[Secure Boot] Support to sign swi image (#4627)

* [secure boot] Support to sign swi image

* Fix build issue

* fix tab format issue

* Fix typing issue

* Change the sign_image.sh command line

* Remove SONIC_CETIFICATE_PATH

* Fix bugs
This commit is contained in:
xumia 2020-06-09 15:25:17 +08:00 committed by GitHub
parent af81b8ebcd
commit e28cb8f58e
No account linked to committer's email address
8 changed files with 103 additions and 2 deletions

View File

@ -202,6 +202,7 @@ SONIC_BUILD_INSTRUCTION := make \
SONIC_ENABLE_RESTAPI=$(ENABLE_RESTAPI) \
EXTRA_DOCKER_TARGETS=$(EXTRA_DOCKER_TARGETS) \
BUILD_LOG_TIMESTAMP=$(BUILD_LOG_TIMESTAMP) \
SONIC_ENABLE_IMAGE_SIGNATURE=$(ENABLE_IMAGE_SIGNATURE) \
$(SONIC_OVERRIDE_BUILD_VARS)
.PHONY: sonic-slave-build sonic-slave-bash init reset

View File

@ -146,6 +146,12 @@ elif [ "$IMAGE_TYPE" = "aboot" ]; then
zip -g $OUTPUT_ABOOT_IMAGE $ABOOT_BOOT_IMAGE
rm $ABOOT_BOOT_IMAGE
if [ "$SONIC_ENABLE_IMAGE_SIGNATURE" = "y" ]; then
TARGET_CA_CERT="$TARGET_PATH/ca.cert"
rm -f "$TARGET_CA_CERT"
[ -f "$CA_CERT" ] && cp "$CA_CERT" "$TARGET_CA_CERT"
./scripts/sign_image.sh -i "$OUTPUT_ABOOT_IMAGE" -k "$SIGNING_KEY" -c "$SIGNING_CERT" -a "$TARGET_CA_CERT"
fi
else
echo "Error: Non supported image type $IMAGE_TYPE"
exit 1

View File

@ -145,3 +145,10 @@ KUBERNETES_VERSION = 1.18.0
K8s_GCR_IO_PAUSE_VERSION = 3.2
K8s_CNI_CALICO_VERSION = 3.12.1
# SONIC_ENABLE_IMAGE_SIGNATURE - enable image signature
# To not use the auto-generated self-signed certificate, the required files to sign the image as below:
# SIGNING_KEY =
# SIGNING_CERT =
# CA_CERT =
# The relative path is build root folder.
SONIC_ENABLE_IMAGE_SIGNATURE ?= n

69
scripts/sign_image.sh Executable file
View File

@ -0,0 +1,69 @@
#!/bin/bash -ex
IMAGE=""
SIGNING_KEY=""
SIGNING_CERT=""
CA_CERT=""
usage()
{
echo "Usage: $0 -i <image_path> [-k <signing_key> -c <signing_cert> -a <ca_cert>]"
exit 1
}
generate_signing_key()
{
TMP_CERT_PATH=$(mktemp -d)
SIGNING_KEY="${TMP_CERT_PATH}/signing.key"
SIGNING_CERT="${TMP_CERT_PATH}/signing.crt"
SIGNING_CSR="${TMP_CERT_PATH}/signing.csr"
CA_KEY="${TMP_CERT_PATH}/ca.key"
# Generate the CA key and certificate
openssl genrsa -out $CA_KEY 4096
openssl req -x509 -new -nodes -key $CA_KEY -sha256 -days 3650 -subj "/C=US/ST=Test/L=Test/O=Test/CN=Test" -out $CA_CERT
# Generate the signing key, certificate request and certificate
openssl genrsa -out $SIGNING_KEY 4096
openssl req -new -key $SIGNING_KEY -subj "/C=US/ST=Test/L=Test/O=Test/CN=Test" -out $SIGNING_CSR
openssl x509 -req -in $SIGNING_CSR -CA $CA_CERT -CAkey $CA_KEY -CAcreateserial -out $SIGNING_CERT -days 1825 -sha256
}
while getopts "i:k:c:a:t:" opt; do
case $opt in
i)
IMAGE=$OPTARG
;;
k)
SIGNING_KEY=$OPTARG
;;
c)
SIGNING_CERT=$OPTARG
;;
a)
CA_CERT=$OPTARG
;;
*)
usage
;;
esac
done
[ -z $CA_CERT ] && echo "Not to sign the image since the CA certificate not provided" 1>&2 && exit 1
# Generate the self signed cert if not provided by input
[ ! -f $CA_CERT ] && generate_signing_key
# Verify the required files existing
[ ! -f $SIGNING_KEY ] && echo "$SIGNING_KEY not exist" && exit 1
[ ! -f $SIGNING_CERT ] && echo "$SIGNING_CERT not exist" && exit 1
[ ! -f $CA_CERT ] && echo "$CA_CERT not exist" && exit 1
# Prepare the image
swi-signature prepare $IMAGE
# Sign the image
swi-signature sign $IMAGE $SIGNING_CERT $CA_CERT --key $SIGNING_KEY
exit 0

View File

@ -894,6 +894,11 @@ $(addprefix $(TARGET_PATH)/, $(SONIC_INSTALLERS)) : $(TARGET_PATH)/% : \
PASSWORD="$(PASSWORD)" \
TARGET_MACHINE=$($*_MACHINE) \
IMAGE_TYPE=$($*_IMAGE_TYPE) \
SONIC_ENABLE_IMAGE_SIGNATURE="$(SONIC_ENABLE_IMAGE_SIGNATURE)" \
SIGNING_KEY="$(SIGNING_KEY)" \
SIGNING_CERT="$(SIGNING_CERT)" \
CA_CERT="$(CA_CERT)" \
TARGET_PATH="$(TARGET_PATH)" \
./build_image.sh $(LOG)
$(foreach docker, $($*_DOCKERS), \

View File

@ -304,7 +304,9 @@ RUN apt-get update && apt-get install -y \
xxd \
# For DHCP Monitor tool
libexplain-dev \
libevent-dev
libevent-dev \
# For SWI Tools
python-m2crypto
## Config dpkg
## install the configuration file if its currently missing
@ -423,3 +425,6 @@ RUN apt-get install -y docker-ce=18.06.3~ce~3-0~debian
{%- endif %}
RUN echo "DOCKER_OPTS=\"--experimental --storage-driver=vfs\"" >> /etc/default/docker
RUN update-alternatives --set iptables /usr/sbin/iptables-legacy
# Install swi tools
RUN python -m pip install git+https://github.com/aristanetworks/swi-tools.git@d51761ec0bb93c73039233f3c01ed48235ffad00

View File

@ -372,3 +372,6 @@ RUN echo "DOCKER_OPTS=\"--experimental --storage-driver=vfs\"" >> /etc/default/d
RUN echo "deb [arch={{ CONFIGURED_ARCH }}] http://archive.debian.org/debian jessie-backports main" >> /etc/apt/sources.list
RUN apt-get -o Acquire::Check-Valid-Until=false update
RUN apt-get -y -o Acquire::Check-Valid-Until=false install ca-certificates-java=20161107~bpo8+1 openjdk-8-jdk
# Install swi tools
RUN python -m pip install git+https://github.com/aristanetworks/swi-tools.git@d51761ec0bb93c73039233f3c01ed48235ffad00

View File

@ -300,7 +300,9 @@ RUN apt-get update && apt-get install -y \
xxd \
# For DHCP Monitor tool
libexplain-dev \
libevent-dev
libevent-dev \
# For SWI Tools
python-m2crypto
## Config dpkg
## install the configuration file if its currently missing
@ -437,3 +439,6 @@ RUN apt-get install -y docker-ce=5:18.09.5~3-0~debian-stretch docker-ce-cli=5:18
RUN apt-get install -y docker-ce=18.06.3~ce~3-0~debian
{%- endif %}
RUN echo "DOCKER_OPTS=\"--experimental --storage-driver=vfs\"" >> /etc/default/docker
# Install swi tools
RUN python -m pip install git+https://github.com/aristanetworks/swi-tools.git@d51761ec0bb93c73039233f3c01ed48235ffad00