From aa01630841bd0179dab1951ac2fab87f15480727 Mon Sep 17 00:00:00 2001
From: abdosi <58047199+abdosi@users.noreply.github.com>
Date: Tue, 29 Aug 2023 13:41:01 -0700
Subject: [PATCH] [build]: Added flag in sonic_version.yml to see if image is
 secured or non-secured (#16191)

What I did:

Added flag in sonic_version.yml to see if compiled image is secured or non-secured. This is done using build/compile time environmental variable SECURE_UPGRADE_MODE as define in HLD: https://github.com/sonic-net/SONiC/blob/master/doc/secure_boot/hld_secure_boot.md

This flag does not provide the runtime status of whether the image has booted securely or not. It's possible that compile time signed image (secured image) can boot on non secure platform.

Why I did:
Flag can be used for manual check or by the test case.

ADO: 24319390

How I verify:
Manual Verification

---
build_version: 'master-16191.346262-cdc5e72a3'
debian_version: '11.7'
kernel_version: '5.10.0-18-2-amd64'
asic_type: broadcom
asic_subtype: 'broadcom'
commit_id: 'cdc5e72a3'
branch: 'master-16191'
release: 'none'
build_date: Fri Aug 25 03:15:45 UTC 2023
build_number: 346262
built_by: AzDevOps@vmss-soni001UR5
libswsscommon: 1.0.0
sonic_utilities: 1.2
sonic_os_version: 11
secure_boot_image: 'no'

Signed-off-by: Abhishek Dosi <abdosi@microsoft.com>
---
 files/build_templates/sonic_version.yml.j2 | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/files/build_templates/sonic_version.yml.j2 b/files/build_templates/sonic_version.yml.j2
index 8b829feeed00..510b3d3c6044 100644
--- a/files/build_templates/sonic_version.yml.j2
+++ b/files/build_templates/sonic_version.yml.j2
@@ -30,3 +30,8 @@ built_by: {{ built_by }}
 asan: 'yes'
 {% endif -%}
 sonic_os_version: {{ sonic_os_version }}
+{% if SECURE_UPGRADE_MODE == "dev" or SECURE_UPGRADE_MODE == "prod" -%}
+secure_boot_image: 'yes'
+{% else -%}
+secure_boot_image: 'no'
+{% endif -%}