Skip to content

Commit

Permalink
[Secure Boot] Add support of secure warm-boot (sonic-net#2532)
Browse files Browse the repository at this point in the history
- What I did
Add support of secure warm-boot to SONiC.
Basically, warm-boot is supporting to load a new kernel without doing full/cold boot.
That is by loading a new kernel and exec with kexec Linux command. As a result of that, even when the Secure Boot feature is enabled, still a user or a malicious user can load an unsigned kernel, so to avoid that we added the support of the secure warm boot.
More Description about this feature can be found in the Secure Boot HLD: sonic-net/SONiC#1028

- How I did it
In general, Linux support it, so I enabled this support by doing the follow steps:

I added some special flags in Linux Kernel when user build the sonic-buildimage with secure boot feature enabled.
I added a flag "-s" to the kexec command
Note: more details in the HLD above.

- How to verify it
* Good flow:
manually just install with sonic-installed a new secure image (a SONiC image that was build with Secure Boot flag enabled)
after the secure image is installed, do:
warm-reboot
Check now that the new kernel is really loaded and switched.
* Bad flow:
Do the same steps 1-2 as a good flow but with an insecure image (SONiC image that was built without setting Secure Boot enabled)
After the insecure image is installed, and triggered warm-boot you should get an error that the new unsigned kernel from the unsecured image was not loaded.
Automation test - TBD
  • Loading branch information
davidpil2002 authored and DavidZagury committed May 7, 2023
1 parent 86e3e00 commit d300e26
Showing 1 changed file with 20 additions and 3 deletions.
23 changes: 20 additions & 3 deletions scripts/fast-reboot
Original file line number Diff line number Diff line change
Expand Up @@ -182,7 +182,7 @@ function request_pre_shutdown()
{
if [ -x ${DEVPATH}/${PLATFORM}/${PLATFORM_REBOOT_PRE_CHECK} ]; then
debug "Requesting platform reboot pre-check ..."
${DEVPATH}/${PLATFORM}/${PLATFORM_REBOOT_PRE_CHECK} ${REBOOT_TYPE}
${DEVPATH}/${PLATFORM}/${PLATFORM_REBOOT_PRE_CHECK} ${REBOOT_TYPE}
fi
debug "Requesting pre-shutdown ..."
STATE=$(timeout 5s docker exec syncd /usr/bin/syncd_request_shutdown --pre &> /dev/null; if [[ $? == 124 ]]; then echo "timed out"; fi)
Expand Down Expand Up @@ -447,9 +447,20 @@ function load_aboot_secureboot_kernel() {
swipath=$next_image kexec=true loadonly=true ENV_EXTRA_CMDLINE="$BOOT_OPTIONS" bash -
}
function invoke_kexec() {
/sbin/kexec -l "$KERNEL_IMAGE" --initrd="$INITRD" --append="$BOOT_OPTIONS" $@
}
function load_kernel() {
# Load kernel into the memory
/sbin/kexec -l "$KERNEL_IMAGE" --initrd="$INITRD" --append="$BOOT_OPTIONS"
invoke_kexec -a
}
function load_kernel_secure() {
# Load kernel into the memory secure
# -s flag is for enforcing the new load kernel(vmlinuz) to be signed and verify.
# not using -a flag, this flag can fallback to an old kexec load that do not support Secure Boot verification
invoke_kexec -s
}
function unload_kernel()
Expand Down Expand Up @@ -607,7 +618,13 @@ fi
if is_secureboot && grep -q aboot_machine= /host/machine.conf; then
load_aboot_secureboot_kernel
else
load_kernel
# check if secure boot is enable in UEFI
SECURE_UPGRADE_ENABLED=$(bootctl status 2>/dev/null | grep -c "Secure Boot: enabled")
if [ ${SECURE_UPGRADE_ENABLED} -eq 1 ]; then
load_kernel_secure
else
load_kernel
fi
fi
init_warm_reboot_states
Expand Down

0 comments on commit d300e26

Please sign in to comment.