Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Why I did it

Add Secure Boot support to SONiC OS. Secure Boot (SB) is a verification mechanism for ensuring that code launched by a computer's UEFI firmware is trusted. It is designed to protect a system against malicious code being loaded and executed early in the boot process before the operating system has been loaded.

- How I did it

Added a signing process to sign the following components: shim, grub, Linux kernel, and kernel modules when doing the build, when the feature is enabled at build time according to the HLD explanations (the feature is disabled by default).

- How to verify it

There are self-verifications of each boot component when building the image. In addition, there is an existing end-to-end test in the sonic-mgmt repo that checks that the boot succeeds when loading a secure system (details below).

How to build a sonic image with the secure boot feature (more description in the HLD):

It is required to use the following build flags from rules/config:

    SECURE_UPGRADE_MODE="dev"
    SECURE_UPGRADE_DEV_SIGNING_KEY="/path/to/private/key.pem"
    SECURE_UPGRADE_DEV_SIGNING_CERT="/path/to/cert/key.pem"

After setting those flags, build the sonic-buildimage.

Before installing the image, prepare the setup (switch device) as follows:

    - check that the device supports UEFI
    - store the pub keys in the UEFI DB
    - enable the Secure Boot flag in UEFI

How to run a test that verifies the Secure Boot flow:

The existing test "test_upgrade_path" under "sonic-mgmt/tests/upgrade_path/test_upgrade_path" is enough to validate proper boot. You need to specify the following arguments:

    Base_image_list your_secure_image
    Target_image_list your_second_secure_image
    Upgrade_type cold

Then run the test. Basically, the test will install the base image given in the parameter, then upgrade to the target image by doing a cold reboot, and validate that all the services are up and working correctly.
1 parent 1cd6744
commit 8098bc4
Showing 11 changed files with 618 additions and 6 deletions.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,63 @@ | ||
#!/bin/sh | ||
|
||
set -e | ||
|
||
# | ||
# Sign efi file with secret key and certificate | ||
# - shim | ||
# - grub | ||
# - vmlinuz | ||
# | ||
print_usage() { | ||
cat <<EOF | ||
$0: Usage | ||
$0 -p <PRIVATE_KEY_PEM> -c <CERT_PEM> -e <EFI_FILE> -s <EFI_FILE_SIGNED> | ||
Usage example: efi-sign.sh -p priv-key.pem -c pub-key.pem -e shimx64.efi -s shimx64-signed.efi | ||
EOF | ||
} | ||
|
||
while getopts 'p:c:e:s:hv' flag; do | ||
case "${flag}" in | ||
p) PRIVATE_KEY_PEM="${OPTARG}" ;; | ||
c) CERT_PEM="${OPTARG}" ;; | ||
e) EFI_FILE="${OPTARG}" ;; | ||
s) EFI_FILE_SIGNED="${OPTARG}" ;; | ||
v) VERBOSE='true' ;; | ||
h) print_usage | ||
exit 1 ;; | ||
esac | ||
done | ||
if [ $OPTIND -eq 1 ]; then echo "no options were pass"; print_usage; exit 1 ;fi | ||
|
||
[ -f "$PRIVATE_KEY_PEM" ] || { | ||
echo "Error: PRIVATE_KEY_PEM file does not exist: $PRIVATE_KEY_PEM" | ||
print_usage | ||
exit 1 | ||
} | ||
|
||
[ -f "$CERT_PEM" ] || { | ||
echo "Error: CERT_PEM file does not exist: $CERT_PEM" | ||
print_usage | ||
exit 1 | ||
} | ||
|
||
[ -f "$EFI_FILE" ] || { | ||
echo "Error: File for signing does not exist: $EFI_FILE" | ||
print_usage | ||
exit 1 | ||
} | ||
|
||
if [ -z ${EFI_FILE_SIGNED} ]; then | ||
echo "ERROR: no arg named <EFI_FILE_SIGNED> supplied" | ||
print_usage | ||
exit 1 | ||
fi | ||
|
||
echo "$0 signing $EFI_FILE with ${PRIVATE_KEY_PEM}, ${CERT_PEM} to create $EFI_FILE_SIGNED" | ||
sbsign --key ${PRIVATE_KEY_PEM} --cert ${CERT_PEM} \ | ||
--output ${EFI_FILE_SIGNED} ${EFI_FILE} || { | ||
echo "EFI sign error" | ||
exit 1 | ||
} |
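Review bot: The expansions in the final `[ -z ${EFI_FILE_SIGNED} ]` test and in the `sbsign --key ${PRIVATE_KEY_PEM} --cert ${CERT_PEM} --output ${EFI_FILE_SIGNED} ${EFI_FILE}` call are unquoted, unlike the `[ -f "$PRIVATE_KEY_PEM" ]` checks above them, so a path containing whitespace or glob characters passes the existence checks and is then word-split before it reaches sbsign. Quote the `-z` operand and all four sbsign arguments. The `getopts` case statement has no `*)` branch, so an unknown option does not stop the script; add one that prints usage and exits non-zero. Smaller points in the same hunk: `-v` sets VERBOSE but nothing reads it, `-h` exits 1 although help was requested, the error messages go to stdout rather than stderr, and "no options were pass" should read "no options were passed". The script also reports success as soon as sbsign returns, without inspecting the output file; if the caller does not already do it, running sbverify with the same certificate on `$EFI_FILE_SIGNED` here would confirm at signing time that the result verifies against the intended certificate.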