Secure boot add signed shim and grub, key signing an importing tools #5286
Conversation
sonic-slave-buster/Dockerfile.j2
Outdated
| device-tree-compiler \ | ||
| # For secure boot key signing and import | ||
| efitools \ | ||
| mokutil |
There was a problem hiding this comment.
mokutil [](start = 1, length = 7)
Do you need mokutil in runtime to import key? sonic-slave is only for build.
There was a problem hiding this comment.
It would be beneficial to have mokutil during runtime
There was a problem hiding this comment.
Your comment said "importing secure boot keys", and I guess it is for mokutil. It is confusing, because sonic-slave-buster is a build environment (docker container). And it is different from a running SONiC. Why you need it in build time and how do you use it?
In reply to: 480381168 [](ancestors = 480381168)
build_debian.sh
Outdated
|
|
||
| ## Secure boot signed shim grub |
There was a problem hiding this comment.
Secure boot signed shim grub [](start = 3, length = 29)
The comment is difficult to read. Could you check against description of installed packages and refine the statement? #Closed
sonic-slave-buster/Dockerfile.j2
Outdated
| @@ -310,7 +310,10 @@ RUN apt-get update && apt-get install -y \ | |||
| # For SWI Tools | |||
| python-m2crypto \ | |||
| # For build dtb | |||
| device-tree-compiler | |||
| device-tree-compiler \ | |||
| # For secure boot key signing and import | |||
There was a problem hiding this comment.
For secure boot key signing and import [](start = 2, length = 38)
Below 2 packages have nothing to do with signing. Please refine comment. #Closed
|
Suggest refine PR title to be descriptive, accurate and explicit. #Closed |
| ## Secure boot signed shim grub | ||
| sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get -y install \ | ||
| grub-efi-amd64-signed \ | ||
| shim-signed |
There was a problem hiding this comment.
I am worried about the disk space of image. Are they needed in runtime? Is there anything we can do to reduce image sizes before installation, or occupied disk space after installation? #Closed
There was a problem hiding this comment.
We can sign grubx64.efi and shimx64.efi with our own keys, then we do not have to install these packages that contain debian signed shimx64.efi and grubx64.efi.
|
Please add more detail to the PR title |
kelly-yeh-ms
changed the title
|
I cannot understand PR title "key signing an importing tools" part. |
| @@ -637,6 +637,76 @@ else | |||
| cp $grub_cfg $onie_initrd_tmp/$demo_mnt/grub/grub.cfg | |||
| fi | |||
|
|
|||
| tmp_config=$(mktemp) | |||
There was a problem hiding this comment.
tmp_config [](start = 0, length = 10)
Add some comment to this block of code.
| zfscrypt | ||
| zfsinfo | ||
| " | ||
| /usr/bin/grub-mkimage --format="x86_64-efi" --directory="/usr/lib/grub/x86_64-efi" \ |
There was a problem hiding this comment.
grub-mkimage [](start = 9, length = 12)
Check the build failure, seems this command is missing.
Why I did it
Add signed shim and grub, secure boot key signing and importing tools
How I did it
Add corresponding packages
How to verify it
Verify secure boot state and import keys with mokutil
Sign binaries with sbsign
Check if the following exist:
/usr/lib/shim/shimx64.efi.signed
/usr/lib/grub/x86_64-efi-signed/grubx64.efi.signed