Add support for secure upgrade #11862
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
ycoheNvidia
requested review from
qiluo-msft,
xumia and
lguohan
as code owners
This was referenced Aug 28, 2022
|
@yxieca could you please help to review or suggest a reviewer? |
xumia
reviewed
Nov 14, 2022
rules/config
Outdated
Comment on lines
214
to
217
| # SECURE_UPGRADE_MODE - enum value for secure upgrade mode, valid options are "dev", "prod" and "no_sign" | ||
| #SECURE_UPGRADE_DEV_SIGNING_KEY = | ||
| #SECURE_UPGRADE_DEV_SIGNING_CERT = | ||
| SECURE_UPGRADE_MODE = "no_sign" |
There was a problem hiding this comment.
Can we only give two options: sign, no_sign? The dev or prod is depended on what kinds of certificates users used, and we can provide a script to generate all dev certificates.
We may be not necessary to provide some options only for DEV.
#SECURE_UPGRADE_DEV_SIGNING_KEY =
#SECURE_UPGRADE_DEV_SIGNING_CERT =
Suggest change as below:
#SECURE_UPGRADE_SIGNING_KEY =
#SECURE_UPGRADE_SIGNING_CERT =
Do we need to distinguish the UPGRADE/NONE-UPGRADE certificate? The signed image can be used for both fresh installation or upgrade, right?
There was a problem hiding this comment.
This mechanism is part of the feature architecture, as described in its HLD. Doing as your suggestion will change our architecture and we prefer not to do so in this stage. There is a serious demand from our costumers, to allow production signing with their own signing mechanisms. If someone wants to use the current flags they can take the DEV_SIGNING flags and assign it to a different variable or flag.
For your last question - signed image can be used for both fresh installation (from ONIE) or upgrade (from SONIC). In case of ONIE installation - ONIE master is currently not verifying the image - it can be implemented in the future if required and approved
|
@ycoheNvidia can you please handle conflicts? |
qiluo-msft
pushed a commit
to sonic-net/sonic-utilities
that referenced
this pull request
Jan 30, 2023
#### What I did Added support for secure upgrade #### How I did it It includes image signing during build (in sonic buildimage repo) and verification during image install (in sonic-utilities). HLD can be found in the following PR: sonic-net/SONiC#1024 #### How to verify it Feature is used to allow image was not modified since built from vendor. During installation, image can be verified with a signature attached to it. In order for image verification - image must be signed - need to provide signing key and certificate (paths in SECURE_UPGRADE_DEV_SIGNING_KEY and SECURE_UPGRADE_DEV_SIGNING_CERT in rules/config) during build , and during image install, need to enable secure boot flag in bios, and signing_certificate should be available in bios. #### Feature dependencies In order for this feature to work smoothly, need to have secure boot feature implemented as well. The Secure boot feature will be merged in the near future. sonic-buildimage PR: sonic-net/sonic-buildimage#11862
|
/azp run Azure.sonic-buildimage |
|
Azure Pipelines successfully started running 1 pipeline(s). |
|
@qiluo-msft , @xumia, would appreciate your review |
|
@ycoheNvidia please handle conflict. |
ycoheNvidia
force-pushed
the
secure_upgrade
branch
from
7d7b567
to
f43f02d
Compare
DavidZagury
added a commit
to DavidZagury/sonic-buildimage
that referenced
this pull request
May 31, 2023
qiluo-msft
approved these changes
Jun 5, 2023
|
@ycoheNvidia not in this PR, but I'm trying to understand the behavior when we have this feature. In the HLD, it says that it read the enable from BIOS, if read failure, it fall into non secure case to continue the install/boot, or failed to install or boot? |
@StormLiangMS If Secure Boot is not supported on the devices BIOS it will be installed and boot without any validation on the signature. |
mssonicbld
pushed a commit
to mssonicbld/sonic-buildimage
that referenced
this pull request
Jun 30, 2023
- What I did Added support for secure upgrade. - How I did it During sonic_installer install, added secure upgrade image verification. HLD can be found in the following PR: sonic-net/SONiC#1024 - Why I did it Feature is used to allow image was not modified since built from vendor. During installation, image can be verified with a signature attached to it. - How I did it Feature includes image signing during build (in sonic buildimage repo) and verification during image install (in sonic-utilities). - How to verify it In order for image verification - image must be signed - need to provide signing key and certificate (paths in SECURE_UPGRADE_DEV_SIGNING_KEY and SECURE_UPGRADE_DEV_SIGNING_CERT in rules/config) during build , and during image install, need to enable secure boot flag in bios, and signing_certificate should be available in bios. - Feature dependencies In order for this feature to work smoothly, need to have secure boot feature implemented as well. The Secure boot feature will be merged in the near future.
|
Cherry-pick PR to 202211: #15690 |
mssonicbld
pushed a commit
to mssonicbld/sonic-buildimage
that referenced
this pull request
Jun 30, 2023
- What I did Added support for secure upgrade. - How I did it During sonic_installer install, added secure upgrade image verification. HLD can be found in the following PR: sonic-net/SONiC#1024 - Why I did it Feature is used to allow image was not modified since built from vendor. During installation, image can be verified with a signature attached to it. - How I did it Feature includes image signing during build (in sonic buildimage repo) and verification during image install (in sonic-utilities). - How to verify it In order for image verification - image must be signed - need to provide signing key and certificate (paths in SECURE_UPGRADE_DEV_SIGNING_KEY and SECURE_UPGRADE_DEV_SIGNING_CERT in rules/config) during build , and during image install, need to enable secure boot flag in bios, and signing_certificate should be available in bios. - Feature dependencies In order for this feature to work smoothly, need to have secure boot feature implemented as well. The Secure boot feature will be merged in the near future.
|
Cherry-pick PR to 202305: #15691 |
mssonicbld
pushed a commit
that referenced
this pull request
Jul 12, 2023
- What I did Added support for secure upgrade. - How I did it During sonic_installer install, added secure upgrade image verification. HLD can be found in the following PR: sonic-net/SONiC#1024 - Why I did it Feature is used to allow image was not modified since built from vendor. During installation, image can be verified with a signature attached to it. - How I did it Feature includes image signing during build (in sonic buildimage repo) and verification during image install (in sonic-utilities). - How to verify it In order for image verification - image must be signed - need to provide signing key and certificate (paths in SECURE_UPGRADE_DEV_SIGNING_KEY and SECURE_UPGRADE_DEV_SIGNING_CERT in rules/config) during build , and during image install, need to enable secure boot flag in bios, and signing_certificate should be available in bios. - Feature dependencies In order for this feature to work smoothly, need to have secure boot feature implemented as well. The Secure boot feature will be merged in the near future.
mssonicbld
added
Included in 202211 Branch
and removed
Approved for 202211 Branch
Created PR to 202211 Branch
labels
StormLiangMS
pushed a commit
that referenced
this pull request
Jul 19, 2023
- What I did Added support for secure upgrade. - How I did it During sonic_installer install, added secure upgrade image verification. HLD can be found in the following PR: sonic-net/SONiC#1024 - Why I did it Feature is used to allow image was not modified since built from vendor. During installation, image can be verified with a signature attached to it. - How I did it Feature includes image signing during build (in sonic buildimage repo) and verification during image install (in sonic-utilities). - How to verify it In order for image verification - image must be signed - need to provide signing key and certificate (paths in SECURE_UPGRADE_DEV_SIGNING_KEY and SECURE_UPGRADE_DEV_SIGNING_CERT in rules/config) during build , and during image install, need to enable secure boot flag in bios, and signing_certificate should be available in bios. - Feature dependencies In order for this feature to work smoothly, need to have secure boot feature implemented as well. The Secure boot feature will be merged in the near future. Co-authored-by: ycoheNvidia <99744138+ycoheNvidia@users.noreply.github.com>
mssonicbld
added
Included in 202305 Branch
and removed
Created PR to 202305 Branch
labels
malletvapid23
added a commit
to malletvapid23/Sonic-Utility
that referenced
this pull request
Aug 3, 2023
#### What I did Added support for secure upgrade #### How I did it It includes image signing during build (in sonic buildimage repo) and verification during image install (in sonic-utilities). HLD can be found in the following PR: sonic-net/SONiC#1024 #### How to verify it Feature is used to allow image was not modified since built from vendor. During installation, image can be verified with a signature attached to it. In order for image verification - image must be signed - need to provide signing key and certificate (paths in SECURE_UPGRADE_DEV_SIGNING_KEY and SECURE_UPGRADE_DEV_SIGNING_CERT in rules/config) during build , and during image install, need to enable secure boot flag in bios, and signing_certificate should be available in bios. #### Feature dependencies In order for this feature to work smoothly, need to have secure boot feature implemented as well. The Secure boot feature will be merged in the near future. sonic-buildimage PR: sonic-net/sonic-buildimage#11862
sonic-otn
pushed a commit
to sonic-otn/sonic-buildimage
that referenced
this pull request
Sep 20, 2023
- What I did Added support for secure upgrade. - How I did it During sonic_installer install, added secure upgrade image verification. HLD can be found in the following PR: sonic-net/SONiC#1024 - Why I did it Feature is used to allow image was not modified since built from vendor. During installation, image can be verified with a signature attached to it. - How I did it Feature includes image signing during build (in sonic buildimage repo) and verification during image install (in sonic-utilities). - How to verify it In order for image verification - image must be signed - need to provide signing key and certificate (paths in SECURE_UPGRADE_DEV_SIGNING_KEY and SECURE_UPGRADE_DEV_SIGNING_CERT in rules/config) during build , and during image install, need to enable secure boot flag in bios, and signing_certificate should be available in bios. - Feature dependencies In order for this feature to work smoothly, need to have secure boot feature implemented as well. The Secure boot feature will be merged in the near future.
lixiaoyuner
pushed a commit
to lixiaoyuner/sonic-buildimage
that referenced
this pull request
Feb 6, 2024
Highlight change, the DHCP config removed from master branch. files/image_config/resolv-config/resolv.conf Related work items: sonic-net#49, sonic-net#2598, sonic-net#11862, sonic-net#12530, sonic-net#14000, sonic-net#14549, sonic-net#14814, sonic-net#15077, sonic-net#15252, sonic-net#15253, sonic-net#15357, sonic-net#15384, sonic-net#15394, sonic-net#15399, sonic-net#15405, sonic-net#15566, sonic-net#15591, sonic-net#15592, sonic-net#15593, sonic-net#15602, sonic-net#15604, sonic-net#15611, sonic-net#15621, sonic-net#15625, sonic-net#15634, sonic-net#15635
lixiaoyuner
pushed a commit
to lixiaoyuner/sonic-buildimage
that referenced
this pull request
Feb 6, 2024
Merge code from master to internal Related work items: sonic-net#32, sonic-net#49, sonic-net#376, sonic-net#2598, sonic-net#11862, sonic-net#12530, sonic-net#14000, sonic-net#14547, sonic-net#14549, sonic-net#14814, sonic-net#15077, sonic-net#15239, sonic-net#15252, sonic-net#15253, sonic-net#15298, sonic-net#15357, sonic-net#15384, sonic-net#15394, sonic-net#15399, sonic-net#15405, sonic-net#15511, sonic-net#15566, sonic-net#15583, sonic-net#15591, sonic-net#15592, sonic-net#15593, sonic-net#15602, sonic-net#15604, sonic-net#15611, sonic-net#15621, sonic-net#15625, sonic-net#15634, sonic-net#15635, sonic-net#15645, sonic-net#15646, sonic-net#15647, sonic-net#15657, sonic-net#15658, sonic-net#15697, sonic-net#15699
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What I did
Added support for secure upgrade.
How I did it
During sonic_installer install, added secure upgrade image verification.
HLD can be found in the following PR: sonic-net/SONiC#1024
Why I did it
Feature is used to allow image was not modified since built from vendor. During installation, image can be verified with a signature attached to it.
How I did it
Feature includes image signing during build (in sonic buildimage repo) and verification during image install (in sonic-utilities).
How to verify it
In order for image verification - image must be signed - need to provide signing key and certificate (paths in SECURE_UPGRADE_DEV_SIGNING_KEY and SECURE_UPGRADE_DEV_SIGNING_CERT in rules/config) during build , and during image install, need to enable secure boot flag in bios, and signing_certificate should be available in bios.
Feature dependencies
In order for this feature to work smoothly, need to have secure boot feature implemented as well.
The Secure boot feature will be merged in the near future.
In addition, image verification code, during image install, including tests are added as part of sonic-utilities repo PR - sonic-net/sonic-utilities#2698