Support to upgrade the FIPS config during the reboot #2998

wants to merge 2 commits into
base: master
2 changes: 2 additions & 0 deletions scripts/fast-reboot
Expand Up @@ -588,6 +588,8 @@ save_counters_folder

unload_kernel

upgrade-fips-config

setup_reboot_variables

reboot_pre_check
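Review bot: The new `upgrade-fips-config` call in this hunk has no status check, so if the helper is not on PATH or its bootloader edit fails, the reboot still proceeds with the next image's FIPS setting unchanged and nothing but a stderr line to show for it; the identical call in scripts/reboot has the same gap. Whether fast-reboot runs under `set -e` is not visible in this hunk; either way an explicit check such as `upgrade-fips-config || echo "upgrade-fips-config failed; next image FIPS setting not updated" >&2` makes the outcome visible, and a hard failure before `reboot_pre_check` would be the stricter choice given that the setting decides whether FIPS enforcement is active after boot. Note also that the call runs before `reboot_pre_check`, so the next image's boot configuration is rewritten even when the pre-check later aborts the reboot.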
2 changes: 2 additions & 0 deletions scripts/reboot
Expand Up @@ -197,6 +197,8 @@ fi

debug "User requested rebooting device ..."

upgrade-fips-config

check_conflict_boot_in_fw_update

setup_reboot_variables
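--- /dev/null
+++ b/scripts/upgrade-fips-config
@@ -0,0 +1,50 @@
+#!/bin/bash
+
+function set_fips_option()
+{
+GOLDEN_CONFIG=/host/old_config/golden_config_db.json
+CUR_SONIC_IMAGE=$(sonic-installer list | grep "Current: " | cut -d ' ' -f 2)
+NEXT_SONIC_IMAGE=$(sonic-installer list | grep "Next: " | cut -d ' ' -f 2)
+IMAGE_NAME="image-${NEXT_SONIC_IMAGE#SONiC-OS-}"
+IMAGE_PATH="/host/$IMAGE_NAME"
+NEXT_IMAGE_VERSION=$(echo $NEXT_SONIC_IMAGE | cut -c 1-6)
+
+# Skip to set fips option if not in upgrading
+if [ "$CUR_SONIC_IMAGE" == "$NEXT_SONIC_IMAGE" ]; then
+return
+fi
+
+# Skip to set fips option if the next image version is lower 202305
+if [[ "$NEXT_IMAGE_VERSION" -lt "202305" ]];then
+echo "Skipped to set fips for the next version $next_image_version less than 202305."
+return
+fi
+# Check if config exists
+if [ ! -f $GOLDEN_CONFIG ]; then
+echo "Skipped to set fips for the config file $GOLDEN_CONFIG not found."
+return
+fi
+
+# Check if FIPS
+FIPS=$(cat $GOLDEN_CONFIG | python -c 'import sys, json; print(json.load(sys.stdin)["FIPS"]["global"]["enforce"].lower())' 2>/dev/null)
+if [ -z "$FIPS" ]; then
+echo "Skipped to set fips for the fips not enabled"
+return
+fi
+
+echo "The FIPS option is $FIPS."
+FIPS=0
+[ "$FIPS" == "true" ] && FIPS=1
+
+echo "Set FIPS option to $FIPS"
+if grep -q "Aboot=" /proc/cmdline; then
+sed -iE -e "s/sonic_fips=.//" -e "s/$/sonic_fips=$FIPS/" $IMAGE_PATH/kernel-cmdline
+elif [ -f /host/grub/grub.cfg ]; then
+sed -iE -e "/^\s+linux\s+\/$IMAGE_NAME\// s/sonic_fips=. *//" -e "/^\s+linux\s+\/$IMAGE_NAME\// s/$/sonic_fips=$FIPS/" /host/grub/grub.cfg
+elif [ -n $(which fw_setenv) ]; then
+linuxargs=$(fw_printenv linuxargs | sed -E -e "s/sonic_fips=.//" -e "s/$/sonic_fips=$FIPS/")
+fw_setenv linuxargs "$linuxargs"
+fi
+}
+
+set_fips_option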
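Review bot: `FIPS=0` on the line before `[ "$FIPS" == "true" ] && FIPS=1` overwrites the value just read from the golden config, so the comparison is always false and the next image is always booted with `sonic_fips=0`; an enforce=true setting is never carried across the upgrade, which defeats the purpose of the script. Two more lines break the rest of the function: `NEXT_IMAGE_VERSION=$(echo $NEXT_SONIC_IMAGE | cut -c 1-6)` takes the first six characters of a string that, as the `${NEXT_SONIC_IMAGE#SONiC-OS-}` strip two lines above shows, starts with the image prefix, so the `-lt 202305` test arithmetically evaluates `SONiC-` and errors instead of comparing the version (the message on the next line also prints the undefined `$next_image_version`); and `sed -iE` is read by GNU sed as `-i` with backup suffix `E`, so extended regex is not enabled, the `\s+linux\s+` address never matches in grub.cfg, and `grub.cfgE` / `kernel-cmdlineE` copies are left behind in /host. `[ -n $(which fw_setenv) ]` is also true when `fw_setenv` is absent, because `[ -n ]` with no operand succeeds, and `fw_printenv` then fails. Whether `s/$/sonic_fips=$FIPS/` needs a leading space depends on the existing cmdline ending in one, which I cannot tell from here; the rewrite below assumes it does not and removes any surrounding space with the old value.
```shell
# … unchanged: GOLDEN_CONFIG, CUR/NEXT_SONIC_IMAGE, IMAGE_NAME, IMAGE_PATH …
NEXT_IMAGE_VERSION=${IMAGE_NAME#image-}
NEXT_IMAGE_VERSION=${NEXT_IMAGE_VERSION:0:6}
# … unchanged: not-upgrading check …
if [[ "$NEXT_IMAGE_VERSION" -lt "202305" ]]; then
    echo "Skipped to set fips for the next version $NEXT_IMAGE_VERSION less than 202305."
    return
fi
# … unchanged: golden config presence check and JSON read into FIPS …
echo "The FIPS option is $FIPS."
if [ "$FIPS" == "true" ]; then
    FIPS=1
else
    FIPS=0
fi

echo "Set FIPS option to $FIPS"
if grep -q "Aboot=" /proc/cmdline; then
    sed -i -E -e "s/ *sonic_fips=.//" -e "s/$/ sonic_fips=$FIPS/" "$IMAGE_PATH/kernel-cmdline"
elif [ -f /host/grub/grub.cfg ]; then
    sed -i -E -e "/^\s+linux\s+\/$IMAGE_NAME\// s/ *sonic_fips=.//" -e "/^\s+linux\s+\/$IMAGE_NAME\// s/$/ sonic_fips=$FIPS/" /host/grub/grub.cfg
elif command -v fw_setenv >/dev/null 2>&1; then
    # … unchanged: fw_printenv / fw_setenv linuxargs …
fi
```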
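--- a/setup.py
+++ b/setup.py
@@ -187,7 +187,8 @@
 'scripts/verify_image_sign.sh',
 'scripts/verify_image_sign_common.sh',
 'scripts/check_db_integrity.py',
-'scripts/sysreadyshow'
+'scripts/sysreadyshow',
+'scripts/upgrade-fips-config'
 ],
 entry_points={
 'console_scripts': [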