Skip to content

Commit

Permalink
Revert "secureboot: Enable signing SONiC kernel (sonic-net#10557)"
Browse files Browse the repository at this point in the history
This reverts commit 598ab99.

Signed-off-by: Abhishek Dosi <[email protected]>
  • Loading branch information
abdosi committed Jun 4, 2024
1 parent 9cbaf42 commit 7bb020f
Show file tree
Hide file tree
Showing 6 changed files with 1 addition and 49 deletions.
12 changes: 0 additions & 12 deletions Makefile.work
Original file line number Diff line number Diff line change
Expand Up @@ -339,17 +339,6 @@ ifneq ($(SONIC_VERSION_CACHE_SOURCE),)
DOCKER_RUN += -v "$(SONIC_VERSION_CACHE_SOURCE):/vcache:rw"
endif

ifeq ($(SONIC_ENABLE_SECUREBOOT_SIGNATURE), y)
ifneq ($(SIGNING_KEY),)
DOCKER_SIGNING_SOURCE := $(shell dirname $(SIGNING_KEY))
DOCKER_RUN += -v "$(DOCKER_SIGNING_SOURCE):$(DOCKER_SIGNING_SOURCE):ro"
endif
ifneq ($(SIGNING_CERT),)
DOCKER_SIGNING_SOURCE := $(shell dirname $(SIGNING_CERT))
DOCKER_RUN += -v "$(DOCKER_SIGNING_SOURCE):$(DOCKER_SIGNING_SOURCE):ro"
endif
endif

# User name and tag for "docker-*" images created by native dockerd mode.
ifeq ($(strip $(SONIC_CONFIG_USE_NATIVE_DOCKERD_FOR_BUILD)),y)
DOCKER_USERNAME = $(USER_LC)
Expand Down Expand Up @@ -551,7 +540,6 @@ SONIC_BUILD_INSTRUCTION := $(MAKE) \
EXTRA_DOCKER_TARGETS=$(EXTRA_DOCKER_TARGETS) \
BUILD_LOG_TIMESTAMP=$(BUILD_LOG_TIMESTAMP) \
SONIC_ENABLE_IMAGE_SIGNATURE=$(ENABLE_IMAGE_SIGNATURE) \
SONIC_ENABLE_SECUREBOOT_SIGNATURE=$(SONIC_ENABLE_SECUREBOOT_SIGNATURE) \
SECURE_UPGRADE_MODE=$(SECURE_UPGRADE_MODE) \
SECURE_UPGRADE_DEV_SIGNING_KEY=$(SECURE_UPGRADE_DEV_SIGNING_KEY) \
SECURE_UPGRADE_SIGNING_CERT=$(SECURE_UPGRADE_SIGNING_CERT) \
Expand Down
23 changes: 1 addition & 22 deletions build_debian.sh
Original file line number Diff line number Diff line change
Expand Up @@ -172,24 +172,6 @@ if [[ $CONFIGURED_ARCH == amd64 ]]; then
sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get -y install dmidecode hdparm
fi

## Sign the Linux kernel
# note: when flag SONIC_ENABLE_SECUREBOOT_SIGNATURE is enabled the Secure Upgrade flags should be disabled (no_sign) to avoid conflict between the features.
if [ "$SONIC_ENABLE_SECUREBOOT_SIGNATURE" = "y" ] && [ "$SECURE_UPGRADE_MODE" != 'dev' ] && [ "$SECURE_UPGRADE_MODE" != "prod" ]; then
if [ ! -f $SIGNING_KEY ]; then
echo "Error: SONiC linux kernel signing key missing"
exit 1
fi
if [ ! -f $SIGNING_CERT ]; then
echo "Error: SONiC linux kernel signing certificate missing"
exit 1
fi

echo '[INFO] Signing SONiC linux kernel image'
K=$FILESYSTEM_ROOT/boot/vmlinuz-${LINUX_KERNEL_VERSION}-${CONFIGURED_ARCH}
sbsign --key $SIGNING_KEY --cert $SIGNING_CERT --output /tmp/${K##*/} ${K}
sudo cp -f /tmp/${K##*/} ${K}
fi

## Update initramfs for booting with squashfs+overlay
cat files/initramfs-tools/modules | sudo tee -a $FILESYSTEM_ROOT/etc/initramfs-tools/modules > /dev/null

Expand Down Expand Up @@ -696,10 +678,7 @@ sudo LANG=C chroot $FILESYSTEM_ROOT /bin/bash -c "echo 0 > /etc/fips/fips_enable
# #################
# secure boot
# #################
if [[ $SECURE_UPGRADE_MODE == 'dev' || $SECURE_UPGRADE_MODE == "prod" && $SONIC_ENABLE_SECUREBOOT_SIGNATURE != 'y' ]]; then
# note: SONIC_ENABLE_SECUREBOOT_SIGNATURE is a feature that signing just kernel,
# SECURE_UPGRADE_MODE is signing all the boot component including kernel.
# its required to do not enable both features together to avoid conflicts.
if [[ $SECURE_UPGRADE_MODE == 'dev' || $SECURE_UPGRADE_MODE == "prod" ]]; then
echo "Secure Boot support build stage: Starting .."

# debian secure boot dependecies
Expand Down
7 changes: 0 additions & 7 deletions rules/config
Original file line number Diff line number Diff line change
Expand Up @@ -227,13 +227,6 @@ MASTER_FLUENTD_VERSION = mariner_20230517.1
# The relative path is build root folder.
SONIC_ENABLE_IMAGE_SIGNATURE ?= n

# SONIC_ENABLE_SECUREBOOT_SIGNATURE - enable SONiC kernel signing to support UEFI secureboot
# To support UEFI secureboot chain of trust requires EFI kernel to be signed as a PE binary
# SIGNING_KEY =
# SIGNING_CERT =
# The absolute path should be provided.
SONIC_ENABLE_SECUREBOOT_SIGNATURE ?= n

# Full Secure Boot feature flags.
# SECURE_UPGRADE_DEV_SIGNING_KEY - path to development signing key, used for image signing during build
# SECURE_UPGRADE_SIGNING_CERT - path to development signing certificate, used for image signing during build
Expand Down
6 changes: 0 additions & 6 deletions slave.mk
Original file line number Diff line number Diff line change
Expand Up @@ -1327,9 +1327,6 @@ $(addprefix $(TARGET_PATH)/, $(SONIC_RFS_TARGETS)) : $(TARGET_PATH)/% : \
IMAGE_TYPE=$($(installer)_IMAGE_TYPE) \
TARGET_PATH=$(TARGET_PATH) \
TRUSTED_GPG_URLS=$(TRUSTED_GPG_URLS) \
SONIC_ENABLE_SECUREBOOT_SIGNATURE="$(SONIC_ENABLE_SECUREBOOT_SIGNATURE)" \
SIGNING_KEY="$(SIGNING_KEY)" \
SIGNING_CERT="$(SIGNING_CERT)" \
PACKAGE_URL_PREFIX=$(PACKAGE_URL_PREFIX) \
DBGOPT='$(DBGOPT)' \
SONIC_VERSION_CACHE=$(SONIC_VERSION_CACHE) \
Expand Down Expand Up @@ -1581,9 +1578,6 @@ $(addprefix $(TARGET_PATH)/, $(SONIC_INSTALLERS)) : $(TARGET_PATH)/% : \
ONIE_IMAGE_PART_SIZE=$(ONIE_IMAGE_PART_SIZE) \
SONIC_ENFORCE_VERSIONS=$(SONIC_ENFORCE_VERSIONS) \
TRUSTED_GPG_URLS=$(TRUSTED_GPG_URLS) \
SONIC_ENABLE_SECUREBOOT_SIGNATURE="$(SONIC_ENABLE_SECUREBOOT_SIGNATURE)" \
SIGNING_KEY="$(SIGNING_KEY)" \
SIGNING_CERT="$(SIGNING_CERT)" \
PACKAGE_URL_PREFIX=$(PACKAGE_URL_PREFIX) \
DBGOPT='$(DBGOPT)' \
SONIC_VERSION_CACHE=$(SONIC_VERSION_CACHE) \
Expand Down
1 change: 0 additions & 1 deletion sonic-slave-bullseye/Dockerfile.j2
Original file line number Diff line number Diff line change
Expand Up @@ -174,7 +174,6 @@ RUN apt-get update && apt-get install -y eatmydata && eatmydata apt-get install
devscripts \
quilt \
stgit \
sbsigntool \
# For platform-modules build
module-assistant \
# For thrift build\
Expand Down
1 change: 0 additions & 1 deletion sonic-slave-buster/Dockerfile.j2
Original file line number Diff line number Diff line change
Expand Up @@ -170,7 +170,6 @@ RUN apt-get update && apt-get install -y eatmydata && eatmydata apt-get install
devscripts \
quilt \
stgit \
sbsigntool \
# For platform-modules build
module-assistant \
# For thrift build\
Expand Down

0 comments on commit 7bb020f

Please sign in to comment.