sonic-buildimage/rules/config
DavidZagury 4fd2a6297f
[Secure Boot] Add Secure Boot Support (#12692) (#14963)
- Why I did it
Add Secure Boot support to SONiC OS.
Secure Boot (SB) is a verification mechanism for ensuring that code launched by a computer's UEFI firmware is trusted. It is designed to protect a system against malicious code being loaded and executed early in the boot process before the operating system has been loaded.

- How I did it
Added a signing process to sign the following components:
shim, grub, Linux kernel, and kernel modules when doing the build, and when feature is enabled in build time according to the HLD explanations (the feature is disabled by default).

- How to verify it
There are self-verifications of each boot component when building the image, in addition, there is an existing end-to-end test in sonic-mgmt repo that checks that the boot succeeds when loading a secure system (details below).

How to build a sonic image with secure boot feature: (more description in HLD)

Required to use the following build flags from rules/config:
SECURE_UPGRADE_MODE="dev"
SECURE_UPGRADE_DEV_SIGNING_KEY="/path/to/private/key.pem"
SECURE_UPGRADE_DEV_SIGNING_CERT="/path/to/cert/key.pem"
After setting those flags should build the sonic-buildimage.
Before installing the image, should prepared the setup (switch device) with the follow:
check that the device support UEFI
stored pub keys in UEFI DB

enabled Secure Boot flag in UEFI
How to run a test that verify the Secure Boot flow:
The existing test "test_upgrade_path" under "sonic-mgmt/tests/upgrade_path/test_upgrade_path", is enough to validate proper boot
You need to specify the following arguments:
Base_image_list your_secure_image
Taget_image_list your_second_secure_image
Upgrade_type cold
And run the test, basically the test will install the base image given in the parameter and then upgrade to target image by doing cold reboot and validates all the services are up and working correctly

Co-authored-by: davidpil2002 <91657985+davidpil2002@users.noreply.github.com>
2023-05-15 10:13:26 +08:00

284 lines
12 KiB
Plaintext

###############################################################################
## Configuration parameters for SONiC build system
###############################################################################
# SONIC_CONFIG_PRINT_DEPENDENCIES - show dependencies for each invoked target.
# Before executing rule for each target its dependencies are printed to console.
# Uncomment next line to enable:
# SONIC_CONFIG_PRINT_DEPENDENCIES = y
# SONIC_CONFIG_BUILD_JOBS - set number of jobs for parallel build.
# Corresponding -j argument will be passed to make command inside docker
# container.
SONIC_CONFIG_BUILD_JOBS = 1
# SONIC_CONFIG_MAKE_JOBS - set number of parallel make jobs per package.
# Corresponding -j argument will be passed to make/dpkg commands that build separate packages
SONIC_CONFIG_MAKE_JOBS = $(shell nproc)
# DEFAULT_BUILD_LOG_TIMESTAMP - add timestamp in build log
# Supported format: simple, none
DEFAULT_BUILD_LOG_TIMESTAMP = none
# SONIC_USE_DOCKER_BUILDKIT - use docker buildkit for build.
# If set to y SONiC build system will set environment variable DOCKER_BUILDKIT=1
# to enable docker buildkit.
# This options will speed up docker image build time.
# NOTE: SONIC_USE_DOCKER_BUILDKIT will produce larger installable SONiC image
# because of a docker bug (more details: https://github.com/moby/moby/issues/38903)
# SONIC_USE_DOCKER_BUILDKIT = y
# SONIC_CONFIG_USE_NATIVE_DOCKERD_FOR_BUILD - use native dockerd for build.
# If set to y SONiC build container will use native dockerd instead of dind for faster build.
# Special handling of the docker image file names is needed to avoid conflicts with
# other SONiC build jobs on the same server. This requires changes to the Dockerfile.j2 FROM statement
# in the dockers/ and platform/ subdirs to use a variable reference instead of an explicit image name.
# SONIC_CONFIG_USE_NATIVE_DOCKERD_FOR_BUILD = y
# SONIC_CONFIG_ENABLE_COLORS - enable colored output in build system.
# Comment next line to disable:
# SONIC_CONFIG_ENABLE_COLORS = y
# DEFAULT_USERNAME - default username for installer build
DEFAULT_USERNAME = admin
# DEFAULT_PASSWORD - default password for installer build
DEFAULT_PASSWORD = YourPaSsWoRd
# ENABLE_DHCP_GRAPH_SERVICE - specify the source of minigraph to generate configuration file.
# If set to y SONiC will get the minigraph from graph service. Graph service URL need to be
# passed through DHCP option 225.
# If not set (default behavior) the default minigraph built into the image will be used.
# ENABLE_DHCP_GRAPH_SERVICE = y
# ENABLE_ZTP - installs Zero Touch Provisioning support.
# ENABLE_ZTP = y
# INCLUDE_PDE - Enable platform development enviroment
# INCLUDE_PDE = y
# SHUTDOWN_BGP_ON_START - if set to y all bgp sessions will be in admin down state when
# bgp service starts.
# SHUTDOWN_BGP_ON_START = y
# ENABLE_PFCWD_ON_START - if set to y PFC Watchdog (PFCWD) will be enabled all server-facing ports
# by default for TOR switch
# ENABLE_PFCWD_ON_START = y
# INSTALL_DEBUG_TOOLS - installs debugging tools in baseline docker
# Uncomment next line to enable:
# INSTALL_DEBUG_TOOLS = y
# SONIC_USE_PDDF_FRAMEWORK - Use PDDF generic drivers and plugins
# Uncomment next line to enable:
SONIC_USE_PDDF_FRAMEWORK = y
# SONIC_ROUTING_STACK - specify the routing-stack being elected to drive SONiC's control-plane.
# Supported routing stacks on SONiC are:
# routing-stacks: frr.
SONIC_ROUTING_STACK = frr
# ENABLE_SYNCD_RPC - build docker-syncd with rpc packages for testing purposes.
# Uncomment to enable:
# ENABLE_SYNCD_RPC = y
# Enable Origanization Extensions - Specific to the deployment scenarios of the Organization
ENABLE_ORGANIZATION_EXTENSIONS = y
# Debugging option allows sonic debian packages to get built including symbols
# information. Profiling option, disables compiler optimizations (-O0) as well
# as includes symbols information. Given that 'profiling' option is a superset
# of 'debugging' one, user should only enable either one option or the other --
# if both options are enabled, the 'profiling' one will prevail.
#SONIC_DEBUGGING_ON = y
#SONIC_PROFILING_ON = y
# DEFAULT_KERNEL_PROCURE_METHOD - default method for obtaining kernel
# build: build kernel from source
# download: download pre-built kernel from Azure storage.
DEFAULT_KERNEL_PROCURE_METHOD = build
# FRR user and group id values. These only take effect when SONIC_ROUTING_STACK is frr.
# Note: these values match the admin uid/gid of the host's admin account. If these values
# change and user doesn't want the frr uid/gid to potentially match a random user on the
# host, then either the appropriate account and group will need to be created on the host
# manually or changes need to be made when the image is built to create the account and
# group during installation.
FRR_USER_UID = 300
FRR_USER_GID = 300
# DPKG cache allows the .deb files to be stored in the cache path. This allows the submodules
# package to be cached and restored back if its commit hash is not modified and its dependencies are not modified.
# SONIC_DPKG_CACHE_METHOD - Default method of deb package caching
# none : no caching
# rwcache : Use cache if exists else build the source and update the cache
# wcache : Dont use the cache and just build the source and update the cache
# rcache : Use cache if exists, but dont update the cache
# cache : Same as rwcache
# SONIC_DPKG_CACHE_SOURCE - Stores the cache location details
SONIC_DPKG_CACHE_METHOD ?= none
SONIC_DPKG_CACHE_SOURCE ?= /var/cache/sonic/artifacts
# Default VS build memory preparation
DEFAULT_VS_PREPARE_MEM = yes
# INCLUDE_SYSTEM_TELEMETRY - build docker-sonic-telemetry for system telemetry support
INCLUDE_SYSTEM_TELEMETRY = y
# INCLUDE_ICCPD - build docker-iccpd for mclag support
INCLUDE_ICCPD = n
# INCLUDE_SFLOW - build docker-sflow for sFlow support
INCLUDE_SFLOW = y
# ENABLE_SFLOW_DROPMON - support of drop packets monitoring feature for sFlow deamon
ENABLE_SFLOW_DROPMON = n
# INCLUDE_MGMT_FRAMEWORK - build docker-sonic-mgmt-framework for CLI and REST server support
INCLUDE_MGMT_FRAMEWORK = y
# ENABLE_HOST_SERVICE_ON_START - enable sonic-host-server for mgmt-framework and/or
# telemetry containers to access host functionality by default
ENABLE_HOST_SERVICE_ON_START = y
# INCLUDE_RESTAPI - build docker-sonic-restapi for configuring the switch using REST APIs
INCLUDE_RESTAPI = n
# INCLUDE_NAT - build docker-nat for nat support
INCLUDE_NAT = y
# INCLUDE_DHCP_RELAY - build and install dhcp-relay package
INCLUDE_DHCP_RELAY = y
# INCLUDE_P4RT - build docker-p4rt for P4RT support
INCLUDE_P4RT = y
# ENABLE_AUTO_TECH_SUPPORT - Enable the configuration for event-driven techsupport & coredump mgmt feature
ENABLE_AUTO_TECH_SUPPORT = y
# ENABLE_TRANSLIB_WRITE - Enable translib write/config operations via the gNMI interface.
# Uncomment to enable:
# ENABLE_TRANSLIB_WRITE = y
# ENABLE_NATIVE_WRITE - Enable native write/config operations via the gNMI interface.
# Uncomment to enable:
# ENABLE_NATIVE_WRITE = y
# INCLUDE_MACSEC - build docker-macsec for macsec support
INCLUDE_MACSEC = y
# INCLUDE_TEAMD - build docker-teamd for LAG protocol support
INCLUDE_TEAMD ?= y
# INCLUDE_ROUTER_ADVERTISER - build docker-router-advertiser for router advertisements support
INCLUDE_ROUTER_ADVERTISER ?= y
# INCLUDE_KUBERNETES - if set to y kubernetes packages are installed to be able to
# run as worker node in kubernetes cluster.
INCLUDE_KUBERNETES ?= n
KUBE_DOCKER_PROXY = http://172.16.1.1:3128/
# KUBERNETES_VERSION - Set to the required version.
# K8s_GCR_IO_PAUSE_VERSION - Version of k8s universal pause container image
# These are Used *only* when INCLUDE_KUBERNETES=y
# NOTE: As a worker node it has to run version compatible to kubernetes master.
#
KUBERNETES_VERSION = 1.22.2-00
KUBERNETES_CNI_VERSION = 0.8.7-00
K8s_GCR_IO_PAUSE_VERSION = 3.5
# INCLUDE_KUBERNETES_MASTER - if set to y kubernetes packages are installed o be able
# to run as master node in kubernetes cluster
INCLUDE_KUBERNETES_MASTER ?= n
# MASTER_KUBERNETES_VERSION - version of k8s components
# MASTER_PAUSE_VERSION - version of pause container image
# MASTER_COREDNS_VERSION - version of coredns container image
# MASTER_ETCD_VERSION = version of etcd container image
MASTER_KUBERNETES_VERSION = 1.22.2-00
MASTER_KUBERNETES_CONTAINER_IMAGE_VERSION = v1.22.2
MASTER_PAUSE_VERSION = 3.5
MASTER_COREDNS_VERSION = v1.8.4
MASTER_ETCD_VERSION = 3.5.0-0
MASTER_CRI_DOCKERD = 0.2.5
# SONIC_ENABLE_IMAGE_SIGNATURE - enable image signature
# To not use the auto-generated self-signed certificate, the required files to sign the image as below:
# SIGNING_KEY =
# SIGNING_CERT =
# CA_CERT =
# The relative path is build root folder.
SONIC_ENABLE_IMAGE_SIGNATURE ?= n
# SONIC_ENABLE_SECUREBOOT_SIGNATURE - enable SONiC kernel signing to support UEFI secureboot
# To support UEFI secureboot chain of trust requires EFI kernel to be signed as a PE binary
# SIGNING_KEY =
# SIGNING_CERT =
# The absolute path should be provided.
SONIC_ENABLE_SECUREBOOT_SIGNATURE ?= n
# Full Secure Boot feature flags.
# SECURE_UPGRADE_DEV_SIGNING_KEY - path to development signing key, used for image signing during build
# SECURE_UPGRADE_DEV_SIGNING_CERT - path to development signing certificate, used for image signing during build
# SECURE_UPGRADE_MODE - enum value for secure upgrade mode, valid options are "dev", "prod" and "no_sign"
# SECURE_UPGRADE_PROD_SIGNING_TOOL - path to a vendor signing tool for production flow.
SECURE_UPGRADE_DEV_SIGNING_KEY = /sonic/your/private/key/path/private_key.pem
SECURE_UPGRADE_DEV_SIGNING_CERT = /sonic/your/certificate/path/cert.pem
SECURE_UPGRADE_MODE = "no_sign"
SECURE_UPGRADE_PROD_SIGNING_TOOL ?=
# PACKAGE_URL_PREFIX - the package url prefix
PACKAGE_URL_PREFIX ?= https://packages.trafficmanager.net/public/packages
# TRUSTED_GPG_URLS - the trusted gpgs, separated by comma
TRUSTED_GPG_URLS = https://packages.trafficmanager.net/debian/public_key.gpg,https://packages.microsoft.com/keys/microsoft.asc
# SONIC_VERSION_CONTROL_COMPONENTS - Valid values: none|all|components..., the components consist of one or multiple: deb,py2,py3,web,git,docker, seperated by comma
# none : disable the version control
# all : enable the version control for all components
# deb : debian packages
# py2 : python2 packages
# py3 : python3 pakcages
# web : web packages, downloaded by wget, curl
# git : git repositories, donloaded by git clone
# docker: docker base images
SONIC_VERSION_CONTROL_COMPONENTS ?= none
# MIRROR_SNAPSHOT - support mirror snapshot flag
MIRROR_SNAPSHOT ?= n
# SONiC docker registry
#
# Set the env variable ENABLE_DOCKER_BASE_PULL = y to enable pulling sonic-slave docker from registry
REGISTRY_PORT ?= 443
REGISTRY_SERVER ?= sonicdev-microsoft.azurecr.io
# BUILD_MULTIASIC_KVM - if set to y multi-asic KVM images will be generated.
BUILD_MULTIASIC_KVM = n
# INCLUDE_MUX - build docker-mux for dual ToR (Gemini)
INCLUDE_MUX = y
# ENABLE_ASAN - enable address sanitizer
ENABLE_ASAN ?= n
# reset default container registry from dockerhub to other
DEFAULT_CONTAINER_REGISTRY ?=
# INCLUDE_BOOTCHART - install systemd-bootchart
INCLUDE_BOOTCHART = y
# ENABLE_BOOTCHART - whether to enable systemd-bootchart on boot
ENABLE_BOOTCHART = n
# ENABLE_FIPS_FEATURE - support FIPS feature, only for amd64 or arm64, armhf not supported yet
# ENABLE_FIPS - support FIPS flag, if enabled, no additional config requred for the image to support FIPS
ENABLE_FIPS_FEATURE ?= y
ENABLE_FIPS ?= n
# SONIC_SLAVE_DOCKER_DRIVER - set the sonic slave docker storage driver
SONIC_SLAVE_DOCKER_DRIVER ?= vfs
# SONIC_OS_VERSION - sonic os version
SONIC_OS_VERSION ?= 11