secureboot: Enable signing SONiC kernel

Makefile.work

@@ -97,6 +97,17 @@ ifeq ($(PLATFORM_ARCH),)
 	override PLATFORM_ARCH = $(CONFIGURED_ARCH)
 endif
 
+ifeq ($(SECURE_BOOT),)
+    override SECURE_BOOT = no
+endif
+
+SBSIGN_CONF := $(shell [ -f .sbsign.conf ] && cat .sbsign.conf || echo $(SBSIGN_CONF))
+ifneq ($(SBSIGN_CONF),)
+SONIC_SECURE_BOOT = yes
+SONIC_SBSIGN_DIR = $(SBSIGN_CONF)
+SONIC_SBSIGN_MOUNT=$(shell echo $(SONIC_SBSIGN_DIR):$(SONIC_SBSIGN_DIR):ro)
+endif
+
 ifeq ($(BLDENV), bullseye)
 SLAVE_DIR = sonic-slave-bullseye
 else ifeq ($(BLDENV), buster)
@@ -188,6 +199,10 @@ ifneq ($(SONIC_DPKG_CACHE_SOURCE),)
 	DOCKER_RUN += -v "$(SONIC_DPKG_CACHE_SOURCE):/dpkg_cache:rw"
 endif
 
+ifneq ($(SONIC_SBSIGN_MOUNT),)
+	DOCKER_RUN += -v "$(SONIC_SBSIGN_MOUNT)"
+endif
+
 ifeq ($(SONIC_CONFIG_USE_NATIVE_DOCKERD_FOR_BUILD), y)
 ifneq ($(MULTIARCH_QEMU_ENVIRON), y)
     DOCKER_RUN += -v /var/run/docker.sock:/var/run/docker.sock
@@ -263,6 +278,8 @@ SONIC_BUILD_INSTRUCTION :=  make \
                            BUILD_NUMBER=$(BUILD_NUMBER) \
                            BUILD_TIMESTAMP=$(BUILD_TIMESTAMP) \
                            SONIC_IMAGE_VERSION=$(SONIC_IMAGE_VERSION) \
+                           SONIC_SECURE_BOOT=$(SONIC_SECURE_BOOT) \
+                           SONIC_SBSIGN_DIR=$(SONIC_SBSIGN_DIR) \
                            ENABLE_DHCP_GRAPH_SERVICE=$(ENABLE_DHCP_GRAPH_SERVICE) \
                            ENABLE_ZTP=$(ENABLE_ZTP) \
                            INCLUDE_PDE=$(INCLUDE_PDE) \

build_debian.sh

@@ -37,6 +37,7 @@ LINUX_KERNEL_VERSION=5.10.0-8-2
 ## Working directory to prepare the file system
 FILESYSTEM_ROOT=./fsroot
 PLATFORM_DIR=platform
+PLATFORM_SECURITY_CONF=./.sbsign.conf
 ## Hostname for the linux image
 HOSTNAME=sonic
 DEFAULT_USERINFO="Default admin user,,,"
@@ -143,6 +144,31 @@ if [[ $CONFIGURED_ARCH == amd64 ]]; then
     sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get -y install dmidecode hdparm
 fi
 
+## Sign the kernel
+if [ -f $PLATFORM_SECURITY_CONF ]; then
+    sbsign_key_dir=`cat $PLATFORM_SECURITY_CONF`
+
+    if [ -d $sbsign_key_dir ]; then
+        secure_boot_key=`find $sbsign_key_dir -name "*.key"`
+        secure_boot_cert=`find $sbsign_key_dir -name "*.cert"`
+        if [[ ! -f $secure_boot_key ]]; then
+            echo "Error: SONiC linux kernel signing key missing"
+            exit 1
+        fi
+        if [[ ! -f $secure_boot_cert ]]; then
+            echo "Error: SONiC linux kernel signing cert missing"
+            exit 1
+        fi
+
+        echo '[INFO] Signing SONiC linux kernel image'
+        K=$FILESYSTEM_ROOT/boot/vmlinuz-${LINUX_KERNEL_VERSION}-amd64
+        sbsign --key $secure_boot_key --cert $secure_boot_cert --output /tmp/${K##*/} ${K}
+        sudo cp -f /tmp/${K##*/} ${K}
+    else
+        echo '[INFO] Skipping signing SONiC Linux kernel image'
+    fi
+fi
+
 ## Update initramfs for booting with squashfs+overlay
 cat files/initramfs-tools/modules | sudo tee -a $FILESYSTEM_ROOT/etc/initramfs-tools/modules > /dev/null
 

slave.mk

@@ -108,10 +108,12 @@ configure :
 	@mkdir -p $(DPKG_ADMINDIR_PATH)
 	@echo $(PLATFORM) > .platform
 	@echo $(PLATFORM_ARCH) > .arch
+	@echo $(SONIC_SBSIGN_DIR) > .sbsign.conf
 
 distclean : .platform clean
 	@rm -f .platform
 	@rm -f .arch
+	@rm -f .sbsign.conf
 
 list :
 	@$(foreach target,$(SONIC_TARGET_LIST),echo $(target);)
@@ -289,6 +291,7 @@ $(info "SONIC_CONFIG_MAKE_JOBS"          : "$(SONIC_CONFIG_MAKE_JOBS)")
 $(info "SONIC_USE_DOCKER_BUILDKIT"       : "$(SONIC_USE_DOCKER_BUILDKIT)")
 $(info "USERNAME"                        : "$(USERNAME)")
 $(info "PASSWORD"                        : "$(PASSWORD)")
+$(info "SONIC_SECURE_BOOT"               : "$(SONIC_SECURE_BOOT)")
 $(info "ENABLE_DHCP_GRAPH_SERVICE"       : "$(ENABLE_DHCP_GRAPH_SERVICE)")
 $(info "SHUTDOWN_BGP_ON_START"           : "$(SHUTDOWN_BGP_ON_START)")
 $(info "ENABLE_PFCWD_ON_START"           : "$(ENABLE_PFCWD_ON_START)")

sonic-slave-bullseye/Dockerfile.j2

@@ -117,6 +117,7 @@ RUN apt-get update && apt-get install -y \
         devscripts \
         quilt \
         stgit \
+        sbsigntool \
 # For platform-modules build
         module-assistant \
 # For thrift build\

sonic-slave-buster/Dockerfile.j2

@@ -125,6 +125,7 @@ RUN apt-get update && apt-get install -y \
         devscripts \
         quilt \
         stgit \
+        sbsigntool \
 # For platform-modules build
         module-assistant \
 # For thrift build\

sonic-slave-jessie/Dockerfile.j2

@@ -101,6 +101,7 @@ RUN apt-get update && apt-get install -y \
         devscripts \
         quilt \
         stgit \
+        sbsigntool \
 # For platform-modules build
         module-assistant \
 # For thrift build\

sonic-slave-stretch/Dockerfile.j2

@@ -117,6 +117,7 @@ RUN apt-get update && apt-get install -y \
         devscripts \
         quilt \
         stgit \
+        sbsigntool \
 # For platform-modules build
         module-assistant \
 # For thrift build\