From aa01630841bd0179dab1951ac2fab87f15480727 Mon Sep 17 00:00:00 2001 From: abdosi <58047199+abdosi@users.noreply.github.com> Date: Tue, 29 Aug 2023 13:41:01 -0700 Subject: [PATCH] [build]: Added flag in sonic_version.yml to see if image is secured or non-secured (#16191) What I did: Added flag in sonic_version.yml to see if compiled image is secured or non-secured. This is done using build/compile time environmental variable SECURE_UPGRADE_MODE as define in HLD: https://github.com/sonic-net/SONiC/blob/master/doc/secure_boot/hld_secure_boot.md This flag does not provide the runtime status of whether the image has booted securely or not. It's possible that compile time signed image (secured image) can boot on non secure platform. Why I did: Flag can be used for manual check or by the test case. ADO: 24319390 How I verify: Manual Verification --- build_version: 'master-16191.346262-cdc5e72a3' debian_version: '11.7' kernel_version: '5.10.0-18-2-amd64' asic_type: broadcom asic_subtype: 'broadcom' commit_id: 'cdc5e72a3' branch: 'master-16191' release: 'none' build_date: Fri Aug 25 03:15:45 UTC 2023 build_number: 346262 built_by: AzDevOps@vmss-soni001UR5 libswsscommon: 1.0.0 sonic_utilities: 1.2 sonic_os_version: 11 secure_boot_image: 'no' Signed-off-by: Abhishek Dosi --- files/build_templates/sonic_version.yml.j2 | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/files/build_templates/sonic_version.yml.j2 b/files/build_templates/sonic_version.yml.j2 index 8b829feeed00..510b3d3c6044 100644 --- a/files/build_templates/sonic_version.yml.j2 +++ b/files/build_templates/sonic_version.yml.j2 @@ -30,3 +30,8 @@ built_by: {{ built_by }} asan: 'yes' {% endif -%} sonic_os_version: {{ sonic_os_version }} +{% if SECURE_UPGRADE_MODE == "dev" or SECURE_UPGRADE_MODE == "prod" -%} +secure_boot_image: 'yes' +{% else -%} +secure_boot_image: 'no' +{% endif -%}