[Bookworm] [Secure Boot] Fix the updated path for extract-cert binary #17015

Merged
merged 1 commit into from
Oct 30, 2023

vivekrnv
Contributor

@vivekrnv vivekrnv commented Oct 26, 2023

Why I did it

ERROR: LOCAL_EXTRACT_CERT=/usr/lib/linux-kbuild-6.1/scripts/extract-cert file does not exist
./scripts/signing_kernel_modules.sh: # Display Help
./scripts/signing_kernel_modules.sh -l <LINUX_KERNEL_VERSION> -c <PEM_CERT> -p <PEM_PRIVATE_KEY> -s <LOCAL_SIGN_FILE> -e <LOCAL_EXTRACT_CERT> -k <KERNEL_MODULES_DIR>
Sign kernel modules in <KERNEL_MODULES_DIR> using private & public keys.
Parameters description:
LINUX_KERNEL_VERSION
PEM_CERT                             public key (pem format)
PEM_PRIVATE_KEY                      private key (pem format)
LOCAL_SIGN_FILE                      path of the sign-file tool for signing Kernel Modules, if the value is empty it will used the sign-file installed in /usr/lib/linux-kbuild-<version>/scripts
LOCAL_EXTRACT_CERT                   path of the extract-cert tool for Extract X.509 certificate, if the value is empty it will used the extract-cert installed in /usr/lib/linux-kbuild-<version>/scripts
KERNEL_MODULES_DIR                   ******** directory of all the kernel modules to be sign by the script, if the value empty it will use the call script location as ********.
Runs examples:
1. ./scripts/signing_kernel_modules.sh -l 5.10.0-8-2 -c cert.pem -p priv-key.pem
2. ./scripts/signing_kernel_modules.sh -l 5.10.0-8-2 -c cert.pem -p priv-key.pem -k fs********-mellanox -e /usr/lib/linux-kbuild-5.10/scripts/extract-cert -s /usr/lib/linux-kbuild-5.10/scripts/sign-file
+ sudo LANG=C ch******** ./fs********-mellanox umount /proc
+ true
[  FAIL LOG END  ] [ target/sonic-mellanox.bin ]
make: *** [slave.mk:1377: target/sonic-mellanox.bin] Error 1
Makefile.work:612: recipe for target 'target/sonic-mellanox.bin' failed
make[1]: *** [target/sonic-mellanox.bin] Error 2
make[1]: Leaving directory '/builds2/sw-r2d2-bot/workspace/sonic_main/sonic'
Makefile:44: recipe for target 'target/sonic-mellanox.bin' failed
make: *** [target/sonic-mellanox.bin] Error 2
Work item tracking
  • Microsoft ADO (number only):

How I did it

Updated the path according to the kernel version. extract-certs was moved from scripts/ to certs/ from kernel 5.17 gregkh/linux@340a025

How to verify it

Which release branch to backport (provide reason below if selected)

  • 201811
  • 201911
  • 202006
  • 202012
  • 202106
  • 202111
  • 202205
  • 202211
  • 202305

Tested branch (Please provide the tested image version)

Description for the changelog

Link to config_db schema for YANG module changes

A picture of a cute animal (not mandatory but encouraged)

extract-certs was moved from scripts/ to certs/ from kernel 5.17 gregkh/linux@340a025

Signed-off-by: Vivek Reddy <vkarri@nvidia.com>
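
The path selection described under "How I did it", written out as an added shell example; it is not the script changed by this pull request. The function names and `KBUILD_ROOT` are hypothetical, and the `certs/` location under `linux-kbuild-<version>/` is assumed from the move the description cites.

```shell
#!/bin/sh
# Added example (not the project's signing_kernel_modules.sh).
# Assumption: kbuild tools live in $KBUILD_ROOT/linux-kbuild-<major.minor>/,
# with extract-cert under scripts/ before kernel 5.17 and certs/ from 5.17 on.
KBUILD_ROOT="${KBUILD_ROOT:-/usr/lib}"

# Print "major.minor" for a version such as 6.1.0-11-2; empty if unparseable.
kbuild_series() {
    printf '%s\n' "$1" | sed -n 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1.\2/p'
}

# Print the path where extract-cert is expected for kernel version $1.
extract_cert_path() {
    series=$(kbuild_series "$1")
    if [ -z "$series" ]; then
        echo "unparseable kernel version: $1" >&2
        return 2
    fi
    major=${series%%.*}
    minor=${series#*.}
    if [ "$major" -gt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -ge 17 ]; }; then
        sub=certs
    else
        sub=scripts
    fi
    printf '%s/linux-kbuild-%s/%s/extract-cert\n' "$KBUILD_ROOT" "$series" "$sub"
}

# Print a usable extract-cert path: the expected one if executable, otherwise
# the other directory in case the packaging differs. Fail if neither exists,
# so a signing step never continues without the tool.
resolve_extract_cert() {
    primary=$(extract_cert_path "$1") || return 2
    case $primary in
        */certs/extract-cert) alt=${primary%/certs/extract-cert}/scripts/extract-cert ;;
        *) alt=${primary%/scripts/extract-cert}/certs/extract-cert ;;
    esac
    for candidate in "$primary" "$alt"; do
        if [ -x "$candidate" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    echo "extract-cert not found: tried $primary and $alt" >&2
    return 1
}
```
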
@saiarcot895
Contributor

/azpw run Azure.sonic-buildimage

@saiarcot895
Contributor

/azp run Azure.sonic-buildimage

@azure-pipelines

Commenter does not have sufficient privileges for PR 17015 in repo sonic-net/sonic-buildimage

@vivekrnv
Contributor Author

/azpw run Azure.sonic-buildimage

@mssonicbld
Collaborator

/AzurePipelines run Azure.sonic-buildimage

@azure-pipelines

Azure Pipelines successfully started running 1 pipeline(s).

@dgsudharsan
Collaborator

@saiarcot895 Can we merge this?

@yxieca yxieca merged commit 91eda55 into sonic-net:bookworm Oct 30, 2023
16 checks passed
saiarcot895 pushed a commit to saiarcot895/sonic-buildimage that referenced this pull request Nov 7, 2023
…sonic-net#17015)
saiarcot895 pushed a commit to saiarcot895/sonic-buildimage that referenced this pull request Nov 21, 2023
…sonic-net#17015)
yxieca pushed a commit that referenced this pull request Nov 22, 2023
…#17015)
5 participants