Fix issue with prod script not found, change the prod signing to work with flags to align to the dev script (#14580)
- Why I did it Fix issue with signing tool not running due to being called with the path from the host and not the path it is mounted on inside the docker-slave - How I did it Modified the path on the SECURE_UPGRADE_PROD_SIGNING_TOOL flag to the path where it is mounted inside the slave docker - How to verify it Build SONiC using your own prod script
parent
65f40a188e
commit
cfa36bbd7b
@ -299,9 +299,7 @@ endif
|
||||
# Mount the Signing prod tool in the slave container
|
||||
$(info "SECURE_UPGRADE_PROD_SIGNING_TOOL": "$(SECURE_UPGRADE_PROD_SIGNING_TOOL)")
|
||||
ifneq ($(SECURE_UPGRADE_PROD_SIGNING_TOOL),)
|
||||
SECURE_UPGRADE_PROD_SIGNING_TOOL_DST = /sonic/scripts/$(shell basename -- $(SECURE_UPGRADE_PROD_SIGNING_TOOL))
|
||||
DOCKER_RUN += -v $(SECURE_UPGRADE_PROD_SIGNING_TOOL):$(SECURE_UPGRADE_PROD_SIGNING_TOOL_DST):ro
|
||||
SECURE_UPGRADE_PROD_SIGNING_TOOL := $(SECURE_UPGRADE_PROD_SIGNING_TOOL_DST)
|
||||
DOCKER_RUN += -v $(SECURE_UPGRADE_PROD_SIGNING_TOOL):/sonic/scripts/$(shell basename -- $(SECURE_UPGRADE_PROD_SIGNING_TOOL)):ro
|
||||
endif
|
||||
|
||||
ifneq ($(SONIC_DPKG_CACHE_SOURCE),)
|
||||
|
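Review bot: The container-side path on the new `DOCKER_RUN` line is built by passing `$(SECURE_UPGRADE_PROD_SIGNING_TOOL)` unquoted to `$(shell basename -- …)`, so a value containing spaces or shell metacharacters is interpreted by the shell at parse time. The same expression is repeated in the slave.mk hunk, and the two copies now have to be kept identical by hand for the signing tool to be found. Make's built-in does the same job without a shell: `DOCKER_RUN += -v $(SECURE_UPGRADE_PROD_SIGNING_TOOL):/sonic/scripts/$(notdir $(SECURE_UPGRADE_PROD_SIGNING_TOOL)):ro`. Because the mount target is `/sonic/scripts/<basename>`, a tool whose file name matches a script already in that directory would presumably mask it inside the container; a comment such as `# the tool's basename must not collide with an existing file under /sonic/scripts` would record that constraint.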
@ -658,13 +658,13 @@ if [[ $SECURE_UPGRADE_MODE == 'dev' || $SECURE_UPGRADE_MODE == "prod" && $SONIC_
|
||||
# Here Vendor signing should be implemented
|
||||
OUTPUT_SEC_BOOT_DIR=$FILESYSTEM_ROOT/boot
|
||||
|
||||
if [ ! -f $SECURE_UPGRADE_PROD_SIGNING_TOOL ]; then
|
||||
echo "Error: SONiC SECURE_UPGRADE_PROD_SIGNING_TOOL=$SECURE_UPGRADE_PROD_SIGNING_TOOL script missing"
|
||||
if [ ! -f $sonic_su_prod_signing_tool ]; then
|
||||
echo "Error: SONiC sonic_su_prod_signing_tool=$sonic_su_prod_signing_tool script missing"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
sudo $SECURE_UPGRADE_PROD_SIGNING_TOOL $CONFIGURED_ARCH $FILESYSTEM_ROOT $LINUX_KERNEL_VERSION $OUTPUT_SEC_BOOT_DIR
|
||||
|
||||
sudo $sonic_su_prod_signing_tool $CONFIGURED_ARCH $FILESYSTEM_ROOT $LINUX_KERNEL_VERSION $OUTPUT_SEC_BOOT_DIR
|
||||
|
||||
# verifying all EFI files and kernel modules in $OUTPUT_SEC_BOOT_DIR
|
||||
sudo ./scripts/secure_boot_signature_verification.sh -e $OUTPUT_SEC_BOOT_DIR \
|
||||
-c $SECURE_UPGRADE_DEV_SIGNING_CERT \
|
||||
|
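Review bot: The `-f` test and the `sudo` call expand `$sonic_su_prod_signing_tool` unquoted, so an empty value turns the guard into `[ ! -f ]`, which is false and lets execution reach a `sudo` line whose first word is then `$CONFIGURED_ARCH`; a path containing whitespace is likewise split into several words. Quoting closes both cases: `if [ ! -f "$sonic_su_prod_signing_tool" ]; then` and `sudo "$sonic_su_prod_signing_tool" "$CONFIGURED_ARCH" "$FILESYSTEM_ROOT" "$LINUX_KERNEL_VERSION" "$OUTPUT_SEC_BOOT_DIR"`. Since the tool is run as root, `-x` may be a better test than `-f` if it is expected to be executable. The enclosing `if [[ $SECURE_UPGRADE_MODE … ]]` block starts before and continues past the hunk.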
2
slave.mk
2
slave.mk
@ -1237,7 +1237,7 @@ $(addprefix $(TARGET_PATH)/, $(SONIC_INSTALLERS)) : $(TARGET_PATH)/% : \
|
||||
export sonic_su_dev_signing_key="$(SECURE_UPGRADE_DEV_SIGNING_KEY)"
|
||||
export sonic_su_dev_signing_cert="$(SECURE_UPGRADE_DEV_SIGNING_CERT)"
|
||||
export sonic_su_mode="$(SECURE_UPGRADE_MODE)"
|
||||
export sonic_su_prod_signing_tool="$(SECURE_UPGRADE_PROD_SIGNING_TOOL)"
|
||||
export sonic_su_prod_signing_tool="/sonic/scripts/$(shell basename -- $(SECURE_UPGRADE_PROD_SIGNING_TOOL))"
|
||||
export include_system_telemetry="$(INCLUDE_SYSTEM_TELEMETRY)"
|
||||
export include_restapi="$(INCLUDE_RESTAPI)"
|
||||
export include_nat="$(INCLUDE_NAT)"
|
||||
|
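Review bot: The `export sonic_su_prod_signing_tool="/sonic/scripts/…"` line has no guard for an unset tool in the visible lines, so when `SECURE_UPGRADE_PROD_SIGNING_TOOL` is empty `basename --` runs without an operand and the exported value becomes `/sonic/scripts/` rather than an empty string. Anything downstream that tests whether a prod signing tool was configured would then see a non-empty path. A guarded form keeps empty-means-unset and avoids the shell: `export sonic_su_prod_signing_tool="$(if $(SECURE_UPGRADE_PROD_SIGNING_TOOL),/sonic/scripts/$(notdir $(SECURE_UPGRADE_PROD_SIGNING_TOOL)))"`. The recipe this line belongs to starts and ends outside the hunk.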