diff --git a/Makefile.work b/Makefile.work
index 8042de7d198b..a5ecab1ab58b 100644
--- a/Makefile.work
+++ b/Makefile.work
@@ -188,6 +188,17 @@ ifneq ($(SONIC_DPKG_CACHE_SOURCE),)
 DOCKER_RUN += -v "$(SONIC_DPKG_CACHE_SOURCE):/dpkg_cache:rw"
 endif
+ifeq ($(SONIC_ENABLE_SECUREBOOT_SIGNATURE), y)
+ifneq ($(SIGNING_KEY),)
+ DOCKER_SIGNING_SOURCE := $(shell dirname $(SIGNING_KEY))
+ DOCKER_RUN += -v "$(DOCKER_SIGNING_SOURCE):$(DOCKER_SIGNING_SOURCE):ro"
+endif
+ifneq ($(SIGNING_CERT),)
+ DOCKER_SIGNING_SOURCE := $(shell dirname $(SIGNING_CERT))
+ DOCKER_RUN += -v "$(DOCKER_SIGNING_SOURCE):$(DOCKER_SIGNING_SOURCE):ro"
+endif
+endif
+
 ifeq ($(SONIC_CONFIG_USE_NATIVE_DOCKERD_FOR_BUILD), y)
 ifneq ($(MULTIARCH_QEMU_ENVIRON), y)
 DOCKER_RUN += -v /var/run/docker.sock:/var/run/docker.sock
@@ -295,6 +306,7 @@ SONIC_BUILD_INSTRUCTION := make \
 EXTRA_DOCKER_TARGETS=$(EXTRA_DOCKER_TARGETS) \
 BUILD_LOG_TIMESTAMP=$(BUILD_LOG_TIMESTAMP) \
 SONIC_ENABLE_IMAGE_SIGNATURE=$(ENABLE_IMAGE_SIGNATURE) \
+ SONIC_ENABLE_SECUREBOOT_SIGNATURE=$(SONIC_ENABLE_SECUREBOOT_SIGNATURE) \
 SONIC_DEFAULT_CONTAINER_REGISTRY=$(DEFAULT_CONTAINER_REGISTRY) \
 ENABLE_HOST_SERVICE_ON_START=$(ENABLE_HOST_SERVICE_ON_START) \
 SLAVE_DIR=$(SLAVE_DIR) \
diff --git a/build_debian.sh b/build_debian.sh
index 6dbbaa8cf770..f2f7db2b97f2 100755
--- a/build_debian.sh
+++ b/build_debian.sh
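Review bot: Both branches assign the same variable, DOCKER_SIGNING_SOURCE, so if DOCKER_RUN is a recursively-expanded variable (its definition is outside the hunk) the two `-v` arguments are both resolved to the cert's directory when DOCKER_RUN is finally expanded, and the key's directory is never mounted when key and cert live in different directories; two distinct variables, `DOCKER_SIGNING_KEY_DIR := $(dir $(SIGNING_KEY))` and `DOCKER_SIGNING_CERT_DIR := $(dir $(SIGNING_CERT))`, avoid that and also drop the two `$(shell dirname ...)` forks. Bind-mounting the whole parent directory exposes every sibling file to the build container; mounting only the two files, `-v "$(SIGNING_KEY):$(SIGNING_KEY):ro"` and `-v "$(SIGNING_CERT):$(SIGNING_CERT):ro"`, limits what the container can read to exactly the material it needs. A relative SIGNING_KEY would turn the mount source into a docker volume name rather than a path, and rules/config only documents the absolute-path requirement in a comment, so an `$(error ...)` guard here, or `$(abspath ...)` around the values, would fail early instead of inside the container.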
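Review bot: Only SONIC_ENABLE_SECUREBOOT_SIGNATURE is forwarded to the in-container make on the new line, while SIGNING_KEY and SIGNING_CERT are not; unless they reach the container through an environment export outside this diff, slave.mk's `SIGNING_KEY="$(SIGNING_KEY)"` expands to an empty string inside the container and signing fails there with a late, indirect error. Adding `SIGNING_KEY=$(SIGNING_KEY) \` and `SIGNING_CERT=$(SIGNING_CERT) \` beside the new line keeps the three knobs travelling together. SONIC_BUILD_INSTRUCTION's definition starts before this hunk.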
@@ -143,6 +143,23 @@ if [[ $CONFIGURED_ARCH == amd64 ]]; then
 sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get -y install dmidecode hdparm
 fi
+## Sign the Linux kernel
+if [ "$SONIC_ENABLE_SECUREBOOT_SIGNATURE" = "y" ]; then
+ if [ ! -f $SIGNING_KEY ]; then
+ echo "Error: SONiC linux kernel signing key missing"
+ exit 1
+ fi
+ if [ ! -f $SIGNING_CERT ]; then
+ echo "Error: SONiC linux kernel signing certificate missing"
+ exit 1
+ fi
+
+ echo '[INFO] Signing SONiC linux kernel image'
+ K=$FILESYSTEM_ROOT/boot/vmlinuz-${LINUX_KERNEL_VERSION}-amd64
+ sbsign --key $SIGNING_KEY --cert $SIGNING_CERT --output /tmp/${K##*/} ${K}
+ sudo cp -f /tmp/${K##*/} ${K}
+fi
+
 ## Update initramfs for booting with squashfs+overlay
 cat files/initramfs-tools/modules | sudo tee -a $FILESYSTEM_ROOT/etc/initramfs-tools/modules > /dev/null
diff --git a/rules/config b/rules/config
index fe5d7ac3e991..c51fcd84832c 100644
--- a/rules/config
+++ b/rules/config
@@ -180,6 +180,13 @@ K8s_GCR_IO_PAUSE_VERSION = 3.4.1
 # The relative path is build root folder.
 SONIC_ENABLE_IMAGE_SIGNATURE ?= n
+# SONIC_ENABLE_SECUREBOOT_SIGNATURE - enable SONiC kernel signing to support UEFI secureboot
+# To support UEFI secureboot chain of trust requires EFI kernel to be signed as a PE binary
+# SIGNING_KEY =
+# SIGNING_CERT =
+# The absolute path should be provided.
+SONIC_ENABLE_SECUREBOOT_SIGNATURE ?= n
+
 # PACKAGE_URL_PREFIX - the package url prefix
 PACKAGE_URL_PREFIX ?= https://packages.trafficmanager.net/public/packages
diff --git a/slave.mk b/slave.mk
index 185574e61808..17ee8d8ac8de 100644
--- a/slave.mk
+++ b/slave.mk
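Review bot: The existence checks `if [ ! -f $SIGNING_KEY ]` and `if [ ! -f $SIGNING_CERT ]` leave the variables unquoted, so when either is empty the test collapses to `[ ! -f ]`, which evaluates to false, and the script proceeds to call sbsign with no key or cert instead of printing the intended error; quote them, `if [ ! -f "$SIGNING_KEY" ]; then` and `if [ ! -f "$SIGNING_CERT" ]; then`. The signed image is written to a fixed, predictable path in the shared `/tmp` directory (`/tmp/${K##*/}`), which collides between concurrent builds on one host and can be pre-populated by any local user before `sudo cp -f` copies it into the image; a `mktemp`-created file that is removed after the copy avoids both problems. The kernel path hard-codes `-amd64` while the block is gated only on the signing flag, so a non-amd64 build with the flag set fails on a missing file; gating on `$CONFIGURED_ARCH == amd64` like the block above it, or deriving the suffix from it, makes the intent explicit. Whether a failing sbsign aborts the build depends on the script's `set -e` state, which is outside the hunk.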
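Review bot: SIGNING_KEY and SIGNING_CERT appear only inside comments and are never declared, so Makefile.work's `ifneq ($(SIGNING_KEY),)` tests an undefined variable and `--warn-undefined-variables` would flag it; declaring `SIGNING_KEY ?=` and `SIGNING_CERT ?=` under the comment makes the knobs discoverable and records that they are expected from the command line or environment rather than from this file. Since the key is private signing material, the comment should also say it must not live in the tree; a line such as `# Keep the key outside the source tree and never commit it.` covers it. The second comment line reads awkwardly; `# UEFI secure boot's chain of trust requires the EFI kernel to be signed as a PE binary` says the same thing more clearly.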
@@ -1176,6 +1176,9 @@ $(addprefix $(TARGET_PATH)/, $(SONIC_INSTALLERS)) : $(TARGET_PATH)/% : \
 TARGET_PATH=$(TARGET_PATH) \
 SONIC_ENFORCE_VERSIONS=$(SONIC_ENFORCE_VERSIONS) \
 TRUSTED_GPG_URLS=$(TRUSTED_GPG_URLS) \
+ SONIC_ENABLE_SECUREBOOT_SIGNATURE="$(SONIC_ENABLE_SECUREBOOT_SIGNATURE)" \
+ SIGNING_KEY="$(SIGNING_KEY)" \
+ SIGNING_CERT="$(SIGNING_CERT)" \
 PACKAGE_URL_PREFIX=$(PACKAGE_URL_PREFIX) \
 MULTIARCH_QEMU_ENVIRON=$(MULTIARCH_QEMU_ENVIRON) \
 ./build_debian.sh $(LOG)
diff --git a/sonic-slave-bullseye/Dockerfile.j2 b/sonic-slave-bullseye/Dockerfile.j2
index 741f708de269..493c417e4b3d 100644
--- a/sonic-slave-bullseye/Dockerfile.j2
+++ b/sonic-slave-bullseye/Dockerfile.j2
@@ -117,6 +117,7 @@ RUN apt-get update && apt-get install -y \
 devscripts \
 quilt \
 stgit \
+ sbsigntool \
 # For platform-modules build
 module-assistant \
 # For thrift build\
diff --git a/sonic-slave-buster/Dockerfile.j2 b/sonic-slave-buster/Dockerfile.j2
index fa8ac44f1b9e..8fd5ac6d85b8 100644
--- a/sonic-slave-buster/Dockerfile.j2
+++ b/sonic-slave-buster/Dockerfile.j2
@@ -125,6 +125,7 @@ RUN apt-get update && apt-get install -y \
 devscripts \
 quilt \
 stgit \
+ sbsigntool \
 # For platform-modules build
 module-assistant \
 # For thrift build\
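Review bot: The three new assignments hand host paths to build_debian.sh, which can only open them inside the container when Makefile.work has bind-mounted the matching location; nothing in this rule checks that, so a missing or unmounted key is only discovered once the installer build has reached build_debian.sh. A parse-time guard in slave.mk, `ifeq ($(SONIC_ENABLE_SECUREBOOT_SIGNATURE),y)` followed by `$(if $(wildcard $(SIGNING_KEY)),,$(error SIGNING_KEY must point to an existing file))` and the same for SIGNING_CERT, fails fast with a clear message. The new lines double-quote their values while the neighbouring assignments do not; quoting is the safer form, so the rest of the list should follow rather than the new lines being unquoted. The rule for $(SONIC_INSTALLERS) starts before this hunk.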