Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Ci]: Support to sign image for cisco-8000 uefi secure boot #10616

Merged
merged 3 commits into from
Apr 21, 2022
Merged

[Ci]: Support to sign image for cisco-8000 uefi secure boot #10616

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
c6ce7ef
[Ci]: Support to sign image for cisco-8000 uefi secure boot
xumia Apr 20, 2022
169a234
Change certificate path
xumia Apr 20, 2022
66b96b5
Enable secure boot signature
xumia Apr 20, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
33 changes: 33 additions & 0 deletions .azure-pipelines/azure-pipelines-download-certificate.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,33 @@
parameters:
- name: connectionName
type: string
default: sonic-dev-connection
- name: kevaultName
type: string
default: sonic-kv
- name: certificateName
type: string
default: sonic-secure-boot

steps:
- task: AzureKeyVault@2
inputs:
connectedServiceName: ${{ parameters.connectionName }}
keyVaultName: ${{ parameters.kevaultName }}
secretsFilter: ${{ parameters.certificateName }}

- script: |
set -e
TMP_FILE=$(mktemp)
echo "$CERTIFICATE" | base64 -d > $TMP_FILE
sudo mkdir -p /etc/certificates
mkdir -p $(Build.StagingDirectory)/target
# Save the public key
openssl pkcs12 -in $TMP_FILE -clcerts --nokeys -nodes -passin pass: | sed -z -e "s/.*\(-----BEGIN CERTIFICATE\)/\1/" > $(SIGNING_CERT)
# Save the private key
openssl pkcs12 -in $TMP_FILE -nocerts -nodes -passin pass: | sed -z -e "s/.*\(-----BEGIN PRIVATE KEY\)/\1/" | sudo tee $(SIGNING_KEY) 1>/dev/null
ls -lt $(SIGNING_CERT) $(SIGNING_KEY)
rm $TMP_FILE
env:
CERTIFICATE: $(${{ parameters.certificateName }})
displayName: "Save certificate"
13 changes: 13 additions & 0 deletions .azure-pipelines/official-build-cisco-8000.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -22,10 +22,17 @@ resources:
name: Cisco-8000-sonic/platform-cisco-8000
endpoint: cisco-connection


variables:
- group: SONIC-AKV-STROAGE-1
- name: StorageSASKey
value: $(sonicstorage-SasToken)
- name: SONIC_ENABLE_SECUREBOOT_SIGNATURE
value: y
- name: SIGNING_KEY
value: /etc/certificates/sonic-secure-boot-private.pem
- name: SIGNING_CERT
value: $(Build.StagingDirectory)/target/sonic-secure-boot-public.pem

stages:
- stage: Build
Expand All @@ -41,6 +48,7 @@ stages:
parameters:
buildOptions: 'USERNAME=admin SONIC_BUILD_JOBS=$(nproc) ${{ variables.VERSION_CONTROL_OPTIONS }}'
preSteps:
- template: azure-pipelines-download-certificate.yml
- checkout: self
submodules: recursive
path: s
Expand Down Expand Up @@ -90,5 +98,10 @@ stages:
StorageSASKey: $(StorageSASKey)
condition: ne(variables['Build.Reason'], 'PullRequest')
displayName: "Override cisco sai packages"
- script: |
echo "SONIC_ENABLE_SECUREBOOT_SIGNATURE := y" >> rules/config.user
echo "SIGNING_KEY := $(SIGNING_KEY)" >> rules/config.user
echo "SIGNING_CERT := $(SIGNING_CERT)" >> rules/config.user
displayName: "Enable secure boot signature"
jobGroups:
- name: cisco-8000