diff options
author | Nick Bofferding <bofferdn@us.ibm.com> | 2017-04-20 09:45:03 -0500 |
---|---|---|
committer | Daniel M. Crowell <dcrowell@us.ibm.com> | 2017-04-28 14:18:14 -0400 |
commit | 21187e0ac2c55cd238b915a0d1c9e80ff2fbaacd (patch) | |
tree | a44d87c3eca5517716c75fad1e5f5a82d7486ec5 /src/build/buildpnor/genPnorImages.pl | |
parent | 70907451b700daaa7c3960e03dc7fd69dc478270 (diff) | |
download | talos-hostboot-21187e0ac2c55cd238b915a0d1c9e80ff2fbaacd.tar.gz talos-hostboot-21187e0ac2c55cd238b915a0d1c9e80ff2fbaacd.zip |
Support signing SBE code with lab override bit
Change-Id: Ibeef78b9b63d4e148b7ef44691c43987bcb52b2a
RTC: 170650
Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/39475
Tested-by: Jenkins Server <pfd-jenkins+hostboot@us.ibm.com>
Reviewed-by: Michael Baiocchi <mbaiocch@us.ibm.com>
Reviewed-by: Stephen M. Cprek <smcprek@us.ibm.com>
Tested-by: Jenkins OP Build CI <op-jenkins+hostboot@us.ibm.com>
Tested-by: FSP CI Jenkins <fsp-CI-jenkins+hostboot@us.ibm.com>
Reviewed-by: Daniel M. Crowell <dcrowell@us.ibm.com>
Diffstat (limited to 'src/build/buildpnor/genPnorImages.pl')
-rwxr-xr-x | src/build/buildpnor/genPnorImages.pl | 63 |
1 files changed, 59 insertions, 4 deletions
diff --git a/src/build/buildpnor/genPnorImages.pl b/src/build/buildpnor/genPnorImages.pl index a9052c972..5edc38d0a 100755 --- a/src/build/buildpnor/genPnorImages.pl +++ b/src/build/buildpnor/genPnorImages.pl @@ -79,6 +79,8 @@ use constant OP_SIGNING_FLAG => " -flags "; # Security bits HW flag strings use constant OP_BUILD_FLAG => 0x80000000; use constant FIPS_BUILD_FLAG => 0x40000000; +# Applies to SBE image only +use constant LAB_SECURITY_OVERRIDE_FLAG => 0x00080000; use constant KEY_TRANSITION_FLAG => 0x00000001; # Size of HW keys' Hash use constant HW_KEYS_HASH_SIZE => 64; @@ -120,6 +122,12 @@ my $sb_signing_config_file = ""; my $hwKeyHashFile = ""; my $hb_standalone=""; +# @TODO RTC 170650: Set default to 0 after all environments provide external +# control over this policy, plus remove '!' from 'lab-security-override' +# command line option as well as documentation for +# '--no-lab-security-override' +my $labSecurityOverride = 1; + GetOptions("binDir:s" => \$bin_dir, "secureboot" => \$secureboot, "test" => \$testRun, @@ -133,6 +141,7 @@ GetOptions("binDir:s" => \$bin_dir, "sb-signing-config-file:s" => \$sb_signing_config_file, "hwKeyHashFile:s" => \$hwKeyHashFile, "hb-standalone" => \$hb_standalone, + "lab-security-override!" => \$labSecurityOverride, "help" => \$help); if ($help) @@ -185,6 +194,21 @@ elsif ($key_transition ne "") die "Invalid key transition mode = $key_transition"; } +my $labSecurityOverrideFlag = 0; +if($labSecurityOverride) +{ + if($signMode{$DEVELOPMENT}) + { + $labSecurityOverrideFlag = LAB_SECURITY_OVERRIDE_FLAG; + } + else + { + $labSecurityOverride = 0; + print "WARNING! Lab security override only valid in development/" + . "imprint mode, continuing with lab security override disabled.\n"; + } +} + if ($secureboot) { # Ensure all values of partitionsToCorrupt hash are valid. @@ -302,6 +326,11 @@ my %sb_hdrs = ( prefix => $SIGN_PREFIX_PARAMS, file => "$bin_dir/$randPrefix.default.secureboot.hdr.bin" }, + SBE => { + flags => sprintf("0x%08X",($buildFlag | $labSecurityOverrideFlag)), + prefix => $SIGN_PREFIX_PARAMS, + file => "$bin_dir/$randPrefix.sbe.default.secureboot.hdr.bin" + }, SBKT => { outer => { flags => sprintf("0x%08X", $buildFlag | KEY_TRANSITION_FLAG), @@ -322,7 +351,7 @@ my %sb_hdrs = ( # Print all settings in one print statement to avoid parallel build to mess # up output. -my $SETTINGS = "\n//========== Generate PNOR Image Settings ==========/\n"; +my $SETTINGS = "\n//============= Generate PNOR Image Settings ===========//\n"; $SETTINGS .= "PNOR Layout = ".$pnorLayoutFile."\n"; $SETTINGS .= $build_all ? "Build Phase = build_all\n" : ""; $SETTINGS .= $install_all ? "Build Phase = install_all\n" : ""; @@ -331,7 +360,9 @@ $SETTINGS .= $secureboot ? "Secureboot = Enabled\n" : "Secureboot = Disabled\n"; $SETTINGS .= %partitionsToCorrupt && $secureboot ? "Corrupt Partitions: ".Dumper \%partitionsToCorrupt : ""; $SETTINGS .= $secureboot ? "Sign Mode = $sign_mode\n" : "Sign Mode = NA\n"; $SETTINGS .= $key_transition && $secureboot ? "Key Transition Mode = $key_transition\n" : "Key Transition Mode = NA\n"; -$SETTINGS .= "//====================================================//\n\n"; +$SETTINGS .= "Lab security override (valid for SBE partition only) = "; +$SETTINGS .= $labSecurityOverride ? "Yes\n" : "No\n"; +$SETTINGS .= "//======================================================//\n\n"; print $SETTINGS; if($secureboot && !$openSigningTool) @@ -519,8 +550,15 @@ sub manipulateImages $isSpecialSecure ||= ($eyeCatch eq "HBBL"); #$isSpecialSecure ||= ($eyeCatch eq "HBI"); - my $openSigningFlags = OP_SIGNING_FLAG.$sb_hdrs{DEFAULT}{flags}; - my $secureboot_hdr = $sb_hdrs{DEFAULT}{file}; + # If there is a non-default header for this section, use it instead + my $header = $sb_hdrs{DEFAULT}; + if(exists $sb_hdrs{$eyeCatch}) + { + $header = $sb_hdrs{$eyeCatch}; + } + + my $openSigningFlags = OP_SIGNING_FLAG.$header->{flags}; + my $secureboot_hdr = $header->{file}; my $CUR_OPEN_SIGN_REQUEST = "$OPEN_SIGN_REQUEST $openSigningFlags"; if ($signMode{$PRODUCTION}) @@ -1160,6 +1198,23 @@ print <<"ENDUSAGE"; Note: "--sign-mode production" is not allowed with "--key-transition imprint" With [--test] will transition to test dev keys, which are a fixed permutation of imprint keys. --sb-signing-config-file Path to ini-formatted config file for production signing + --lab-security-override If signing SBE image, set bit in signing + header which turns on security override + checking in the SBE the next time it is + updated and invoked. When security + override checking is enabled, SBE will + check mailbox scratch register 3 bit 6 and + if set, disable security. Otherwise, it + will retain the existing security + settings. NOTE: Only allowed for + development/imprint signed images. + --no-lab-security-override If signing SBE image, clear bit in signing + header which disables security override + checking in the SBE the next time it is + updated and invoked. When security + override checking is disabled, the only + way to bypass security is by manipulating + physical jumpers on the system planar. Current Limitations: - Issues with dependency on ENGD build for certain files such as SBE. This is why [--build-all | --install-all ] are used. |