Added check for image verification support

sonic-net · Jun 21, 2023 · 7062ef1 · 7062ef1
1 parent 4d32280
commit 7062ef1
Show file tree

Hide file tree

Showing 8 changed files with 39 additions and 11 deletions.
diff --git a/scripts/verify_image_sign.sh b/scripts/verify_image_sign.sh
@@ -14,13 +14,13 @@ else
     exit 0
 fi
 
-. /usr/local/bin/verify_image_sign_common.sh
-
 if [ ${SECURE_UPGRADE_ENABLED} -eq 0 ]; then
     echo "secure boot not enabled - exiting without image verification"
     exit 0
 fi
 
+. /usr/local/bin/verify_image_sign_common.sh
+
 clean_up ()
 {
     if  [ -d ${EFI_CERTS_DIR} ]; then rm -rf ${EFI_CERTS_DIR}; fi

diff --git a/sonic_installer/bootloader/bootloader.py b/sonic_installer/bootloader/bootloader.py
@@ -79,6 +79,9 @@ def verify_image_sign(self, image_path):
         """verify image signature is valid"""
         raise NotImplementedError
 
+    def is_secure_upgrade_image_verification_supported(self):
+        return False
+
     @classmethod
     def detect(cls):
         """returns True if the bootloader is in use"""

diff --git a/sonic_installer/bootloader/grub.py b/sonic_installer/bootloader/grub.py
@@ -153,6 +153,30 @@ def verify_image_platform(self, image_path):
         # Check if platform is inside image's target platforms
         return self.platform_in_platforms_asic(platform, image_path)
 
+    def is_secure_upgrade_image_verification_supported(self):
+
+        check_if_verification_is_enabled_and_supported_code = '''
+        SECURE_UPGRADE_ENABLED=0
+        if [ -d "/sys/firmware/efi/efivars" ]; then
+            if ! [ -n "$(ls -A /sys/firmware/efi/efivars 2>/dev/null)" ]; then
+                mount -t efivarfs none /sys/firmware/efi/efivars 2>/dev/null
+            fi
+            SECURE_UPGRADE_ENABLED=$(bootctl status 2>/dev/null | grep -c "Secure Boot: enabled")
+        else
+            echo "efi not supported - exiting without verification"
+            exit 1
+        fi
+
+        if [ ${SECURE_UPGRADE_ENABLED} -eq 0 ]; then
+            echo "secure boot not enabled - exiting without image verification"
+            exit 1
+        fi
+        exit 0
+        '''
+        verification_result = subprocess.run(['bash', '-c', check_if_verification_is_enabled_and_supported_code], check=True, capture_output=True)
+        click.echo(str(verification_result.stdout) + " " + str(verification_result.stderr))
+        return verification_result.returncode == 0
+
     def verify_image_sign(self, image_path):
         click.echo('Verifying image signature')
         verification_script_name = 'verify_image_sign.sh'

diff --git a/sonic_installer/main.py b/sonic_installer/main.py
@@ -577,16 +577,14 @@ def install(url, force, skip_platform_check=False, skip_migration=False, skip_pa
                 "Aborting...", LOG_ERR)
             raise click.Abort()
 
-        # Calling verification script by default - signature will be checked if enabled in bios
-        echo_and_log("Verifing image {} signature...".format(binary_image_version))
-        try:
+        if bootloader.is_secure_upgrade_image_verification_supported():
+            echo_and_log("Verifing image {} signature...".format(binary_image_version))
             if not bootloader.verify_image_sign(image_path):
                 echo_and_log('Error: Failed verify image signature', LOG_ERR)
                 raise click.Abort()
             else:
                 echo_and_log('Verification successful')
-        except NotImplementedError:
-            echo_and_log('Image verification not impelmented, continue image install without it')
+
         echo_and_log("Installing image {} and setting it as default...".format(binary_image_version))
         with SWAPAllocator(not skip_setup_swap, swap_mem_size, total_mem_threshold, available_mem_threshold):
             bootloader.install_image(image_path)

diff --git a/tests/installer_bootloader_aboot_test.py b/tests/installer_bootloader_aboot_test.py
@@ -96,9 +96,10 @@ def test_set_fips_aboot():
 def test_verify_image_sign():
     bootloader = aboot.AbootBootloader()
     return_value = None
+    is_supported = bootloader.is_secure_upgrade_image_verification_supported()
     try:
         return_value = bootloader.verify_image_sign(exp_image)
     except NotImplementedError:
-        pass
+        assert not is_supported
     else:
         assert False, "Wrong return value from verify_image_sign, returned" + str(return_value)
diff --git a/tests/installer_bootloader_grub_test.py b/tests/installer_bootloader_grub_test.py
@@ -93,6 +93,6 @@ def test_verify_image():
 
     bootloader = grub.GrubBootloader()
     image = f'{grub.IMAGE_PREFIX}expeliarmus-{grub.IMAGE_PREFIX}abcde'
-
+    assert bootloader.is_secure_upgrade_image_verification_supported()
     # command should fail
     assert not bootloader.verify_image_sign(image)
diff --git a/tests/installer_bootloader_onie_test.py b/tests/installer_bootloader_onie_test.py
@@ -19,9 +19,10 @@ def test_get_current_image(re_search):
 def test_verify_image_sign():
     bootloader = onie.OnieInstallerBootloader()
     return_value = None
+    is_supported = bootloader.is_secure_upgrade_image_verification_supported()
     try:
         return_value = bootloader.verify_image_sign('some_path.path')
     except NotImplementedError:
-        pass
+        assert not is_supported
     else:
         assert False, "Wrong return value from verify_image_sign, returned" + str(return_value)
diff --git a/tests/installer_bootloader_uboot_test.py b/tests/installer_bootloader_uboot_test.py
@@ -146,9 +146,10 @@ def test_verify_image_sign():
     bootloader = uboot.UbootBootloader()
     image = 'test-image'
     return_value = None
+    is_supported = bootloader.is_secure_upgrade_image_verification_supported()
     try:
         return_value = bootloader.verify_image_sign(image)
     except NotImplementedError:
-        pass
+        assert not is_supported
     else:
         assert False, "Wrong return value from verify_image_sign, returned" + str(return_value)