[Secure Boot] Support to sign swi image (#4627)

* [secure boot] Support to sign swi image

* Fix build issue

* fix tab format issue

* Fix typing issue

* Change the sign_image.sh command line

* Remove SONIC_CETIFICATE_PATH

* Fix bugs

Makefile.work

@@ -202,6 +202,7 @@ SONIC_BUILD_INSTRUCTION :=  make \
                            SONIC_ENABLE_RESTAPI=$(ENABLE_RESTAPI) \
                            EXTRA_DOCKER_TARGETS=$(EXTRA_DOCKER_TARGETS) \
                            BUILD_LOG_TIMESTAMP=$(BUILD_LOG_TIMESTAMP) \
+                           SONIC_ENABLE_IMAGE_SIGNATURE=$(ENABLE_IMAGE_SIGNATURE) \
                            $(SONIC_OVERRIDE_BUILD_VARS)
 
 .PHONY: sonic-slave-build sonic-slave-bash init reset

build_image.sh

@@ -146,6 +146,12 @@ elif [ "$IMAGE_TYPE" = "aboot" ]; then
 
     zip -g $OUTPUT_ABOOT_IMAGE $ABOOT_BOOT_IMAGE
     rm $ABOOT_BOOT_IMAGE
+    if [ "$SONIC_ENABLE_IMAGE_SIGNATURE" = "y" ]; then
+        TARGET_CA_CERT="$TARGET_PATH/ca.cert"
+        rm -f "$TARGET_CA_CERT"
+        [ -f "$CA_CERT" ] && cp "$CA_CERT" "$TARGET_CA_CERT"
+        ./scripts/sign_image.sh -i "$OUTPUT_ABOOT_IMAGE" -k "$SIGNING_KEY" -c "$SIGNING_CERT" -a "$TARGET_CA_CERT"
+    fi
 else
     echo "Error: Non supported image type $IMAGE_TYPE"
     exit 1

rules/config

@@ -145,3 +145,10 @@ KUBERNETES_VERSION = 1.18.0
 K8s_GCR_IO_PAUSE_VERSION = 3.2
 K8s_CNI_CALICO_VERSION = 3.12.1
 
+# SONIC_ENABLE_IMAGE_SIGNATURE - enable image signature
+# To not use the auto-generated self-signed certificate, the required files to sign the image as below:
+#     SIGNING_KEY =
+#     SIGNING_CERT =
+#     CA_CERT =
+# The relative path is build root folder.
+SONIC_ENABLE_IMAGE_SIGNATURE ?= n

scripts/sign_image.sh

@@ -0,0 +1,69 @@
+#!/bin/bash -ex
+
+
+IMAGE=""
+SIGNING_KEY=""
+SIGNING_CERT=""
+CA_CERT=""
+
+usage()
+{
+    echo "Usage:  $0 -i <image_path> [-k <signing_key> -c <signing_cert> -a <ca_cert>]"
+    exit 1
+}
+
+generate_signing_key()
+{
+    TMP_CERT_PATH=$(mktemp -d)
+    SIGNING_KEY="${TMP_CERT_PATH}/signing.key"
+    SIGNING_CERT="${TMP_CERT_PATH}/signing.crt"
+    SIGNING_CSR="${TMP_CERT_PATH}/signing.csr"
+    CA_KEY="${TMP_CERT_PATH}/ca.key"
+
+    # Generate the CA key and certificate
+    openssl genrsa -out $CA_KEY 4096
+    openssl req -x509 -new -nodes -key $CA_KEY -sha256 -days 3650 -subj "/C=US/ST=Test/L=Test/O=Test/CN=Test" -out $CA_CERT
+
+    # Generate the signing key, certificate request and certificate
+    openssl genrsa -out $SIGNING_KEY 4096
+    openssl req -new -key $SIGNING_KEY -subj "/C=US/ST=Test/L=Test/O=Test/CN=Test" -out $SIGNING_CSR
+    openssl x509 -req -in $SIGNING_CSR -CA $CA_CERT -CAkey $CA_KEY -CAcreateserial -out $SIGNING_CERT -days 1825 -sha256
+}
+
+while getopts "i:k:c:a:t:" opt; do
+    case $opt in
+        i)
+            IMAGE=$OPTARG
+            ;;
+        k)
+            SIGNING_KEY=$OPTARG
+            ;;
+        c)
+            SIGNING_CERT=$OPTARG
+            ;;
+        a)
+            CA_CERT=$OPTARG
+            ;;
+        *)
+            usage
+            ;;
+    esac
+done
+
+[ -z $CA_CERT ] && echo "Not to sign the image since the CA certificate not provided" 1>&2 && exit 1
+
+# Generate the self signed cert if not provided by input
+[ ! -f $CA_CERT ] && generate_signing_key
+
+# Verify the required files existing
+[ ! -f $SIGNING_KEY ] && echo "$SIGNING_KEY not exist" && exit 1
+[ ! -f $SIGNING_CERT ] && echo "$SIGNING_CERT not exist" && exit 1
+[ ! -f $CA_CERT ] && echo "$CA_CERT not exist" && exit 1
+
+# Prepare the image
+swi-signature prepare $IMAGE
+
+# Sign the image
+swi-signature sign $IMAGE $SIGNING_CERT $CA_CERT --key $SIGNING_KEY
+
+exit 0

slave.mk

@@ -894,6 +894,11 @@ $(addprefix $(TARGET_PATH)/, $(SONIC_INSTALLERS)) : $(TARGET_PATH)/% : \
 	PASSWORD="$(PASSWORD)" \
 	TARGET_MACHINE=$($*_MACHINE) \
 	IMAGE_TYPE=$($*_IMAGE_TYPE) \
+	SONIC_ENABLE_IMAGE_SIGNATURE="$(SONIC_ENABLE_IMAGE_SIGNATURE)" \
+	SIGNING_KEY="$(SIGNING_KEY)" \
+	SIGNING_CERT="$(SIGNING_CERT)" \
+	CA_CERT="$(CA_CERT)" \
+	TARGET_PATH="$(TARGET_PATH)" \
 		./build_image.sh $(LOG)
 
 	$(foreach docker, $($*_DOCKERS), \

sonic-slave-buster/Dockerfile.j2

@@ -304,7 +304,9 @@ RUN apt-get update && apt-get install -y \
         xxd \
 # For DHCP Monitor tool
         libexplain-dev \
-        libevent-dev
+        libevent-dev \
+# For SWI Tools
+        python-m2crypto
 
 ## Config dpkg
 ## install the configuration file if it’s currently missing
@@ -423,3 +425,6 @@ RUN apt-get install -y docker-ce=18.06.3~ce~3-0~debian
 {%- endif %}
 RUN echo "DOCKER_OPTS=\"--experimental --storage-driver=vfs\"" >> /etc/default/docker
 RUN update-alternatives --set iptables /usr/sbin/iptables-legacy
+
+# Install swi tools
+RUN python -m pip install git+https://github.com/aristanetworks/swi-tools.git@d51761ec0bb93c73039233f3c01ed48235ffad00

sonic-slave-jessie/Dockerfile.j2

@@ -372,3 +372,6 @@ RUN echo "DOCKER_OPTS=\"--experimental --storage-driver=vfs\"" >> /etc/default/d
 RUN echo "deb [arch={{ CONFIGURED_ARCH }}] http://archive.debian.org/debian jessie-backports main" >> /etc/apt/sources.list
 RUN apt-get -o Acquire::Check-Valid-Until=false update
 RUN apt-get -y -o Acquire::Check-Valid-Until=false install ca-certificates-java=20161107~bpo8+1 openjdk-8-jdk
+
+# Install swi tools
+RUN python -m pip install git+https://github.com/aristanetworks/swi-tools.git@d51761ec0bb93c73039233f3c01ed48235ffad00

sonic-slave-stretch/Dockerfile.j2

@@ -300,7 +300,9 @@ RUN apt-get update && apt-get install -y \
         xxd \
 # For DHCP Monitor tool
         libexplain-dev \
-        libevent-dev
+        libevent-dev \
+# For SWI Tools
+        python-m2crypto
 
 ## Config dpkg
 ## install the configuration file if it’s currently missing
@@ -437,3 +439,6 @@ RUN apt-get install -y docker-ce=5:18.09.5~3-0~debian-stretch docker-ce-cli=5:18
 RUN apt-get install -y docker-ce=18.06.3~ce~3-0~debian
 {%- endif %}
 RUN echo "DOCKER_OPTS=\"--experimental --storage-driver=vfs\"" >> /etc/default/docker
+
+# Install swi tools
+RUN python -m pip install git+https://github.com/aristanetworks/swi-tools.git@d51761ec0bb93c73039233f3c01ed48235ffad00