Secure boot #5282

Open
wants to merge 10 commits into base: master
10 changes: 10 additions & 0 deletions build_debian.sh
@@ -142,6 +142,12 @@ sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get -y in
if [[ $CONFIGURED_ARCH == amd64 ]]; then
sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get -y install dmidecode hdparm
fi
sudo apt-get -y install efitools
sudo openssl req -new -x509 -newkey rsa:2048 -subj "/CN=db/" -keyout kernel_db.key -out kernel_db.crt -days 365 -nodes -sha256
sudo openssl x509 -in kernel_db.crt -outform der -out kernel_db.der
sudo sbsign --key kernel_db.key --cert kernel_db.crt --output fsroot/boot/vmlinuz-4.19.0-9-2-amd64 fsroot/boot/vmlinuz-4.19.0-9-2-amd64
Collaborator: use LINUX_KERNEL_VERSION


sudo apt-get -y install mokutil

## Update initramfs for booting with squashfs+overlay
cat files/initramfs-tools/modules | sudo tee -a $FILESYSTEM_ROOT/etc/initramfs-tools/modules > /dev/null
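Review bot: the four lines added after the `fi` run on the build host rather than in the image, and the kernel path is hardcoded: `sudo apt-get -y install efitools` installs on the host while every neighbouring install uses `chroot $FILESYSTEM_ROOT`, `sbsign` is shipped by Debian's `sbsigntool` package and not by `efitools`, so the tool the next line calls is never installed, and `fsroot/boot/vmlinuz-4.19.0-9-2-amd64` should be built from `$FILESYSTEM_ROOT` and `LINUX_KERNEL_VERSION` as the earlier comment says. More important for Secure Boot: `openssl req -new -x509 -newkey rsa:2048 ... -days 365 -nodes` mints a fresh, passphrase-less db key into the working directory on every build, and nothing in the hunk enrolls `kernel_db.der` into the firmware db or shim's MOK list or removes `kernel_db.key` afterwards, so the resulting signature has no trust anchor on any target and the private key is left lying in the build tree. Take the key and certificate from a build variable that points at a persistent, protected signing key, and sign to a separate output path instead of passing the same file as both input and `--output`. The later `sudo apt-get -y install mokutil` has the same host-versus-chroot problem; if the switch is meant to enroll the certificate, `mokutil` belongs in the `chroot $FILESYSTEM_ROOT apt-get -y install` list.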
@@ -314,6 +320,10 @@ sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get -y in
cron \
haveged

## Secure boot signed shim and grub
sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get -y install \
grub-efi-amd64-signed \
shim-signed

if [[ $CONFIGURED_ARCH == amd64 ]]; then
## Pre-install the fundamental packages for amd64 (x86)
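Review bot: `grub-efi-amd64-signed` and `shim-signed` are installed unconditionally, immediately above the `if [[ $CONFIGURED_ARCH == amd64 ]]` block, but both are amd64-only packages, so this breaks the non-amd64 image builds. Move the two lines into the amd64 branch that follows (next to the other amd64-only packages) or guard them with the same `CONFIGURED_ARCH` test. Also worth stating in the PR description: the Debian-signed shim and GRUB installed here only load a kernel whose signer is in the firmware db, in shim's MOK list, or in shim's embedded Debian certificate, and the locally signed kernel from the first hunk is in none of those unless its certificate is enrolled, which this diff does not do.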
2 changes: 1 addition & 1 deletion installer/x86_64/install.sh
@@ -412,7 +412,7 @@ demo_install_uefi_grub()
efibootmgr --quiet --create \
--label "$demo_volume_label" \
--disk $blk_dev --part $uefi_part \
--loader "/EFI/$demo_volume_label/grubx64.efi" || {
--loader "/EFI/$demo_volume_label/shimx64.efi" || {
Collaborator: does this affect non-secure boot?

Author: Yes, but not if we add shimx64.efi to the EFI partition. Still working on this.

echo "ERROR: efibootmgr failed to create new boot variable on: $blk_dev"
exit 1
}
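Review bot: the `--loader` path now points at `/EFI/$demo_volume_label/shimx64.efi`, but nothing in this diff copies `shimx64.efi` (or the `grubx64.efi` that shim chain-loads from the same directory) into the ESP, so with only this change `efibootmgr` registers an entry for a file that is not there, and, as the author acknowledges, installs without Secure Boot stop booting as well. Either copy shim and grub into `/EFI/$demo_volume_label/` earlier in `demo_install_uefi_grub()`, or choose the loader at install time so existing paths keep working, e.g. `loader=grubx64.efi; [ -f "$esp/EFI/$demo_volume_label/shimx64.efi" ] && loader=shimx64.efi` and pass `"/EFI/$demo_volume_label/$loader"` to `efibootmgr`.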
4 changes: 3 additions & 1 deletion sonic-slave-buster/Dockerfile.j2
@@ -310,7 +310,9 @@ RUN apt-get update && apt-get install -y \
# For SWI Tools
python-m2crypto \
# For build dtb
device-tree-compiler
device-tree-compiler \
# For secure boot signing
efitools

## Config dpkg
## install the configuration file if it’s currently missing
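Review bot: `efitools` does not provide `sbsign`; on Debian that binary comes from the `sbsigntool` package, so the slave image built from this Dockerfile still cannot run the `sbsign` call that `build_debian.sh` adds in this PR. Add `sbsigntool` under the `# For secure boot signing` comment, and keep `efitools` only if its `cert-to-efi-sig-list`/`sign-efi-sig-list` tools are actually used to prepare the db/MOK entries; the comment should name which tool each package is there for.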