matthew/sonic-buildimage
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
This repository has been archived on 2025-03-20. You can view files and clone it, but cannot push or open issues or pull requests.
8098bc4bf5
sonic-buildimage/scripts/signing_secure_boot_dev.sh
davidpil2002 8098bc4bf5
Add Secure Boot Support (#12692) 
- Why I did it
Add Secure Boot support to SONiC OS.
Secure Boot (SB) is a verification mechanism for ensuring that code launched by a computer's UEFI firmware is trusted. It is designed to protect a system against malicious code being loaded and executed early in the boot process before the operating system has been loaded.

- How I did it
Added a signing process to sign the following components:
shim, grub, Linux kernel, and kernel modules when doing the build, and when feature is enabled in build time according to the HLD explanations (the feature is disabled by default).

- How to verify it
There are self-verifications of each boot component when building the image, in addition, there is an existing end-to-end test in sonic-mgmt repo that checks that the boot succeeds when loading a secure system (details below).

How to build a sonic image with secure boot feature: (more description in HLD)

Required to use the following build flags from rules/config:
SECURE_UPGRADE_MODE="dev"
SECURE_UPGRADE_DEV_SIGNING_KEY="/path/to/private/key.pem"
SECURE_UPGRADE_DEV_SIGNING_CERT="/path/to/cert/key.pem"
After setting those flags should build the sonic-buildimage.
Before installing the image, should prepared the setup (switch device) with the follow:
check that the device support UEFI
stored pub keys in UEFI DB

enabled Secure Boot flag in UEFI
How to run a test that verify the Secure Boot flow:
The existing test "test_upgrade_path" under "sonic-mgmt/tests/upgrade_path/test_upgrade_path", is enough to validate proper boot
You need to specify the following arguments:
Base_image_list your_secure_image
Taget_image_list your_second_secure_image
Upgrade_type cold
And run the test, basically the test will install the base image given in the parameter and then upgrade to target image by doing cold reboot and validates all the services are up and working correctly
2023-03-14 14:55:22 +02:00

122 lines
3.3 KiB
Bash
Executable File
Raw Blame History

#!/bin/bash
# This script is signing boot components: shim, mmx, grub, kernel and kernel modules in development env.
## Enable debug output for script & exit code when failing occurs
set -x -e
print_usage() {
cat <<EOF
$0: Usage
$0 -r <FS_ROOT> -l <LINUX_KERNEL_VERSION> -c <PEM_CERT> -p <PEM_PRIV_KEY>
EOF
}
clean_file() {
if [ -f $1 ]; then
echo "clean old file named: $1"
echo "rm -f $1"
rm -f $1
fi
}
while getopts 'a:r:l:c:p:hv' flag; do
case "${flag}" in
a) CONFIGURED_ARCH="${OPTARG}" ;;
r) FS_ROOT="${OPTARG}" ;;
l) LINUX_KERNEL_VERSION="${OPTARG}" ;;
c) PEM_CERT="${OPTARG}" ;;
p) PEM_PRIV_KEY="${OPTARG}" ;;
v) VERBOSE='true' ;;
h) print_usage
exit 1 ;;
esac
done
if [ $OPTIND -eq 1 ]; then echo "no options were pass"; print_usage; exit 1 ;fi
echo "$0 signing & verifying EFI files and Kernel Modules start ..."
if [ -z ${CONFIGURED_ARCH} ]; then
echo "ERROR: CONFIGURED_ARCH=${CONFIGURED_ARCH} is empty"
print_usage
exit 1
fi
if [ -z ${FS_ROOT} ]; then
echo "ERROR: FS_ROOT=${FS_ROOT} is empty"
print_usage
exit 1
fi
if [ -z ${LINUX_KERNEL_VERSION} ]; then
echo "ERROR: LINUX_KERNEL_VERSION=${LINUX_KERNEL_VERSION} is empty"
print_usage
exit 1
fi
if [ ! -f "${PEM_CERT}" ]; then
echo "ERROR: PEM_CERT=${PEM_CERT} file does not exist"
print_usage
exit 1
fi
if [ ! -f "${PEM_PRIV_KEY}" ]; then
echo "ERROR: PEM_PRIV_KEY=${PEM_PRIV_KEY} file does not exist"
print_usage
exit 1
fi
# efi-sign.sh is used to sign: shim, mmx, grub, and kernel (vmlinuz)
EFI_SIGNING=scripts/efi-sign.sh
# ######################################
# Signing EFI files: mm, shim, grub
# #####################################
efi_file_list=$(sudo find ${KERNEL_MODULES_DIR} -name "*.efi")
for efi in $efi_file_list
do
# grep filename from full path
efi_filename=$(echo $efi | grep -o '[^/]*$')
if echo $efi_filename | grep -e "shim" -e "grub" -e "mm"; then
clean_file ${efi}-signed
echo "signing efi file - full path: ${efi} filename: ${efi_filename}"
echo "sudo ${EFI_SIGNING} -p $PEM_PRIV_KEY -c $PEM_CERT -e ${efi} -s ${efi}-signed"
${EFI_SIGNING} -p $PEM_PRIV_KEY -c $PEM_CERT -e ${efi} -s ${efi}-signed
# cp shim & mmx signed files to boot directory in the fs.
cp ${efi}-signed $FS_ROOT/boot/${efi_filename}
# verifying signature of mm & shim efi files.
./scripts/secure_boot_signature_verification.sh -c $PEM_CERT -e $FS_ROOT/boot/${efi_filename}
fi
done
######################
## vmlinuz signing
######################
CURR_VMLINUZ=$FS_ROOT/boot/vmlinuz-${LINUX_KERNEL_VERSION}-${CONFIGURED_ARCH}
# clean old files
clean_file ${CURR_VMLINUZ}-signed
echo "signing ${CURR_VMLINUZ} .."
${EFI_SIGNING} -p $PEM_PRIV_KEY -c $PEM_CERT -e ${CURR_VMLINUZ} -s ${CURR_VMLINUZ}-signed
# rename signed vmlinuz with the name vmlinuz without signed suffix
mv ${CURR_VMLINUZ}-signed ${CURR_VMLINUZ}
./scripts/secure_boot_signature_verification.sh -c $PEM_CERT -e ${CURR_VMLINUZ}
#########################
# Kernel Modules signing
#########################
./scripts/signing_kernel_modules.sh -l $LINUX_KERNEL_VERSION -c ${PEM_CERT} -p ${PEM_PRIV_KEY} -k ${FS_ROOT}
echo "$0 signing & verifying EFI files and Kernel Modules DONE"
Reference in New Issue View Git Blame Copy Permalink