8098bc4bf5
- Why I did it Add Secure Boot support to SONiC OS. Secure Boot (SB) is a verification mechanism for ensuring that code launched by a computer's UEFI firmware is trusted. It is designed to protect a system against malicious code being loaded and executed early in the boot process before the operating system has been loaded. - How I did it Added a signing process to sign the following components: shim, grub, Linux kernel, and kernel modules when doing the build, and when feature is enabled in build time according to the HLD explanations (the feature is disabled by default). - How to verify it There are self-verifications of each boot component when building the image, in addition, there is an existing end-to-end test in sonic-mgmt repo that checks that the boot succeeds when loading a secure system (details below). How to build a sonic image with secure boot feature: (more description in HLD) Required to use the following build flags from rules/config: SECURE_UPGRADE_MODE="dev" SECURE_UPGRADE_DEV_SIGNING_KEY="/path/to/private/key.pem" SECURE_UPGRADE_DEV_SIGNING_CERT="/path/to/cert/key.pem" After setting those flags should build the sonic-buildimage. Before installing the image, should prepared the setup (switch device) with the follow: check that the device support UEFI stored pub keys in UEFI DB enabled Secure Boot flag in UEFI How to run a test that verify the Secure Boot flow: The existing test "test_upgrade_path" under "sonic-mgmt/tests/upgrade_path/test_upgrade_path", is enough to validate proper boot You need to specify the following arguments: Base_image_list your_secure_image Taget_image_list your_second_secure_image Upgrade_type cold And run the test, basically the test will install the base image given in the parameter and then upgrade to target image by doing cold reboot and validates all the services are up and working correctly
296 lines
12 KiB
Plaintext
296 lines
12 KiB
Plaintext
###############################################################################
|
|
## Configuration parameters for SONiC build system
|
|
###############################################################################
|
|
|
|
# SONIC_CONFIG_PRINT_DEPENDENCIES - show dependencies for each invoked target.
|
|
# Before executing rule for each target its dependencies are printed to console.
|
|
# Uncomment next line to enable:
|
|
# SONIC_CONFIG_PRINT_DEPENDENCIES = y
|
|
|
|
# SONIC_CONFIG_BUILD_JOBS - set number of jobs for parallel build.
|
|
# Corresponding -j argument will be passed to make command inside docker
|
|
# container.
|
|
SONIC_CONFIG_BUILD_JOBS = 1
|
|
|
|
# SONIC_CONFIG_MAKE_JOBS - set number of parallel make jobs per package.
|
|
# Corresponding -j argument will be passed to make/dpkg commands that build separate packages
|
|
SONIC_CONFIG_MAKE_JOBS = $(shell nproc)
|
|
|
|
# DEFAULT_BUILD_LOG_TIMESTAMP - add timestamp in build log
|
|
# Supported format: simple, none
|
|
DEFAULT_BUILD_LOG_TIMESTAMP = none
|
|
|
|
# SONIC_USE_DOCKER_BUILDKIT - use docker buildkit for build.
|
|
# If set to y SONiC build system will set environment variable DOCKER_BUILDKIT=1
|
|
# to enable docker buildkit.
|
|
# This options will speed up docker image build time.
|
|
# NOTE: SONIC_USE_DOCKER_BUILDKIT will produce larger installable SONiC image
|
|
# because of a docker bug (more details: https://github.com/moby/moby/issues/38903)
|
|
# SONIC_USE_DOCKER_BUILDKIT = y
|
|
|
|
# SONIC_CONFIG_USE_NATIVE_DOCKERD_FOR_BUILD - use native dockerd for build.
|
|
# If set to y SONiC build container will use native dockerd instead of dind for faster build.
|
|
# Special handling of the docker image file names is needed to avoid conflicts with
|
|
# other SONiC build jobs on the same server. This requires changes to the Dockerfile.j2 FROM statement
|
|
# in the dockers/ and platform/ subdirs to use a variable reference instead of an explicit image name.
|
|
# SONIC_CONFIG_USE_NATIVE_DOCKERD_FOR_BUILD = y
|
|
|
|
# SONIC_CONFIG_ENABLE_COLORS - enable colored output in build system.
|
|
# Comment next line to disable:
|
|
# SONIC_CONFIG_ENABLE_COLORS = y
|
|
|
|
# CHANGE_DEFAULT_PASSWORD - enforce default user/users to change password on 1st login
|
|
CHANGE_DEFAULT_PASSWORD ?= n
|
|
|
|
# DEFAULT_USERNAME - default username for installer build
|
|
DEFAULT_USERNAME = admin
|
|
|
|
# DEFAULT_PASSWORD - default password for installer build
|
|
DEFAULT_PASSWORD = YourPaSsWoRd
|
|
|
|
# ENABLE_DHCP_GRAPH_SERVICE - specify the source of minigraph to generate configuration file.
|
|
# If set to y SONiC will get the minigraph from graph service. Graph service URL need to be
|
|
# passed through DHCP option 225.
|
|
# If not set (default behavior) the default minigraph built into the image will be used.
|
|
# ENABLE_DHCP_GRAPH_SERVICE = y
|
|
|
|
# ENABLE_ZTP - installs Zero Touch Provisioning support.
|
|
# ENABLE_ZTP = y
|
|
|
|
# INCLUDE_PDE - Enable platform development enviroment
|
|
# INCLUDE_PDE = y
|
|
# SHUTDOWN_BGP_ON_START - if set to y all bgp sessions will be in admin down state when
|
|
# bgp service starts.
|
|
# SHUTDOWN_BGP_ON_START = y
|
|
|
|
# ENABLE_PFCWD_ON_START - if set to y PFC Watchdog (PFCWD) will be enabled all server-facing ports
|
|
# by default for TOR switch
|
|
# ENABLE_PFCWD_ON_START = y
|
|
|
|
# INSTALL_DEBUG_TOOLS - installs debugging tools in baseline docker
|
|
# Uncomment next line to enable:
|
|
# INSTALL_DEBUG_TOOLS = y
|
|
|
|
# SONIC_USE_PDDF_FRAMEWORK - Use PDDF generic drivers and plugins
|
|
# Uncomment next line to enable:
|
|
SONIC_USE_PDDF_FRAMEWORK = y
|
|
|
|
# SONIC_ROUTING_STACK - specify the routing-stack being elected to drive SONiC's control-plane.
|
|
# Supported routing stacks on SONiC are:
|
|
# routing-stacks: frr.
|
|
SONIC_ROUTING_STACK = frr
|
|
|
|
# ENABLE_SYNCD_RPC - build docker-syncd with rpc packages for testing purposes.
|
|
# Uncomment to enable:
|
|
# ENABLE_SYNCD_RPC = y
|
|
|
|
# Enable Origanization Extensions - Specific to the deployment scenarios of the Organization
|
|
ENABLE_ORGANIZATION_EXTENSIONS = y
|
|
|
|
# Debugging option allows sonic debian packages to get built including symbols
|
|
# information. Profiling option, disables compiler optimizations (-O0) as well
|
|
# as includes symbols information. Given that 'profiling' option is a superset
|
|
# of 'debugging' one, user should only enable either one option or the other --
|
|
# if both options are enabled, the 'profiling' one will prevail.
|
|
#SONIC_DEBUGGING_ON = y
|
|
#SONIC_PROFILING_ON = y
|
|
|
|
# DEFAULT_KERNEL_PROCURE_METHOD - default method for obtaining kernel
|
|
# build: build kernel from source
|
|
# download: download pre-built kernel from Azure storage.
|
|
DEFAULT_KERNEL_PROCURE_METHOD = build
|
|
|
|
# FRR user and group id values. These only take effect when SONIC_ROUTING_STACK is frr.
|
|
# Note: these values match the admin uid/gid of the host's admin account. If these values
|
|
# change and user doesn't want the frr uid/gid to potentially match a random user on the
|
|
# host, then either the appropriate account and group will need to be created on the host
|
|
# manually or changes need to be made when the image is built to create the account and
|
|
# group during installation.
|
|
FRR_USER_UID = 300
|
|
FRR_USER_GID = 300
|
|
|
|
# DPKG cache allows the .deb files to be stored in the cache path. This allows the submodules
|
|
# package to be cached and restored back if its commit hash is not modified and its dependencies are not modified.
|
|
# SONIC_DPKG_CACHE_METHOD - Default method of deb package caching
|
|
# none : no caching
|
|
# rwcache : Use cache if exists else build the source and update the cache
|
|
# wcache : Dont use the cache and just build the source and update the cache
|
|
# rcache : Use cache if exists, but dont update the cache
|
|
# cache : Same as rwcache
|
|
# SONIC_DPKG_CACHE_SOURCE - Stores the cache location details
|
|
SONIC_DPKG_CACHE_METHOD ?= none
|
|
SONIC_DPKG_CACHE_SOURCE ?= /var/cache/sonic/artifacts
|
|
|
|
# Default VS build memory preparation
|
|
DEFAULT_VS_PREPARE_MEM = yes
|
|
|
|
|
|
# INCLUDE_SYSTEM_TELEMETRY - build docker-sonic-telemetry for system telemetry support
|
|
INCLUDE_SYSTEM_TELEMETRY = y
|
|
|
|
# INCLUDE_ICCPD - build docker-iccpd for mclag support
|
|
INCLUDE_ICCPD = n
|
|
|
|
# INCLUDE_SFLOW - build docker-sflow for sFlow support
|
|
INCLUDE_SFLOW = y
|
|
|
|
# ENABLE_SFLOW_DROPMON - support of drop packets monitoring feature for sFlow deamon
|
|
ENABLE_SFLOW_DROPMON = n
|
|
|
|
# INCLUDE_MGMT_FRAMEWORK - build docker-sonic-mgmt-framework for CLI and REST server support
|
|
INCLUDE_MGMT_FRAMEWORK = y
|
|
|
|
# ENABLE_HOST_SERVICE_ON_START - enable sonic-host-server for mgmt-framework and/or
|
|
# telemetry containers to access host functionality by default
|
|
ENABLE_HOST_SERVICE_ON_START = y
|
|
|
|
# INCLUDE_RESTAPI - build docker-sonic-restapi for configuring the switch using REST APIs
|
|
INCLUDE_RESTAPI = n
|
|
|
|
# INCLUDE_NAT - build docker-nat for nat support
|
|
INCLUDE_NAT = y
|
|
|
|
# INCLUDE_DHCP_RELAY - build and install dhcp-relay package
|
|
INCLUDE_DHCP_RELAY = y
|
|
|
|
# INCLUDE_P4RT - build docker-p4rt for P4RT support
|
|
INCLUDE_P4RT = y
|
|
|
|
# ENABLE_AUTO_TECH_SUPPORT - Enable the configuration for event-driven techsupport & coredump mgmt feature
|
|
ENABLE_AUTO_TECH_SUPPORT = y
|
|
|
|
# ENABLE_TRANSLIB_WRITE - Enable translib write/config operations via the gNMI interface.
|
|
# Uncomment to enable:
|
|
# ENABLE_TRANSLIB_WRITE = y
|
|
|
|
# ENABLE_NATIVE_WRITE - Enable native write/config operations via the gNMI interface.
|
|
# Uncomment to enable:
|
|
# ENABLE_NATIVE_WRITE = y
|
|
|
|
# INCLUDE_MACSEC - build docker-macsec for macsec support
|
|
INCLUDE_MACSEC = y
|
|
|
|
# INCLUDE_TEAMD - build docker-teamd for LAG protocol support
|
|
INCLUDE_TEAMD ?= y
|
|
|
|
# INCLUDE_ROUTER_ADVERTISER - build docker-router-advertiser for router advertisements support
|
|
INCLUDE_ROUTER_ADVERTISER ?= y
|
|
|
|
# INCLUDE_KUBERNETES - if set to y kubernetes packages are installed to be able to
|
|
# run as worker node in kubernetes cluster.
|
|
INCLUDE_KUBERNETES ?= n
|
|
|
|
KUBE_DOCKER_PROXY = http://172.16.1.1:3128/
|
|
|
|
# KUBERNETES_VERSION - Set to the required version.
|
|
# K8s_GCR_IO_PAUSE_VERSION - Version of k8s universal pause container image
|
|
# These are Used *only* when INCLUDE_KUBERNETES=y
|
|
# NOTE: As a worker node it has to run version compatible to kubernetes master.
|
|
#
|
|
KUBERNETES_VERSION = 1.22.2-00
|
|
K8s_GCR_IO_PAUSE_VERSION = 3.5
|
|
|
|
# INCLUDE_KUBERNETES_MASTER - if set to y kubernetes packages are installed o be able
|
|
# to run as master node in kubernetes cluster
|
|
INCLUDE_KUBERNETES_MASTER ?= n
|
|
|
|
# MASTER_KUBERNETES_VERSION - version of k8s components
|
|
# MASTER_PAUSE_VERSION - version of pause container image
|
|
# MASTER_COREDNS_VERSION - version of coredns container image
|
|
# MASTER_ETCD_VERSION = version of etcd container image
|
|
MASTER_KUBERNETES_VERSION = 1.22.2-00
|
|
MASTER_KUBERNETES_CONTAINER_IMAGE_VERSION = v1.22.2
|
|
MASTER_PAUSE_VERSION = 3.5
|
|
MASTER_COREDNS_VERSION = v1.8.4
|
|
MASTER_ETCD_VERSION = 3.5.0-0
|
|
MASTER_CRI_DOCKERD = 0.2.5
|
|
|
|
# SONIC_ENABLE_IMAGE_SIGNATURE - enable image signature
|
|
# To not use the auto-generated self-signed certificate, the required files to sign the image as below:
|
|
# SIGNING_KEY =
|
|
# SIGNING_CERT =
|
|
# CA_CERT =
|
|
# The relative path is build root folder.
|
|
SONIC_ENABLE_IMAGE_SIGNATURE ?= n
|
|
|
|
# SONIC_ENABLE_SECUREBOOT_SIGNATURE - enable SONiC kernel signing to support UEFI secureboot
|
|
# To support UEFI secureboot chain of trust requires EFI kernel to be signed as a PE binary
|
|
# SIGNING_KEY =
|
|
# SIGNING_CERT =
|
|
# The absolute path should be provided.
|
|
SONIC_ENABLE_SECUREBOOT_SIGNATURE ?= n
|
|
|
|
# Full Secure Boot feature flags.
|
|
# SECURE_UPGRADE_DEV_SIGNING_KEY - path to development signing key, used for image signing during build
|
|
# SECURE_UPGRADE_DEV_SIGNING_CERT - path to development signing certificate, used for image signing during build
|
|
# SECURE_UPGRADE_MODE - enum value for secure upgrade mode, valid options are "dev", "prod" and "no_sign"
|
|
# SECURE_UPGRADE_PROD_SIGNING_TOOL - path to a vendor signing tool for production flow.
|
|
SECURE_UPGRADE_DEV_SIGNING_KEY = /sonic/your/private/key/path/private_key.pem
|
|
SECURE_UPGRADE_DEV_SIGNING_CERT = /sonic/your/certificate/path/cert.pem
|
|
SECURE_UPGRADE_MODE = "no_sign"
|
|
SECURE_UPGRADE_PROD_SIGNING_TOOL ?=
|
|
# PACKAGE_URL_PREFIX - the package url prefix
|
|
PACKAGE_URL_PREFIX ?= https://packages.trafficmanager.net/public/packages
|
|
|
|
# TRUSTED_GPG_URLS - the trusted gpgs, separated by comma
|
|
TRUSTED_GPG_URLS = https://packages.trafficmanager.net/debian/public_key.gpg,https://packages.microsoft.com/keys/microsoft.asc
|
|
|
|
# SONIC_VERSION_CONTROL_COMPONENTS - Valid values: none|all|components..., the components consist of one or multiple: deb,py2,py3,web,git,docker, seperated by comma
|
|
# none : disable the version control
|
|
# all : enable the version control for all components
|
|
# deb : debian packages
|
|
# py2 : python2 packages
|
|
# py3 : python3 pakcages
|
|
# web : web packages, downloaded by wget, curl
|
|
# git : git repositories, donloaded by git clone
|
|
# docker: docker base images
|
|
SONIC_VERSION_CONTROL_COMPONENTS ?= none
|
|
|
|
# MIRROR_SNAPSHOT - support mirror snapshot flag
|
|
MIRROR_SNAPSHOT ?= n
|
|
|
|
# SONIC_VERSION_CACHE allows the .deb,.py, wget, git, docker and go files to be stored in the cache path. This allows the submodules to
|
|
# cache standard installation package and restored back to avoid the package download every time.
|
|
# SONIC_VERSION_CACHE - Method of deb package caching
|
|
# none : no caching
|
|
# cache : Use cache if exists else build the source and update the cache
|
|
# SONIC_VERSION_CACHE_SOURCE - Defines the version cache location details
|
|
SONIC_VERSION_CACHE_METHOD ?= none
|
|
SONIC_VERSION_CACHE_SOURCE ?= $(SONIC_DPKG_CACHE_SOURCE)/vcache
|
|
|
|
# SONiC docker registry
|
|
#
|
|
# Set the env variable ENABLE_DOCKER_BASE_PULL = y to enable pulling sonic-slave docker from registry
|
|
REGISTRY_PORT ?= 443
|
|
REGISTRY_SERVER ?= sonicdev-microsoft.azurecr.io
|
|
|
|
# BUILD_MULTIASIC_KVM - if set to y multi-asic KVM images will be generated.
|
|
BUILD_MULTIASIC_KVM = n
|
|
|
|
# INCLUDE_MUX - build docker-mux for dual ToR (Gemini)
|
|
INCLUDE_MUX = y
|
|
|
|
# ENABLE_ASAN - enable address sanitizer
|
|
ENABLE_ASAN ?= n
|
|
|
|
# reset default container registry from dockerhub to other
|
|
DEFAULT_CONTAINER_REGISTRY ?=
|
|
|
|
# INCLUDE_BOOTCHART - install systemd-bootchart
|
|
INCLUDE_BOOTCHART = y
|
|
|
|
# ENABLE_BOOTCHART - whether to enable systemd-bootchart on boot
|
|
ENABLE_BOOTCHART = n
|
|
|
|
# ENABLE_FIPS_FEATURE - support FIPS feature, only for amd64 or arm64, armhf not supported yet
|
|
# ENABLE_FIPS - support FIPS flag, if enabled, no additional config requred for the image to support FIPS
|
|
ENABLE_FIPS_FEATURE ?= y
|
|
ENABLE_FIPS ?= n
|
|
|
|
# SONIC_SLAVE_DOCKER_DRIVER - set the sonic slave docker storage driver
|
|
SONIC_SLAVE_DOCKER_DRIVER ?= vfs
|
|
|
|
# GZ_COMPRESS_PROGRAM - select pigz (a parallel implementation of gzip) to reduce a build time
|
|
# and speed up a decompression of docker images on target system
|
|
GZ_COMPRESS_PROGRAM ?= gzip
|