Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

backport: secureboot support #14246

Closed
wants to merge 5 commits into from

Conversation

sacnaik
Copy link
Contributor

@sacnaik sacnaik commented Mar 15, 2023

Backporting PR#12692 to the 202205 branch.

The diffs of PR#12692 do not cleanly get applied to the 202205 branch. Hence patch #12692 was slightly modified for the 202205 branch.

Why I did it

To support UEFI secure boot on the 202205 branch

How I did it

The feature is supported at the master branch see #12692.
Backported #12692 from master to 202205 branch

How to verify it

Booted on UEFI secure boot-enabled hardware.

Which release branch to backport (provide reason below if selected)

  • 201811
  • 201911
  • 202006
  • 202012
  • 202106
  • 202111
  • 202205
  • 202211

Description for the changelog

Refer HLD: sonic-net/SONiC#1028

Ensure to add label/tag for the feature raised. example - PR#2174 under sonic-utilities repo. where, Generic Config and Update feature has been labelled as GCU.

Link to config_db schema for YANG module changes

A picture of a cute animal (not mandatory but encouraged)

   Backporting sonic-net#12692 PR on 202205 branch.

   The diffs of sonic-net#12692 does not cleanly gets apply.

   on 202205 branch. Hence the patch sonic-net#12692 slightly

   modified so that it can get applied on 202205 branch

   without functional break.

Signed-off-by: Sachin Naik <sachnaik@cisco.com>
@linux-foundation-easycla
Copy link

linux-foundation-easycla bot commented Mar 15, 2023

CLA Signed

The committers listed above are authorized under a signed CLA.

@rlhui
Copy link
Contributor

rlhui commented Mar 15, 2023

@davidpil2002 , would you please review this one for 202205? thanks

@davidpil2002
Copy link
Contributor

davidpil2002 commented Mar 27, 2023

@sacnaik In general look good to me.
I beleive you didnt manage to cherry pick beause there is some modification in the instaltion structucre.
few comments:
1.take in consideration that theoretical my PR should support ARM (still not fully tested)
And your PR not, because the structure its different, in your installation modification only in X64 directory.
2. you forget to rm this file scripts/signing_secure_boot_prod.sh
3.
Pls also add the fix about mokutil that I pushed lastly to support device with old ONIE versions

The older ONIE version does not support mokutil command.  This backport changes will address the issue.
@sacnaik
Copy link
Contributor Author

sacnaik commented Apr 5, 2023

@davidpil2002

  1. ARM support is not needed at this time on 202205 branches and once you fully test I can cherry-pick that or move to newer branch
  2. scripts/signing_secure_boot_prod.sh - I removed it
  3. Added Secure boot fix instalation with devices that used ONIE version older than 2021.11 #14429 to the changes

@davidpil2002
Copy link
Contributor

davidpil2002 commented Apr 9, 2023

looks good to me,
there is a small PR that will be publish soon with some additional small fixes, I think the best it's to merge this PR with the fixes by the day 1.
I approved this PR, but pls add the PR with the fixes.
@DavidZagury pls can you write in the comment the PR with your fixes so all the branches will be aligned?

@davidpil2002
Copy link
Contributor

davidpil2002 commented Apr 10, 2023

@davidpil2002

  1. ARM support is not needed at this time on 202205 branches and once you fully test I can cherry-pick that or move to newer branch
  2. scripts/signing_secure_boot_prod.sh - I removed it
  3. Added Secure boot fix instalation with devices that used ONIE version older than 2021.11 #14429 to the changes

hi @sacnaik ,
sorry for the inconvinence, but we decided to remove the mokutil dependency by using efivar tool.
any chances you can cherry pick this new fix, instead the previous one.
new fix:
#14589

You are welcome to review it as well

@sacnaik
Copy link
Contributor Author

sacnaik commented Apr 18, 2023

Backported #14589 as well

Copy link
Contributor

@yxieca yxieca left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This change is not an approved feature for 202205 branch. Please request back porting to 202211 branch instead.

@rlhui rlhui added the Chassis for 202205 branch PRs needed for 202205 branch in msft repo label May 5, 2023
qiluo-msft pushed a commit that referenced this pull request May 31, 2023
#14589)

…1.11 by using efivar tool instead

#### Why I did it
solution to BUG below/
#14316
bug report also in this issue:
backport: secureboot support #14246
#### How I did it
When installing an image secure boot is checking if the UEFI have the secure boot flag enabled or disabled using a tool name `mokutil` this tool its not exist in ONIE version older than 2021.11 so its crasshing the install.
To fix that we add a coded that checking secure boot enabled/disabled by using efivar tool that should exist in any UEFI system
#### How to verify it
Install the image in a device with ONIE version older than 2021.11 and check that the installation and boot succeed (all docker up).
@abdosi
Copy link
Contributor

abdosi commented Jul 12, 2023

Already Backport msft repo 202205 branch.

@abdosi abdosi closed this Jul 12, 2023
sonic-otn pushed a commit to sonic-otn/sonic-buildimage that referenced this pull request Sep 20, 2023
sonic-net#14589)

…1.11 by using efivar tool instead

#### Why I did it
solution to BUG below/
sonic-net#14316
bug report also in this issue:
backport: secureboot support sonic-net#14246
#### How I did it
When installing an image secure boot is checking if the UEFI have the secure boot flag enabled or disabled using a tool name `mokutil` this tool its not exist in ONIE version older than 2021.11 so its crasshing the install.
To fix that we add a coded that checking secure boot enabled/disabled by using efivar tool that should exist in any UEFI system
#### How to verify it
Install the image in a device with ONIE version older than 2021.11 and check that the installation and boot succeed (all docker up).
@gechiang gechiang added the Included in Chassis for 202205 Branch Indicate PR is already in MSFT repo 202205 branch label Sep 30, 2023
@gechiang
Copy link
Collaborator

Added the label "Icluded in Chassis for 202205 branch" label to keep the consistency where this PR was already backported by Abhishek separately even though this PR got closed.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Chassis for 202205 branch PRs needed for 202205 branch in msft repo Included in Chassis for 202205 Branch Indicate PR is already in MSFT repo 202205 branch
Projects
Archived in project
Development

Successfully merging this pull request may close these issues.

8 participants