a45a71f533
- What I did Added support for secure upgrade. - How I did it During sonic_installer install, added secure upgrade image verification. HLD can be found in the following PR: sonic-net/SONiC#1024 - Why I did it Feature is used to allow image was not modified since built from vendor. During installation, image can be verified with a signature attached to it. - How I did it Feature includes image signing during build (in sonic buildimage repo) and verification during image install (in sonic-utilities). - How to verify it In order for image verification - image must be signed - need to provide signing key and certificate (paths in SECURE_UPGRADE_DEV_SIGNING_KEY and SECURE_UPGRADE_DEV_SIGNING_CERT in rules/config) during build , and during image install, need to enable secure boot flag in bios, and signing_certificate should be available in bios. - Feature dependencies In order for this feature to work smoothly, need to have secure boot feature implemented as well. The Secure boot feature will be merged in the near future. |
||
---|---|---|
.. | ||
j2cli | ||
build_debian_base_system.sh | ||
build_kvm_image.sh | ||
build_mirror_config.sh | ||
collect_build_version_files.sh | ||
collect_docker_version_files.sh | ||
collect_host_image_version_files.sh | ||
convert-pfx-cert-format.sh | ||
dbg_files.sh | ||
docker_version_control.sh | ||
efi-sign.sh | ||
generate_buildinfo_config.sh | ||
prepare_debian_image_buildinfo.sh | ||
prepare_docker_buildinfo.sh | ||
prepare_slave_container_buildinfo.sh | ||
process_log.sh | ||
run_with_retry | ||
secure_boot_signature_verification.sh | ||
sign_image_dev.sh | ||
sign_image.sh | ||
signing_kernel_modules.sh | ||
signing_secure_boot_dev.sh | ||
versions_manager.py | ||
wait_for_docker.sh |