sonic-buildimage
Add Secure Boot Support
Why I did it
Add Secure Boot support to SONiC OS. Secure Boot (SB) is a verification mechanism for ensuring that code launched by a computer's UEFI firmware is trusted. It is designed to protect a system against malicious code being loaded and executed early in the boot process before the operating system has been loaded.
How I did it
Add a signing process to sign the following components: shim, grub, Linux kernel, and kernel modules when doing the build.
How to verify it
There are self-verifications of each boot component when building the image. In addition, I added an end-to-end test in the sonic-mgmt repo that checks that the boot succeeds when loading a secure system.
Which release branch to backport (provide reason below if selected)
- [X] master
- [ ] 201811
- [ ] 201911
- [ ] 202006
- [ ] 202012
- [ ] 202106
- [ ] 202111
- [ ] 202205
- [X] 202211
Description for the changelog
Ensure to add label/tag for the feature raised. Example: PR#2174 under sonic-utilities repo, where the Generic Config and Update feature has been labelled as GCU.
Link to config_db schema for YANG module changes
No REDIS DB used
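An added example, not part of this PR or the SONiC build scripts: a build-time presence check for the two signature formats the listed components carry, assuming shim, grub and the kernel are EFI (PE) images with an Authenticode certificate table and kernel modules use the standard appended-signature trailer. It only confirms a signature is attached and structurally sane; it does not validate it against any key, and the sample inputs are constructed.

```python
import struct

MODULE_SIG_MAGIC = b"~Module signature appended~\n"  # trailer of a signed .ko

def pe_signature_size(data: bytes) -> int:
    """Size of the Authenticode certificate table in an EFI (PE) image; 0 = unsigned."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = pe_off + 24                      # 4-byte signature + 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    dirs = opt + (112 if magic == 0x20B else 96)   # PE32+ / PE32 data directories
    if struct.unpack_from("<I", data, dirs - 4)[0] <= 4:
        return 0                           # image has no certificate table slot
    offset, size = struct.unpack_from("<II", data, dirs + 4 * 8)  # directory index 4
    if size and offset + size > len(data):
        raise ValueError("certificate table points outside the file")
    return size

def module_signature_size(data: bytes) -> int:
    """Length of the signature appended to a kernel module; 0 = unsigned."""
    if not data.endswith(MODULE_SIG_MAGIC):
        return 0
    info_end = len(data) - len(MODULE_SIG_MAGIC)
    if info_end < 12:                      # 12-byte struct module_signature
        raise ValueError("truncated signature info block")
    sig_len = struct.unpack_from(">I", data, info_end - 4)[0]  # big-endian sig_len
    if sig_len == 0 or sig_len > info_end - 12:
        raise ValueError("sig_len inconsistent with file size")
    return sig_len

def sample_pe(signed: bool) -> bytes:
    """Constructed minimal PE32+ header, optionally with an 8-byte certificate table."""
    hdr = bytearray(0x200)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)
    hdr[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", hdr, 0x98, 0x20B)
    struct.pack_into("<I", hdr, 0x98 + 108, 16)
    if signed:
        struct.pack_into("<II", hdr, 0x98 + 112 + 32, 0x200, 8)
    return bytes(hdr) + (b"\0" * 8 if signed else b"")

def sample_module(signed: bool) -> bytes:
    """Constructed stand-in for a .ko, optionally with a 16-byte appended signature."""
    info = bytes([0, 0, 2, 0, 0, 0, 0, 0]) + struct.pack(">I", 16)
    return b"\x7fELF" + b"\0" * 60 + (b"S" * 16 + info + MODULE_SIG_MAGIC if signed else b"")
```

A build step could fail the image when either function returns 0 for a component that should be signed, before the end-to-end boot test runs.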