Commit Graph

931 Commits

Author SHA1 Message Date
Mai Bui
95bb7f3b78
[device/ragile] Mitigation for security vulnerability (#11744)
Signed-off-by: maipbui <maibui@microsoft.com>
#### Why I did it
The [xml.etree.ElementTree](https://docs.python.org/3/library/xml.etree.elementtree.html#module-xml.etree.ElementTree) module is not secure against maliciously constructed data.
`os` - not secure against maliciously constructed input and dangerous if used to evaluate dynamic content
`subprocess.getstatusoutput` is dangerous because include shell=True in the implementation
#### How I did it
Remove xml. Use [lxml](https://pypi.org/project/lxml/) XML parsers package that prevent potentially malicious operation.
Replace `os` by `subprocess`
Use command as an array instead of string
Use `getstatusoutput_noshell` in `sonic_py_common` lib
2022-11-29 11:54:37 -05:00
Mai Bui
35c4e9912d
[ruijie] Replace os.system and remove subprocess with shell=True (#12107)
Signed-off-by: maipbui <maibui@microsoft.com>
Dependency: [https://github.com/sonic-net/sonic-buildimage/pull/12065](https://github.com/sonic-net/sonic-buildimage/pull/12065)
#### Why I did it
1. `getstatusoutput` is used without a static string and it uses `shell=True`
2. `subprocess()` - when using with `shell=True` is dangerous. Using subprocess function without a static string can lead to command injection.
3. `os` - not secure against maliciously constructed input and dangerous if used to evaluate dynamic content.
#### How I did it
1. use `getstatusoutput` without shell=True
2. `subprocess()` - use `shell=False` instead. use an array string. Ref: [https://semgrep.dev/docs/cheat-sheets/python-command-injection/#mitigation](https://semgrep.dev/docs/cheat-sheets/python-command-injection/#mitigation)
3. `os` - use with `subprocess`
2022-11-28 12:43:43 -05:00
Richard.Yu
19e3d8ce98
[submodule]Advance sairdis with sai 1.11 and add brcm and mlnx sai sdk (#12471)
* rebase code

advance sairedis

Signed-off-by: richardyu-ms <richard.yu@microsoft.com>

* Update Mellanox SDK/FW to 4026

Signed-off-by: Kebo Liu <kebol@nvidia.com>

* Update Mellanox SAI to 2211.23.1.0

Signed-off-by: Kebo Liu <kebol@nvidia.com>

* update Switch-SDK-drivers pointer

Signed-off-by: Kebo Liu <kebol@nvidia.com>

* git update sai header in saibcm

Signed-off-by: richardyu-ms <richard.yu@microsoft.com>

* mapping to sairedis 202211

Signed-off-by: richardyu-ms <richard.yu@microsoft.com>

Signed-off-by: richardyu-ms <richard.yu@microsoft.com>
Signed-off-by: Kebo Liu <kebol@nvidia.com>
Co-authored-by: Kebo Liu <kebol@nvidia.com>
2022-11-23 09:02:36 -08:00
Mai Bui
2f6b34a637
[device/juniper] Mitigation for security vulnerability (#11838)
Signed-off-by: maipbui maibui@microsoft.com
Dependency: [https://github.com/sonic-net/sonic-buildimage/pull/12065](https://github.com/sonic-net/sonic-buildimage/pull/12065)
#### Why I did it
`commands` module is not secure
command injection in `getstatusoutput` being used without a static string
#### How I did it
Eliminate `commands` module, use `subprocess` module only
Convert Python 2 to Python 3
2022-11-22 10:46:12 -05:00
Guohan Lu
a618728d91 Revert "[SAI PTF]Support sai ptf v2 Syncd-rpc (#12761)"
This reverts commit 9734b427ff.
2022-11-21 07:22:26 +00:00
Richard.Yu
9734b427ff
[SAI PTF]Support sai ptf v2 Syncd-rpc (#12761)
Make syncd rpc docker which supports sai-ptf v2

local bulild the target

NOSTRETCH=y NOJESSIE=y make configure PLATFORM=vs
NOSTRETCH=y NOJESSIE=y NOBULLSEYE=y SAITHRIFT_V2=y make target/docker-ptf-sai.gz

NOSTRETCH=y NOJESSIE=y make configure PLATFORM=vs
NOSTRETCH=y NOJESSIE=y NOBULLSEYE=y make target/docker-ptf.gz

NOSTRETCH=y NOJESSIE=y make configure PLATFORM=broadcom
NOSTRETCH=y NOJESSIE=y ENABLE_SYNCD_RPC=y SAITHRIFT_V2=y make target/docker-syncd-brcm-rpcv2.gz
NOSTRETCH=y NOJESSIE=y ENABLE_SYNCD_RPC=y SAITHRIFT_V2=y make target/docker-saiserverv2-brcm.gz

Test done:
#12619
NOSTRETCH=y NOJESSIE=y make configure PLATFORM=broadcom
NOSTRETCH=y NOJESSIE=y ENABLE_SYNCD_RPC=y make target/docker-syncd-brcm-rpc.gz
NOSTRETCH=y NOJESSIE=y ENABLE_SYNCD_RPC=y make target/docker-saiserver-brcm.gz

Signed-off-by: richardyu-ms <richard.yu@microsoft.com>

Signed-off-by: richardyu-ms <richard.yu@microsoft.com>
2022-11-20 20:50:39 -08:00
Samuel Angebault
23962a8979
[Arista] Update platform library submodules (#12736)
add partial reboot cause support for linecards
add watchdog support for linecards
add power draw information for chassis
properly implement Chassis.get_port_or_cage_type
fix pcieutil on chassis with powered off cards
fix watchdog-control.service crash
misc fixes and cleanups
2022-11-18 13:24:13 -08:00
Saikrishna Arcot
672367c33e
Update Linux kernel from 5.10.103 to 5.10.140 (#12660)
Signed-off-by: Saikrishna Arcot <sarcot@microsoft.com>

Signed-off-by: Saikrishna Arcot <sarcot@microsoft.com>
2022-11-14 16:33:34 -08:00
Liu Shilong
6d78199d6f
Revert "[SAI PTF]Syncd-rpc and PTF docker support sai ptf v2 (#11610)" (#12677)
This reverts commit f0873f29d8.
2022-11-14 09:56:10 +08:00
tjchadaga
1799f6fc9a
Update BRCM SAI version to 7.1.21.4 (#12680) 2022-11-11 15:00:10 -08:00
Mai Bui
5b0c4ec1e6
[device/accton] Replace os.system and remove subprocess with shell=True (#11985)
Signed-off-by: maipbui <maibui@microsoft.com>
#### Why I did it
`subprocess.Popen()` and `subprocess.run()` is used with `shell=True`, which is very dangerous for shell injection.
`os` - not secure against maliciously constructed input and dangerous if used to evaluate dynamic content
#### How I did it
Replace `os` by `subprocess`
Remove unused functions
2022-11-07 10:31:32 -05:00
Richard.Yu
f0873f29d8
[SAI PTF]Syncd-rpc and PTF docker support sai ptf v2 (#11610)
* support sai-ptf-v2 in libsaithrift vs

* add build target docker-ptf-sai syncd-rpcv2 and saiserverv2

Signed-off-by: richardyu-ms <richard.yu@microsoft.com>

* add docker ptf sai

Signed-off-by: richardyu-ms <richard.yu@microsoft.com>

* add build condition for broadcom

Signed-off-by: richardyu-ms <richard.yu@microsoft.com>

* add docker syncd dbg and add debug symbol to docker-saiserverv2

Signed-off-by: richardyu-ms <richard.yu@microsoft.com>

* correct the build option

* change the azure pipeline build template

Signed-off-by: richardyu-ms <richard.yu@microsoft.com>

* change build option for docker-ptf-sai

* enable ptf-sai docker build

* remove the build for syncd-rpcv2

Signed-off-by: richardyu-ms <richard.yu@microsoft.com>

* fix issue in build tempalte

* ignore useless package build when build sai-ptf

Signed-off-by: richardyu-ms <richard.yu@microsoft.com>

* remove scapy version contraint

Signed-off-by: richardyu-ms <richard.yu@microsoft.com>

* remove duplicated target docker-ptf

Signed-off-by: richardyu-ms <richard.yu@microsoft.com>

* change template for testing the pipeline

Signed-off-by: richardyu-ms <richard.yu@microsoft.com>

* remove duplicated target

Signed-off-by: richardyu-ms <richard.yu@microsoft.com>

* fix error in make script

Signed-off-by: richardyu-ms <richard.yu@microsoft.com>

* add shel to setup env

Signed-off-by: richardyu-ms <richard.yu@microsoft.com>

* replace with certain platform name

Signed-off-by: richardyu-ms <richard.yu@microsoft.com>

* disable cache for syncd-rpcv2

Signed-off-by: richardyu-ms <richard.yu@microsoft.com>

* test without cache

Signed-off-by: richardyu-ms <richard.yu@microsoft.com>

* disable cache

Signed-off-by: richardyu-ms <richard.yu@microsoft.com>

* testing: disable the cache for build syncd-rpcv2

Signed-off-by: richardyu-ms <richard.yu@microsoft.com>

* add cache back and get the code ready for testing

Signed-off-by: richardyu-ms <richard.yu@microsoft.com>

* refactor code

Signed-off-by: richardyu-ms <richard.yu@microsoft.com>

* add workaround for issue in rules/sairedis.dep

Signed-off-by: richardyu-ms <richard.yu@microsoft.com>

* refactor code

Signed-off-by: richardyu-ms <richard.yu@microsoft.com>

Signed-off-by: richardyu-ms <richard.yu@microsoft.com>
2022-11-07 21:47:52 +08:00
jerseyang
7fb8bf7012
Fix the pddf_custom_wdt driver rarely reports kernel dump issue while reboot in belgite platform (#12322)
Why I did it
SONiC will report the kernel dump while system reboot in Belgite platform as the following shows:

How I did it
Cause:

Invalid cdev container pointer from the inode is being accessing in misc
device open, which causes a memory corruption in the slub.
Because of the slub corruption, random crash is seen during reboot.
Fix: - Instead of cdev pointer from the inode, mdev container pointer is
used from the file->privdate_data member.

Action: update the pddf_custom_wdt driver,

How to verify it
Do the reboot stress test to check whether there is kernel dump during reboot progress
2022-11-04 19:26:18 +08:00
zitingguo-ms
a60ebd387c
Update BRCM SAI version to 7.1.17.4 (#12546)
Signed-off-by: zitingguo-ms <zitingguo@microsoft.com>

Signed-off-by: zitingguo-ms <zitingguo@microsoft.com>
2022-10-31 20:08:45 +08:00
tjchadaga
89f76829fc
Update BRCM SAI version to 7.1.16.4 (#12515) 2022-10-27 13:31:34 -07:00
Samuel Angebault
cf20aea1c4
[Arista] Update platform driver library (#12450)
fix linecard provisioning issue (500 error)
fix some value types for get_system_eeprom_info API
refactor code to leverage pci topology (enabling dynamic Pcie plugin)
refactor asic declaration logic to new style
misc fixes
2022-10-20 23:15:48 +08:00
Mai Bui
6f67a3ac6a
[device/quanta] Mitigation for security vulnerability (#11867)
Signed-off-by: maipbui <maibui@microsoft.com>
Dependency: [https://github.com/sonic-net/sonic-buildimage/pull/12065](https://github.com/sonic-net/sonic-buildimage/pull/12065)
#### Why I did it
`shell=True` is dangerous because this call will spawn the command using a shell process
`os` - not secure against maliciously constructed input and dangerous if used to evaluate dynamic content.
#### How I did it
`os` - use with `subprocess`
Use `shell=False` with shell features
- redirection: [https://stackoverflow.com/questions/4965159/how-to-redirect-output-with-subprocess-in-python/6482200#6482200?newreg=53afb91b3ebd47c5930be627fcdf2930](https://stackoverflow.com/questions/4965159/how-to-redirect-output-with-subprocess-in-python/6482200#6482200?newreg=53afb91b3ebd47c5930be627fcdf2930)
- `|` operator: [https://docs.python.org/2/library/subprocess.html#replacing-shell-pipeline](https://docs.python.org/2/library/subprocess.html#replacing-shell-pipeline)
2022-10-19 10:05:36 -04:00
vmittal-msft
dc2cc9d507
Updated BRCM SAI to version 7.1.10.4 (#12423) 2022-10-17 15:22:53 -07:00
Mai Bui
92d25be08f
[inventec] Replace os.system and remove subprocess with shell=True (#12108)
Signed-off-by: maipbui <maibui@microsoft.com>
Dependency: [https://github.com/sonic-net/sonic-buildimage/pull/12065](https://github.com/sonic-net/sonic-buildimage/pull/12065)
#### Why I did it
1. `getstatusoutput` is used without a static string and it uses `shell=True`
2. `subprocess()` - when using with `shell=True` is dangerous. Using subprocess function without a static string can lead to command injection.
3. `os` - not secure against maliciously constructed input and dangerous if used to evaluate dynamic content.
#### How I did it
1. use `getstatusoutput` without shell=True
2. `subprocess()` - use `shell=False` instead. use an array string. Ref: [https://semgrep.dev/docs/cheat-sheets/python-command-injection/#mitigation](https://semgrep.dev/docs/cheat-sheets/python-command-injection/#mitigation)
3. `os` - use with `subprocess`
2022-10-14 10:21:44 -04:00
Marty Y. Lok
fc99265fd2
[Nokia] Update the nokia platform submodule for Nokia-IXR7250E platform (#12305)
Signed-off-by: mlok <marty.lok@nokia.com>
2022-10-10 18:49:51 -07:00
Mai Bui
94c998965c
[broadcom] Replace popen function (#12106)
Signed-off-by: maipbui <maibui@microsoft.com>
#### Why I did it
`os` - not secure against maliciously constructed input and dangerous if used to evaluate dynamic content.
#### How I did it
`os` - use with `subprocess`
#### How to verify it
2022-10-10 10:12:26 -04:00
Samuel Angebault
18850e4e28
[Arista] Update platform submodules (#12225)
Implement input power psu API
Report DC power output via API
Add bootloader Component in API
Fix issue where naming was not unique for Component
2022-09-30 16:03:40 +08:00
Xichen96
8af369a7c9
Enable swap for haliburton device. (#11746)
Signed-off-by: Xichen Lin <lukelin0907@gmail.com>

Signed-off-by: Xichen Lin <lukelin0907@gmail.com>
2022-09-22 13:57:52 +08:00
juntseng62
23de13feeb
[Alphanetworks] Add new platform BES2348T (#11196)
* Add BES2348T

Signed-off-by: juntseng62 <juntseng62@gmail.com>

* add get_serial_number

Signed-off-by: juntseng62 <juntseng62@gmail.com>

Signed-off-by: juntseng62 <juntseng62@gmail.com>
2022-09-15 21:34:52 -07:00
Samuel Angebault
055fbf5aaa
[Arista] Update platform submodules (#12020) 2022-09-13 19:39:49 -07:00
arunlk-dell
f82c1fd8ae
Z9432F kernel dependency of platform module (#11941)
Why I did it
Z9432F Update the kernel dependency of platform module

How I did it
Modified the kernel version to current latest 5.10.0-12-2
2022-09-01 16:55:41 -07:00
Arun Saravanan Balachandran
092e0394b5
DellEMC: Z9332f - Graceful platform reboot (#10240)
Why I did it
To gracefully unmount filesystems and stop containers while performing a cold reboot.
Unmount ONIE-BOOT if mounted during fast/soft/warm reboot
How I did it
Override systemd-reboot service to perform a cold reboot.
Unmount ONIE-BOOT if mounted using fast/soft/warm-reboot plugins.
How to verify it
On reboot, verify that the container stop and filesystem unmount services have completed execution before the platform reboot.
2022-08-30 11:23:52 -07:00
Samuel Angebault
8ccae96bfe
[Arista] Update platform submodule (#11853) 2022-08-26 09:38:45 -07:00
Richard.Yu
a1eae940d5
[SAIServer] support saiserver v2 in bullseye (#11849)
Upgrade libboost-atomic1.71 to libboost-atomic1.74

Signed-off-by: richardyu-ms <richard.yu@microsoft.com>

Signed-off-by: richardyu-ms <richard.yu@microsoft.com>
2022-08-25 22:51:53 -07:00
arunlk-dell
13bd63e73a
DellEMC: S5296F Platform API 2.0 changes (#11162)
Why I did it
S5296F - Platform API 2.0 changes

How I did it
Implemented the functional API's needed for Platform API 2.0

How to verify it
Used the API 2.0 test suite to validate the test cases.
2022-08-25 17:07:23 -07:00
roberthong-qct
234b4973cd
[Quanta] Update files for Bullseye and kernel 5.10 with enhancements (#11755)
* [Quanta][device][platform] Update files for IX7

Signed-off-by: roberthong-qct <10606901@qcttw.com>

* [Quanta][device][platform] Update files for IX7_BDE

Signed-off-by: roberthong-qct <10606901@qcttw.com>

* [Quanta][device][platform] Update files for IX8

Signed-off-by: roberthong-qct <10606901@qcttw.com>

* [Quanta][device][platform] Update files for IX8A_BDE

Signed-off-by: roberthong-qct <10606901@qcttw.com>

* [Quanta][device][platform] Update files for IX8C

Signed-off-by: roberthong-qct <10606901@qcttw.com>

* [Quanta][device][platform] Update files for IX9

Signed-off-by: roberthong-qct <10606901@qcttw.com>

Signed-off-by: roberthong-qct <10606901@qcttw.com>
2022-08-23 10:10:08 -07:00
Junhua Zhai
fb774dd46a
[gbsyncd] Build docker-gbsyncd-broncos image (#11748)
The libsaibroncos debian package is published at $(LIBSAI_BRONCOS)_URL. Enable building docker-gbsyncd-broncos image on PLATFORM broadcom.
2022-08-23 12:38:08 +08:00
Junhua Zhai
770cb80017
[BRCM SAI 7.1.7.2] catch up CS00012257483 patch (#11768)
Why I did it
It solves a swss orchagent crash issue on PikeZ device, due to link-training setting of external PHY port.

How I did it
Catch up the fix for CS00012257483 in version 7.1.7.2.
2022-08-23 12:34:04 +08:00
jerseyang
ca546ddec3
Sync platform-modules-belgite deb's kernel version 5.10.0-8-2 with master runtime kernel version 5.10.0-12-2 (#10946)
# Why I did it
platform-modules-belgite's deb requests linux-image-5.10.0-8-2-amd64-unsigned, which does not match the runtime kernel version

# How I did it
update the belgite's deb configuration in deb's control

# How to verify it
check the firsttime boot log in belgite platform

Co-authored-by: nicwu-cel <nicwu@celestica.com>
2022-08-18 12:56:04 +08:00
Michael Li
055b7d5fad
Update BRCM KNET modules to support new psample definitions from sflow… (#11709)
* Update BRCM KNET module to support new psample definitions from sflow dropmon feature

* Update BRCM KNET module to support new psample definitions from sflow dropmon feature

* Advance saibcm-modules-dnx
2022-08-16 11:46:03 -07:00
Samuel Angebault
02fd3c520c
[Arista] Update platform library (#11703)
- Add Watchdog remaining time API
 - Add support for non-swappable fans via a FixedDrawer 
 - Add ASIC voltage tweaks for PikeZ product
 - Add better pylint support
 - Fix reboot-cause decision issue for future products
 - Fix thermal issue for RJ45 ports
 - Deprecate Catalina prototype support
2022-08-11 10:47:20 -07:00
gechiang
6f06fee2e9
[BRCM SAI 7.1.7.1] catch up on all pending fix patches for REL_7.0/7.1 (#11693) 2022-08-11 09:07:39 -07:00
Saikrishna Arcot
c953168a87
Update Broadcom SAI to 7.1.0.0-9 (#11612)
This brings in a SAI library that is compiled on Bullseye.

Signed-off-by: Saikrishna Arcot <sarcot@microsoft.com>
2022-08-09 09:41:07 -07:00
judyjoseph
1fb853614d
Update the DNX SAI to 7.1.0.0-7 and this don't have macsec support (#11529) 2022-08-08 10:04:57 -07:00
Santhosh Kumar T
847a29088b
[DellEMC] S6100 Platform Service optimization porting in master (#11330)
To reduce rc.local script execution time. Porting changes from [DellEMC] S6100 Platform Service optimization #10989
Changes:
Moving platform-modules-s6100.service and s6100-lpc-monitor.service asynchronous to rc.local script.
2022-08-02 09:56:17 -07:00
zitingguo-ms
ae0d8a2740
[bcm sai] upgrade Broadcom XGS SAI to 7.1.0.0-8 (#11568)
this upgrade contains two changes:

1. Add the following MacSec Initialization Condition:
- When MacSec feature is not included MacSec block should not be brought out of reset irrespective of the value of the newly added config variable.
- When included its initialization is controlled by the newly added config variable.

2. DNX buf fix: increase _BRCM_SAI_MAX_ACL_TABLES to 128

Signed-off-by: zitingguo <zitingguo@microsoft.com>
2022-07-28 10:30:03 -07:00
Samuel Angebault
0703f3175f
[Arista] Update platform library (#11439)
Fix an issue with front panel port led introduced in previous PR
Implement status led for linecards
Implement full power cycle for linecards
Improve reboot cause reporting for Ucd devices
Add fan support for PikeZ
Miscellaneous fixes and improvements
2022-07-20 11:38:10 +08:00
zitingguo-ms
228853bb57
[bcm sai]upgrade Broadcom SAI to 7.1.0.0-6 (#11410)
- Default Not to report Single bit ECC correctable events to avoid the need to set SOC porperties.

Signed-off-by: zitingguo <zitingguo@microsoft.com>
2022-07-18 21:39:14 -07:00
andywongarista
88d0ce5ce8
Add gbsyncd container for broncos (#11154)
* Add docker-gbsyncd-broncos support
* Address review comments
* Add socket to gbsyncd
* Upgrade gbsyncd-broncos to bullseye
2022-07-18 10:57:27 +08:00
賓少鈺
f92aca837d
PDE migration to bullseye (#10836)
#### Why I did it
Upgrade docker-pde to bullseye

#### How to verify it
Check Azp status
2022-07-13 11:58:47 -07:00
Samuel Angebault
8791a32ca1
[Arista] Update platform library submodules (#11375) 2022-07-12 14:30:17 -07:00
Arun Saravanan Balachandran
d974ffd707
DellEMC Z9332f: 'update_firmware' component API return False if firmware image not found (#10797)
Why I did it
To return 'False' in update_firmware component API in DellEMC Z9332f platform, if the firmware image is not present in the provided image path.

How I did it
Updated 'update_firmware' in component.py to return False if image is not found in location provided by 'image_path'

How to verify it
Verified that the API returns False when an invalid image path is specified.
2022-06-29 09:30:58 -07:00
Senthil Kumar Guruswamy
b756e2971c
Upgrade broadcom platform containers(syncd/ saiserver/ syncd-rpc/ syncd-dnx-rpc) to bullseye (#10864) 2022-06-27 13:54:08 -07:00
Ying Xie
d30d84b4c6
[bcm sai] upgrade Broadcom SAI to 7.1.0.0-5 (#11236)
* [bcm sai] upgrade Broadcom SAI to 7.1.0.0-5

- Enable Microsoft AN/LT patch
- Create infrastructure to allow upgrading DNX/XGS SAI independently.

Signed-off-by: Ying Xie <ying.xie@microsoft.com>
2022-06-23 15:34:51 -07:00
saksarav-nokia
875e20f99c
Update platform/broadcom/sonic-platform-modules-nokia (#11107) 2022-06-18 10:47:13 -07:00