Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Ci]: Support to sign image for cisco-8000 uefi secure boot #10616

Merged
merged 3 commits into from
Apr 21, 2022
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
33 changes: 33 additions & 0 deletions .azure-pipelines/azure-pipelines-download-certificate.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,33 @@
parameters:
- name: connectionName
type: string
default: sonic-dev-connection
- name: kevaultName
type: string
default: sonic-kv
- name: certificateName
type: string
default: sonic-secure-boot

steps:
- task: AzureKeyVault@2
inputs:
connectedServiceName: ${{ parameters.connectionName }}
keyVaultName: ${{ parameters.kevaultName }}
secretsFilter: ${{ parameters.certificateName }}

- script: |
set -e
TMP_FILE=$(mktemp)
echo "$CERTIFICATE" | base64 -d > $TMP_FILE
sudo mkdir -p /etc/certificates
mkdir -p $(Build.StagingDirectory)/target
# Save the public key
openssl pkcs12 -in $TMP_FILE -clcerts --nokeys -nodes -passin pass: | sed -z -e "s/.*\(-----BEGIN CERTIFICATE\)/\1/" > $(SIGNING_CERT)
# Save the private key
openssl pkcs12 -in $TMP_FILE -nocerts -nodes -passin pass: | sed -z -e "s/.*\(-----BEGIN PRIVATE KEY\)/\1/" | sudo tee $(SIGNING_KEY) 1>/dev/null
ls -lt $(SIGNING_CERT) $(SIGNING_KEY)
rm $TMP_FILE
env:
CERTIFICATE: $(${{ parameters.certificateName }})
displayName: "Save certificate"
13 changes: 13 additions & 0 deletions .azure-pipelines/official-build-cisco-8000.yml
Original file line number Diff line number Diff line change
Expand Up @@ -22,10 +22,17 @@ resources:
name: Cisco-8000-sonic/platform-cisco-8000
endpoint: cisco-connection


variables:
- group: SONIC-AKV-STROAGE-1
- name: StorageSASKey
value: $(sonicstorage-SasToken)
- name: SONIC_ENABLE_SECUREBOOT_SIGNATURE
value: y
- name: SIGNING_KEY
value: /etc/certificates/sonic-secure-boot-private.pem
- name: SIGNING_CERT
value: $(Build.StagingDirectory)/target/sonic-secure-boot-public.pem

stages:
- stage: Build
Expand All @@ -41,6 +48,7 @@ stages:
parameters:
buildOptions: 'USERNAME=admin SONIC_BUILD_JOBS=$(nproc) ${{ variables.VERSION_CONTROL_OPTIONS }}'
preSteps:
- template: azure-pipelines-download-certificate.yml
- checkout: self
submodules: recursive
path: s
Expand Down Expand Up @@ -90,5 +98,10 @@ stages:
StorageSASKey: $(StorageSASKey)
condition: ne(variables['Build.Reason'], 'PullRequest')
displayName: "Override cisco sai packages"
- script: |
echo "SONIC_ENABLE_SECUREBOOT_SIGNATURE := y" >> rules/config.user
echo "SIGNING_KEY := $(SIGNING_KEY)" >> rules/config.user
echo "SIGNING_CERT := $(SIGNING_CERT)" >> rules/config.user
displayName: "Enable secure boot signature"
jobGroups:
- name: cisco-8000