-
Notifications
You must be signed in to change notification settings - Fork 1.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add support for secure upgrade #11862
Conversation
@yxieca could you please help to review or suggest a reviewer? |
rules/config
Outdated
# SECURE_UPGRADE_MODE - enum value for secure upgrade mode, valid options are "dev", "prod" and "no_sign" | ||
#SECURE_UPGRADE_DEV_SIGNING_KEY = | ||
#SECURE_UPGRADE_DEV_SIGNING_CERT = | ||
SECURE_UPGRADE_MODE = "no_sign" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can we only give two options: sign, no_sign? The dev or prod is depended on what kinds of certificates users used, and we can provide a script to generate all dev certificates.
We may be not necessary to provide some options only for DEV.
#SECURE_UPGRADE_DEV_SIGNING_KEY =
#SECURE_UPGRADE_DEV_SIGNING_CERT =
Suggest change as below:
#SECURE_UPGRADE_SIGNING_KEY =
#SECURE_UPGRADE_SIGNING_CERT =
Do we need to distinguish the UPGRADE/NONE-UPGRADE certificate? The signed image can be used for both fresh installation or upgrade, right?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This mechanism is part of the feature architecture, as described in its HLD. Doing as your suggestion will change our architecture and we prefer not to do so in this stage. There is a serious demand from our costumers, to allow production signing with their own signing mechanisms. If someone wants to use the current flags they can take the DEV_SIGNING flags and assign it to a different variable or flag.
For your last question - signed image can be used for both fresh installation (from ONIE) or upgrade (from SONIC). In case of ONIE installation - ONIE master is currently not verifying the image - it can be implemented in the future if required and approved
@ycoheNvidia can you please handle conflicts? |
#### What I did Added support for secure upgrade #### How I did it It includes image signing during build (in sonic buildimage repo) and verification during image install (in sonic-utilities). HLD can be found in the following PR: sonic-net/SONiC#1024 #### How to verify it Feature is used to allow image was not modified since built from vendor. During installation, image can be verified with a signature attached to it. In order for image verification - image must be signed - need to provide signing key and certificate (paths in SECURE_UPGRADE_DEV_SIGNING_KEY and SECURE_UPGRADE_DEV_SIGNING_CERT in rules/config) during build , and during image install, need to enable secure boot flag in bios, and signing_certificate should be available in bios. #### Feature dependencies In order for this feature to work smoothly, need to have secure boot feature implemented as well. The Secure boot feature will be merged in the near future. sonic-buildimage PR: sonic-net/sonic-buildimage#11862
/azp run Azure.sonic-buildimage |
Azure Pipelines successfully started running 1 pipeline(s). |
@qiluo-msft , @xumia, would appreciate your review |
@ycoheNvidia please handle conflict. |
7d7b567
to
f43f02d
Compare
@ycoheNvidia not in this PR, but I'm trying to understand the behavior when we have this feature. In the HLD, it says that it read the enable from BIOS, if read failure, it fall into non secure case to continue the install/boot, or failed to install or boot? |
@StormLiangMS If Secure Boot is not supported on the devices BIOS it will be installed and boot without any validation on the signature. |
- What I did Added support for secure upgrade. - How I did it During sonic_installer install, added secure upgrade image verification. HLD can be found in the following PR: sonic-net/SONiC#1024 - Why I did it Feature is used to allow image was not modified since built from vendor. During installation, image can be verified with a signature attached to it. - How I did it Feature includes image signing during build (in sonic buildimage repo) and verification during image install (in sonic-utilities). - How to verify it In order for image verification - image must be signed - need to provide signing key and certificate (paths in SECURE_UPGRADE_DEV_SIGNING_KEY and SECURE_UPGRADE_DEV_SIGNING_CERT in rules/config) during build , and during image install, need to enable secure boot flag in bios, and signing_certificate should be available in bios. - Feature dependencies In order for this feature to work smoothly, need to have secure boot feature implemented as well. The Secure boot feature will be merged in the near future.
Cherry-pick PR to 202211: #15690 |
- What I did Added support for secure upgrade. - How I did it During sonic_installer install, added secure upgrade image verification. HLD can be found in the following PR: sonic-net/SONiC#1024 - Why I did it Feature is used to allow image was not modified since built from vendor. During installation, image can be verified with a signature attached to it. - How I did it Feature includes image signing during build (in sonic buildimage repo) and verification during image install (in sonic-utilities). - How to verify it In order for image verification - image must be signed - need to provide signing key and certificate (paths in SECURE_UPGRADE_DEV_SIGNING_KEY and SECURE_UPGRADE_DEV_SIGNING_CERT in rules/config) during build , and during image install, need to enable secure boot flag in bios, and signing_certificate should be available in bios. - Feature dependencies In order for this feature to work smoothly, need to have secure boot feature implemented as well. The Secure boot feature will be merged in the near future.
Cherry-pick PR to 202305: #15691 |
- What I did Added support for secure upgrade. - How I did it During sonic_installer install, added secure upgrade image verification. HLD can be found in the following PR: sonic-net/SONiC#1024 - Why I did it Feature is used to allow image was not modified since built from vendor. During installation, image can be verified with a signature attached to it. - How I did it Feature includes image signing during build (in sonic buildimage repo) and verification during image install (in sonic-utilities). - How to verify it In order for image verification - image must be signed - need to provide signing key and certificate (paths in SECURE_UPGRADE_DEV_SIGNING_KEY and SECURE_UPGRADE_DEV_SIGNING_CERT in rules/config) during build , and during image install, need to enable secure boot flag in bios, and signing_certificate should be available in bios. - Feature dependencies In order for this feature to work smoothly, need to have secure boot feature implemented as well. The Secure boot feature will be merged in the near future.
- What I did Added support for secure upgrade. - How I did it During sonic_installer install, added secure upgrade image verification. HLD can be found in the following PR: sonic-net/SONiC#1024 - Why I did it Feature is used to allow image was not modified since built from vendor. During installation, image can be verified with a signature attached to it. - How I did it Feature includes image signing during build (in sonic buildimage repo) and verification during image install (in sonic-utilities). - How to verify it In order for image verification - image must be signed - need to provide signing key and certificate (paths in SECURE_UPGRADE_DEV_SIGNING_KEY and SECURE_UPGRADE_DEV_SIGNING_CERT in rules/config) during build , and during image install, need to enable secure boot flag in bios, and signing_certificate should be available in bios. - Feature dependencies In order for this feature to work smoothly, need to have secure boot feature implemented as well. The Secure boot feature will be merged in the near future. Co-authored-by: ycoheNvidia <99744138+ycoheNvidia@users.noreply.github.com>
#### What I did Added support for secure upgrade #### How I did it It includes image signing during build (in sonic buildimage repo) and verification during image install (in sonic-utilities). HLD can be found in the following PR: sonic-net/SONiC#1024 #### How to verify it Feature is used to allow image was not modified since built from vendor. During installation, image can be verified with a signature attached to it. In order for image verification - image must be signed - need to provide signing key and certificate (paths in SECURE_UPGRADE_DEV_SIGNING_KEY and SECURE_UPGRADE_DEV_SIGNING_CERT in rules/config) during build , and during image install, need to enable secure boot flag in bios, and signing_certificate should be available in bios. #### Feature dependencies In order for this feature to work smoothly, need to have secure boot feature implemented as well. The Secure boot feature will be merged in the near future. sonic-buildimage PR: sonic-net/sonic-buildimage#11862
- What I did Added support for secure upgrade. - How I did it During sonic_installer install, added secure upgrade image verification. HLD can be found in the following PR: sonic-net/SONiC#1024 - Why I did it Feature is used to allow image was not modified since built from vendor. During installation, image can be verified with a signature attached to it. - How I did it Feature includes image signing during build (in sonic buildimage repo) and verification during image install (in sonic-utilities). - How to verify it In order for image verification - image must be signed - need to provide signing key and certificate (paths in SECURE_UPGRADE_DEV_SIGNING_KEY and SECURE_UPGRADE_DEV_SIGNING_CERT in rules/config) during build , and during image install, need to enable secure boot flag in bios, and signing_certificate should be available in bios. - Feature dependencies In order for this feature to work smoothly, need to have secure boot feature implemented as well. The Secure boot feature will be merged in the near future.
Highlight change, the DHCP config removed from master branch. files/image_config/resolv-config/resolv.conf Related work items: sonic-net#49, sonic-net#2598, sonic-net#11862, sonic-net#12530, sonic-net#14000, sonic-net#14549, sonic-net#14814, sonic-net#15077, sonic-net#15252, sonic-net#15253, sonic-net#15357, sonic-net#15384, sonic-net#15394, sonic-net#15399, sonic-net#15405, sonic-net#15566, sonic-net#15591, sonic-net#15592, sonic-net#15593, sonic-net#15602, sonic-net#15604, sonic-net#15611, sonic-net#15621, sonic-net#15625, sonic-net#15634, sonic-net#15635
Merge code from master to internal Related work items: sonic-net#32, sonic-net#49, sonic-net#376, sonic-net#2598, sonic-net#11862, sonic-net#12530, sonic-net#14000, sonic-net#14547, sonic-net#14549, sonic-net#14814, sonic-net#15077, sonic-net#15239, sonic-net#15252, sonic-net#15253, sonic-net#15298, sonic-net#15357, sonic-net#15384, sonic-net#15394, sonic-net#15399, sonic-net#15405, sonic-net#15511, sonic-net#15566, sonic-net#15583, sonic-net#15591, sonic-net#15592, sonic-net#15593, sonic-net#15602, sonic-net#15604, sonic-net#15611, sonic-net#15621, sonic-net#15625, sonic-net#15634, sonic-net#15635, sonic-net#15645, sonic-net#15646, sonic-net#15647, sonic-net#15657, sonic-net#15658, sonic-net#15697, sonic-net#15699
What I did
Added support for secure upgrade.
How I did it
During sonic_installer install, added secure upgrade image verification.
HLD can be found in the following PR: sonic-net/SONiC#1024
Why I did it
Feature is used to allow image was not modified since built from vendor. During installation, image can be verified with a signature attached to it.
How I did it
Feature includes image signing during build (in sonic buildimage repo) and verification during image install (in sonic-utilities).
How to verify it
In order for image verification - image must be signed - need to provide signing key and certificate (paths in SECURE_UPGRADE_DEV_SIGNING_KEY and SECURE_UPGRADE_DEV_SIGNING_CERT in rules/config) during build , and during image install, need to enable secure boot flag in bios, and signing_certificate should be available in bios.
Feature dependencies
In order for this feature to work smoothly, need to have secure boot feature implemented as well.
The Secure boot feature will be merged in the near future.
In addition, image verification code, during image install, including tests are added as part of sonic-utilities repo PR - sonic-net/sonic-utilities#2698