MODE=$(SECURE_UPGRADE_MODE) \
 		SECURE_UPGRADE_DEV_SIGNING_KEY=$(SECURE_UPGRADE_DEV_SIGNING_KEY) \
-		SECURE_UPGRADE_DEV_SIGNING_CERT=$(SECURE_UPGRADE_DEV_SIGNING_CERT) \
+		SECURE_UPGRADE_SIGNING_CERT=$(SECURE_UPGRADE_SIGNING_CERT) \
 		SECURE_UPGRADE_PROD_SIGNING_TOOL=$(SECURE_UPGRADE_PROD_SIGNING_TOOL) \
 		SONIC_DEFAULT_CONTAINER_REGISTRY=$(DEFAULT_CONTAINER_REGISTRY) \
 		ENABLE_HOST_SERVICE_ON_START=$(ENABLE_HOST_SERVICE_ON_START) \
diff --git a/build_debian.sh b/build_debian.sh
index f789a2d011..6ead422e1b 100755
--- a/build_debian.sh
+++ b/build_debian.sh
@@ -651,8 +651,8 @@ if [[ $SECURE_UPGRADE_MODE == 'dev' || $SECURE_UPGRADE_MODE == "prod" && $SONIC_
                                                 shim-unsigned \
                                                 grub-efi
 
-    if [ ! -f $SECURE_UPGRADE_DEV_SIGNING_CERT ]; then
-        echo "Error: SONiC SECURE_UPGRADE_DEV_SIGNING_CERT=$SECURE_UPGRADE_DEV_SIGNING_CERT key missing"
+    if [ ! -f $SECURE_UPGRADE_SIGNING_CERT ]; then
+        echo "Error: SONiC SECURE_UPGRADE_SIGNING_CERT=$SECURE_UPGRADE_SIGNING_CERT key missing"
         exit 1
     fi
 
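Review bot: The rewritten guard `if [ ! -f $SECURE_UPGRADE_SIGNING_CERT ]; then` in the build_debian.sh hunk leaves the path unquoted, so when the variable is empty the test collapses to `[ ! -f ]`, which evaluates false, and the build continues past the missing-certificate check instead of exiting; quote it: `if [ ! -f "$SECURE_UPGRADE_SIGNING_CERT" ]; then`. The message on the following line still says `key missing` although the renamed variable holds a certificate; `... certificate missing` would match. The same unquoted expansion is passed as the `-c` argument in the three script invocations of the @@ -667 and @@ -682 hunks, where an empty value lets `-c` consume the following `-p` or `-k` token as its operand; how each script then behaves depends on its option parsing, which is not in the diff. The enclosing `if [[ $SECURE_UPGRADE_MODE == ... ]]` block starts and ends outside the hunk.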
@@ -667,7 +667,7 @@ if [[ $SECURE_UPGRADE_MODE == 'dev' || $SECURE_UPGRADE_MODE == "prod" && $SONIC_
         sudo ./scripts/signing_secure_boot_dev.sh -a $CONFIGURED_ARCH \
                                                   -r $FILESYSTEM_ROOT \
                                                   -l $LINUX_KERNEL_VERSION \
-                                                  -c $SECURE_UPGRADE_DEV_SIGNING_CERT \
+                                                  -c $SECURE_UPGRADE_SIGNING_CERT \
                                                   -p $SECURE_UPGRADE_DEV_SIGNING_KEY
     elif [[ $SECURE_UPGRADE_MODE == "prod" ]]; then
         # Here Vendor signing should be implemented
@@ -682,12 +682,12 @@ if [[ $SECURE_UPGRADE_MODE == 'dev' || $SECURE_UPGRADE_MODE == "prod" && $SONIC_
 
     # verifying all EFI files and kernel modules in $OUTPUT_SEC_BOOT_DIR
     sudo ./scripts/secure_boot_signature_verification.sh -e $OUTPUT_SEC_BOOT_DIR \
-                                                          -c $SECURE_UPGRADE_DEV_SIGNING_CERT \
+                                                          -c $SECURE_UPGRADE_SIGNING_CERT \
                                                           -k $FILESYSTEM_ROOT
 
     # verifying vmlinuz file.
     sudo ./scripts/secure_boot_signature_verification.sh -e $FILESYSTEM_ROOT/boot/vmlinuz-${LINUX_KERNEL_VERSION}-${CONFIGURED_ARCH} \
-                                                          -c $SECURE_UPGRADE_DEV_SIGNING_CERT \
+                                                          -c $SECURE_UPGRADE_SIGNING_CERT \
                                                           -k $FILESYSTEM_ROOT
 fi
 echo "Secure Boot support build stage: END."
diff --git a/rules/config b/rules/config
index cb2b83bf55..dc718014f4 100644
--- a/rules/config
+++ b/rules/config
@@ -223,11 +223,11 @@ SONIC_ENABLE_SECUREBOOT_SIGNATURE ?= n
 
 # Full Secure Boot feature flags.
 # SECURE_UPGRADE_DEV_SIGNING_KEY - path to development signing key, used for image signing during build
-# SECURE_UPGRADE_DEV_SIGNING_CERT - path to development signing certificate, used for image signing during build
+# SECURE_UPGRADE_SIGNING_CERT - path to development signing certificate, used for image signing during build
 # SECURE_UPGRADE_MODE - enum value for secure upgrade mode, valid options are "dev", "prod" and "no_sign"
 # SECURE_UPGRADE_PROD_SIGNING_TOOL - path to a vendor signing tool for production flow.
 SECURE_UPGRADE_DEV_SIGNING_KEY ?=
-SECURE_UPGRADE_DEV_SIGNING_CERT ?=
+SECURE_UPGRADE_SIGNING_CERT ?=
 SECURE_UPGRADE_MODE = "no_sign"
 SECURE_UPGRADE_PROD_SIGNING_TOOL ?=
 # PACKAGE_URL_PREFIX - the package url prefix
diff --git a/rules/linux-kernel.dep b/rules/linux-kernel.dep
index 7e2dd47414..e577ca7f44 100644
--- a/rules/linux-kernel.dep
+++ b/rules/linux-kernel.dep
@@ -4,7 +4,7 @@ DEP_FILES := rules/linux-kernel.mk rules/linux-kernel.dep
 SMDEP_FILES := $(addprefix $(SPATH)/,$(shell cd $(SPATH) && git ls-files))
 
 DEP_FLAGS := $(SONIC_COMMON_FLAGS_LIST) \
-             $(KERNEL_PROCURE_METHOD) $(KERNEL_CACHE_PATH) $(SECURE_UPGRADE_MODE) $(SECURE_UPGRADE_DEV_SIGNING_CERT)
+             $(KERNEL_PROCURE_METHOD) $(KERNEL_CACHE_PATH) $(SECURE_UPGRADE_MODE) $(SECURE_UPGRADE_SIGNING_CERT)
 
 $(LINUX_HEADERS_COMMON)_CACHE_MODE := GIT_CONTENT_SHA
 $(LINUX_HEADERS_COMMON)_DEP_FLAGS := $(DEP_FLAGS)
diff --git a/slave.mk b/slave.mk
index 1144541be2..719ddeebfc 100644
--- a/slave.mk
+++ b/slave.mk
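Review bot: The changed comment line in rules/config still reads `path to development signing certificate` although the variable has dropped its DEV qualifier and, per the build_debian.sh hunks in this same diff, is also handed to secure_boot_signature_verification.sh to verify the signed output; the description should state that role, e.g. `# SECURE_UPGRADE_SIGNING_CERT - path to the signing certificate; paired with SECURE_UPGRADE_DEV_SIGNING_KEY for dev signing and used to verify the signed EFI files and kernel modules during build`. Whether a vendor certificate is expected at this path in "prod" mode is not stated anywhere in the diff and is worth spelling out on this line.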
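Review bot: The replaced DEP_FLAGS line in rules/linux-kernel.dep feeds only the certificate's path string into the dependency flags, not its contents, so if `$(LINUX_HEADERS_COMMON)_DEP_FLAGS` participates in the cache key as the two following lines suggest, replacing the certificate file at an unchanged path will not invalidate cached kernel artifacts. If the certificate contents influence what gets cached, consider also keying on a digest, e.g. appending `$(if $(SECURE_UPGRADE_SIGNING_CERT),$(shell sha256sum $(SECURE_UPGRADE_SIGNING_CERT) | cut -d' ' -f1))` to DEP_FLAGS; since DEP_FLAGS is a `:=` assignment the shell runs once at parse time.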
@@ -381,7 +381,7 @@ $(info "PASSWORD" : "$(PASSWORD)")
 $(info "CHANGE_DEFAULT_PASSWORD" : "$(CHANGE_DEFAULT_PASSWORD)")
 $(info "SECURE_UPGRADE_MODE" : "$(SECURE_UPGRADE_MODE)")
 $(info "SECURE_UPGRADE_DEV_SIGNING_KEY" : "$(SECURE_UPGRADE_DEV_SIGNING_KEY)")
-$(info "SECURE_UPGRADE_DEV_SIGNING_CERT" : "$(SECURE_UPGRADE_DEV_SIGNING_CERT)")
+$(info "SECURE_UPGRADE_SIGNING_CERT" : "$(SECURE_UPGRADE_SIGNING_CERT)")
 $(info "SECURE_UPGRADE_PROD_SIGNING_TOOL": "$(SECURE_UPGRADE_PROD_SIGNING_TOOL)")
 $(info "ENABLE_DHCP_GRAPH_SERVICE" : "$(ENABLE_DHCP_GRAPH_SERVICE)")
 $(info "SHUTDOWN_BGP_ON_START" : "$(SHUTDOWN_BGP_ON_START)")
@@ -1267,7 +1267,7 @@ $(addprefix $(TARGET_PATH)/, $(SONIC_INSTALLERS)) : $(TARGET_PATH)/% : \
 		export include_teamd="$(INCLUDE_TEAMD)"
 		export include_router_advertiser="$(INCLUDE_ROUTER_ADVERTISER)"
 		export sonic_su_dev_signing_key="$(SECURE_UPGRADE_DEV_SIGNING_KEY)"
-		export sonic_su_dev_signing_cert="$(SECURE_UPGRADE_DEV_SIGNING_CERT)"
+		export sonic_su_signing_cert="$(SECURE_UPGRADE_SIGNING_CERT)"
 		export sonic_su_mode="$(SECURE_UPGRADE_MODE)"
 		export sonic_su_prod_signing_tool="$(SECURE_UPGRADE_PROD_SIGNING_TOOL)"
 		export include_system_telemetry="$(INCLUDE_SYSTEM_TELEMETRY)"
@@ -1441,7 +1441,7 @@ $(addprefix $(TARGET_PATH)/, $(SONIC_INSTALLERS)) : $(TARGET_PATH)/% : \
 			SONIC_ENABLE_IMAGE_SIGNATURE="$(SONIC_ENABLE_IMAGE_SIGNATURE)" \
 			SECURE_UPGRADE_MODE="$(SECURE_UPGRADE_MODE)" \
 			SECURE_UPGRADE_DEV_SIGNING_KEY="$(SECURE_UPGRADE_DEV_SIGNING_KEY)" \
-			SECURE_UPGRADE_DEV_SIGNING_CERT="$(SECURE_UPGRADE_DEV_SIGNING_CERT)" \
+			SECURE_UPGRADE_SIGNING_CERT="$(SECURE_UPGRADE_SIGNING_CERT)" \
 			SECURE_UPGRADE_PROD_SIGNING_TOOL="$(SECURE_UPGRADE_PROD_SIGNING_TOOL)" \
 			SIGNING_KEY="$(SIGNING_KEY)" \
 			SIGNING_CERT="$(SIGNING_CERT)" \
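Review bot: The @@ -1267 hunk renames the exported shell variable from `sonic_su_dev_signing_cert` to `sonic_su_signing_cert`, but no reader of either name appears in this diff, so any script that still looks up the old name will now see an empty value and, unless it fails closed, may skip certificate handling silently; confirm every consumer of `sonic_su_dev_signing_cert` was updated in the same change. The recipe containing these `export` lines starts and ends outside the hunk.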