author | Nick Bofferding <bofferdn@us.ibm.com> | 2017-04-22 17:15:03 -0500 |
---|---|---|
committer | Daniel M. Crowell <dcrowell@us.ibm.com> | 2017-05-08 14:12:48 -0400 |
commit | 8527fc2b9549b9b6782fdffde29ff8713e677bc4 (patch) | |
tree | eb277c60fcf28eec2116546c2ce4be6ca4a53144 /src/build/buildpnor/genPnorImages.pl | |
parent | b93bb1c4e5151e309231a6b667bc98deaf98572f (diff) | |
download | talos-hostboot-8527fc2b9549b9b6782fdffde29ff8713e677bc4.tar.gz talos-hostboot-8527fc2b9549b9b6782fdffde29ff8713e677bc4.zip |
Support gracefully adding signing headers to PNOR sections
Change-Id: Ie8ce7672a41c0b6230918911f59ada5443c552f5
RTC: 170650
CMVC-Coreq: 1022416
Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/39869
Reviewed-by: Stephen M. Cprek <smcprek@us.ibm.com>
Tested-by: Jenkins Server <pfd-jenkins+hostboot@us.ibm.com>
Reviewed-by: Michael Baiocchi <mbaiocch@us.ibm.com>
Tested-by: FSP CI Jenkins <fsp-CI-jenkins+hostboot@us.ibm.com>
Tested-by: Jenkins OP Build CI <op-jenkins+hostboot@us.ibm.com>
Reviewed-by: Daniel M. Crowell <dcrowell@us.ibm.com>
Diffstat (limited to 'src/build/buildpnor/genPnorImages.pl')
-rwxr-xr-x | src/build/buildpnor/genPnorImages.pl | 70 |
1 files changed, 43 insertions, 27 deletions
diff --git a/src/build/buildpnor/genPnorImages.pl b/src/build/buildpnor/genPnorImages.pl
index f02d0433b..dd0be0fce 100755
--- a/src/build/buildpnor/genPnorImages.pl
+++ b/src/build/buildpnor/genPnorImages.pl
@@ -617,7 +617,7 @@ sub manipulateImages
 $eccless_prefix.=".header";
 # Add secure container header
 # @TODO RTC:155374 Remove when official signing supported
- if ($secureboot && $secureSupported)
+ if ($secureboot && $isSpecialSecure)
 {
 $callerHwHdrFields{configure} = 1;
 if (exists $hashPageTablePartitions{$eyeCatch})
@@ -737,7 +737,25 @@ sub manipulateImages
 die "Error closing of $preReqImages{HBB_SW_SIG_FILE} failed" if $!;
 }
 }
- # Add simiple version header
+ elsif($secureboot && $isNormalSecure)
+ {
+ $callerHwHdrFields{configure} = 1;
+ if($openSigningTool)
+ {
+ run_command("$CUR_OPEN_SIGN_REQUEST "
+ . "-protectedPayload $bin_file "
+ . "-out $tempImages{HDR_PHASE}");
+ }
+ else
+ {
+ # @TODO RTC:155374 Remove when official signing
+ # supported
+ run_command("$SIGNING_DIR/build -good -if "
+ . "$secureboot_hdr -of $tempImages{HDR_PHASE} -bin "
+ . "$bin_file $SIGN_BUILD_PARAMS");
+ }
+ }
+ # Add simple version header
 else
 {
 run_command("env echo -en VERSION\\\\0 > $tempImages{TEMP_SHA_IMG}");
@@ -746,23 +764,6 @@ sub manipulateImages
 run_command("cat $bin_file >> $tempImages{HDR_PHASE}");
 }
 }
- elsif ($secureboot && $isNormalSecure)
- {
- $eccless_prefix .=".header";
-
- $callerHwHdrFields{configure} = 1;
- if($openSigningTool)
- {
- run_command("$CUR_OPEN_SIGN_REQUEST "
- . "-protectedPayload $bin_file "
- . "-out $tempImages{HDR_PHASE}");
- }
- else
- {
- # @TODO RTC:155374 Remove when official signing supported
- run_command("$SIGNING_DIR/build -good -if $secureboot_hdr -of $tempImages{HDR_PHASE} -bin $bin_file $SIGN_BUILD_PARAMS");
- }
- }
 else
 {
 run_command("cp $bin_file $tempImages{HDR_PHASE}");
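Review bot: The trailing `else` under `# Add simple version header` (hunk at -737) is now also where a build lands when `$secureboot` is set but neither `$isSpecialSecure` nor `$isNormalSecure` holds, and in that case the section silently gets only the `VERSION` + SHA-512 header with no signature. Unless the flags, which are set outside this hunk, make that combination impossible, I would either `die` there when `$secureboot` is true or state the fallback in the comment, e.g. `# Unsigned fallback: version header with SHA-512 only, no signature`. Because the `elsif` moved inside the outer `if` (its old copy is removed further down), a normal-secure build now signs a section only when that outer condition, not visible here, is true; sections that fail it take the plain `cp` path, which is worth confirming as intended. manipulateImages begins and ends outside the hunk.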
@@ -830,17 +831,32 @@ sub manipulateImages
 run_command("dd if=/dev/zero bs=$size count=1 | tr \"\\000\" \"\\377\" > $tempImages{PAD_PHASE}");
 # Add secure container header
- if ($secureboot && $isNormalSecure && $eyeCatch ne "SBKT")
+ if( ($sectionHash{$layoutKey}{sha512Version} eq "yes")
+ && ($eyeCatch ne "SBKT"))
 {
- $callerHwHdrFields{configure} = 1;
- # Remove PAGE_SIZE bytes from generated dummy content of file
- # to make room for the secure header
+ # Remove PAGE_SIZE bytes from generated dummy content of
+ # file to make room for the secure header
 my $fileSize = (-s $tempImages{PAD_PHASE}) - PAGE_SIZE;
- die "fileSize undefined: errno = $!" unless(defined $fileSize);
+ die "fileSize undefined: errno = $!"
+ unless(defined $fileSize);
 run_command("dd if=$tempImages{PAD_PHASE} of=$tempImages{TEMP_BIN} count=1 bs=$fileSize");
- # @TODO RTC:155374 Remove when official signing supported
- run_command("$SIGNING_DIR/build -good -if $secureboot_hdr -of $tempImages{PAD_PHASE} -bin $tempImages{TEMP_BIN} $SIGN_BUILD_PARAMS");
- setCallerHwHdrFields(\%callerHwHdrFields, $tempImages{PAD_PHASE});
+
+ if ($secureboot && $secureSupported)
+ {
+ $callerHwHdrFields{configure} = 1;
+ # @TODO RTC:155374 Remove when official signing
+ # supported
+ run_command("$SIGNING_DIR/build -good -if $secureboot_hdr -of $tempImages{PAD_PHASE} -bin $tempImages{TEMP_BIN} $SIGN_BUILD_PARAMS");
+ setCallerHwHdrFields(\%callerHwHdrFields,
+ $tempImages{PAD_PHASE});
+ }
+ else
+ {
+ run_command("env echo -en VERSION\\\\0 > $tempImages{TEMP_SHA_IMG}");
+ run_command("sha512sum $tempImages{TEMP_BIN} | awk \'{print \$1}\' | xxd -pr -r >> $tempImages{TEMP_SHA_IMG}");
+ run_command("dd if=$tempImages{TEMP_SHA_IMG} of=$tempImages{PAD_PHASE} ibs=4k conv=sync");
+ run_command("cat $tempImages{TEMP_BIN} >> $tempImages{PAD_PHASE}");
+ }
 }
 }
 }
|
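Review bot: The `die "fileSize undefined: errno = $!" unless(defined $fileSize);` guard that this hunk rewraps can never fire, because `(-s $tempImages{PAD_PHASE}) - PAGE_SIZE` is a defined number even when `-s` returns undef, and a pad file no larger than PAGE_SIZE hands a zero or negative `bs=` to the following `dd`. Test the size before subtracting: `my $padSize = -s $tempImages{PAD_PHASE};`, `die "size of $tempImages{PAD_PHASE} missing or too small: $!" unless (defined $padSize && $padSize > PAGE_SIZE);`, `my $fileSize = $padSize - PAGE_SIZE;`. Separately, the inner test here uses `$secureSupported` while the header path earlier in this commit switches to `$isSpecialSecure` and `$isNormalSecure`; if that difference is deliberate a one-line comment would help, since the `else` writes a header carrying only a SHA-512 digest and no signature. manipulateImages begins and ends outside the hunk.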