Support to verify reboot for secure boot #979
Conversation
qiluo-msft
requested review from
yxieca,
jleveque,
lguohan,
marian-pritsak and
zhenggen-xu
|
@Staphylo Could you please help review ? #Closed |
sonic_installer/main.py
Outdated
| @cli.command('verify_reboot') | ||
| def verify_reboot(): |
There was a problem hiding this comment.
Along with Qi's comment above, this command should also be named form clearly, e.g., verify-next-image.
sonic_installer/bootloader/aboot.py
Outdated
| if not super(AbootBootloader, self).verify_reboot(): | ||
| return False | ||
| image = self.get_next_image() | ||
| image_path = self.get_image_path(image) + '/sonic.swi' |
There was a problem hiding this comment.
sonic.swi [](start = 52, length = 9)
Magic string in aboot.py #Closed
scripts/fast-reboot
Outdated
| debug "Next image ${NEXT_SONIC_IMAGE} doesn't exist ..." | ||
| exit ${EXIT_NEXT_IMAGE_NOT_EXISTS} | ||
| # Verify reboot by sonic_installer | ||
| local message=$(sonic_installer verify-reboot) |
There was a problem hiding this comment.
message [](start = 10, length = 7)
Did you only capture stdout but stderr? #Closed
There was a problem hiding this comment.
Added the stderr message.
sonic_installer/bootloader/aboot.py
Outdated
| if not super(AbootBootloader, self).verify_reboot(): | ||
| return False | ||
| image = self.get_next_image() | ||
| image_path = self.get_image_path(image) + '/sonic.swi' |
|
This pull request introduces 2 alerts when merging b10af37 into 1b992b3 - view on LGTM.com new alerts:
|
|
This pull request introduces 1 alert when merging db0a9d2 into 1b992b3 - view on LGTM.com new alerts:
|
|
This pull request introduces 1 alert when merging 7914998 into 1b992b3 - view on LGTM.com new alerts:
|
|
retest default please |
scripts/fast-reboot
Outdated
| exit ${EXIT_NEXT_IMAGE_NOT_EXISTS} | ||
| # Verify the next image by sonic_installer | ||
| local message=$(sonic_installer verify_next_image 2>&1) | ||
| if [ $? -ne 0 ]; then |
There was a problem hiding this comment.
This part of the reboot script is executed under -e option, meaning that the failure will trigger script to exit. Please take examples in the script to catch error code.
There was a problem hiding this comment.
Thanks, the command can be simplified, fixed. #Closed
There was a problem hiding this comment.
If you simplified this way, the sonic_installer verify-next-image will only output Failed or Done, which has no context in fast-reboot output.
As Ying suggested: Please take examples in the script to catch error code.
Your original debug command is still useful.
In reply to: 453135626 [](ancestors = 453135626)
There was a problem hiding this comment.
Thanks @yxieca actually #Closed
#### Why I did it
To pick up fixes from submodule sonic-sairedis which include the following fixes:
```
commit 1027eef3a331e84560827c7584ee8009baf434d5 (HEAD -> 202012, origin/202012)
Author: gechiang <62408185+gechiang@users.noreply.github.com>
Date: Wed Dec 8 03:13:34 2021 -0800
[202012] Prevent other notification event storms to keep enqueue unchecked and drained all memory that leads to crashing the switch router (sonic-net#976)
commit 94455e50d3444dcd60093b7a39c7f427337a94d2
Author: VenkatCisco <77468614+VenkatCisco@users.noreply.github.com>
Date: Tue Jun 15 03:23:20 2021 -0700
Add cisco-8000 checks to syncd_init_common (sonic-net#839)
commit 2df539483ed68519c3c9c6df958d3ed2f31dd629
Author: Kamil Cudnik <kcudnik@gmail.com>
Date: Mon Dec 6 20:50:23 2021 +0100
[lgtm] Add gmock libs to lgtm (sonic-net#979)
```
…d (#995) Root group name was changed from `cli` to `sonic_installer` in sonic-net/sonic-utilities#983. However, `verify-next-image` subcommand was being added in an already-open PR sonic-net/sonic-utilities#979 at the time. It did not get updated before merge. This aligns it with the new group name.
- What I did
Add a command "sonic_installer verify_reboot" to verify the image before reboot.
The command will be called when reboot/fast-reboot/warm-reboot.
- How I did it
- How to verify it
- Previous command output (if the output of a command-line utility has changed)
- New command output (if the output of a command-line utility has changed)