Skip to content

Commit

Permalink
Add support for secure upgrade (#11862)
Browse files Browse the repository at this point in the history
- What I did
Added support for secure upgrade.

- How I did it
During sonic_installer install, added secure upgrade image verification.
HLD can be found in the following PR: sonic-net/SONiC#1024

- Why I did it
Feature is used to allow image was not modified since built from vendor. During installation, image can be verified with a signature attached to it.

- How I did it
Feature includes image signing during build (in sonic buildimage repo) and verification during image install (in sonic-utilities).

- How to verify it
In order for image verification - image must be signed - need to provide signing key and certificate (paths in SECURE_UPGRADE_DEV_SIGNING_KEY and SECURE_UPGRADE_DEV_SIGNING_CERT in rules/config) during build , and during image install, need to enable secure boot flag in bios, and signing_certificate should be available in bios.

- Feature dependencies
In order for this feature to work smoothly, need to have secure boot feature implemented as well.
The Secure boot feature will be merged in the near future.
  • Loading branch information
ycoheNvidia authored and mssonicbld committed Jul 12, 2023
1 parent 1efaedb commit a45a71f
Show file tree
Hide file tree
Showing 4 changed files with 65 additions and 4 deletions.
2 changes: 1 addition & 1 deletion build_image.sh
Original file line number Diff line number Diff line change
Expand Up @@ -86,7 +86,7 @@ generate_onie_installer_image()
## Note: Don't leave blank between lines. It is single line command.
./onie-mk-demo.sh $CONFIGURED_ARCH $TARGET_MACHINE $TARGET_PLATFORM-$TARGET_MACHINE-$ONIEIMAGE_VERSION \
installer platform/$TARGET_MACHINE/platform.conf $output_file OS $IMAGE_VERSION $ONIE_IMAGE_PART_SIZE \
$ONIE_INSTALLER_PAYLOAD
$ONIE_INSTALLER_PAYLOAD $SECURE_UPGRADE_SIGNING_CERT $SECURE_UPGRADE_DEV_SIGNING_KEY
}

# Generate asic-specific device list
Expand Down
8 changes: 6 additions & 2 deletions installer/sharch_body.sh
Original file line number Diff line number Diff line change
Expand Up @@ -11,7 +11,9 @@
##

echo -n "Verifying image checksum ..."
sha1=$(sed -e '1,/^exit_marker$/d' "$0" | sha1sum | awk '{ print $1 }')
payload_image_size=%%PAYLOAD_IMAGE_SIZE%%

sha1=$(sed -e '1,/^exit_marker$/d' "$0" | head -c $payload_image_size | sha1sum | awk '{ print $1 }')

payload_sha1=%%IMAGE_SHA1%%

Expand Down Expand Up @@ -45,7 +47,9 @@ if [ "$(id -u)" = "0" ] ; then
fi
cd $tmp_dir
echo -n "Preparing image archive ..."
sed -e '1,/^exit_marker$/d' $archive_path | tar xf - || exit 1

sed -e '1,/^exit_marker$/d' $archive_path | head -c $payload_image_size | tar xf - || exit 1

echo " OK."
cd $cur_wd
if [ -n "$extract" ] ; then
Expand Down
48 changes: 47 additions & 1 deletion onie-mk-demo.sh
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,9 @@ output_file=$6
demo_type=$7
image_version=$8
onie_image_part_size=$9
onie_installer_payload=${10}
cert_file=${11}
key_file=${12}

shift 9

Expand Down Expand Up @@ -100,7 +103,7 @@ sed -i -e "s/%%DEMO_TYPE%%/$demo_type/g" \
-e "s@%%OUTPUT_RAW_IMAGE%%@$output_raw_image@" \
$tmp_installdir/install.sh || clean_up 1
echo -n "."
cp -r $* $tmp_installdir || clean_up 1
cp -r $onie_installer_payload $tmp_installdir || clean_up 1
echo -n "."
[ -r "$platform_conf" ] && {
cp $platform_conf $tmp_installdir || clean_up 1
Expand Down Expand Up @@ -130,7 +133,50 @@ cp $installer_dir/sharch_body.sh $output_file || {
# Replace variables in the sharch template
sed -i -e "s/%%IMAGE_SHA1%%/$sha1/" $output_file
echo -n "."
tar_size="$(wc -c < "${sharch}")"
sed -i -e "s|%%PAYLOAD_IMAGE_SIZE%%|${tar_size}|" ${output_file}
cat $sharch >> $output_file
echo "secure upgrade flags: SECURE_UPGRADE_MODE = $SECURE_UPGRADE_MODE, \
SECURE_UPGRADE_DEV_SIGNING_KEY = $SECURE_UPGRADE_DEV_SIGNING_KEY, SECURE_UPGRADE_SIGNING_CERT = $SECURE_UPGRADE_SIGNING_CERT"

if [ "$SECURE_UPGRADE_MODE" = "dev" -o "$SECURE_UPGRADE_MODE" = "prod" ]; then
CMS_SIG="${tmp_dir}/signature.sig"
DIR="$(dirname "$0")"
scripts_dir="${DIR}/scripts"
echo "$0 $SECURE_UPGRADE_MODE signing - creating CMS signature for ${output_file}. Output file ${CMS_SIG}"

if [ "$SECURE_UPGRADE_MODE" = "dev" ]; then
echo "$0 dev keyfile location: ${key_file}."
[ -f ${scripts_dir}/sign_image_dev.sh ] || {
echo "dev sign script ${scripts_dir}/sign_image_dev.sh not found"
rm -rf ${output_file}
}
(${scripts_dir}/sign_image_dev.sh ${cert_file} ${key_file} ${output_file} ${CMS_SIG}) || {
echo "CMS sign error $?"
rm -rf ${CMS_SIG} ${output_file}
}
else # "$SECURE_UPGRADE_MODE" has to be equal to "prod"
[ -f ${scripts_dir}/sign_image_${machine}.sh ] || {
echo "prod sign script ${scripts_dir}/sign_image_${machine}.sh not found"
rm -rf ${output_file}
}
(${scripts_dir}/sign_image_${machine}.sh ${output_file} ${CMS_SIG} ${SECURE_UPGRADE_MODE}) || {
echo "CMS sign error $?"
rm -rf ${CMS_SIG} ${output_file}
}
fi

[ -f "$CMS_SIG" ] || {
echo "Error: CMS signature not created - exiting without signing"
clean_up 1
}
# append signature to binary
cat ${CMS_SIG} >> ${output_file}
sudo rm -rf ${CMS_SIG}
elif [ "$SECURE_UPGRADE_MODE" -ne "no_sign" ]; then
echo "SECURE_UPGRADE_MODE not defined or defined as $SECURE_UPGRADE_MODE - build without signing"
fi

rm -rf $tmp_dir
echo " Done."

Expand Down
11 changes: 11 additions & 0 deletions scripts/sign_image_dev.sh
Original file line number Diff line number Diff line change
@@ -0,0 +1,11 @@
cert_file=$1
key_file=$2
image_to_sign=$3
cms_sig_out=$4
openssl cms -sign -nosmimecap -signer ${cert_file} -inkey ${key_file} -binary -in $image_to_sign -outform pem -out ${cms_sig_out} || {
echo "$?: CMS sign error"
sudo rm -rf ${cms_sig_out}
exit 1
}
echo "CMS sign OK"
exit 0

0 comments on commit a45a71f

Please sign in to comment.