[secure boot]Add getopts to signing scripts

sonic-net · Nov 28, 2022 · b8ac9fc · b8ac9fc
1 parent 944ac0a
commit b8ac9fc
Show file tree

Hide file tree

Showing 8 changed files with 66 additions and 63 deletions.
diff --git a/build_debian.sh b/build_debian.sh
@@ -646,11 +646,11 @@ if [[ $SECURE_UPGRADE_MODE == 'dev' || $SECURE_UPGRADE_MODE == "prod" && $SONIC_
             exit 1
         fi
 
-        sudo bash scripts/signing_secure_boot_dev.sh $CONFIGURED_ARCH \
-                                                     $FILESYSTEM_ROOT \
-                                                     $LINUX_KERNEL_VERSION \
-                                                     $SECURE_UPGRADE_DEV_SIGNING_CERT \
-                                                     $SECURE_UPGRADE_DEV_SIGNING_KEY
+        sudo bash scripts/signing_secure_boot_dev.sh -a $CONFIGURED_ARCH \
+                                                     -r $FILESYSTEM_ROOT \
+                                                     -l $LINUX_KERNEL_VERSION \
+                                                     -c $SECURE_UPGRADE_DEV_SIGNING_CERT \
+                                                     -p $SECURE_UPGRADE_DEV_SIGNING_KEY
     elif [[ $SECURE_UPGRADE_MODE == "prod" ]]; then
         #  Here Vendor signing should be implemented
         OUTPUT_SEC_BOOT_DIR=$FILESYSTEM_ROOT/boot

diff --git a/installer/default_platform.conf b/installer/default_platform.conf
@@ -475,8 +475,7 @@ bootloader_menu_config()
     fi
 
     DEFAULT_GRUB_SERIAL_COMMAND="serial --port=${CONSOLE_PORT} --speed=${CONSOLE_SPEED} --word=8 --parity=no --stop=1"
-    # DEFAULT_GRUB_CMDLINE_LINUX="console=tty0 console=ttyS${CONSOLE_DEV},${CONSOLE_SPEED}n8 quiet $CSTATES"
-    DEFAULT_GRUB_CMDLINE_LINUX="console=tty0 console=ttyS${CONSOLE_DEV},${CONSOLE_SPEED}n8 loglevel=7 systemd.log_level=debug $CSTATES"
+    DEFAULT_GRUB_CMDLINE_LINUX="console=tty0 console=ttyS${CONSOLE_DEV},${CONSOLE_SPEED}n8 quiet $CSTATES"
     GRUB_SERIAL_COMMAND=${GRUB_SERIAL_COMMAND:-"$DEFAULT_GRUB_SERIAL_COMMAND"}
     GRUB_CMDLINE_LINUX=${GRUB_CMDLINE_LINUX:-"$DEFAULT_GRUB_CMDLINE_LINUX"}
     export GRUB_SERIAL_COMMAND

diff --git a/rules/config b/rules/config
@@ -212,8 +212,8 @@ SONIC_ENABLE_SECUREBOOT_SIGNATURE ?= n
 # SECURE_UPGRADE_DEV_SIGNING_KEY - path to development signing key, used for image signing during build
 # SECURE_UPGRADE_DEV_SIGNING_CERT - path to development signing certificate, used for image signing during build
 # SECURE_UPGRADE_MODE - enum value for secure upgrade mode, valid options are "dev", "prod" and "no_sign"
-SECURE_UPGRADE_DEV_SIGNING_KEY = /sonic/files/nv_onyx_key.pem
-SECURE_UPGRADE_DEV_SIGNING_CERT =  /sonic/files/nv_onyx_key_certificate.pem
+SECURE_UPGRADE_DEV_SIGNING_KEY = /sonic/your/private/key/path/private_key.pem
+SECURE_UPGRADE_DEV_SIGNING_CERT =  /sonic/your/certificate/path/cert.pem
 SECURE_UPGRADE_MODE = "no_sign"
 
 # PACKAGE_URL_PREFIX - the package url prefix

diff --git a/scripts/efi-sign.sh b/scripts/efi-sign.sh
@@ -8,25 +8,28 @@ set -e
 # - grub
 # - vmlinuz
 #
-usage() {
+print_usage() {
     cat <<EOF
 
 $0: Usage
-$0 <PRIVATE_KEY_PEM> <CERT_PEM> <EFI_FILE> <EFI_FILE_SIGNED>
+$0 -p <PRIVATE_KEY_PEM> -c <CERT_PEM> -e <EFI_FILE> -s <EFI_FILE_SIGNED>
 Usage example: efi-sign.sh priv-key.pem pub-key.pem shimx64.efi shimx64-signed.efi
 
 EOF
 }
 
-if [ "$1" = "-h" -o "$1" = "--help" ]; then 
-    usage
-fi
-
-PRIVATE_KEY_PEM="$1"
-CERT_PEM="$2"
-EFI_FILE="$3"
-EFI_FILE_SIGNED="$4"
-
+while getopts 'p:c:e:s:hv' flag; do
+  case "${flag}" in
+    p) PRIVATE_KEY_PEM="${OPTARG}" ;;
+    c) CERT_PEM="${OPTARG}" ;;
+    e) EFI_FILE="${OPTARG}" ;;
+    s) EFI_FILE_SIGNED="${OPTARG}" ;;
+    v) VERBOSE='true' ;;
+    h) print_usage
+       exit 1 ;;
+  esac
+done
+if [ $OPTIND -eq 1 ]; then echo "no options were pass"; print_usage; exit 1 ;fi
 
 [ -f "$PRIVATE_KEY_PEM" ] || {
     echo "Error: PRIVATE_KEY_PEM file does not exist: $PRIVATE_KEY_PEM"

diff --git a/scripts/secure_boot_signature_verification.sh b/scripts/secure_boot_signature_verification.sh
@@ -8,7 +8,7 @@ KERNEL_MODULES_DIR=''
 CERT_PEM=''
 VERBOSE='false'
 
-usage() {
+print_usage() {
     cat <<EOF
 
 $0: Usage

diff --git a/scripts/signing_kernel_modules.sh b/scripts/signing_kernel_modules.sh
@@ -4,7 +4,7 @@
 usage() {
     cat <<EOF
 $0: # Display Help
-$0 <LINUX_KERNEL_VERSION> <PEM_CERT> <PEM_PRIVATE_KEY> <LOCAL_SIGN_FILE> <LOCAL_EXTRACT_CERT> <KERNEL_MODULES_DIR>
+$0 -l <LINUX_KERNEL_VERSION> -c <PEM_CERT> -p <PEM_PRIVATE_KEY> -s <LOCAL_SIGN_FILE> -e <LOCAL_EXTRACT_CERT> -k <KERNEL_MODULES_DIR>
 Sign kernel modules in <KERNEL_MODULES_DIR> using private & public keys.
 
 Parameters description:
@@ -21,16 +21,20 @@ Runs examples:
 EOF
 }
 
-if [ "$1" = "-h" -o "$1" = "--help" ]; then 
-    usage
-fi
-
-LINUX_KERNEL_VERSION="$1"
-PEM_CERT="$2"
-PEM_PRIVATE_KEY="$3"
-KERNEL_MODULES_DIR="$4"
-LOCAL_SIGN_FILE="$5"
-LOCAL_EXTRACT_CERT="$6"
+while getopts 'l:c:p:k:s:e:hv' flag; do
+  case "${flag}" in
+    l) LINUX_KERNEL_VERSION="${OPTARG}" ;;
+    c) PEM_CERT="${OPTARG}" ;;
+    p) PEM_PRIVATE_KEY="${OPTARG}" ;;
+    k) KERNEL_MODULES_DIR="${OPTARG}" ;;
+    s) LOCAL_SIGN_FILE="${OPTARG}" ;;
+    e) LOCAL_EXTRACT_CERT="${OPTARG}" ;;
+    v) VERBOSE='true' ;;
+    h) print_usage
+       exit 1 ;;
+  esac
+done
+if [ $OPTIND -eq 1 ]; then echo "no options were pass"; print_usage; exit 1 ;fi
 
 if [ -z ${LINUX_KERNEL_VERSION} ]; then
     echo "ERROR: LINUX_KERNEL_VERSION arg1 is empty"

diff --git a/scripts/signing_secure_boot_dev.sh b/scripts/signing_secure_boot_dev.sh
@@ -4,32 +4,38 @@
 ## Enable debug output for script & exit code when failing occurs 
 set -x -e
 
-usage() {
+print_usage() {
     cat <<EOF
 
 $0: Usage
-$0 <CONFIGURED_ARCH> <FS_ROOT> <LINUX_KERNEL_VERSION> <PEM_CERT> <PEM_PRIV_KEY>
-Usage example: efi-sign.sh priv-key.pem pub-key.pem shimx64.efi shimx64-signed.efi
+$0 -a <CONFIGURED_ARCH> -r <FS_ROOT> -l <LINUX_KERNEL_VERSION> -c <PEM_CERT> -p <PEM_PRIV_KEY>
 
 EOF
 }
 
 clean_file() {
     if [ -f $1 ]; then
         echo "clean old file named: $1"
-        echo "sudo rm $1"
-        sudo rm $1
-        echo "$?"
-        exit 1
+        echo "sudo rm -f $1"
+        sudo sudo rm -f $1
     fi
 }
 
+while getopts 'a:r:l:c:p:hv' flag; do
+  case "${flag}" in
+    a) CONFIGURED_ARCH="${OPTARG}" ;;
+    r) FS_ROOT="${OPTARG}" ;;
+    l) LINUX_KERNEL_VERSION="${OPTARG}" ;;
+    c) PEM_CERT="${OPTARG}" ;;
+    p) PEM_PRIV_KEY="${OPTARG}" ;;
+    v) VERBOSE='true' ;;
+    h) print_usage
+       exit 1 ;;
+  esac
+done
+if [ $OPTIND -eq 1 ]; then echo "no options were pass"; print_usage; exit 1 ;fi
+
 echo "$0 signing & verifying EFI files and Kernel Modules start ..."
-CONFIGURED_ARCH="$1"
-FS_ROOT="$2"
-LINUX_KERNEL_VERSION="$3"
-PEM_CERT="$4"
-PEM_PRIV_KEY="$5"
 
 if [ -z ${CONFIGURED_ARCH} ]; then
     echo "ERROR: CONFIGURED_ARCH=${CONFIGURED_ARCH} is empty"
@@ -85,13 +91,9 @@ clean_file ${MMX_EFI_SRC}-signed
 clean_file $FS_ROOT/boot/shim${EFI_ARCH}.efi
 clean_file $FS_ROOT/boot/mm${EFI_ARCH}.efi
 
-# clean old shim & mmx files in the env
-sudo rm -f ${SHIMX_EFI_SRC}-signed ${MMX_EFI_SRC}-signed \
-           $FS_ROOT/boot/shim${EFI_ARCH}.efi $FS_ROOT/boot/mm${EFI_ARCH}.efi
-
 echo "signing shim${EFI_ARCH}.efi & mm${EFI_ARCH}.efi from location: ${SHIM_DIR_SRC} .."
-sudo ${EFI_SIGNING} $PEM_PRIV_KEY $PEM_CERT ${SHIMX_EFI_SRC} ${SHIMX_EFI_SRC}-signed
-sudo ${EFI_SIGNING} $PEM_PRIV_KEY $PEM_CERT ${MMX_EFI_SRC} ${MMX_EFI_SRC}-signed
+sudo ${EFI_SIGNING} -p $PEM_PRIV_KEY -c $PEM_CERT -e ${SHIMX_EFI_SRC} -s ${SHIMX_EFI_SRC}-signed
+sudo ${EFI_SIGNING} -p $PEM_PRIV_KEY -c $PEM_CERT -e ${MMX_EFI_SRC} -s ${MMX_EFI_SRC}-signed
 
 # cp shim & mmx signed files to boot directory in the fs.
 sudo cp ${SHIMX_EFI_SRC}-signed $FS_ROOT/boot/shim${EFI_ARCH}.efi
@@ -105,18 +107,15 @@ sudo bash scripts/secure_boot_signature_verification.sh -c $PEM_CERT -e $FS_ROOT
 ## grub signing
 ######################
 
-# clean old files
-clean_file ${GRUB_EFI_SRC}-signed
-clean_file $FS_ROOT/boot/grub${EFI_ARCH}.efi
-
 GRUB_DIR_SRC=$FS_ROOT/usr/lib/grub/x86_64-efi/monolithic/
 GRUB_EFI_SRC=$GRUB_DIR_SRC/grub${EFI_ARCH}.efi
 
-# clean old grub files in the env
-sudo rm -f ${GRUB_EFI_SRC}-signed $FS_ROOT/boot/grub${EFI_ARCH}.efi
+# clean old files
+clean_file ${GRUB_EFI_SRC}-signed
+clean_file $FS_ROOT/boot/grub${EFI_ARCH}.efi
 
 echo "signing grub${EFI_ARCH}.efi from location: ${GRUB_EFI_SRC} .."
-sudo ${EFI_SIGNING} $PEM_PRIV_KEY $PEM_CERT ${GRUB_EFI_SRC} ${GRUB_EFI_SRC}-signed
+sudo ${EFI_SIGNING} -p $PEM_PRIV_KEY -c $PEM_CERT -e ${GRUB_EFI_SRC} -s ${GRUB_EFI_SRC}-signed
 
 # cp signed grub to fs boot dir.
 sudo cp ${GRUB_EFI_SRC}-signed $FS_ROOT/boot/grub${EFI_ARCH}.efi
@@ -133,20 +132,17 @@ CURR_VMLINUZ=$FS_ROOT/boot/vmlinuz-${LINUX_KERNEL_VERSION}-${CONFIGURED_ARCH}
 # clean old files
 clean_file ${CURR_VMLINUZ}-signed
 
-# clean old grub files in the env
-sudo rm -f ${CURR_VMLINUZ}-signed
-
 echo "signing ${CURR_VMLINUZ} .."
-sudo ${EFI_SIGNING} $PEM_PRIV_KEY $PEM_CERT ${CURR_VMLINUZ} ${CURR_VMLINUZ}-signed
+sudo ${EFI_SIGNING} -p $PEM_PRIV_KEY -c $PEM_CERT -e ${CURR_VMLINUZ} -s ${CURR_VMLINUZ}-signed
 
 # rename signed vmlinuz with the name vmlinuz without signed suffix
-sudo cp ${CURR_VMLINUZ}-signed ${CURR_VMLINUZ}
+sudo mv ${CURR_VMLINUZ}-signed ${CURR_VMLINUZ}
 
 sudo bash scripts/secure_boot_signature_verification.sh -c $PEM_CERT -e ${CURR_VMLINUZ}
 
 #########################
 # Kernel Modules signing
 #########################
-sudo bash scripts/signing_kernel_modules.sh $LINUX_KERNEL_VERSION ${PEM_CERT} ${PEM_PRIV_KEY}
+sudo bash scripts/signing_kernel_modules.sh -l $LINUX_KERNEL_VERSION -c ${PEM_CERT} -p ${PEM_PRIV_KEY} -k ${FS_ROOT}
 
 echo "$0 signing & verifying EFI files and Kernel Modules DONE"
diff --git a/scripts/signing_secure_boot_prod.sh b/scripts/signing_secure_boot_prod.sh
@@ -0,0 +1 @@
+#In this script Vendor should code  the logic to build a secure boot image by using vendor flows