author | Nick Bofferding <bofferdn@us.ibm.com> | 2018-05-30 09:55:33 -0500 |
---|---|---|
committer | William G. Hoffa <wghoffa@us.ibm.com> | 2018-05-31 11:58:17 -0400 |
commit | 6be04f343c79ff5ed826d0e166324af720e7c85e (patch) | |
tree | d8f928c6948f597cb5cddba85f5df7fcc42a5f3a | |
parent | 26d9aed84b0fa281b0f06278fa05a4d42b3b1acd (diff) | |
Secure Boot: Purge SW signature cache for multinode binaries
When signing targeting binaries for multinode systems, the build process
erroneously reuses the SW signature for node 0 when creating the secure header
for other nodes. This change moves the signature purge logic into the loop that
handles multiple nodes' worth of content.
Change-Id: I1e1154cbfb06375c3b62e3710c9bd2384b961076
CQ: SW430711
Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/59548
Reviewed-by: Michael Baiocchi <mbaiocch@us.ibm.com>
Reviewed-by: ILYA SMIRNOV <ismirno@us.ibm.com>
Tested-by: Jenkins Server <pfd-jenkins+hostboot@us.ibm.com>
Tested-by: Jenkins OP Build CI <op-jenkins+hostboot@us.ibm.com>
Tested-by: Jenkins OP HW <op-hw-jenkins+hostboot@us.ibm.com>
Tested-by: FSP CI Jenkins <fsp-CI-jenkins+hostboot@us.ibm.com>
Reviewed-by: William G. Hoffa <wghoffa@us.ibm.com>
-rwxr-xr-x | src/build/buildpnor/genPnorImages.pl | 27 |
1 files changed, 14 insertions, 13 deletions
diff --git a/src/build/buildpnor/genPnorImages.pl b/src/build/buildpnor/genPnorImages.pl index d90f18023..b5633d66f 100755 --- a/src/build/buildpnor/genPnorImages.pl +++ b/src/build/buildpnor/genPnorImages.pl @@ -527,19 +527,6 @@ sub manipulateImages my $componentId = convertEyecatchToCompId($eyeCatch); $CUR_OPEN_SIGN_REQUEST .= " --sign-project-FW-token $componentId "; - # @TODO RTC 182358 - # This is a tactical workaround for the signing tooling not being - # able to handle muliple different platform binary contents for the same - # component ID. The signing tooling should be modified to tolerate this - # scenario, at which point the workaround can be removed. - if ($buildType eq "fspbuild") - { - my @signatureFiles= - glob("$bin_dir/SIGNTOOL_*/$componentId/*sig_p.raw $bin_dir/SIGNTOOL_*/$componentId/*key_p.sig"); - print "Deleting @signatureFiles\n"; - unlink @signatureFiles; - } - # Used for corrupting partitions. By default all protected offsets start # immediately after the container header which is size = PAGE_SIZE. # *Note: this is before ECC. @@ -554,6 +541,20 @@ sub manipulateImages my $nodeIDstr = ""; foreach my $bin_file (@binFilesArray) { + # @TODO RTC 182358 + # This is a tactical workaround for the signing tooling not being + # able to handle muliple different platform binary (or multiple + # node) contents for the same component ID. The signing tooling + # should be modified to tolerate this scenario, at which point the + # workaround can be removed. + if ($buildType eq "fspbuild") + { + my @signatureFiles= + glob("$bin_dir/SIGNTOOL_*/$componentId/*sig_p.raw $bin_dir/SIGNTOOL_*/$componentId/*key_p.sig"); + print "Deleting @signatureFiles\n"; + unlink @signatureFiles; + } + # If there are more than 1 bin files per section, final name should # have a node ID included. if (scalar @binFilesArray > 1) |
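Review bot: the `unlink @signatureFiles;` call in the block added at the top of the `foreach my $bin_file (@binFilesArray)` loop ignores its return value, so a cached `*sig_p.raw` or `*key_p.sig` file that cannot be deleted goes unnoticed and the build carries on with the stale signature cache this commit is meant to purge. `unlink` returns the number of files removed; compare it with `scalar @signatureFiles` and `die` with `$!` on a mismatch so a signing build fails closed instead of producing a secure header from a leftover signature. Two smaller points in the same block: the comment still carries the typo "muliple" from the removed copy, and the `print "Deleting @signatureFiles\n";` line now runs once per bin file even when the glob matched nothing, so consider printing only when the list is non-empty. The purge also remains gated on `$buildType eq "fspbuild"`; it would help to state in the comment why other build types cannot hit the same multinode reuse.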