[secure boot]Add support of secure warm-boot by forcing kexec to veri…
…fy kernel when loading new one.
davidpil2002 committed Nov 29, 2022
1 parent addae73 commit 2d72533
Showing 1 changed file with 6 additions and 1 deletion.
7 changes: 6 additions & 1 deletion scripts/fast-reboot
@@ -444,7 +444,7 @@ function load_aboot_secureboot_kernel() {
function load_kernel() {
# Load kernel into the memory
/sbin/kexec -l "$KERNEL_IMAGE" --initrd="$INITRD" --append="$BOOT_OPTIONS"
/sbin/kexec -l "$KERNEL_IMAGE" --initrd="$INITRD" --append="$BOOT_OPTIONS" $1
}
function unload_kernel()
@@ -597,9 +597,14 @@ if [[ "$sonic_asic_type" == "mellanox" ]]; then
fi
fi
# check if secure boot is enable in UEFI
SECURE_UPGRADE_ENABLED=$(bootctl status 2>/dev/null | grep -c "Secure Boot: enabled")
if is_secureboot && grep -q aboot_machine= /host/machine.conf; then
load_aboot_secureboot_kernel
elif [ ${SECURE_UPGRADE_ENABLED} -eq 1 ]; then
# -s flag is for enforcing the new load kernel(vmlinuz) to be signed and verify.
load_kernel "-s"
else
load_kernel
fi
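Review bot: The Secure Boot check in the second hunk fails open: `bootctl status 2>/dev/null | grep -c "Secure Boot: enabled"` yields 0 when bootctl is missing, exits with an error, or words the status line differently, and the script then takes the plain `load_kernel` branch with no signature check and nothing logged. I would separate "bootctl reported disabled" from "state could not be determined" and at least warn in the second case, e.g. `command -v bootctl >/dev/null || echo "bootctl not found, Secure Boot state unknown" >&2` before the assignment. The comment on `-s` also overstates what the flag does: it selects the kexec_file_load syscall, and whether an unsigned image is actually rejected depends on the running kernel's configuration (presumably CONFIG_KEXEC_SIG, which should be confirmed for this image), so I would word it as `# -s: load through kexec_file_load so the kernel can verify the image signature`. In the first hunk the unquoted `$1` works for a single flag, but `"$@"` would pass optional arguments through without word splitting.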
