Add SECURE_UPGRADE_PROD_TOOL_ARGS flag to make it possible for vendors to pass their own arguments on the prod signing script (#14581) (#15095)
This commit is contained in:
parent
a443f15617
commit
a9ffcc8a6d
@ -516,6 +516,7 @@ SONIC_BUILD_INSTRUCTION := $(MAKE) \
|
||||
SECURE_UPGRADE_DEV_SIGNING_KEY=$(SECURE_UPGRADE_DEV_SIGNING_KEY) \
|
||||
SECURE_UPGRADE_SIGNING_CERT=$(SECURE_UPGRADE_SIGNING_CERT) \
|
||||
SECURE_UPGRADE_PROD_SIGNING_TOOL=$(SECURE_UPGRADE_PROD_SIGNING_TOOL) \
|
||||
SECURE_UPGRADE_PROD_TOOL_ARGS=$(SECURE_UPGRADE_PROD_TOOL_ARGS) \
|
||||
SONIC_DEFAULT_CONTAINER_REGISTRY=$(DEFAULT_CONTAINER_REGISTRY) \
|
||||
ENABLE_HOST_SERVICE_ON_START=$(ENABLE_HOST_SERVICE_ON_START) \
|
||||
SLAVE_DIR=$(SLAVE_DIR) \
|
||||
|
@ -663,7 +663,11 @@ if [[ $SECURE_UPGRADE_MODE == 'dev' || $SECURE_UPGRADE_MODE == "prod" && $SONIC_
|
||||
exit 1
|
||||
fi
|
||||
|
||||
sudo $sonic_su_prod_signing_tool $CONFIGURED_ARCH $FILESYSTEM_ROOT $LINUX_KERNEL_VERSION $OUTPUT_SEC_BOOT_DIR
|
||||
sudo $sonic_su_prod_signing_tool -a $CONFIGURED_ARCH \
|
||||
-r $FILESYSTEM_ROOT \
|
||||
-l $LINUX_KERNEL_VERSION \
|
||||
-o $OUTPUT_SEC_BOOT_DIR \
|
||||
$SECURE_UPGRADE_PROD_TOOL_ARGS
|
||||
|
||||
# verifying all EFI files and kernel modules in $OUTPUT_SEC_BOOT_DIR
|
||||
sudo ./scripts/secure_boot_signature_verification.sh -e $OUTPUT_SEC_BOOT_DIR \
|
||||
|
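Review bot: The rewritten `sudo $sonic_su_prod_signing_tool` call leaves `$SECURE_UPGRADE_PROD_TOOL_ARGS` and the four `-a/-r/-l/-o` values unquoted; splitting the args string on whitespace is evidently the intent, but an unquoted expansion is also glob-expanded against the build directory, so a value containing `*`, `?` or `[` is rewritten before the tool sees it, and the path values now sit in the middle of the argument list where a space in `$FILESYSTEM_ROOT` or `$OUTPUT_SEC_BOOT_DIR` would misalign the flags. I would quote the fixed values (`-r "$FILESYSTEM_ROOT" \`, `-o "$OUTPUT_SEC_BOOT_DIR" \`) and pass the vendor options through an array, `read -r -a prod_tool_args <<< "$SECURE_UPGRADE_PROD_TOOL_ARGS"` followed by `"${prod_tool_args[@]}"`, which keeps the intended splitting without the globbing. Note also that the tool's interface changes from positional to flagged arguments in the same commit, which breaks any vendor script written against the old `ARCH ROOTFS KERNEL OUTDIR` order; the commit message should call that out. The enclosing `if` block starts outside the hunk.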
@ -223,10 +223,12 @@ SONIC_ENABLE_SECUREBOOT_SIGNATURE ?= n
|
||||
# SECURE_UPGRADE_SIGNING_CERT - path to development signing certificate, used for image signing during build
|
||||
# SECURE_UPGRADE_MODE - enum value for secure upgrade mode, valid options are "dev", "prod" and "no_sign"
|
||||
# SECURE_UPGRADE_PROD_SIGNING_TOOL - path to a vendor signing tool for production flow.
|
||||
# SECURE_UPGRADE_PROD_TOOL_ARGS - Extra arguments options for vendor to use to run his specific prod signing script
|
||||
SECURE_UPGRADE_DEV_SIGNING_KEY ?=
|
||||
SECURE_UPGRADE_SIGNING_CERT ?=
|
||||
SECURE_UPGRADE_MODE = "no_sign"
|
||||
SECURE_UPGRADE_PROD_SIGNING_TOOL ?=
|
||||
SECURE_UPGRADE_PROD_TOOL_ARGS ?=
|
||||
# PACKAGE_URL_PREFIX - the package url prefix
|
||||
PACKAGE_URL_PREFIX ?= https://packages.trafficmanager.net/public/packages
|
||||
|
||||
|
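Review bot: The new comment on `SECURE_UPGRADE_PROD_TOOL_ARGS` says only that it holds extra arguments and does not document the contract a vendor tool must honour, which is exactly what someone reading this file needs; the build calls the tool as `<tool> -a <arch> -r <rootfs> -l <kernel-version> -o <out-dir> <ARGS>` with ARGS split on whitespace, and slave.mk prints the value into the build log. I would replace the comment with `# SECURE_UPGRADE_PROD_TOOL_ARGS - extra options appended (whitespace-split, unquoted) to the SECURE_UPGRADE_PROD_SIGNING_TOOL call after its fixed -a/-r/-l/-o arguments; do not put secrets here, the value is echoed into the build log`. The grammar of the existing line ("for vendor to use to run his specific") also reads awkwardly and is fixed by that wording.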
2
slave.mk
2
slave.mk
@ -376,6 +376,7 @@ $(info "SECURE_UPGRADE_MODE" : "$(SECURE_UPGRADE_MODE)")
|
||||
$(info "SECURE_UPGRADE_DEV_SIGNING_KEY" : "$(SECURE_UPGRADE_DEV_SIGNING_KEY)")
|
||||
$(info "SECURE_UPGRADE_SIGNING_CERT" : "$(SECURE_UPGRADE_SIGNING_CERT)")
|
||||
$(info "SECURE_UPGRADE_PROD_SIGNING_TOOL": "$(SECURE_UPGRADE_PROD_SIGNING_TOOL)")
|
||||
$(info "SECURE_UPGRADE_PROD_TOOL_ARGS" : "$(SECURE_UPGRADE_PROD_TOOL_ARGS)")
|
||||
$(info "ENABLE_DHCP_GRAPH_SERVICE" : "$(ENABLE_DHCP_GRAPH_SERVICE)")
|
||||
$(info "SHUTDOWN_BGP_ON_START" : "$(SHUTDOWN_BGP_ON_START)")
|
||||
$(info "ENABLE_PFCWD_ON_START" : "$(ENABLE_PFCWD_ON_START)")
|
||||
@ -1439,6 +1440,7 @@ $(addprefix $(TARGET_PATH)/, $(SONIC_INSTALLERS)) : $(TARGET_PATH)/% : \
|
||||
SECURE_UPGRADE_DEV_SIGNING_KEY="$(SECURE_UPGRADE_DEV_SIGNING_KEY)" \
|
||||
SECURE_UPGRADE_SIGNING_CERT="$(SECURE_UPGRADE_SIGNING_CERT)" \
|
||||
SECURE_UPGRADE_PROD_SIGNING_TOOL="$(SECURE_UPGRADE_PROD_SIGNING_TOOL)" \
|
||||
SECURE_UPGRADE_PROD_TOOL_ARGS="$(SECURE_UPGRADE_PROD_TOOL_ARGS)" \
|
||||
SIGNING_KEY="$(SIGNING_KEY)" \
|
||||
SIGNING_CERT="$(SIGNING_CERT)" \
|
||||
CA_CERT="$(CA_CERT)" \
|
||||
|
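Review bot: The added `$(info "SECURE_UPGRADE_PROD_TOOL_ARGS" : ...)` line prints the raw option string into every build log, and the only stated purpose of that string is vendor-specific signing options, which in practice often carry HSM PINs, key passphrases or signing-service tokens; anything passed that way will land in CI output. Either document in rules/config that the variable must not carry secrets (have the tool read them from a file or an environment variable that is not logged), or print only whether it is set, e.g. `$(info "SECURE_UPGRADE_PROD_TOOL_ARGS" : "$(if $(strip $(SECURE_UPGRADE_PROD_TOOL_ARGS)),<set>,)")`. The second hunk wraps the value in double quotes when exporting it to the installer recipe, consistent with the neighbouring variables, but a value that itself contains a double quote will break that shell line, so the vendor-facing comment should state that quoting inside the value is not supported. Both enclosing rules start outside this section.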