authorNick Bofferding <bofferdn@us.ibm.com>2017-11-15 00:04:34 -0600
committerDaniel M. Crowell <dcrowell@us.ibm.com>2017-11-19 13:10:13 -0500
commit9470c51fc4861bd7fcb0c68d8eade5dc62f1fa5e (patch)
treebf5420075bcbd701b0099d8394e71106189f5a90
parent48b14aae87046c5bb8391aa7e0bfca9a81cd37b8 (diff)
downloadtalos-hostboot-9470c51fc4861bd7fcb0c68d8eade5dc62f1fa5e.tar.gz
talos-hostboot-9470c51fc4861bd7fcb0c68d8eade5dc62f1fa5e.zip
Secure Boot: Support FSP/HB standalone production signing
Change-Id: I6eaec8fdc4dab8a7343de0c62352c7d92024ec1d RTC: 180781 Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/49698 Reviewed-by: Michael Baiocchi <mbaiocch@us.ibm.com> Tested-by: Jenkins Server <pfd-jenkins+hostboot@us.ibm.com> Tested-by: Jenkins OP Build CI <op-jenkins+hostboot@us.ibm.com> Tested-by: Jenkins OP HW <op-hw-jenkins+hostboot@us.ibm.com> Reviewed-by: Stephen M. Cprek <smcprek@us.ibm.com> Tested-by: FSP CI Jenkins <fsp-CI-jenkins+hostboot@us.ibm.com> Reviewed-by: Daniel M. Crowell <dcrowell@us.ibm.com>
-rwxr-xr-xsrc/build/mkrules/hbfw/img/makefile11
1 files changed, 8 insertions, 3 deletions
diff --git a/src/build/mkrules/hbfw/img/makefile b/src/build/mkrules/hbfw/img/makefile
index 69846a142..5aab72e81 100755
--- a/src/build/mkrules/hbfw/img/makefile
+++ b/src/build/mkrules/hbfw/img/makefile
@@ -149,6 +149,10 @@ GEN_PNOR_IMAGE_SCRIPT = ${genPnorImages.pl:P}
# [a-zA-Z0-9,._+:@%/-]
RH_DIR%=${DUMMY:!sed "s/\^.\*release \\\(\[0-9\]\*\\\)\..\*\$/rh\\1/\" /etc/redhat-release!e}
+# Use Secure Boot development signing if not specified in the environment
+BR2_OPENPOWER_SECUREBOOT_SIGN_MODE?=development
+SIGN_MODE_ARG=--sign-mode ${BR2_OPENPOWER_SECUREBOOT_SIGN_MODE}
+
# Concatenate the base path, Redhat specific dir, and tool subdir to form the
# complete signing tools path
SIGNING_DIR%=${SIGNING_BASE_DIR}/${RH_DIR}/${SIGNING_UTILS_DIR}
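Review bot: `BR2_OPENPOWER_SECUREBOOT_SIGN_MODE` comes from the environment and is expanded unquoted into `SIGN_MODE_ARG`, which this commit appends to the shell command lines of the `gen_default_images` and `gen_system_specific_images_bypass_cache` recipes, and nothing visible in these hunks restricts it to a known mode. An empty or misspelled value reaches `--sign-mode` unchanged, and a value containing whitespace or shell metacharacters would be split or interpreted by the shell before the image script sees it. I would test the value with a `.if` check before it is used and stop the build when it is not an accepted mode (presumably `development` and `production`, going by the commit title; confirm against the image script). The comment should also list the accepted values, e.g. `# Secure Boot signing mode: development (default) or production, taken from the environment`. Because of the `?=` default, a production build whose environment fails to propagate the variable falls back to development signing without an error, so the release process should verify the "Signing mode" line that `dump-secureboot-config` prints.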
@@ -159,7 +163,7 @@ SIGNING_LIBS%=${SIGNING_DIR}/libssl.so:${SIGNING_DIR}/libcrypto.so
# Put signing tool dir in the path so child programs can be located.
# Additionally, put /usr/bin at the front to prevent certain CI situations from
# using old openssl binaries.
-PATH%=/usr/bin:${SIGNING_DIR}:${PATH}
+PATH%=/usr/bin:${SIGNING_DIR}:${SIGNING_DIR}/../sb-signing-framework/sb-signing-framework/src/client:${PATH}
# Dump information about the Secure Boot configuration
dump-secureboot-config : .FORCEBLD
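Review bot: The new `PATH` entry is reached through `${SIGNING_DIR}/..`, and `SIGNING_DIR` is built as `${SIGNING_BASE_DIR}/${RH_DIR}/${SIGNING_UTILS_DIR}`, so the directory it resolves to changes if `SIGNING_UTILS_DIR` ever holds more than one path component. Spelling it from the base, `${SIGNING_BASE_DIR}/${RH_DIR}/sb-signing-framework/sb-signing-framework/src/client`, would make the location explicit, assuming `SIGNING_UTILS_DIR` is a single component today. The entry is also added unconditionally and ahead of the inherited `${PATH}`, so any executable in that `src/client` directory takes precedence during signing even in development mode. If it is only needed for production signing, consider adding it only in that mode, and confirm the directory is not writable by other users on shared build hosts. The comment above the assignment still explains only `/usr/bin` and the signing tool dir; add a line such as `# The sb-signing-framework client dir is added so the signing client can be located` (wording to be confirmed by the author).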
@@ -171,6 +175,7 @@ Secure Boot Signing Config:\n\
Final signing dir [${SIGNING_DIR}]\n\
Development key dir [${DEV_KEY_DIR}]\n\
Signing edition [${SIGNING_TOOL_EDITION}]\n\
+ Signing mode [${BR2_OPENPOWER_SECUREBOOT_SIGN_MODE}]\n\
Compile secureboot? [${CONFIG_SECUREBOOT}]\n\
Libs to preload [${SIGNING_LIBS}]\n\
Path [${PATH}]\n\n"
@@ -243,7 +248,7 @@ gen_default_images: ${GEN_DEFAULT_IMAGES_DEPS}
# result [hbbl][pad:8:if-applicable][securerom-size:8][securerom]
# Call script to generate final bin files for default images
- export LD_PRELOAD=${SIGNING_LIBS} && ${GEN_PNOR_IMAGE_SCRIPT} ${DEFAULT_PARAMS} ${BUILD_TYPE_PARAMS} ${KEY_TRANSITION_MODE_PARAMS}
+ export LD_PRELOAD=${SIGNING_LIBS} && ${GEN_PNOR_IMAGE_SCRIPT} ${DEFAULT_PARAMS} ${BUILD_TYPE_PARAMS} ${KEY_TRANSITION_MODE_PARAMS} ${SIGN_MODE_ARG}
clobber_cp_hbfiles:
rm -f ${ALL_DEFAULT_IMAGES}
@@ -396,7 +401,7 @@ ZEPPELIN_HBD_FINAL_IMG = ZEPPELIN.HBD.bin
gen_system_specific_images_bypass_cache : dump-secureboot-config
# Call script to generate final bin file for chip/system specific images
- export LD_PRELOAD=${SIGNING_LIBS} && ${GEN_PNOR_IMAGE_SCRIPT} ${SYSTEM_SPECIFIC_PARAMS} ${BUILD_TYPE_PARAMS}
+ export LD_PRELOAD=${SIGNING_LIBS} && ${GEN_PNOR_IMAGE_SCRIPT} ${SYSTEM_SPECIFIC_PARAMS} ${BUILD_TYPE_PARAMS} ${SIGN_MODE_ARG}
#for NIMBUS fake pnor skip version header
.if(${FAKEPNOR} != "")