sonic-utilities
sonic-utilities copied to clipboard
sonic-net
Secure upgrade
What I did
Added support for secure upgrade
How I did it
It includes image signing during build (in sonic buildimage repo) and verification during image install (in sonic-utilities). HLD can be found in the following PR: https://github.com/sonic-net/SONiC/pull/1024
How to verify it
Feature is used to allow image was not modified since built from vendor. During installation, image can be verified with a signature attached to it. In order for image verification - image must be signed - need to provide signing key and certificate (paths in SECURE_UPGRADE_DEV_SIGNING_KEY and SECURE_UPGRADE_DEV_SIGNING_CERT in rules/config) during build , and during image install, need to enable secure boot flag in bios, and signing_certificate should be available in bios.
Feature dependencies
In order for this feature to work smoothly, need to have secure boot feature implemented as well. The Secure boot feature will be merged in the near future.
sonic-buildimage PR: https://github.com/sonic-net/sonic-buildimage/pull/11862
This pull request introduces 1 alert and fixes 2 when merging 22d197c72af57f800098da9d7ff36d57ca6b5380 into f82835ed9607aec4c94526188122d165b1d45f3d - view on LGTM.com
new alerts:
- 1 for Syntax error
fixed alerts:
- 2 for Unused local variable
![lgtm-com[bot] avatar](https://avatars.githubusercontent.com/in/17324?v=4 "Published by a pub.dev verified publisher"){kind=small}
The committers listed above are authorized under a signed CLA.
- :white_check_mark: login: ycoheNvidia (b972cde9528e14083f7763a626af28708cdd1bcd, 6504dd89b7fb754c138fc9e8bff3cc8a5c085f53, 3efcc950a9b763c4a96555bc581f5c9db46b63d7, 22d197c72af57f800098da9d7ff36d57ca6b5380, 311b70224ed14f9d1592508af70b1e3be16a7e0f, baa6918d5e4275e248885e61e5cc4f92c95a2ccc, 3cf593500b48470690c033771ea7bd090ea020ff)
![linux-foundation-easycla[bot] avatar](https://avatars.githubusercontent.com/in/17893?v=4 "Published by a pub.dev verified publisher"){kind=small}
@yxieca @liat-grozovik I reviewed the scan of bendit. There are 70 high severity issues that are not related to my code, but from the original master. Regarding my code, there are only few medium issues, and don't think they are required to be resolved. How do you want to proceed?
as of today bandit is not required. it is still under work. once the pr is approved by @xumia we will be able to merge.
as of today bandit is not required. it is still under work. once the pr is approved by @xumia we will be able to merge.
@xumia Is there any update on this PR?
This change will break sonic-installer install for all Aboot and Uboot platforms.
It implements verify_image_sign solely for Grub not even declaring it in its base class while still using it in common code.
Any reason why this code is not using the existing verify_secureboot_image like it's done here? https://github.com/sonic-net/sonic-utilities/blob/c57c3fadc493d219027c91ff7c26e3d810ef3693/sonic_installer/bootloader/aboot.py#L199
@xumia @qiluo-msft this change needs to be reverted or fixed ASAP before it makes its way into sonic-buildimage.
Could you also add me as a notifiee everytime someone changes sonic-utilities/sonic_installer/bootloader/ ?
@Staphylo , thanks for your comment. @ycoheNvidia, @liat-grozovik , could you please help fix it ASAP? It has impact on the Aboot and Uboot platforms.
@Staphylo , thanks for your comment. @ycoheNvidia, @liat-grozovik , could you please help fix it ASAP? It has impact on the Aboot and Uboot platforms.
Will upload a patch today, thanks for the vigilance
@Staphylo , thanks for your comment. @ycoheNvidia, @liat-grozovik , could you please help fix it ASAP? It has impact on the Aboot and Uboot platforms.
added a fix in https://github.com/sonic-net/sonic-utilities/pull/2646
@liat-grozovik this PR caused aboot failure with 202205 and 202012 images, and block pipeline test, will revert first, pls re-submit when this issue get fixed.
@liat-grozovik this PR caused aboot failure with 202205 and 202012 images, and block pipeline test, will revert first, pls re-submit when this issue get fixed.
we have a fix in https://github.com/sonic-net/sonic-utilities/pull/2646