secureboot: Enable signing SONiC kernel #10557
Merged
Build hook to enable signing SONiC Linux kernel using standard sbsign tool

How to enable signing hook?

    make configure PLATFORM=<platform> SECURE_BOOT=yes SBSIGN_KEY=<SONiC image sign key dir path>

SONiC image sign key dir path: should contain two files
1. <Image signing private key>.key
2. <Public cert>.cert

Signed-off-by: Sachin Naik <sachnaik@cisco.com>
xumia
reviewed
Apr 12, 2022
xumia
reviewed
Apr 12, 2022
xumia
reviewed
Apr 12, 2022
sacnaik
commented
Apr 14, 2022
Signed-off-by: Sachin Naik <sachnaik@cisco.com>
xumia
approved these changes
Apr 15, 2022
xumia
added
Build
Request for 202012 Branch
Request for 202106 Branch
Request for 202111 Branch
For PRs being requested for 202111 branch
labels
Apr 19, 2022
@sacnaik, could you please send another PR for the 202012/202106 branches? There are some code conflicts that need to be resolved.
xumia
pushed a commit
to xumia/sonic-buildimage-1
that referenced
this pull request
Apr 19, 2022
Why I did it

To sign the SONiC kernel image and allow a secure boot based system to verify the SONiC image before loading it into the system.

How I did it

Pass the following parameters to rules/config.user
Ex:
SONIC_ENABLE_SECUREBOOT_SIGNATURE := y
SIGNING_KEY := /path/to/key/private.key
SIGNING_CERT := /path/to/public/public.cert

How to verify it

A secure boot enabled system, enrolled with the right public key of the image in the platform UEFI database, will be able to verify the image before load.
Alternatively one can verify with the offline sbsign tool as below.
export SBSIGN_KEY=/abc/bcd/xyz/
sbverify --cert $SBSIGN_KEY/public_cert.cert fsroot-platform-XYZ/boot/vmlinuz-5.10.0-8-2-amd64 mage
O/P:
Signature verification OK
xumia
pushed a commit
to xumia/sonic-buildimage-1
that referenced
this pull request
Apr 20, 2022
judyjoseph
pushed a commit
that referenced
this pull request
Apr 25, 2022
liushilongbuaa
pushed a commit
to liushilongbuaa/sonic-buildimage
that referenced
this pull request
Jun 20, 2022
Related work items:
abdosi
added a commit
to abdosi/sonic-buildimage
that referenced
this pull request
Jun 4, 2024
This reverts commit 598ab99. Signed-off-by: Abhishek Dosi <abdosi@microsoft.com>
lguohan
pushed a commit
that referenced
this pull request
Jun 5, 2024
What I did:
Before this feature sonic-net/SONiC#1028 got merged, there was an intermediate change done to just support kernel signing via #10557. However, once this feature is merged (sonic-net/SONiC#1028, which supports signing of all boot components, not just the kernel) we do not need the kernel-only signing changes, as they define new rules macros which just create confusion. So as part of this PR I am reverting the kernel-only sign PR #10557.
Signed-off-by: Abhishek Dosi <abdosi@microsoft.com>
arun1355492
pushed a commit
to arun1355492/sonic-buildimage
that referenced
this pull request
Jul 26, 2024
…ic-net#19199)
What I did:
Before this feature sonic-net/SONiC#1028 got merged, there was an intermediate change done to just support kernel signing via sonic-net#10557. However, once this feature is merged (sonic-net/SONiC#1028, which supports signing of all boot components, not just the kernel) we do not need the kernel-only signing changes, as they define new rules macros which just create confusion. So as part of this PR I am reverting the kernel-only sign PR sonic-net#10557.
Signed-off-by: Abhishek Dosi <abdosi@microsoft.com>
Build hook to enable signing SONiC Linux kernel using standard third party sbsign tool
How to enable signing hook?
Pass the following parameters to rules/config.user
Ex:
SONIC_ENABLE_SECUREBOOT_SIGNATURE := y
SIGNING_KEY := /path/to/key/private.key
SIGNING_CERT := /path/to/public/public.cert
Signed-off-by: Sachin Naik sachnaik@cisco.com
Why I did it
To sign the SONiC kernel image and allow a secure boot based system to verify the SONiC image before loading it into the system.
How I did it
Pass the following parameters to rules/config.user
Ex:
SONIC_ENABLE_SECUREBOOT_SIGNATURE := y
SIGNING_KEY := /path/to/key/private.key
SIGNING_CERT := /path/to/public/public.cert
How to verify it
A secure boot enabled system, enrolled with the right public key of the image in the platform UEFI database, will be able to verify the image before load.
Alternatively one can verify with the offline sbsign tool as below.
export SBSIGN_KEY=/abc/bcd/xyz/
sbverify --cert $SBSIGN_KEY/public_cert.cert fsroot-platform-XYZ/boot/vmlinuz-5.10.0-8-2-amd64 mage
O/P:
Signature verification OK
Which release branch to backport (provide reason below if selected)
The 202012 branch needs to be backported so that it can produce a signed SONiC image to boot on secure boot enabled hardware.
Description for the changelog
Generic build hook to sign the SONiC kernel image. It provides a mechanism to configure the SONiC build system to sign the image. The user can enable signing via make configure and provide the location of the signing keys. It uses the standard sbsign infrastructure to sign the Linux kernel.
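A lightweight pre-check a build pipeline can run on the produced vmlinuz before handing it to sbverify, as an added example that is not part of this PR or the SONiC build system: it parses the PE/EFI headers and reports whether the Authenticode certificate table that sbsign populates is present at all, so a build with SONIC_ENABLE_SECUREBOOT_SIGNATURE := y that somehow emitted an unsigned kernel fails early. It checks presence only; sbverify against the enrolled cert is still the real signature check. The sample image is a constructed minimal PE32+ blob, not a real kernel.

```python
import struct

SECURITY_DIR_INDEX = 4  # data-directory slot of the Authenticode certificate table


def authenticode_table(image: bytes):
    """Return (offset, size) of the PE certificate table, or None if empty/absent.
    sbsign stores its PKCS#7 signature here; an unsigned vmlinuz has (0, 0)."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE/EFI image: missing MZ header")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)            # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = pe_off + 4
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]     # SizeOfOptionalHeader
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic == 0x10B:        # PE32: data directories start at +96
        dir_base = opt + 96
    elif magic == 0x20B:      # PE32+, the layout of an amd64 vmlinuz
        dir_base = opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    (num_dirs,) = struct.unpack_from("<I", image, dir_base - 4)  # NumberOfRvaAndSizes
    entry = dir_base + 8 * SECURITY_DIR_INDEX
    if num_dirs <= SECURITY_DIR_INDEX or entry + 8 > opt + opt_size:
        return None
    off, size = struct.unpack_from("<II", image, entry)
    return (off, size) if off and size else None


def kernel_has_signature_table(image: bytes) -> bool:
    """True when a certificate table is declared and lies wholly inside the file."""
    entry = authenticode_table(image)
    return entry is not None and entry[0] + entry[1] <= len(image)


def make_test_image(with_cert_table: bool) -> bytes:
    """Constructed minimal PE32+ blob (not a real kernel) for exercising the check."""
    opt_size = 112 + 16 * 8                                       # fixed part + 16 dirs
    hdr = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)           # e_lfanew -> 0x40
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, opt_size, 0x22)
    opt = struct.pack("<H", 0x20B) + b"\0" * 106 + struct.pack("<I", 16)
    end_of_headers = len(hdr) + opt_size
    dirs = [(0, 0)] * 16
    if with_cert_table:
        dirs[SECURITY_DIR_INDEX] = (end_of_headers, 64)           # table follows headers
    opt += b"".join(struct.pack("<II", o, s) for o, s in dirs)
    return hdr + opt + (b"\0" * 64 if with_cert_table else b"")   # stand-in WIN_CERTIFICATE
```

On a real build, read fsroot-platform-XYZ/boot/vmlinuz-* into bytes and fail the signing hook if kernel_has_signature_table returns False.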