Secure upgrade #2337

Merged
merged 9 commits into from
Jan 30, 2023
fixed minor issues
ycoheNvidia committed Aug 23, 2022
commit 6504dd89b7fb754c138fc9e8bff3cc8a5c085f53
2 changes: 1 addition & 1 deletion scripts/verify_image_sign.sh
@@ -14,7 +14,7 @@ else
exit 0
fi

. /usr/local/bin/verify_image_common.sh
. /usr/local/bin/verify_image_sign_common.sh

if [ ${SECURE_UPGRADE_ENABLED} -eq 0 ]; then
echo "secure boot not enabled - exiting without image verification"
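Review bot: the sourced helper `/usr/local/bin/verify_image_sign_common.sh` is not checked for existence or for a successful source, and the next test uses `${SECURE_UPGRADE_ENABLED}` unquoted, so a missing or incomplete helper turns the test into `[ -eq 0 ]`, which is an error from `[` rather than an explicit decision about whether to verify. Since this branch is the one that exits without image verification, make the outcome deliberate: check the file first (for example `[ -r /usr/local/bin/verify_image_sign_common.sh ] || exit 1`) and quote the variable with an explicit default, such as `[ "${SECURE_UPGRADE_ENABLED:-1}" -eq 0 ]`, choosing the default so that an unset value cannot skip verification. The logged text also says secure boot while the variable is named for secure upgrade; aligning the message with the variable would make the log unambiguous.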
15 changes: 8 additions & 7 deletions sonic_installer/main.py
@@ -959,18 +959,19 @@ def verify_next_image():


def _verify_signature(image_path):
script_path = os.path.join('usr', 'local', 'bin', 'verify_image_sign.sh')
verification_script_name = 'verify_image_sign.sh'
script_path = os.path.join('/usr', 'local', 'bin', verification_script_name)
if not os.path.exists(script_path):
echo_and_log("No need to verify mock image")
return True
script_path = os.path.join(os.path.dirname(__file__), '..', 'scripts', verification_script_name)
if not os.path.exists(script_path):
echo_and_log("Unable to find verification script")
return False
verification_result = subprocess.Popen([script_path, image_path], stdout=subprocess.PIPE, stderr=subprocess.PIPE)
stdout, stderr = verification_result.communicate()
if verification_result.returncode != 0:
echo_and_log(stdout, LOG_ERR)
echo_and_log(stderr, LOG_ERR)
echo_and_log(str(stdout) + " " + str(stderr), LOG_ERR)
else:
echo_and_log(stdout)
echo_and_log(stderr)
echo_and_log(str(stdout) + " " + str(stderr))
return verification_result.returncode == 0
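Review bot: in `_verify_signature`, when `/usr/local/bin/verify_image_sign.sh` is absent the lookup falls back to `os.path.join(os.path.dirname(__file__), '..', 'scripts', verification_script_name)` and executes whatever is found there, so the script that decides whether an image is trusted can come from a second location. If the fallback exists only for tests, say so in a comment and consider gating it on a test flag; otherwise document why both locations are equally trusted. Two smaller points in the same hunk: `stdout` and `stderr` come from `Popen` with pipes and no text mode, so under Python 3 `str(stdout) + " " + str(stderr)` logs the `b'...'` repr with escaped newlines, and decoding (for example `stdout.decode(errors='replace')`) would keep the log readable; and the "Unable to find verification script" message precedes `return False` but is logged without `LOG_ERR`, unlike the other failure path.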