Secure boot

build_debian.sh

@@ -94,6 +94,8 @@ sudo LANG=C chroot $FILESYSTEM_ROOT /bin/bash -c "echo '127.0.0.1       localhos
 ## Config basic fstab
 sudo LANG=C chroot $FILESYSTEM_ROOT /bin/bash -c 'echo "proc /proc proc defaults 0 0" >> /etc/fstab'
 sudo LANG=C chroot $FILESYSTEM_ROOT /bin/bash -c 'echo "sysfs /sys sysfs defaults 0 0" >> /etc/fstab'
+sudo mkdir -p $FILESYSTEM_ROOT/boot/efi
+sudo LANG=C chroot $FILESYSTEM_ROOT /bin/bash -c 'echo "/dev/vda1 /boot/efi       vfat    defaults,rw,errors=remount-ro   0     2" >> /etc/fstab'
 
 ## Setup proxy
 [ -n "$http_proxy" ] && sudo /bin/bash -c "echo 'Acquire::http::Proxy \"$http_proxy\";' > $FILESYSTEM_ROOT/etc/apt/apt.conf.d/01proxy"
@@ -142,6 +144,12 @@ sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get -y in
 if [[ $CONFIGURED_ARCH == amd64 ]]; then
     sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get -y install dmidecode hdparm
 fi
+sudo apt-get -y install efitools
+sudo openssl req -new -x509 -newkey rsa:2048 -subj "/CN=db/" -keyout kernel_db.key -out kernel_db.crt -days 365 -nodes -sha256
+sudo openssl x509 -in kernel_db.crt -outform der -out kernel_db.der
+sudo sbsign --key kernel_db.key --cert kernel_db.crt --output fsroot/boot/vmlinuz-${LINUX_KERNEL_VERSION}-amd64 fsroot/boot/vmlinuz-${LINUX_KERNEL_VERSION}-amd64
+
+sudo apt-get -y install mokutil
 
 ## Update initramfs for booting with squashfs+overlay
 cat files/initramfs-tools/modules | sudo tee -a $FILESYSTEM_ROOT/etc/initramfs-tools/modules > /dev/null
@@ -314,6 +322,10 @@ sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get -y in
     cron                    \
     haveged
 
+## Secure boot signed shim and grub
+sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get -y install      \
+    grub-efi-amd64-signed           \
+    shim-signed
 
 if [[ $CONFIGURED_ARCH == amd64 ]]; then
 ## Pre-install the fundamental packages for amd64 (x86)

installer/x86_64/install.sh

@@ -361,6 +361,7 @@ demo_install_grub()
 
         # restore immutable flag on the core.img file as discussed
         # above.
+
         [ -f "$core_img" ] && chattr +i $core_img
 
     fi
@@ -412,7 +413,7 @@ demo_install_uefi_grub()
     efibootmgr --quiet --create \
         --label "$demo_volume_label" \
         --disk $blk_dev --part $uefi_part \
-        --loader "/EFI/$demo_volume_label/grubx64.efi" || {
+        --loader "/EFI/$demo_volume_label/shimx64.efi" || {
         echo "ERROR: efibootmgr failed to create new boot variable on: $blk_dev"
         exit 1
     }
@@ -637,6 +638,78 @@ else
     cp $grub_cfg $onie_initrd_tmp/$demo_mnt/grub/grub.cfg
 fi
 
+ tmp_config=$(mktemp)
+cat << EOF >> $tmp_config
+configfile $prefix/grub.cfg
+EOF
+
+GRUB_MODULES="
+    all_video
+    boot
+    btrfs
+    cat
+    chain
+    configfile
+    echo
+    efifwsetup
+    efinet
+    ext2
+    fat
+    font
+    gettext
+    gfxmenu
+    gfxterm
+    gfxterm_background
+    gzio
+    halt
+    hfsplus
+    iso9660
+    jpeg
+    keystatus
+    loadenv
+    loopback
+    linux
+    linuxefi
+    lsefi
+    lsefimmap
+    lsefisystab
+    lssal
+    lvm
+    mdraid09
+    mdraid1x
+    memdisk
+    minicmd
+    normal
+    part_apple
+    part_msdos
+    part_gpt
+    password_pbkdf2
+    png
+    raid5rec
+    raid6rec
+    reboot
+    search
+    search_fs_uuid
+    search_fs_file
+    search_label
+    serial
+    sleep
+    squash4
+    terminal
+    terminfo
+    test
+    true
+    video
+    zfs
+    zfscrypt
+    zfsinfo
+"
+/usr/bin/grub-mkimage --format="x86_64-efi" --directory="/usr/lib/grub/x86_64-efi" \
+    --prefix="(hd0,gpt3)/grub" --config="$tmp_config" --output="/boot/efi/EFI/SONiC-OS/grubx64.efi" \
+       $GRUB_MODULES
+
+rm -f $tmp_config
+
 cd /
 
 echo "Installed SONiC base image $demo_volume_label successfully"

sonic-slave-buster/Dockerfile.j2

@@ -310,7 +310,9 @@ RUN apt-get update && apt-get install -y \
 # For SWI Tools
         python-m2crypto \
 # For build dtb
-	device-tree-compiler
+	device-tree-compiler \
+# For secure boot signing
+	efitools
 
 ## Config dpkg
 ## install the configuration file if it’s currently missing