From f299ec13c6118195e1fdecf18515904a7de83ad7 Mon Sep 17 00:00:00 2001
From: Sachin Naik
Date: Wed, 6 Apr 2022 23:03:34 -0700
Subject: [PATCH 1/4] secureboot: Enable signing SONiC kernel

Build hook to enable signing SONiC Linux kernel using standard sbsign tool

How to enable signing hook?
make configure PLATFORM= SECURE_BOOT=yes SBSIGN_KEY=

SOniC image sign key dir path: Should contain two files
1. .key
2. .cert

Signed-off-by: Sachin Naik
---
 Makefile.work | 17 +++++++++++++++++
 build_debian.sh | 26 ++++++++++++++++++++++++++
 slave.mk | 3 +++
 sonic-slave-bullseye/Dockerfile.j2 | 1 +
 sonic-slave-buster/Dockerfile.j2 | 1 +
 sonic-slave-jessie/Dockerfile.j2 | 1 +
 sonic-slave-stretch/Dockerfile.j2 | 1 +
 7 files changed, 50 insertions(+)

diff --git a/Makefile.work b/Makefile.work
index 8042de7d198b..cf77324903a3 100644
--- a/Makefile.work
+++ b/Makefile.work
@@ -97,6 +97,17 @@ ifeq ($(PLATFORM_ARCH),)
 override PLATFORM_ARCH = $(CONFIGURED_ARCH)
 endif
 
+ifeq ($(SECURE_BOOT),)
+ override SECURE_BOOT = no
+endif
+
+SBSIGN_CONF := $(shell [ -f .sbsign.conf ] && cat .sbsign.conf || echo $(SBSIGN_CONF))
+ifneq ($(SBSIGN_CONF),)
+SONIC_SECURE_BOOT = yes
+SONIC_SBSIGN_DIR = $(SBSIGN_CONF)
+SONIC_SBSIGN_MOUNT=$(shell echo $(SONIC_SBSIGN_DIR):$(SONIC_SBSIGN_DIR):ro)
+endif
+
 ifeq ($(BLDENV), bullseye)
 SLAVE_DIR = sonic-slave-bullseye
 else ifeq ($(BLDENV), buster)
@@ -188,6 +199,10 @@ ifneq ($(SONIC_DPKG_CACHE_SOURCE),)
 DOCKER_RUN += -v "$(SONIC_DPKG_CACHE_SOURCE):/dpkg_cache:rw"
 endif
 
+ifneq ($(SONIC_SBSIGN_MOUNT),)
+ DOCKER_RUN += -v "$(SONIC_SBSIGN_MOUNT)"
+endif
+
 ifeq ($(SONIC_CONFIG_USE_NATIVE_DOCKERD_FOR_BUILD), y)
 ifneq ($(MULTIARCH_QEMU_ENVIRON), y)
 DOCKER_RUN += -v /var/run/docker.sock:/var/run/docker.sock
@@ -263,6 +278,8 @@ SONIC_BUILD_INSTRUCTION := make \
 BUILD_NUMBER=$(BUILD_NUMBER) \
 BUILD_TIMESTAMP=$(BUILD_TIMESTAMP) \
 SONIC_IMAGE_VERSION=$(SONIC_IMAGE_VERSION) \
+ SONIC_SECURE_BOOT=$(SONIC_SECURE_BOOT) \
+ SONIC_SBSIGN_DIR=$(SONIC_SBSIGN_DIR) \
 ENABLE_DHCP_GRAPH_SERVICE=$(ENABLE_DHCP_GRAPH_SERVICE) \
 ENABLE_ZTP=$(ENABLE_ZTP) \
 INCLUDE_PDE=$(INCLUDE_PDE) \
diff --git a/build_debian.sh b/build_debian.sh
index 6dbbaa8cf770..3acb475da332 100755
--- a/build_debian.sh
+++ b/build_debian.sh
@@ -37,6 +37,7 @@ LINUX_KERNEL_VERSION=5.10.0-8-2
 ## Working directory to prepare the file system
 FILESYSTEM_ROOT=./fsroot
 PLATFORM_DIR=platform
+PLATFORM_SECURITY_CONF=./.sbsign.conf
 ## Hostname for the linux image
 HOSTNAME=sonic
 DEFAULT_USERINFO="Default admin user,,,"
@@ -143,6 +144,31 @@ if [[ $CONFIGURED_ARCH == amd64 ]]; then
 sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get -y install dmidecode hdparm
 fi
 
+## Sign the kernel
+if [ -f $PLATFORM_SECURITY_CONF ]; then
+ sbsign_key_dir=`cat $PLATFORM_SECURITY_CONF`
+
+ if [ -d $sbsign_key_dir ]; then
+ secure_boot_key=`find $sbsign_key_dir -name "*.key"`
+ secure_boot_cert=`find $sbsign_key_dir -name "*.cert"`
+ if [[ ! -f $secure_boot_key ]]; then
+ echo "Error: SONiC linux kernel signing key missing"
+ exit 1
+ fi
+ if [[ ! -f $secure_boot_cert ]]; then
+ echo "Error: SONiC linux kernel signing cert missing"
+ exit 1
+ fi
+
+ echo '[INFO] Signing SONiC linux kernel image'
+ K=$FILESYSTEM_ROOT/boot/vmlinuz-${LINUX_KERNEL_VERSION}-amd64
+ sbsign --key $secure_boot_key --cert $secure_boot_cert --output /tmp/${K##*/} ${K}
+ sudo cp -f /tmp/${K##*/} ${K}
+ else
+ echo '[INFO] Skipping signing SONiC Linux kernel image'
+ fi
+fi
+
 ## Update initramfs for booting with squashfs+overlay
 cat files/initramfs-tools/modules | sudo tee -a $FILESYSTEM_ROOT/etc/initramfs-tools/modules > /dev/null
 
diff --git a/slave.mk b/slave.mk
index 185574e61808..03bb19eba786 100644
--- a/slave.mk
+++ b/slave.mk
@@ -108,10 +108,12 @@ configure :
 @mkdir -p $(DPKG_ADMINDIR_PATH)
 @echo $(PLATFORM) > .platform
 @echo $(PLATFORM_ARCH) > .arch
+ @echo $(SONIC_SBSIGN_DIR) > .sbsign.conf
 
 distclean : .platform clean
 @rm -f .platform
 @rm -f .arch
+ @rm -f .sbsign.conf
 
 list :
 @$(foreach target,$(SONIC_TARGET_LIST),echo $(target);)
@@ -289,6 +291,7 @@ $(info "SONIC_CONFIG_MAKE_JOBS" : "$(SONIC_CONFIG_MAKE_JOBS)")
 $(info "SONIC_USE_DOCKER_BUILDKIT" : "$(SONIC_USE_DOCKER_BUILDKIT)")
 $(info "USERNAME" : "$(USERNAME)")
 $(info "PASSWORD" : "$(PASSWORD)")
+$(info "SONIC_SECURE_BOOT" : "$(SONIC_SECURE_BOOT)")
 $(info "ENABLE_DHCP_GRAPH_SERVICE" : "$(ENABLE_DHCP_GRAPH_SERVICE)")
 $(info "SHUTDOWN_BGP_ON_START" : "$(SHUTDOWN_BGP_ON_START)")
 $(info "ENABLE_PFCWD_ON_START" : "$(ENABLE_PFCWD_ON_START)")
diff --git a/sonic-slave-bullseye/Dockerfile.j2 b/sonic-slave-bullseye/Dockerfile.j2
index 741f708de269..493c417e4b3d 100644
--- a/sonic-slave-bullseye/Dockerfile.j2
+++ b/sonic-slave-bullseye/Dockerfile.j2
@@ -117,6 +117,7 @@ RUN apt-get update && apt-get install -y \
 devscripts \
 quilt \
 stgit \
+ sbsigntool \
 # For platform-modules build
 module-assistant \
 # For thrift build\
diff --git a/sonic-slave-buster/Dockerfile.j2 b/sonic-slave-buster/Dockerfile.j2
index fa8ac44f1b9e..8fd5ac6d85b8 100644
--- a/sonic-slave-buster/Dockerfile.j2
+++ b/sonic-slave-buster/Dockerfile.j2
@@ -125,6 +125,7 @@ RUN apt-get update && apt-get install -y \
 devscripts \
 quilt \
 stgit \
+ sbsigntool \
 # For platform-modules build
 module-assistant \
 # For thrift build\
diff --git a/sonic-slave-jessie/Dockerfile.j2 b/sonic-slave-jessie/Dockerfile.j2
index 1d98e6d9b6c5..5e62835797ba 100644
--- a/sonic-slave-jessie/Dockerfile.j2
+++ b/sonic-slave-jessie/Dockerfile.j2
@@ -101,6 +101,7 @@ RUN apt-get update && apt-get install -y \
 devscripts \
 quilt \
 stgit \
+ sbsigntool \
 # For platform-modules build
 module-assistant \
 # For thrift build\
diff --git a/sonic-slave-stretch/Dockerfile.j2 b/sonic-slave-stretch/Dockerfile.j2
index ad13ed0c124a..c8706eb33bb7 100644
--- a/sonic-slave-stretch/Dockerfile.j2
+++ b/sonic-slave-stretch/Dockerfile.j2
@@ -117,6 +117,7 @@ RUN apt-get update && apt-get install -y \
 devscripts \
 quilt \
 stgit \
+ sbsigntool \
 # For platform-modules build
 module-assistant \
 # For thrift build\

From 32debfe786a7d77f96899a1c2875e202bc2b37ae Mon Sep 17 00:00:00 2001
From: Sachin Naik
Date: Thu, 14 Apr 2022 21:40:50 -0700
Subject: [PATCH 2/4] Review comment fixes

Signed-off-by: Sachin Naik
---
 Makefile.work | 25 +++++++++------------
 build_debian.sh | 37 ++++++++++++------------------
 rules/config | 7 ++++++
 slave.mk | 6 ++---
 sonic-slave-jessie/Dockerfile.j2 | 1 -
 sonic-slave-stretch/Dockerfile.j2 | 1 -
 6 files changed, 35 insertions(+), 42 deletions(-)

diff --git a/Makefile.work b/Makefile.work
index cf77324903a3..5b7236cea81d 100644
--- a/Makefile.work
+++ b/Makefile.work
@@ -97,17 +97,6 @@ ifeq ($(PLATFORM_ARCH),)
 override PLATFORM_ARCH = $(CONFIGURED_ARCH)
 endif
 
-ifeq ($(SECURE_BOOT),)
- override SECURE_BOOT = no
-endif
-
-SBSIGN_CONF := $(shell [ -f .sbsign.conf ] && cat .sbsign.conf || echo $(SBSIGN_CONF))
-ifneq ($(SBSIGN_CONF),)
-SONIC_SECURE_BOOT = yes
-SONIC_SBSIGN_DIR = $(SBSIGN_CONF)
-SONIC_SBSIGN_MOUNT=$(shell echo $(SONIC_SBSIGN_DIR):$(SONIC_SBSIGN_DIR):ro)
-endif
-
 ifeq ($(BLDENV), bullseye)
 SLAVE_DIR = sonic-slave-bullseye
 else ifeq ($(BLDENV), buster)
@@ -199,9 +188,17 @@ ifneq ($(SONIC_DPKG_CACHE_SOURCE),)
 DOCKER_RUN += -v "$(SONIC_DPKG_CACHE_SOURCE):/dpkg_cache:rw"
 endif
 
-ifneq ($(SONIC_SBSIGN_MOUNT),)
- DOCKER_RUN += -v "$(SONIC_SBSIGN_MOUNT)"
+ifeq ($(SONIC_ENABLE_SECUREBOOT_SIGNATURE), y)
+ifneq ($(SIGNING_KEY),)
+ DOCKER_SIGNING_SOURCE := $(shell dirname $(SIGNING_KEY))
+ DOCKER_RUN += -v "$(DOCKER_SIGNING_SOURCE):$(DOCKER_SIGNING_SOURCE):ro"
 endif
+ifneq ($(SIGNING_CERT),)
+ DOCKER_SIGNING_SOURCE := $(shell dirname $(SIGNING_CERT))
+ DOCKER_RUN += -v "$(DOCKER_SIGNING_SOURCE):$(DOCKER_SIGNING_SOURCE):ro"
+endif
+endif
+
 
 ifeq ($(SONIC_CONFIG_USE_NATIVE_DOCKERD_FOR_BUILD), y)
 ifneq ($(MULTIARCH_QEMU_ENVIRON), y)
@@ -279,7 +276,6 @@ SONIC_BUILD_INSTRUCTION := make \
 BUILD_TIMESTAMP=$(BUILD_TIMESTAMP) \
 SONIC_IMAGE_VERSION=$(SONIC_IMAGE_VERSION) \
 SONIC_SECURE_BOOT=$(SONIC_SECURE_BOOT) \
- SONIC_SBSIGN_DIR=$(SONIC_SBSIGN_DIR) \
 ENABLE_DHCP_GRAPH_SERVICE=$(ENABLE_DHCP_GRAPH_SERVICE) \
 ENABLE_ZTP=$(ENABLE_ZTP) \
 INCLUDE_PDE=$(INCLUDE_PDE) \
@@ -312,6 +308,7 @@ SONIC_BUILD_INSTRUCTION := make \
 EXTRA_DOCKER_TARGETS=$(EXTRA_DOCKER_TARGETS) \
 BUILD_LOG_TIMESTAMP=$(BUILD_LOG_TIMESTAMP) \
 SONIC_ENABLE_IMAGE_SIGNATURE=$(ENABLE_IMAGE_SIGNATURE) \
+ SONIC_ENABLE_SECUREBOOT_SIGNATURE=$(SONIC_ENABLE_SECUREBOOT_SIGNATURE) \
 SONIC_DEFAULT_CONTAINER_REGISTRY=$(DEFAULT_CONTAINER_REGISTRY) \
 ENABLE_HOST_SERVICE_ON_START=$(ENABLE_HOST_SERVICE_ON_START) \
 SLAVE_DIR=$(SLAVE_DIR) \
diff --git a/build_debian.sh b/build_debian.sh
index 3acb475da332..f2f7db2b97f2 100755
--- a/build_debian.sh
+++ b/build_debian.sh
@@ -37,7 +37,6 @@ LINUX_KERNEL_VERSION=5.10.0-8-2
 ## Working directory to prepare the file system
 FILESYSTEM_ROOT=./fsroot
 PLATFORM_DIR=platform
-PLATFORM_SECURITY_CONF=./.sbsign.conf
 ## Hostname for the linux image
 HOSTNAME=sonic
 DEFAULT_USERINFO="Default admin user,,,"
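Review bot: When SIGNING_KEY and SIGNING_CERT sit in the same directory — the layout the series' own description assumes — the two `ifneq` branches in the @@ -199 hunk add the identical `-v dir:dir:ro` option twice, and Docker refuses to start the container with a duplicate mount point. Deriving the mount from `dirname` also exposes every sibling file of the key to the build container, which is more than the signing step needs, and a relative SIGNING_KEY stays relative, which `-v` does not accept. Mounting the two files themselves, resolved and de-duplicated, fixes all three and drops the two `$(shell)` forks: `ifeq ($(SONIC_ENABLE_SECUREBOOT_SIGNATURE), y)`, `DOCKER_RUN += $(foreach f,$(sort $(abspath $(SIGNING_KEY) $(SIGNING_CERT))),-v "$(f):$(f):ro")`, `endif`.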
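Review bot: The @@ -312 hunk forwards SONIC_ENABLE_SECUREBOOT_SIGNATURE into the in-container make but not SIGNING_KEY or SIGNING_CERT, so a key given on the host command line (`make SIGNING_KEY=… SIGNING_CERT=… target`) gets mounted by the hunk above yet reaches build_debian.sh as an empty path, and the sbsign call fails rather than the intended "key missing" error. Unless the two values are propagated somewhere outside this hunk, add them beside the flag: `SIGNING_KEY=$(SIGNING_KEY) \` and `SIGNING_CERT=$(SIGNING_CERT) \`. Setting them in rules/config presumably works only because both the host make and the container make read that file; that dependence is worth a comment on the flag line.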
@@ -144,29 +143,21 @@ if [[ $CONFIGURED_ARCH == amd64 ]]; then
 sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get -y install dmidecode hdparm
 fi
 
-## Sign the kernel
-if [ -f $PLATFORM_SECURITY_CONF ]; then
- sbsign_key_dir=`cat $PLATFORM_SECURITY_CONF`
-
- if [ -d $sbsign_key_dir ]; then
- secure_boot_key=`find $sbsign_key_dir -name "*.key"`
- secure_boot_cert=`find $sbsign_key_dir -name "*.cert"`
- if [[ ! -f $secure_boot_key ]]; then
- echo "Error: SONiC linux kernel signing key missing"
- exit 1
- fi
- if [[ ! -f $secure_boot_cert ]]; then
- echo "Error: SONiC linux kernel signing cert missing"
- exit 1
- fi
-
- echo '[INFO] Signing SONiC linux kernel image'
- K=$FILESYSTEM_ROOT/boot/vmlinuz-${LINUX_KERNEL_VERSION}-amd64
- sbsign --key $secure_boot_key --cert $secure_boot_cert --output /tmp/${K##*/} ${K}
- sudo cp -f /tmp/${K##*/} ${K}
- else
- echo '[INFO] Skipping signing SONiC Linux kernel image'
+## Sign the Linux kernel
+if [ "$SONIC_ENABLE_SECUREBOOT_SIGNATURE" = "y" ]; then
+ if [ ! -f $SIGNING_KEY ]; then
+ echo "Error: SONiC linux kernel signing key missing"
+ exit 1
 fi
+ if [ ! -f $SIGNING_CERT ]; then
+ echo "Error: SONiC linux kernel signing certificate missing"
+ exit 1
+ fi
+
+ echo '[INFO] Signing SONiC linux kernel image'
+ K=$FILESYSTEM_ROOT/boot/vmlinuz-${LINUX_KERNEL_VERSION}-amd64
+ sbsign --key $SIGNING_KEY --cert $SIGNING_CERT --output /tmp/${K##*/} ${K}
+ sudo cp -f /tmp/${K##*/} ${K}
 fi
 
 ## Update initramfs for booting with squashfs+overlay
diff --git a/rules/config b/rules/config
index fe5d7ac3e991..c51fcd84832c 100644
--- a/rules/config
+++ b/rules/config
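Review bot: The key and certificate checks use unquoted `$SIGNING_KEY` / `$SIGNING_CERT`, so an empty value turns `[ ! -f $SIGNING_KEY ]` into `[ ! -f ]`, which is false, and the script skips the intended error and runs sbsign with missing arguments. The signed kernel is also staged at a fixed, predictable name under the shared /tmp before being copied into the root filesystem with sudo, and nothing confirms the signature before the copy; a private `mktemp -d` directory and an `sbverify` against the certificate close both gaps, and the rewritten block is below. The `-amd64` suffix in `K=` stays hard-coded, so enabling this on another CONFIGURED_ARCH fails at the sbsign call — gate the block on amd64 or derive the suffix. Whether the script runs under `set -e` is not visible in this hunk, so the verification step fails explicitly.
```shell
if [ "$SONIC_ENABLE_SECUREBOOT_SIGNATURE" = "y" ]; then
    if [ ! -f "$SIGNING_KEY" ]; then
        # … unchanged: error message and exit 1 …
    fi
    if [ ! -f "$SIGNING_CERT" ]; then
        # … unchanged: error message and exit 1 …
    fi

    echo '[INFO] Signing SONiC linux kernel image'
    K=$FILESYSTEM_ROOT/boot/vmlinuz-${LINUX_KERNEL_VERSION}-amd64
    signed_tmp=$(mktemp -d)
    sbsign --key "$SIGNING_KEY" --cert "$SIGNING_CERT" --output "$signed_tmp/${K##*/}" "${K}"
    sbverify --cert "$SIGNING_CERT" "$signed_tmp/${K##*/}" || { echo "Error: signature verification of ${K##*/} failed"; exit 1; }
    sudo cp -f "$signed_tmp/${K##*/}" "${K}"
    rm -rf "$signed_tmp"
fi
```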
@@ -180,6 +180,13 @@ K8s_GCR_IO_PAUSE_VERSION = 3.4.1
 # The relative path is build root folder.
 SONIC_ENABLE_IMAGE_SIGNATURE ?= n
 
+# SONIC_ENABLE_SECUREBOOT_SIGNATURE - enable SONiC kernel signing to support UEFI secureboot
+# To support UEFI secureboot chain of trust requires EFI kernel to be signed as a PE binary
+# SIGNING_KEY =
+# SIGNING_CERT =
+# The absolute path should be provided.
+SONIC_ENABLE_SECUREBOOT_SIGNATURE ?= n
+
 # PACKAGE_URL_PREFIX - the package url prefix
 PACKAGE_URL_PREFIX ?= https://packages.trafficmanager.net/public/packages
 
diff --git a/slave.mk b/slave.mk
index 03bb19eba786..17ee8d8ac8de 100644
--- a/slave.mk
+++ b/slave.mk
@@ -108,12 +108,10 @@ configure :
 @mkdir -p $(DPKG_ADMINDIR_PATH)
 @echo $(PLATFORM) > .platform
 @echo $(PLATFORM_ARCH) > .arch
- @echo $(SONIC_SBSIGN_DIR) > .sbsign.conf
 
 distclean : .platform clean
 @rm -f .platform
 @rm -f .arch
- @rm -f .sbsign.conf
 
 list :
 @$(foreach target,$(SONIC_TARGET_LIST),echo $(target);)
@@ -291,7 +289,6 @@ $(info "SONIC_CONFIG_MAKE_JOBS" : "$(SONIC_CONFIG_MAKE_JOBS)")
 $(info "SONIC_USE_DOCKER_BUILDKIT" : "$(SONIC_USE_DOCKER_BUILDKIT)")
 $(info "USERNAME" : "$(USERNAME)")
 $(info "PASSWORD" : "$(PASSWORD)")
-$(info "SONIC_SECURE_BOOT" : "$(SONIC_SECURE_BOOT)")
 $(info "ENABLE_DHCP_GRAPH_SERVICE" : "$(ENABLE_DHCP_GRAPH_SERVICE)")
 $(info "SHUTDOWN_BGP_ON_START" : "$(SHUTDOWN_BGP_ON_START)")
 $(info "ENABLE_PFCWD_ON_START" : "$(ENABLE_PFCWD_ON_START)")
@@ -1179,6 +1176,9 @@ $(addprefix $(TARGET_PATH)/, $(SONIC_INSTALLERS)) : $(TARGET_PATH)/% : \
 TARGET_PATH=$(TARGET_PATH) \
 SONIC_ENFORCE_VERSIONS=$(SONIC_ENFORCE_VERSIONS) \
 TRUSTED_GPG_URLS=$(TRUSTED_GPG_URLS) \
+ SONIC_ENABLE_SECUREBOOT_SIGNATURE="$(SONIC_ENABLE_SECUREBOOT_SIGNATURE)" \
+ SIGNING_KEY="$(SIGNING_KEY)" \
+ SIGNING_CERT="$(SIGNING_CERT)" \
 PACKAGE_URL_PREFIX=$(PACKAGE_URL_PREFIX) \
 MULTIARCH_QEMU_ENVIRON=$(MULTIARCH_QEMU_ENVIRON) \
 ./build_debian.sh $(LOG)
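Review bot: The new rules/config comment names SIGNING_KEY and SIGNING_CERT but says nothing about what they must contain, even though build_debian.sh passes them straight to `sbsign --key` / `--cert`, so a reader has to know sbsign's conventions to fill them in. Suggest `# SIGNING_KEY  - absolute path to the PEM private key sbsign signs the kernel with; the key file itself must never be committed` and `# SIGNING_CERT - absolute path to the matching PEM certificate; the target's UEFI db must trust it for the signed kernel to boot`. Neither variable gets a `?=` default here, so the mount logic in Makefile.work and the checks in build_debian.sh rely on them being unset-or-empty; adding `SIGNING_KEY ?=` and `SIGNING_CERT ?=` makes that explicit and keeps `--warn-undefined-variables` quiet.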
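Review bot: The @@ -291 hunk drops the old `$(info "SONIC_SECURE_BOOT" …)` line without adding the replacement knob to this build-configuration dump, so a build log no longer records whether kernel signing was enabled. Suggest `$(info "SONIC_ENABLE_SECUREBOOT_SIGNATURE" : "$(SONIC_ENABLE_SECUREBOOT_SIGNATURE)")` in its place; the certificate path is not sensitive, so `$(info "SIGNING_CERT" : "$(SIGNING_CERT)")` is reasonable too, whereas the key's contents must never appear in a log.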
diff --git a/sonic-slave-jessie/Dockerfile.j2 b/sonic-slave-jessie/Dockerfile.j2
index 5e62835797ba..1d98e6d9b6c5 100644
--- a/sonic-slave-jessie/Dockerfile.j2
+++ b/sonic-slave-jessie/Dockerfile.j2
@@ -101,7 +101,6 @@ RUN apt-get update && apt-get install -y \
 devscripts \
 quilt \
 stgit \
- sbsigntool \
 # For platform-modules build
 module-assistant \
 # For thrift build\
diff --git a/sonic-slave-stretch/Dockerfile.j2 b/sonic-slave-stretch/Dockerfile.j2
index c8706eb33bb7..ad13ed0c124a 100644
--- a/sonic-slave-stretch/Dockerfile.j2
+++ b/sonic-slave-stretch/Dockerfile.j2
@@ -117,7 +117,6 @@ RUN apt-get update && apt-get install -y \
 devscripts \
 quilt \
 stgit \
- sbsigntool \
 # For platform-modules build
 module-assistant \
 # For thrift build\

From 8e6a9de60aa3189186fb58288785d2de96e269e3 Mon Sep 17 00:00:00 2001
From: Sachin Naik
Date: Thu, 14 Apr 2022 21:56:08 -0700
Subject: [PATCH 3/4] Fix unused key

Signed-off-by: Sachin Naik
---
 Makefile.work | 1 -
 1 file changed, 1 deletion(-)

diff --git a/Makefile.work b/Makefile.work
index 5b7236cea81d..24581db0d66e 100644
--- a/Makefile.work
+++ b/Makefile.work
@@ -275,7 +275,6 @@ SONIC_BUILD_INSTRUCTION := make \
 BUILD_NUMBER=$(BUILD_NUMBER) \
 BUILD_TIMESTAMP=$(BUILD_TIMESTAMP) \
 SONIC_IMAGE_VERSION=$(SONIC_IMAGE_VERSION) \
- SONIC_SECURE_BOOT=$(SONIC_SECURE_BOOT) \
 ENABLE_DHCP_GRAPH_SERVICE=$(ENABLE_DHCP_GRAPH_SERVICE) \
 ENABLE_ZTP=$(ENABLE_ZTP) \
 INCLUDE_PDE=$(INCLUDE_PDE) \

From 06aadf3d61ce69218d4f72d3859c288562190e17 Mon Sep 17 00:00:00 2001
From: Sachin Naik
Date: Thu, 14 Apr 2022 21:57:42 -0700
Subject: [PATCH 4/4] Fix extra space

Signed-off-by: Sachin Naik
---
 Makefile.work | 1 -
 1 file changed, 1 deletion(-)

diff --git a/Makefile.work b/Makefile.work
index 24581db0d66e..a5ecab1ab58b 100644
--- a/Makefile.work
+++ b/Makefile.work
@@ -199,7 +199,6 @@ ifneq ($(SIGNING_CERT),)
 endif
 endif
 
-
 ifeq ($(SONIC_CONFIG_USE_NATIVE_DOCKERD_FOR_BUILD), y)
 ifneq ($(MULTIARCH_QEMU_ENVIRON), y)
 DOCKER_RUN += -v /var/run/docker.sock:/var/run/docker.sock