Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add support for secure upgrade #11862

Merged
merged 24 commits into from
Jun 26, 2023
Merged

Conversation

ycoheNvidia
Copy link
Contributor

@ycoheNvidia ycoheNvidia commented Aug 28, 2022

What I did

Added support for secure upgrade.

How I did it

During sonic_installer install, added secure upgrade image verification.
HLD can be found in the following PR: sonic-net/SONiC#1024

Why I did it

Feature is used to allow image was not modified since built from vendor. During installation, image can be verified with a signature attached to it.

How I did it

Feature includes image signing during build (in sonic buildimage repo) and verification during image install (in sonic-utilities).

How to verify it

In order for image verification - image must be signed - need to provide signing key and certificate (paths in SECURE_UPGRADE_DEV_SIGNING_KEY and SECURE_UPGRADE_DEV_SIGNING_CERT in rules/config) during build , and during image install, need to enable secure boot flag in bios, and signing_certificate should be available in bios.

Feature dependencies

In order for this feature to work smoothly, need to have secure boot feature implemented as well.
The Secure boot feature will be merged in the near future.

In addition, image verification code, during image install, including tests are added as part of sonic-utilities repo PR - sonic-net/sonic-utilities#2698

@linux-foundation-easycla
Copy link

linux-foundation-easycla bot commented Aug 28, 2022

CLA Signed

The committers listed above are authorized under a signed CLA.

@liat-grozovik
Copy link
Collaborator

@yxieca could you please help to review or suggest a reviewer?

rules/config Outdated
Comment on lines 214 to 217
# SECURE_UPGRADE_MODE - enum value for secure upgrade mode, valid options are "dev", "prod" and "no_sign"
#SECURE_UPGRADE_DEV_SIGNING_KEY =
#SECURE_UPGRADE_DEV_SIGNING_CERT =
SECURE_UPGRADE_MODE = "no_sign"
Copy link
Collaborator

@xumia xumia Nov 14, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we only give two options: sign, no_sign? The dev or prod is depended on what kinds of certificates users used, and we can provide a script to generate all dev certificates.

We may be not necessary to provide some options only for DEV.

#SECURE_UPGRADE_DEV_SIGNING_KEY = 
#SECURE_UPGRADE_DEV_SIGNING_CERT =  

Suggest change as below:

#SECURE_UPGRADE_SIGNING_KEY = 
#SECURE_UPGRADE_SIGNING_CERT =  

Do we need to distinguish the UPGRADE/NONE-UPGRADE certificate? The signed image can be used for both fresh installation or upgrade, right?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This mechanism is part of the feature architecture, as described in its HLD. Doing as your suggestion will change our architecture and we prefer not to do so in this stage. There is a serious demand from our costumers, to allow production signing with their own signing mechanisms. If someone wants to use the current flags they can take the DEV_SIGNING flags and assign it to a different variable or flag.
For your last question - signed image can be used for both fresh installation (from ONIE) or upgrade (from SONIC). In case of ONIE installation - ONIE master is currently not verifying the image - it can be implemented in the future if required and approved

@liat-grozovik
Copy link
Collaborator

@ycoheNvidia can you please handle conflicts?
@qiluo-msft , @xumia appreciate your feedback to have this PR approved.

qiluo-msft pushed a commit to sonic-net/sonic-utilities that referenced this pull request Jan 30, 2023
#### What I did
Added support for secure upgrade

#### How I did it
It includes image signing during build (in sonic buildimage repo) and verification during image install (in sonic-utilities).
HLD can be found in the following PR: sonic-net/SONiC#1024
#### How to verify it
Feature is used to allow image was not modified since built from vendor. During installation, image can be verified with a signature attached to it.
In order for image verification - image must be signed - need to provide signing key and certificate (paths in SECURE_UPGRADE_DEV_SIGNING_KEY and SECURE_UPGRADE_DEV_SIGNING_CERT in rules/config) during build , and during image install, need to enable secure boot flag in bios, and signing_certificate should be available in bios.

#### Feature dependencies
In order for this feature to work smoothly, need to have secure boot feature implemented as well.
The Secure boot feature will be merged in the near future.

sonic-buildimage PR: sonic-net/sonic-buildimage#11862
@liat-grozovik liat-grozovik changed the title Secure upgrade Add support for secure upgrade Feb 6, 2023
@liat-grozovik
Copy link
Collaborator

/azp run Azure.sonic-buildimage

@azure-pipelines
Copy link

Azure Pipelines successfully started running 1 pipeline(s).

@ycoheNvidia
Copy link
Contributor Author

ycoheNvidia commented Feb 21, 2023

@qiluo-msft , @xumia, would appreciate your review

@liat-grozovik
Copy link
Collaborator

@ycoheNvidia please handle conflict.
@xumia the conflict will be handled soon, can you please approve the PR?

DavidZagury added a commit to DavidZagury/sonic-buildimage that referenced this pull request May 31, 2023
@liat-grozovik liat-grozovik merged commit ccf1cd5 into sonic-net:master Jun 26, 2023
@StormLiangMS
Copy link
Contributor

@ycoheNvidia not in this PR, but I'm trying to understand the behavior when we have this feature. In the HLD, it says that it read the enable from BIOS, if read failure, it fall into non secure case to continue the install/boot, or failed to install or boot?

@DavidZagury
Copy link
Contributor

@ycoheNvidia not in this PR, but I'm trying to understand the behavior when we have this feature. In the HLD, it says that it read the enable from BIOS, if read failure, it fall into non secure case to continue the install/boot, or failed to install or boot?

@StormLiangMS If Secure Boot is not supported on the devices BIOS it will be installed and boot without any validation on the signature.
This is done this way to be able to install the same image also on devices that don't support the Secure Boot feature.

mssonicbld pushed a commit to mssonicbld/sonic-buildimage that referenced this pull request Jun 30, 2023
- What I did
Added support for secure upgrade.

- How I did it
During sonic_installer install, added secure upgrade image verification.
HLD can be found in the following PR: sonic-net/SONiC#1024

- Why I did it
Feature is used to allow image was not modified since built from vendor. During installation, image can be verified with a signature attached to it.

- How I did it
Feature includes image signing during build (in sonic buildimage repo) and verification during image install (in sonic-utilities).

- How to verify it
In order for image verification - image must be signed - need to provide signing key and certificate (paths in SECURE_UPGRADE_DEV_SIGNING_KEY and SECURE_UPGRADE_DEV_SIGNING_CERT in rules/config) during build , and during image install, need to enable secure boot flag in bios, and signing_certificate should be available in bios.

- Feature dependencies
In order for this feature to work smoothly, need to have secure boot feature implemented as well.
The Secure boot feature will be merged in the near future.
@mssonicbld
Copy link
Collaborator

Cherry-pick PR to 202211: #15690

mssonicbld pushed a commit to mssonicbld/sonic-buildimage that referenced this pull request Jun 30, 2023
- What I did
Added support for secure upgrade.

- How I did it
During sonic_installer install, added secure upgrade image verification.
HLD can be found in the following PR: sonic-net/SONiC#1024

- Why I did it
Feature is used to allow image was not modified since built from vendor. During installation, image can be verified with a signature attached to it.

- How I did it
Feature includes image signing during build (in sonic buildimage repo) and verification during image install (in sonic-utilities).

- How to verify it
In order for image verification - image must be signed - need to provide signing key and certificate (paths in SECURE_UPGRADE_DEV_SIGNING_KEY and SECURE_UPGRADE_DEV_SIGNING_CERT in rules/config) during build , and during image install, need to enable secure boot flag in bios, and signing_certificate should be available in bios.

- Feature dependencies
In order for this feature to work smoothly, need to have secure boot feature implemented as well.
The Secure boot feature will be merged in the near future.
@mssonicbld
Copy link
Collaborator

Cherry-pick PR to 202305: #15691

mssonicbld pushed a commit that referenced this pull request Jul 12, 2023
- What I did
Added support for secure upgrade.

- How I did it
During sonic_installer install, added secure upgrade image verification.
HLD can be found in the following PR: sonic-net/SONiC#1024

- Why I did it
Feature is used to allow image was not modified since built from vendor. During installation, image can be verified with a signature attached to it.

- How I did it
Feature includes image signing during build (in sonic buildimage repo) and verification during image install (in sonic-utilities).

- How to verify it
In order for image verification - image must be signed - need to provide signing key and certificate (paths in SECURE_UPGRADE_DEV_SIGNING_KEY and SECURE_UPGRADE_DEV_SIGNING_CERT in rules/config) during build , and during image install, need to enable secure boot flag in bios, and signing_certificate should be available in bios.

- Feature dependencies
In order for this feature to work smoothly, need to have secure boot feature implemented as well.
The Secure boot feature will be merged in the near future.
StormLiangMS pushed a commit that referenced this pull request Jul 19, 2023
- What I did
Added support for secure upgrade.

- How I did it
During sonic_installer install, added secure upgrade image verification.
HLD can be found in the following PR: sonic-net/SONiC#1024

- Why I did it
Feature is used to allow image was not modified since built from vendor. During installation, image can be verified with a signature attached to it.

- How I did it
Feature includes image signing during build (in sonic buildimage repo) and verification during image install (in sonic-utilities).

- How to verify it
In order for image verification - image must be signed - need to provide signing key and certificate (paths in SECURE_UPGRADE_DEV_SIGNING_KEY and SECURE_UPGRADE_DEV_SIGNING_CERT in rules/config) during build , and during image install, need to enable secure boot flag in bios, and signing_certificate should be available in bios.

- Feature dependencies
In order for this feature to work smoothly, need to have secure boot feature implemented as well.
The Secure boot feature will be merged in the near future.

Co-authored-by: ycoheNvidia <99744138+ycoheNvidia@users.noreply.github.com>
malletvapid23 added a commit to malletvapid23/Sonic-Utility that referenced this pull request Aug 3, 2023
#### What I did
Added support for secure upgrade

#### How I did it
It includes image signing during build (in sonic buildimage repo) and verification during image install (in sonic-utilities).
HLD can be found in the following PR: sonic-net/SONiC#1024
#### How to verify it
Feature is used to allow image was not modified since built from vendor. During installation, image can be verified with a signature attached to it.
In order for image verification - image must be signed - need to provide signing key and certificate (paths in SECURE_UPGRADE_DEV_SIGNING_KEY and SECURE_UPGRADE_DEV_SIGNING_CERT in rules/config) during build , and during image install, need to enable secure boot flag in bios, and signing_certificate should be available in bios.

#### Feature dependencies
In order for this feature to work smoothly, need to have secure boot feature implemented as well.
The Secure boot feature will be merged in the near future.

sonic-buildimage PR: sonic-net/sonic-buildimage#11862
sonic-otn pushed a commit to sonic-otn/sonic-buildimage that referenced this pull request Sep 20, 2023
- What I did
Added support for secure upgrade.

- How I did it
During sonic_installer install, added secure upgrade image verification.
HLD can be found in the following PR: sonic-net/SONiC#1024

- Why I did it
Feature is used to allow image was not modified since built from vendor. During installation, image can be verified with a signature attached to it.

- How I did it
Feature includes image signing during build (in sonic buildimage repo) and verification during image install (in sonic-utilities).

- How to verify it
In order for image verification - image must be signed - need to provide signing key and certificate (paths in SECURE_UPGRADE_DEV_SIGNING_KEY and SECURE_UPGRADE_DEV_SIGNING_CERT in rules/config) during build , and during image install, need to enable secure boot flag in bios, and signing_certificate should be available in bios.

- Feature dependencies
In order for this feature to work smoothly, need to have secure boot feature implemented as well.
The Secure boot feature will be merged in the near future.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

8 participants