matthew/sonic-buildimage
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity
ccf1cd57ca
sonic-buildimage/build_image.sh
ycoheNvidia ccf1cd57ca
Add support for secure upgrade (#11862) 
- What I did
Added support for secure upgrade.

- How I did it
During sonic_installer install, added secure upgrade image verification.
HLD can be found in the following PR: sonic-net/SONiC#1024

- Why I did it
Feature is used to allow image was not modified since built from vendor. During installation, image can be verified with a signature attached to it.

- How I did it
Feature includes image signing during build (in sonic buildimage repo) and verification during image install (in sonic-utilities).

- How to verify it
In order for image verification - image must be signed - need to provide signing key and certificate (paths in SECURE_UPGRADE_DEV_SIGNING_KEY and SECURE_UPGRADE_DEV_SIGNING_CERT in rules/config) during build , and during image install, need to enable secure boot flag in bios, and signing_certificate should be available in bios.

- Feature dependencies
In order for this feature to work smoothly, need to have secure boot feature implemented as well.
The Secure boot feature will be merged in the near future.
2023-06-26 12:04:40 +03:00

224 lines
7.1 KiB
Bash
Executable File
Raw Blame History

#!/bin/bash
## This script is to generate an ONIE installer image based on a file system overload
## Enable debug output for script
set -x -e
## Read ONIE image related config file
CONFIGURED_ARCH=$([ -f .arch ] && cat .arch || echo amd64)
if [[ $CONFIGURED_ARCH == armhf || $CONFIGURED_ARCH == arm64 ]]; then
. ./onie-image-${CONFIGURED_ARCH}.conf
else
. ./onie-image.conf
fi
[ -n "$ONIE_IMAGE_PART_SIZE" ] || {
echo "Error: Invalid ONIE_IMAGE_PART_SIZE in onie image config file"
exit 1
}
[ -n "$ONIE_INSTALLER_PAYLOAD" ] || {
echo "Error: Invalid ONIE_INSTALLER_PAYLOAD in onie image config file"
exit 1
}
IMAGE_VERSION="${SONIC_IMAGE_VERSION}"
generate_kvm_image()
{
NUM_ASIC=$1
if [ $NUM_ASIC == 4 ]; then
KVM_IMAGE=$OUTPUT_KVM_4ASIC_IMAGE
RECOVERY_ISO=$onie_recovery_kvm_4asic_image
elif [ $NUM_ASIC == 6 ]; then
KVM_IMAGE=$OUTPUT_KVM_6ASIC_IMAGE
RECOVERY_ISO=$onie_recovery_kvm_6asic_image
else
KVM_IMAGE=$OUTPUT_KVM_IMAGE
RECOVERY_ISO=$onie_recovery_image
NUM_ASIC=1
fi
echo "Build $NUM_ASIC-asic KVM image"
KVM_IMAGE_DISK=${KVM_IMAGE%.gz}
sudo rm -f $KVM_IMAGE_DISK $KVM_IMAGE_DISK.gz
SONIC_USERNAME=$USERNAME PASSWD=$PASSWORD sudo -E ./scripts/build_kvm_image.sh $KVM_IMAGE_DISK $RECOVERY_ISO $OUTPUT_ONIE_IMAGE $KVM_IMAGE_DISK_SIZE
if [ $? -ne 0 ]; then
echo "Error : build kvm image failed"
exit 1
fi
[ -r $KVM_IMAGE_DISK ] || {
echo "Error : $KVM_IMAGE_DISK not generated!"
exit 1
}
$GZ_COMPRESS_PROGRAM $KVM_IMAGE_DISK
[ -r $KVM_IMAGE_DISK.gz ] || {
echo "Error : $GZ_COMPRESS_PROGRAM $KVM_IMAGE_DISK failed!"
exit 1
}
echo "The compressed kvm image is in $KVM_IMAGE_DISK.gz"
}
generate_onie_installer_image()
{
output_file=$OUTPUT_ONIE_IMAGE
[ -n "$1" ] && output_file=$1
# Copy platform-specific ONIE installer config files where onie-mk-demo.sh expects them
rm -rf ./installer/platforms/
mkdir -p ./installer/platforms/
for VENDOR in `ls ./device`; do
for PLATFORM in `ls ./device/$VENDOR | grep ^${TARGET_PLATFORM}`; do
if [ -f ./device/$VENDOR/$PLATFORM/installer.conf ]; then
cp ./device/$VENDOR/$PLATFORM/installer.conf ./installer/platforms/$PLATFORM
fi
done
done
## Generate an ONIE installer image
## Note: Don't leave blank between lines. It is single line command.
./onie-mk-demo.sh $CONFIGURED_ARCH $TARGET_MACHINE $TARGET_PLATFORM-$TARGET_MACHINE-$ONIEIMAGE_VERSION \
installer platform/$TARGET_MACHINE/platform.conf $output_file OS $IMAGE_VERSION $ONIE_IMAGE_PART_SIZE \
$ONIE_INSTALLER_PAYLOAD $SECURE_UPGRADE_SIGNING_CERT $SECURE_UPGRADE_DEV_SIGNING_KEY
}
# Generate asic-specific device list
generate_device_list()
{
local platforms_asic=$1
# Create an empty function, and later append to it
echo -n > $platforms_asic
for d in `find -L ./device -maxdepth 2 -mindepth 2 -type d`; do
if [ -f $d/platform_asic ]; then
if [ "$TARGET_MACHINE" = "generic" ] || grep -Fxq "$TARGET_MACHINE" $d/platform_asic; then
echo "${d##*/}" >> "$platforms_asic";
fi;
fi;
done
}
if [ "$IMAGE_TYPE" = "onie" ]; then
echo "Build ONIE installer"
mkdir -p `dirname $OUTPUT_ONIE_IMAGE`
sudo rm -f $OUTPUT_ONIE_IMAGE
generate_device_list "./installer/platforms_asic"
generate_onie_installer_image
## Build a raw partition dump image using the ONIE installer that can be
## used to dd' in-lieu of using the onie-nos-installer. Used while migrating
## into SONiC from other NOS.
elif [ "$IMAGE_TYPE" = "raw" ]; then
echo "Build RAW image"
tmp_output_onie_image=${OUTPUT_ONIE_IMAGE}.tmp
mkdir -p `dirname $OUTPUT_RAW_IMAGE`
sudo rm -f $OUTPUT_RAW_IMAGE
generate_device_list "./installer/platforms_asic"
generate_onie_installer_image "$tmp_output_onie_image"
echo "Creating SONiC raw partition : $OUTPUT_RAW_IMAGE of size $RAW_IMAGE_DISK_SIZE MB"
fallocate -l "$RAW_IMAGE_DISK_SIZE"M $OUTPUT_RAW_IMAGE
# ensure proc is mounted
sudo mount proc /proc -t proc || true
## Generate a partition dump that can be used to 'dd' in-lieu of using the onie-nos-installer
## Run the installer
## The 'build' install mode of the installer is used to generate this dump.
sudo chmod a+x $tmp_output_onie_image
sudo ./$tmp_output_onie_image
rm $tmp_output_onie_image
[ -r $OUTPUT_RAW_IMAGE ] || {
echo "Error : $OUTPUT_RAW_IMAGE not generated!"
exit 1
}
$GZ_COMPRESS_PROGRAM $OUTPUT_RAW_IMAGE
[ -r $OUTPUT_RAW_IMAGE.gz ] || {
echo "Error : $GZ_COMPRESS_PROGRAM $OUTPUT_RAW_IMAGE failed!"
exit 1
}
mv $OUTPUT_RAW_IMAGE.gz $OUTPUT_RAW_IMAGE
echo "The compressed raw image is in $OUTPUT_RAW_IMAGE"
elif [ "$IMAGE_TYPE" = "kvm" ]; then
generate_device_list "./installer/platforms_asic"
generate_onie_installer_image
# Generate single asic KVM image
generate_kvm_image
if [ "$BUILD_MULTIASIC_KVM" == "y" ]; then
# Genrate 4-asic KVM image
generate_kvm_image 4
# Generate 6-asic KVM image
generate_kvm_image 6
fi
## Use 'aboot' as target machine category which includes Aboot as bootloader
elif [ "$IMAGE_TYPE" = "aboot" ]; then
echo "Build Aboot installer"
mkdir -p `dirname $OUTPUT_ABOOT_IMAGE`
sudo rm -f $OUTPUT_ABOOT_IMAGE
sudo rm -f $ABOOT_BOOT_IMAGE
## Add main payload
cp $ONIE_INSTALLER_PAYLOAD $OUTPUT_ABOOT_IMAGE
## Add Aboot boot0 file
j2 -f env files/Aboot/boot0.j2 ./onie-image.conf > files/Aboot/boot0
sed -i -e "s/%%IMAGE_VERSION%%/$IMAGE_VERSION/g" files/Aboot/boot0
pushd files/Aboot && zip -g $OLDPWD/$OUTPUT_ABOOT_IMAGE boot0; popd
pushd files/Aboot && zip -g $OLDPWD/$ABOOT_BOOT_IMAGE boot0; popd
pushd files/image_config/secureboot && zip -g $OLDPWD/$OUTPUT_ABOOT_IMAGE allowlist_paths.conf; popd
echo "$IMAGE_VERSION" >> .imagehash
zip -g $OUTPUT_ABOOT_IMAGE .imagehash
zip -g $ABOOT_BOOT_IMAGE .imagehash
rm .imagehash
echo "SWI_VERSION=42.0.0" > version
echo "BUILD_DATE=$(date -d "${build_date}" -u +%Y%m%dT%H%M%SZ)" >> version
echo "SWI_MAX_HWEPOCH=2" >> version
echo "SWI_VARIANT=US" >> version
zip -g $OUTPUT_ABOOT_IMAGE version
zip -g $ABOOT_BOOT_IMAGE version
rm version
generate_device_list ".platforms_asic"
zip -g $OUTPUT_ABOOT_IMAGE .platforms_asic
if [ "$ENABLE_FIPS" = "y" ]; then
echo "sonic_fips=1" >> kernel-cmdline-append
else
echo "sonic_fips=0" >> kernel-cmdline-append
fi
zip -g $OUTPUT_ABOOT_IMAGE kernel-cmdline-append
rm kernel-cmdline-append
zip -g $OUTPUT_ABOOT_IMAGE $ABOOT_BOOT_IMAGE
rm $ABOOT_BOOT_IMAGE
if [ "$SONIC_ENABLE_IMAGE_SIGNATURE" = "y" ]; then
TARGET_CA_CERT="$TARGET_PATH/ca.cert"
rm -f "$TARGET_CA_CERT"
[ -f "$CA_CERT" ] && cp "$CA_CERT" "$TARGET_CA_CERT"
./scripts/sign_image.sh -i "$OUTPUT_ABOOT_IMAGE" -k "$SIGNING_KEY" -c "$SIGNING_CERT" -a "$TARGET_CA_CERT"
fi
else
echo "Error: Non supported image type $IMAGE_TYPE"
exit 1
fi
Reference in New Issue View Git Blame Copy Permalink