[secure boot]Fix mokutil check issue with ONIE version older than 202… #14589
…1.11 by using efivar tool instead
a7d9dd2 to 29cdac1
installer/default_platform.conf
Outdated
echo secure_boot_state=$secure_boot_state | ||
if [ "$secure_boot_state" = "SecureBoot enabled" ]; then | ||
echo "UEFI Secure Boot is enabled" | ||
if [ "$secure_boot_state" -eq 1 ]; then |
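Review bot: On the `[ "$secure_boot_state" -eq 1 ]` line, `-eq` is an integer test, so an empty or non-numeric `secure_boot_state` makes the shell report an error instead of cleanly taking the "not enabled" path. A string comparison such as `[ "$secure_boot_state" = "1" ]`, or a default value assigned before the test, avoids that, and a named constant in place of the bare `1` would say what the value means. The `echo secure_boot_state=$secure_boot_state` line above it also expands the variable unquoted.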
not sure what this 1 means here. can we use macro?
done
PR ready
installer/default_platform.conf
Outdated
echo secure_boot_state=$secure_boot_state | ||
if [ "$secure_boot_state" = "SecureBoot enabled" ]; then | ||
echo "UEFI Secure Boot is enabled" | ||
if [ "$secure_boot_state" -eq 1 ]; then |
done
you are WC to test this fix in your environment as well.
Hello @davidpil2002 ,
Hi @luigitalboy , I don't think that Azure build image build in PR can be access to download the binary image,
the most recent broadcom build from this pr can be accessed at https://dev.azure.com/mssonic/build/_build/results?buildId=252268&view=artifacts&pathAsName=false&type=publishedArtifacts or more directly https://artprodcus3.artifacts.visualstudio.com/Af91412a5-a906-4990-9d7c-f697b81fc04d/be1b070f-be15-4154-aade-b1d3bfb17054/_apis/artifact/cGlwZWxpbmVhcnRpZmFjdDovL21zc29uaWMvcHJvamVjdElkL2JlMWIwNzBmLWJlMTUtNDE1NC1hYWRlLWIxZDNiZmIxNzA1NC9idWlsZElkLzI1MjI2OC9hcnRpZmFjdE5hbWUvc29uaWMtYnVpbGRpbWFnZS5icm9hZGNvbQ2/content?format=zip (this is a large 16gb download of all the build artifacts, inside is the broadcom bin)
Thanks @ITJamie! I downloaded the zip and I'm installing the sonic bin inside. Let's cross the fingers!
@ITJamie Unfortunately the installation failed again: ONIE:/ # onie-nos-install tftp://192.168.1.21/sonic-broadcom.bin Allocating group tables: done Installing SONiC to /tmp/tmp.0g3hQb/image-master-14589.252268-5ac59dc89
I will continue the debug on sunday probably, but pls can you type in your onie shell
@davidpil2002 Same here: No visible error message - just "Failure: Unable to install..." . Can I do anything to track this down? Here is my efivar -l : ONIE:/ # efivar -l
the command is working as expected, your uefi is not supporting secure boot feature, but even though the installation should not fail, so some issue exist. if you can, basically, you can open your binary file with and add in the next line the follow: ps: the binary file is big, so probably will take some time to open it and search.
vi seemed to tamper with the binary part, anyway I got it with a binary editor. ONIE: Executing installer: tftp://10.58.60.155/sonic-broadcom.bin
Allocating group tables: done Installing SONiC to /tmp/tmp.H4sRv3/image-master-14589.252268-5ac59dc89
Thanks for the info, I will get access to some setup on Sunday and do a deep debug. In addition, if it's possible and you can add a debug print by modifying the binary,
The silverstone DP that I have is a broadcom machine. Does that error message mean that, although the chipset might be supported, the individual type of machine is not supported? Compatibility list says Sonic is compatible with cel silverstone, but there are at least two types of silverstone.
I sed-ed the set -x into the /tmp/.../install.sh script:
thanks for the logs, I found the root cause, when
The last commit fixed the last issue, it's doing the same logic as before, but with a code safer from bash errors.
/azpw run Azure.sonic-buildimage
/AzurePipelines run Azure.sonic-buildimage
Azure Pipelines successfully started running 1 pipeline(s).
Do you have an image for me? I don't have a build env yet.
This PR ‘appears’ failure because there’s a test job management upgradation, Ack: the PR test passed
Hi @yejianquan ,
Hi @qiluo-msft , We are blocked with this merge due to a build issue, details are in the last comment (one before this one).
@dprital can you add request to 202211 to this PR?
sonic-net#14589) …1.11 by using efivar tool instead
#### Why I did it
solution to BUG below/ sonic-net#14316 bug report also in this issue: backport: secureboot support sonic-net#14246
#### How I did it
When installing an image, secure boot checks whether the UEFI has the secure boot flag enabled or disabled using a tool named `mokutil`. This tool does not exist in ONIE versions older than 2021.11, so it is crashing the install. To fix that we added code that checks secure boot enabled/disabled by using the efivar tool, which should exist in any UEFI system.
#### How to verify it
Install the image in a device with ONIE version older than 2021.11 and check that the installation and boot succeed (all docker up).
Can we pls backport this PR to 202211 ?
@qiluo-msft, I see the request to backport to 202211 is already there. Can you pls help merge to 202211 ?
…1.11 by using efivar tool instead
Why I did it
solution to BUG below/
#14316
bug report also in this issue:
backport: secureboot support #14246
How I did it
When installing an image, secure boot checks whether the UEFI has the secure boot flag enabled or disabled using a tool named mokutil. This tool does not exist in ONIE versions older than 2021.11, so it is crashing the install. To fix that we added code that checks secure boot enabled/disabled by using the efivar tool, which should exist in any UEFI system.
How to verify it
Install the image in a device with ONIE version older than 2021.11 and check that the installation and boot succeed (all docker up).
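The efivar-based check described in this PR, sketched as an added example that is not the PR's or the SONiC installer's code: it classifies the Secure Boot state so that an empty, missing or non-numeric value (the failure seen in the thread on firmware without a SecureBoot variable) falls through to "unknown" instead of breaking the script. The function names are hypothetical, and the assumption is that `efivar -d -n` prints the variable's single data byte in decimal.

```shell
#!/bin/sh
# Added example, not the SONiC installer's code.
# EFI global-variable GUID joined to the variable name, in efivar's "guid-name" form.
SB_VAR="8be4df61-93ca-11d2-aa0d-00e098032b8c-SecureBoot"

# classify_secure_boot RAW -> prints enabled | disabled | unknown
# RAW is the probe output; assumed to be the variable's single data byte in decimal.
classify_secure_boot() {
    # Drop whitespace so a trailing newline or padding does not affect the match.
    val=$(printf '%s' "$1" | tr -d ' \t\r\n')
    case "$val" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;  # empty, variable absent, or text such as mokutil's
    esac
}

# probe_secure_boot -> prints the raw value, or nothing if the tool or the
# variable is missing. It never returns non-zero, so "set -e" callers survive.
probe_secure_boot() {
    command -v efivar >/dev/null 2>&1 || return 0
    efivar -d -n "$SB_VAR" 2>/dev/null || true
}

# secure_boot_state -> state of the machine this runs on.
secure_boot_state() {
    classify_secure_boot "$(probe_secure_boot)"
}

# demo -> classify constructed sample outputs (not captured from a real switch).
demo() {
    for sample in "1" "0" "" "SecureBoot enabled"; do
        printf '%-22s -> %s\n' "[$sample]" "$(classify_secure_boot "$sample")"
    done
}

# Run the demo only when asked, e.g.: sh secure_boot_check.sh demo
if [ "${1:-}" = "demo" ]; then demo; fi
```

Treating "unknown" the same as "disabled" keeps the installer running on firmware that has no SecureBoot variable, which is the behaviour the thread expects for such machines.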