-
Notifications
You must be signed in to change notification settings - Fork 1.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add secureboot support for Arista devices #4741
Conversation
b239023
to
5f9a412
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As comments
Could you please fix build error
|
f9b006e
to
50ecb13
Compare
retest broadcom please |
375d0db
to
94c4d56
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM, please also wait for @xumia's review
I am also running some more regular boot tests to make sure there is no regression. |
94c4d56
to
d07a41c
Compare
My testing is looking good on other Arista devices. |
d07a41c
to
020c6de
Compare
Just rebased on master to fix a conflict on code I removed on union-mount.j2 |
It doesn't make much sense to do so since these files are already compressed. Also not compressing the squashfs has the advantage of making it mountable via a loop device.
020c6de
to
71aec59
Compare
@Staphylo Could you clarify the statement that "In secureboot, this change breaks some assumptions made by some SONiC tools" ? |
@qiluo-msft
I would expect the secureboot related failures to be mostly happening on |
This change adds secureboot support for Arista devices.
Some of the pieces can easily be reused by other bootloaders to achieve
the same purpose.
boot0
The default behavior of the boot0 is preserved and should not have any
impact on existing SKUs running in production. This is refered to as
regular boot process.
When secureboot is enabled, boot0 will follow a different code path.
In such cases only a few files get extracted as part of the installation process.
These are expected by SONiC and do not pose a security risk (
.imagehash
,firstime
).The secureboot mode sets
docker_inram
by default to force containers tobe extracted in RAM at boot time instead of extracted on the flash where
they could be tampered with.
This mode also adds
panic=60
which prevents the initramfs from runningan interactive shell when the boot fails and reboot after 60 seconds.
initrd + union-mount
A new cmdline parameter called
loopoffset=
is added to the debianinitramfs-tools package. It mostly rely on the existing loop device mount
patch that exists to mount the fs.squashfs file.
When
loopoffset=
is present, the fs.squashfs can be mounted directlyfrom a given file at a given offset by using
losetup
.In the case of Aboot, fs.squashfs is mounted directly from the SWI file
verified by secureboot in Aboot.
A small refactor was made for the logs in ram workaround.
It is now the
logs_inram
cmdline option that any vendor can use to storethe logs in RAM instead of using the flash.
build_debian.sh
The squashfs is no longer compressed when added to the zip file.
It was a bit pointless to compress an already compressed file.
It has the advantage of being a bit faster to add to the fs.zip and can now
be mounted directly from the SWI.
NOTES
This change is seemless for regular boot.
In secureboot, this change breaks some assumptions made by some SONiC tools.
These issues will be addressed separately, as they do not prevent this change from working.