Add support for secure upgrade #2698
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Fixed return value from cms verification script used for secure upgrade. Also modified and added prints to be similar to ONIE verification
|
@qiluo-msft Can you please review and approve this PR? |
This reverts commit e98011f.
|
@qiluo-msft , @Yarden-Z @xumia please help to review this PR. this one must go into 202211 as well . |
Yarden-Z
approved these changes
Apr 17, 2023
|
moved to 202305 release |
|
@qiluo-msft kindly reminder to review and provide feedback |
DavidZagury
added a commit
to DavidZagury/sonic-utilities
that referenced
this pull request
May 23, 2023
qiluo-msft
reviewed
May 30, 2023
| @@ -75,6 +75,10 @@ def supports_package_migration(self, image): | |||
| """tells if the image supports package migration""" | |||
| return True | |||
|
|
|||
| def verify_image_sign(self, image_path): | |||
There was a problem hiding this comment.
We want to verify image signature only of secure boot flag is enabled. This flow was already merged in previous PR #2337 (that was reverted even though it had a fix ready in a day) and described and approved in the HLD as well (sonic-net/SONiC#1024)
There was a problem hiding this comment.
@qiluo-msft please add your comments/approval
There was a problem hiding this comment.
After checking HLD, my comment is still applicable.
I understand "We want to verify image signature only of secure boot flag is enabled." This is the base class implementation, if subclass does not override, it will confuse user that an unsecure normal image is considered "verify_image_sign"-ed.
There was a problem hiding this comment.
What do you suggest to do? @qiluo-msft Does the user read the python code? If we move the prints around verify_image_sign call in main.py inside grub bootloader will it be enough? I Can also add print inside base bootloader ("image verification not implemented, continue without verification"). Returning False here will make other vendor's CI fail, as the previous PR did, and I don't think implementing this method for each bootloader will be positive
There was a problem hiding this comment.
If you mean "image verification not implemented", you should either throw NotImplmented exception or return a reasonable value to indicate the error. Silently "continue without verification" does not make sense.
There was a problem hiding this comment.
Modified the code as suggested, please review @qiluo-msft
ycoheNvidia
force-pushed
the
secure_upgrade_v2
branch
from
7062ef1
to
64dab4a
Compare
qiluo-msft
previously approved these changes
Jun 21, 2023
ycoheNvidia
force-pushed
the
secure_upgrade_v2
branch
from
9b932e7
to
aeeeabe
Compare
ycoheNvidia
force-pushed
the
secure_upgrade_v2
branch
from
aeeeabe
to
7877b3a
Compare
|
/azp run Azure.sonic-buildimage |
|
Commenter does not have sufficient privileges for PR 2698 in repo sonic-net/sonic-utilities |
|
@qiluo-msft @liat-grozovik fixed minor print and issues - CI tests pass |
qiluo-msft
approved these changes
Jun 26, 2023
|
@DavidZagury still got some question.
|
|
This was referenced Jun 30, 2023
StormLiangMS
pushed a commit
that referenced
this pull request
Jun 30, 2023
- What I did Added support for secure upgrade - How I did it It includes image signing during build (in sonic buildimage repo) and verification during image install (in sonic-utilities). HLD can be found in the following PR: sonic-net/SONiC#1024 - How to verify it Feature is used to allow image was not modified since built from vendor. During installation, image can be verified with a signature attached to it. In order for image verification - image must be signed - need to provide signing key and certificate (paths in SECURE_UPGRADE_DEV_SIGNING_KEY and SECURE_UPGRADE_DEV_SIGNING_CERT in rules/config) during build , and during image install, need to enable secure boot flag in bios, and signing_certificate should be available in bios. - Feature dependencies In order for this feature to work smoothly, need to have secure boot feature implemented as well. The Secure boot feature will be merged in the near future.
StormLiangMS
pushed a commit
that referenced
this pull request
Jun 30, 2023
- What I did Added support for secure upgrade - How I did it It includes image signing during build (in sonic buildimage repo) and verification during image install (in sonic-utilities). HLD can be found in the following PR: sonic-net/SONiC#1024 - How to verify it Feature is used to allow image was not modified since built from vendor. During installation, image can be verified with a signature attached to it. In order for image verification - image must be signed - need to provide signing key and certificate (paths in SECURE_UPGRADE_DEV_SIGNING_KEY and SECURE_UPGRADE_DEV_SIGNING_CERT in rules/config) during build , and during image install, need to enable secure boot flag in bios, and signing_certificate should be available in bios. - Feature dependencies In order for this feature to work smoothly, need to have secure boot feature implemented as well. The Secure boot feature will be merged in the near future.
dgsudharsan
added a commit
to dgsudharsan/sonic-buildimage
that referenced
this pull request
Jul 11, 2023
Update sonic-utilities submodule pointer to include the following: * ff380e04 [hash]: Implement GH frontend ([sonic-net#2580](sonic-net/sonic-utilities#2580)) * 61bad064 [db_migrator] Set correct CURRENT_VERSION, extend UT ([sonic-net#2895](sonic-net/sonic-utilities#2895)) * 6b8ee47c [CLI][Show][BGP] Show BGP Change for no neighbor scenario ([sonic-net#2885](sonic-net/sonic-utilities#2885)) * 73d8d633 [doc] Update Command-Reference.md, change show bgp peer command to show bfd peer ([sonic-net#2750](sonic-net/sonic-utilities#2750)) * 7bc08c28 [db_migrator] Remove hardcoded config and migrate config from minigraph ([sonic-net#2887](sonic-net/sonic-utilities#2887)) * b1aa9426 [generate_dump]: Enhance show techsupport for Marvell platform ([sonic-net#2676](sonic-net/sonic-utilities#2676)) * 316b14c0 Add support for secure upgrade ([sonic-net#2698](sonic-net/sonic-utilities#2698)) * dc2945bc [dns] Implement config and show commands for static DNS. ([sonic-net#2737](sonic-net/sonic-utilities#2737)) * 8414a709 [chassis][multi asic] change acl_loader to use tcp socket for db communication ([sonic-net#2525](sonic-net/sonic-utilities#2525)) * 0b629ba1 Revert [chassis][voq] Clear fabric counters queue/port (2789) ([sonic-net#2882](sonic-net/sonic-utilities#2882)) * 3ba8241a [db_migtrator] Add migration of FLEX_COUNTER_DELAY_STATUS during 1911->master upgrade + fast-reboot. Add UT. ([sonic-net#2839](sonic-net/sonic-utilities#2839)) * fceef2ed [chassis][voq] Clear fabric counters queue/port ([sonic-net#2789](sonic-net/sonic-utilities#2789)) Signed-off-by: dgsudharsan <sudharsand@nvidia.com>
11 tasks
liat-grozovik
pushed a commit
to sonic-net/sonic-buildimage
that referenced
this pull request
Jul 11, 2023
Update sonic-utilities submodule pointer to include the following: * ff380e04 [hash]: Implement GH frontend ([#2580](sonic-net/sonic-utilities#2580)) * 61bad064 [db_migrator] Set correct CURRENT_VERSION, extend UT ([#2895](sonic-net/sonic-utilities#2895)) * 6b8ee47c [CLI][Show][BGP] Show BGP Change for no neighbor scenario ([#2885](sonic-net/sonic-utilities#2885)) * 73d8d633 [doc] Update Command-Reference.md, change show bgp peer command to show bfd peer ([#2750](sonic-net/sonic-utilities#2750)) * 7bc08c28 [db_migrator] Remove hardcoded config and migrate config from minigraph ([#2887](sonic-net/sonic-utilities#2887)) * b1aa9426 [generate_dump]: Enhance show techsupport for Marvell platform ([#2676](sonic-net/sonic-utilities#2676)) * 316b14c0 Add support for secure upgrade ([#2698](sonic-net/sonic-utilities#2698)) * dc2945bc [dns] Implement config and show commands for static DNS. ([#2737](sonic-net/sonic-utilities#2737)) * 8414a709 [chassis][multi asic] change acl_loader to use tcp socket for db communication ([#2525](sonic-net/sonic-utilities#2525)) * 0b629ba1 Revert [chassis][voq] Clear fabric counters queue/port (2789) ([#2882](sonic-net/sonic-utilities#2882)) * 3ba8241a [db_migtrator] Add migration of FLEX_COUNTER_DELAY_STATUS during 1911->master upgrade + fast-reboot. Add UT. ([#2839](sonic-net/sonic-utilities#2839)) * fceef2ed [chassis][voq] Clear fabric counters queue/port ([#2789](sonic-net/sonic-utilities#2789)) Signed-off-by: dgsudharsan <sudharsand@nvidia.com>
pdhruv-marvell
pushed a commit
to pdhruv-marvell/sonic-utilities
that referenced
this pull request
Aug 23, 2023
- What I did Added support for secure upgrade - How I did it It includes image signing during build (in sonic buildimage repo) and verification during image install (in sonic-utilities). HLD can be found in the following PR: sonic-net/SONiC#1024 - How to verify it Feature is used to allow image was not modified since built from vendor. During installation, image can be verified with a signature attached to it. In order for image verification - image must be signed - need to provide signing key and certificate (paths in SECURE_UPGRADE_DEV_SIGNING_KEY and SECURE_UPGRADE_DEV_SIGNING_CERT in rules/config) during build , and during image install, need to enable secure boot flag in bios, and signing_certificate should be available in bios. - Feature dependencies In order for this feature to work smoothly, need to have secure boot feature implemented as well. The Secure boot feature will be merged in the near future.
sonic-otn
pushed a commit
to sonic-otn/sonic-buildimage
that referenced
this pull request
Sep 20, 2023
Update sonic-utilities submodule pointer to include the following: * ff380e04 [hash]: Implement GH frontend ([sonic-net#2580](sonic-net/sonic-utilities#2580)) * 61bad064 [db_migrator] Set correct CURRENT_VERSION, extend UT ([sonic-net#2895](sonic-net/sonic-utilities#2895)) * 6b8ee47c [CLI][Show][BGP] Show BGP Change for no neighbor scenario ([sonic-net#2885](sonic-net/sonic-utilities#2885)) * 73d8d633 [doc] Update Command-Reference.md, change show bgp peer command to show bfd peer ([sonic-net#2750](sonic-net/sonic-utilities#2750)) * 7bc08c28 [db_migrator] Remove hardcoded config and migrate config from minigraph ([sonic-net#2887](sonic-net/sonic-utilities#2887)) * b1aa9426 [generate_dump]: Enhance show techsupport for Marvell platform ([sonic-net#2676](sonic-net/sonic-utilities#2676)) * 316b14c0 Add support for secure upgrade ([sonic-net#2698](sonic-net/sonic-utilities#2698)) * dc2945bc [dns] Implement config and show commands for static DNS. ([sonic-net#2737](sonic-net/sonic-utilities#2737)) * 8414a709 [chassis][multi asic] change acl_loader to use tcp socket for db communication ([sonic-net#2525](sonic-net/sonic-utilities#2525)) * 0b629ba1 Revert [chassis][voq] Clear fabric counters queue/port (2789) ([sonic-net#2882](sonic-net/sonic-utilities#2882)) * 3ba8241a [db_migtrator] Add migration of FLEX_COUNTER_DELAY_STATUS during 1911->master upgrade + fast-reboot. Add UT. ([sonic-net#2839](sonic-net/sonic-utilities#2839)) * fceef2ed [chassis][voq] Clear fabric counters queue/port ([sonic-net#2789](sonic-net/sonic-utilities#2789)) Signed-off-by: dgsudharsan <sudharsand@nvidia.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What I did
Added support for secure upgrade
How I did it
It includes image signing during build (in sonic buildimage repo) and verification during image install (in sonic-utilities).
HLD can be found in the following PR: sonic-net/SONiC#1024
How to verify it
Feature is used to allow image was not modified since built from vendor. During installation, image can be verified with a signature attached to it.
In order for image verification - image must be signed - need to provide signing key and certificate (paths in SECURE_UPGRADE_DEV_SIGNING_KEY and SECURE_UPGRADE_DEV_SIGNING_CERT in rules/config) during build , and during image install, need to enable secure boot flag in bios, and signing_certificate should be available in bios.
Feature dependencies
In order for this feature to work smoothly, need to have secure boot feature implemented as well.
The Secure boot feature will be merged in the near future.
sonic-buildimage PR: sonic-net/sonic-buildimage#11862