sonic-buildimage/sonic-slave-bullseye
Sachin Naik 749bbb6ea4 secureboot: Enable signing SONiC kernel (#10557)
Why I did it
To sign the SONiC kernel image and allow a secure boot based system to verify the SONiC image before loading it into the system.

How I did it
Pass the following parameters to rules/config.user
Ex:
SONIC_ENABLE_SECUREBOOT_SIGNATURE := y
SIGNING_KEY := /path/to/key/private.key
SIGNING_CERT := /path/to/public/public.cert

How to verify it
A secure boot enabled system enrolled with the right public key of the image in the platform UEFI database will be able to verify the image before load.

Alternatively, one can verify with the offline sbsign tool as below.

export SBSIGN_KEY=/abc/bcd/xyz/
sbverify --cert $SBSIGN_KEY/public_cert.cert fsroot-platform-XYZ/boot/vmlinuz-5.10.0-8-2-amd64 mage

O/P:
Signature verification OK
2022-04-24 21:13:32 -07:00
..
Dockerfile.j2 secureboot: Enable signing SONiC kernel (#10557) 2022-04-24 21:13:32 -07:00
Dockerfile.user.j2 Define the Bullseye-based slave container 2021-07-15 00:02:18 -07:00
no-check-valid-until Define the Bullseye-based slave container 2021-07-15 00:02:18 -07:00
sonic-jenkins-id_rsa.pub Define the Bullseye-based slave container 2021-07-15 00:02:18 -07:00