From b8dd8d27acfd1a570029ff89fba168799d5f5d9e Mon Sep 17 00:00:00 2001
From: David Pilnik
Date: Tue, 29 Nov 2022 16:18:38 +0200
Subject: [PATCH 1/3] [secure boot]Add support of secure warm-boot by forcing kexec to verify kernel when loading new one.

---
 scripts/fast-reboot | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/scripts/fast-reboot b/scripts/fast-reboot
index bfdc191b78..6ffeb9330c 100755
--- a/scripts/fast-reboot
+++ b/scripts/fast-reboot
@@ -447,6 +447,13 @@ function load_kernel() {
     /sbin/kexec -a -l "$KERNEL_IMAGE" --initrd="$INITRD" --append="$BOOT_OPTIONS"
 }
 
+function load_kernel_secure() {
+    # Load kernel into the memory secure
+    # -s flag is for enforcing the new load kernel(vmlinuz) to be signed and verify.
+    # not using -a flag, this flag can fallback to an old kexec load that do not support Secure Boot verification
+    /sbin/kexec -l "$KERNEL_IMAGE" --initrd="$INITRD" --append="$BOOT_OPTIONS" -s
+}
+
 function unload_kernel()
 {
     # Unload the previously loaded kernel if any loaded
@@ -597,9 +604,13 @@ if [[ "$sonic_asic_type" == "mellanox" ]]; then
     fi
 fi
 
+# check if secure boot is enable in UEFI
+SECURE_UPGRADE_ENABLED=$(bootctl status 2>/dev/null | grep -c "Secure Boot: enabled")
 if is_secureboot && grep -q aboot_machine= /host/machine.conf; then
     load_aboot_secureboot_kernel
+elif [ ${SECURE_UPGRADE_ENABLED} -eq 1 ]; then
+    load_kernel_secure
 else
     load_kernel
 fi

From 0ef86770241a2a298cb49ae021cb913a756c0289 Mon Sep 17 00:00:00 2001
From: David Pilnik
Date: Wed, 8 Feb 2023 12:02:38 +0200
Subject: [PATCH 2/3] [secure boot]Add invoke kernel function to avoid duplication of kexec and flags for secure and regular use cases

---
 scripts/fast-reboot | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/scripts/fast-reboot b/scripts/fast-reboot
index 6ffeb9330c..74c7e75223 100755
--- a/scripts/fast-reboot
+++ b/scripts/fast-reboot
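Review bot: The exit status of the `kexec -l ... -s` call in `load_kernel_secure` is never examined, so a kernel that fails signature verification is simply not loaded and the script carries on to `init_warm_reboot_states` (visible at the end of the third patch) unless the whole script runs under `set -e`, which this hunk does not show. That verified load is the security decision the series introduces, so its failure should stop the warm-boot with a clear message instead of surfacing as a kernel that never comes up: `/sbin/kexec -l "$KERNEL_IMAGE" --initrd="$INITRD" --append="$BOOT_OPTIONS" -s || { echo "Secure Boot kernel verification failed, aborting warm-boot" >&2; exit 1; }` (or the script's existing error-exit helper, if it has one). The same check belongs in `invoke_kexec` once the second patch in this series folds both callers into it. The top-level call site of this function is outside the hunk.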
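Review bot: The detection at `SECURE_UPGRADE_ENABLED=$(bootctl status 2>/dev/null | grep -c "Secure Boot: enabled")` fails open: if `bootctl` is absent from the image, not executable, or phrases its status line differently, stderr is discarded, `grep -c` yields 0, and the script silently takes the unverified `load_kernel` path on a platform where firmware Secure Boot may actually be enforced. The check should separate "disabled" from "could not determine", e.g. `if ! command -v bootctl >/dev/null 2>&1; then echo "bootctl not available, cannot determine Secure Boot state" >&2; fi` ahead of the assignment, and log which load path was chosen so the decision is visible in the warm-boot log. The third patch in this series keeps the identical check (moved into the `else` branch), so the point applies there too. The `mellanox` block whose closing `fi` lines open this hunk starts outside it.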
@@ -442,16 +442,20 @@ function load_aboot_secureboot_kernel() {
     swipath=$next_image kexec=true loadonly=true ENV_EXTRA_CMDLINE="$BOOT_OPTIONS" bash -
 }
 
+function invoke_kexec() {
+    /sbin/kexec -l "$KERNEL_IMAGE" --initrd="$INITRD" --append="$BOOT_OPTIONS" $@
+}
+
 function load_kernel() {
     # Load kernel into the memory
-    /sbin/kexec -a -l "$KERNEL_IMAGE" --initrd="$INITRD" --append="$BOOT_OPTIONS"
+    invoke_kexec -a
 }
 
 function load_kernel_secure() {
     # Load kernel into the memory secure
     # -s flag is for enforcing the new load kernel(vmlinuz) to be signed and verify.
     # not using -a flag, this flag can fallback to an old kexec load that do not support Secure Boot verification
-    /sbin/kexec -l "$KERNEL_IMAGE" --initrd="$INITRD" --append="$BOOT_OPTIONS" -s
+    invoke_kexec -s
 }
 
 function unload_kernel()

From 4cd2598cacecac6f75088b07cb30caabf6709ac0 Mon Sep 17 00:00:00 2001
From: David Pilnik
Date: Wed, 8 Feb 2023 12:42:19 +0200
Subject: [PATCH 3/3] [secure boot]move bootctl call check inside else condtion to avoid aboot to do this call as well

---
 scripts/fast-reboot | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/scripts/fast-reboot b/scripts/fast-reboot
index 74c7e75223..604fddf9ec 100755
--- a/scripts/fast-reboot
+++ b/scripts/fast-reboot
@@ -608,15 +608,17 @@ if [[ "$sonic_asic_type" == "mellanox" ]]; then
     fi
 fi
 
-# check if secure boot is enable in UEFI
-SECURE_UPGRADE_ENABLED=$(bootctl status 2>/dev/null | grep -c "Secure Boot: enabled")
 if is_secureboot && grep -q aboot_machine= /host/machine.conf; then
     load_aboot_secureboot_kernel
-elif [ ${SECURE_UPGRADE_ENABLED} -eq 1 ]; then
-    load_kernel_secure
 else
-    load_kernel
+    # check if secure boot is enable in UEFI
+    SECURE_UPGRADE_ENABLED=$(bootctl status 2>/dev/null | grep -c "Secure Boot: enabled")
+    if [ ${SECURE_UPGRADE_ENABLED} -eq 1 ]; then
+        load_kernel_secure
+    else
+        load_kernel
+    fi
 fi
 
 init_warm_reboot_states
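Review bot: `$@` in `invoke_kexec` is unquoted, so any argument containing whitespace or a glob character would be word-split and pathname-expanded before it reaches `kexec`; it works today only because both callers pass a single bare flag. The correct idiom is `"$@"`: `/sbin/kexec -l "$KERNEL_IMAGE" --initrd="$INITRD" --append="$BOOT_OPTIONS" "$@"`. Since the flag passed in decides whether the kernel is verified, a one-line header would help the next reader: `# Wrapper around kexec -l; caller passes -s (require a signed kernel) or -a (allow fallback to the unverified load path).`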
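Review bot: The new inner test `if [ ${SECURE_UPGRADE_ENABLED} -eq 1 ]; then` mixes POSIX `[ ]` with an unquoted expansion in a script whose surrounding conditions use `[[ ... ]]` (the `[[ "$sonic_asic_type" == "mellanox" ]]` in the hunk header); matching that style and quoting the variable keeps the test from ever producing a bash syntax error if the assignment yields an empty string: `if [[ "${SECURE_UPGRADE_ENABLED}" -eq 1 ]]; then`. The relocated comment also carries a grammar slip, `# check if secure boot is enable in UEFI`, which reads better as `# check if Secure Boot is enabled in UEFI`. The outer `if is_secureboot ...` block is fully inside the hunk.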