Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

secureboot: Enable signing SONiC kernel #10557

Merged
merged 4 commits into from
Apr 19, 2022
Merged

secureboot: Enable signing SONiC kernel #10557

merged 4 commits into from
Apr 19, 2022

Conversation

sacnaik
Copy link
Contributor

@sacnaik sacnaik commented Apr 12, 2022

Build hook to enable signing SONiC Linux kernel using standard third party sbsign tool

How to enable signing hook?
Pass following parameter to rules/config.user
Ex:
SONIC_ENABLE_SECUREBOOT_SIGNATURE := y
SIGNING_KEY := /path/to/key/private.key
SIGNING_CERT := /path/to/public/public.cert

Signed-off-by: Sachin Naik sachnaik@cisco.com

Why I did it

To sign SONiC kernel image and allow secure boot based system to verify SONiC image before loading into the system.

How I did it

Pass following parameter to rules/config.user
Ex:
SONIC_ENABLE_SECUREBOOT_SIGNATURE := y
SIGNING_KEY := /path/to/key/private.key
SIGNING_CERT := /path/to/public/public.cert

How to verify it

Secure boot enabled system enrolled with right public key of the, image in the platform UEFI database will able to verify image before load.

Alternatively one can verify with offline sbsign tool as below.

export SBSIGN_KEY=/abc/bcd/xyz/
sbverify --cert $SBSIGN_KEY/public_cert.cert fsroot-platform-XYZ/boot/vmlinuz-5.10.0-8-2-amd64 mage

O/P:
Signature verification OK

Which release branch to backport (provide reason below if selected)

202012 branch need to be backported so that it can produce signed SONiC image to boot on secure boot enabled hardware.

  • 201811
  • 201911
  • 202006
  • 202012
  • 202106
  • 202111

Description for the changelog

Generic build hook to sign SONiC kernel image. It provides mechanism to configure SONiC build system to sign the image. The user can enable signing via make configure and provide a location to signing keys. It uses standard sbsign infra to sign Linux kernel.

Link to config_db schema for YANG module changes

A picture of a cute animal (not mandatory but encouraged)

   Build hook to enable signing SONiC Linux kernel using
   standard sbsign tool

   How to enable signing hook?
   make configure PLATFORM=<platform> SECURE_BOOT=yes SBSIGN_KEY=<SOniC image sign key dir path>

   SOniC image sign key dir path: Should contain two files
   1. <Image signing private key>.key
   2. <Public cert>.cert

Signed-off-by: Sachin Naik <sachnaik@cisco.com>
@ghost
Copy link

ghost commented Apr 12, 2022

CLA assistant check
All CLA requirements met.

build_debian.sh Outdated Show resolved Hide resolved
slave.mk Outdated Show resolved Hide resolved
sacnaik added 3 commits April 14, 2022 21:40
Signed-off-by: Sachin Naik <sachnaik@cisco.com>
Signed-off-by: Sachin Naik <sachnaik@cisco.com>
Signed-off-by: Sachin Naik <sachnaik@cisco.com>
@xumia
Copy link
Collaborator

xumia commented Apr 19, 2022

@sacnaik , could you please send another PR for 202012/202106 branch? There some code conflict needs to resolve.

xumia pushed a commit to xumia/sonic-buildimage-1 that referenced this pull request Apr 19, 2022
Why I did it
To sign SONiC kernel image and allow secure boot based system to verify SONiC image before loading into the system.

How I did it
Pass following parameter to rules/config.user
Ex:
SONIC_ENABLE_SECUREBOOT_SIGNATURE := y
SIGNING_KEY := /path/to/key/private.key
SIGNING_CERT := /path/to/public/public.cert

How to verify it
Secure boot enabled system enrolled with right public key of the, image in the platform UEFI database will able to verify image before load.

Alternatively one can verify with offline sbsign tool as below.

export SBSIGN_KEY=/abc/bcd/xyz/
sbverify --cert $SBSIGN_KEY/public_cert.cert fsroot-platform-XYZ/boot/vmlinuz-5.10.0-8-2-amd64 mage

O/P:
Signature verification OK
xumia pushed a commit to xumia/sonic-buildimage-1 that referenced this pull request Apr 20, 2022
Why I did it
To sign SONiC kernel image and allow secure boot based system to verify SONiC image before loading into the system.

How I did it
Pass following parameter to rules/config.user
Ex:
SONIC_ENABLE_SECUREBOOT_SIGNATURE := y
SIGNING_KEY := /path/to/key/private.key
SIGNING_CERT := /path/to/public/public.cert

How to verify it
Secure boot enabled system enrolled with right public key of the, image in the platform UEFI database will able to verify image before load.

Alternatively one can verify with offline sbsign tool as below.

export SBSIGN_KEY=/abc/bcd/xyz/
sbverify --cert $SBSIGN_KEY/public_cert.cert fsroot-platform-XYZ/boot/vmlinuz-5.10.0-8-2-amd64 mage

O/P:
Signature verification OK
judyjoseph pushed a commit that referenced this pull request Apr 25, 2022
Why I did it
To sign SONiC kernel image and allow secure boot based system to verify SONiC image before loading into the system.

How I did it
Pass following parameter to rules/config.user
Ex:
SONIC_ENABLE_SECUREBOOT_SIGNATURE := y
SIGNING_KEY := /path/to/key/private.key
SIGNING_CERT := /path/to/public/public.cert

How to verify it
Secure boot enabled system enrolled with right public key of the, image in the platform UEFI database will able to verify image before load.

Alternatively one can verify with offline sbsign tool as below.

export SBSIGN_KEY=/abc/bcd/xyz/
sbverify --cert $SBSIGN_KEY/public_cert.cert fsroot-platform-XYZ/boot/vmlinuz-5.10.0-8-2-amd64 mage

O/P:
Signature verification OK
liushilongbuaa pushed a commit to liushilongbuaa/sonic-buildimage that referenced this pull request Jun 20, 2022
Related work items: #49, #58, #107, sonic-net#247, sonic-net#249, sonic-net#277, sonic-net#593, sonic-net#597, sonic-net#1035, sonic-net#2130, sonic-net#2150, sonic-net#2165, sonic-net#2169, sonic-net#2178, sonic-net#2179, sonic-net#2187, sonic-net#2188, sonic-net#2191, sonic-net#2195, sonic-net#2197, sonic-net#2198, sonic-net#2200, sonic-net#2202, sonic-net#2206, sonic-net#2209, sonic-net#2211, sonic-net#2216, sonic-net#7909, sonic-net#8927, sonic-net#9681, sonic-net#9733, sonic-net#9746, sonic-net#9850, sonic-net#9967, sonic-net#10104, sonic-net#10152, sonic-net#10168, sonic-net#10228, sonic-net#10266, sonic-net#10288, sonic-net#10294, sonic-net#10313, sonic-net#10394, sonic-net#10403, sonic-net#10404, sonic-net#10421, sonic-net#10431, sonic-net#10437, sonic-net#10445, sonic-net#10457, sonic-net#10458, sonic-net#10465, sonic-net#10467, sonic-net#10469, sonic-net#10470, sonic-net#10474, sonic-net#10477, sonic-net#10478, sonic-net#10482, sonic-net#10485, sonic-net#10488, sonic-net#10489, sonic-net#10492, sonic-net#10494, sonic-net#10498, sonic-net#10501, sonic-net#10509, sonic-net#10512, sonic-net#10514, sonic-net#10516, sonic-net#10517, sonic-net#10523, sonic-net#10525, sonic-net#10531, sonic-net#10532, sonic-net#10538, sonic-net#10555, sonic-net#10557, sonic-net#10559, sonic-net#10561, sonic-net#10565, sonic-net#10572, sonic-net#10574, sonic-net#10576, sonic-net#10578, sonic-net#10581, sonic-net#10585, sonic-net#10587, sonic-net#10599, sonic-net#10607, sonic-net#10611, sonic-net#10616, sonic-net#10618, sonic-net#10619, sonic-net#10623, sonic-net#10624, sonic-net#10633, sonic-net#10646, sonic-net#10655, sonic-net#10660, sonic-net#10664, sonic-net#10680, sonic-net#10683
abdosi added a commit to abdosi/sonic-buildimage that referenced this pull request Jun 4, 2024
This reverts commit 598ab99.

Signed-off-by: Abhishek Dosi <abdosi@microsoft.com>
lguohan pushed a commit that referenced this pull request Jun 5, 2024
)

What I did:

Before this feature sonic-net/SONiC#1028 got merged their was intermediate change done to just support Kernel Signing via: #10557. However once this feature is merged : sonic-net/SONiC#1028 (Which support sign of all boot components not just Kernel) we do not need the Kernel only signing changes as it define new rules macro which just create confusion.

So as part of this PR i am reverting the Kernel -only sign PR #10557

Signed-off-by: Abhishek Dosi <abdosi@microsoft.com>
arun1355492 pushed a commit to arun1355492/sonic-buildimage that referenced this pull request Jul 26, 2024
…ic-net#19199)

What I did:

Before this feature sonic-net/SONiC#1028 got merged their was intermediate change done to just support Kernel Signing via: sonic-net#10557. However once this feature is merged : sonic-net/SONiC#1028 (Which support sign of all boot components not just Kernel) we do not need the Kernel only signing changes as it define new rules macro which just create confusion.

So as part of this PR i am reverting the Kernel -only sign PR sonic-net#10557

Signed-off-by: Abhishek Dosi <abdosi@microsoft.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants