Skip to content

Commit

Permalink
[build]: Added flag in sonic_version.yml to see if image is secured o…
Browse files Browse the repository at this point in the history
…r non-secured (#16191)

What I did:

Added flag in sonic_version.yml to see if compiled image is secured or non-secured. This is done using build/compile time environmental variable SECURE_UPGRADE_MODE as define in HLD: https://github.com/sonic-net/SONiC/blob/master/doc/secure_boot/hld_secure_boot.md

This flag does not provide the runtime status of whether the image has booted securely or not. It's possible that compile time signed image (secured image) can boot on non secure platform.

Why I did:
Flag can be used for manual check or by the test case.

ADO: 24319390

How I verify:
Manual Verification

---
build_version: 'master-16191.346262-cdc5e72a3'
debian_version: '11.7'
kernel_version: '5.10.0-18-2-amd64'
asic_type: broadcom
asic_subtype: 'broadcom'
commit_id: 'cdc5e72a3'
branch: 'master-16191'
release: 'none'
build_date: Fri Aug 25 03:15:45 UTC 2023
build_number: 346262
built_by: AzDevOps@vmss-soni001UR5
libswsscommon: 1.0.0
sonic_utilities: 1.2
sonic_os_version: 11
secure_boot_image: 'no'

Signed-off-by: Abhishek Dosi <abdosi@microsoft.com>
  • Loading branch information
abdosi authored and mssonicbld committed Jan 18, 2024
1 parent 9f81d9d commit aa01630
Showing 1 changed file with 5 additions and 0 deletions.
5 changes: 5 additions & 0 deletions files/build_templates/sonic_version.yml.j2
Original file line number Diff line number Diff line change
Expand Up @@ -30,3 +30,8 @@ built_by: {{ built_by }}
asan: 'yes'
{% endif -%}
sonic_os_version: {{ sonic_os_version }}
{% if SECURE_UPGRADE_MODE == "dev" or SECURE_UPGRADE_MODE == "prod" -%}
secure_boot_image: 'yes'
{% else -%}
secure_boot_image: 'no'
{% endif -%}

0 comments on commit aa01630

Please sign in to comment.