[Secure Boot] Support to sign swi image (#4627)

* [secure boot] Support to sign swi image * Fix build issue * fix tab format issue * Fix typing issue * Change the sign_image.sh command line * Remove SONIC_CETIFICATE_PATH * Fix bugs
2025-11-02 02:57:45 +00:00 · 2020-06-09 15:25:17 +08:00
parent af81b8ebcd
commit e28cb8f58e
8 changed files with 103 additions and 2 deletions
--- a/scripts/sign_image.sh
+++ b/scripts/sign_image.sh
@@ -0,0 +1,69 @@
+#!/bin/bash -ex
+
+
+IMAGE=""
+SIGNING_KEY=""
+SIGNING_CERT=""
+CA_CERT=""
+
+usage()
+{
+    echo "Usage:  $0 -i <image_path> [-k <signing_key> -c <signing_cert> -a <ca_cert>]"
+    exit 1
+}
+
+generate_signing_key()
+{
+    TMP_CERT_PATH=$(mktemp -d)
+    SIGNING_KEY="${TMP_CERT_PATH}/signing.key"
+    SIGNING_CERT="${TMP_CERT_PATH}/signing.crt"
+    SIGNING_CSR="${TMP_CERT_PATH}/signing.csr"
+    CA_KEY="${TMP_CERT_PATH}/ca.key"
+
+    # Generate the CA key and certificate
+    openssl genrsa -out $CA_KEY 4096
+    openssl req -x509 -new -nodes -key $CA_KEY -sha256 -days 3650 -subj "/C=US/ST=Test/L=Test/O=Test/CN=Test" -out $CA_CERT
+
+    # Generate the signing key, certificate request and certificate
+    openssl genrsa -out $SIGNING_KEY 4096
+    openssl req -new -key $SIGNING_KEY -subj "/C=US/ST=Test/L=Test/O=Test/CN=Test" -out $SIGNING_CSR
+    openssl x509 -req -in $SIGNING_CSR -CA $CA_CERT -CAkey $CA_KEY -CAcreateserial -out $SIGNING_CERT -days 1825 -sha256
+}
+
+while getopts "i:k:c:a:t:" opt; do
+    case $opt in
+        i)
+            IMAGE=$OPTARG
+            ;;
+        k)
+            SIGNING_KEY=$OPTARG
+            ;;
+        c)
+            SIGNING_CERT=$OPTARG
+            ;;
+        a)
+            CA_CERT=$OPTARG
+            ;;
+        *)
+            usage
+            ;;
+    esac
+done
+
+[ -z $CA_CERT ] && echo "Not to sign the image since the CA certificate not provided" 1>&2 && exit 1
+
+# Generate the self signed cert if not provided by input
+[ ! -f $CA_CERT ] && generate_signing_key
+
+# Verify the required files existing
+[ ! -f $SIGNING_KEY ] && echo "$SIGNING_KEY not exist" && exit 1
+[ ! -f $SIGNING_CERT ] && echo "$SIGNING_CERT not exist" && exit 1
+[ ! -f $CA_CERT ] && echo "$CA_CERT not exist" && exit 1
+
+# Prepare the image
+swi-signature prepare $IMAGE
+
+# Sign the image
+swi-signature sign $IMAGE $SIGNING_CERT $CA_CERT --key $SIGNING_KEY
+
+exit 0