authorNick Bofferding <bofferdn@us.ibm.com>2017-07-28 01:45:20 -0500
committerDaniel M. Crowell <dcrowell@us.ibm.com>2017-08-04 09:56:21 -0400
commit220fa8c77eb127697c977f18890f1f49fdf040e6 (patch)
treedbed9ee949c58b503893b9463871b4418098ccab /src/build/buildpnor/genPnorImages.pl
parent1e846c106286181bf82e1e5bbc68b47b6e490ce1 (diff)
Secure Boot: Emit signature-less header in non-secure compile
- Relevant for open signing only at this time RTC: 174017 Change-Id: I6c16f2c06785debaae3006ef66e54fa7102f27da Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/43825 Reviewed-by: Stephen M. Cprek <smcprek@us.ibm.com> Tested-by: Jenkins Server <pfd-jenkins+hostboot@us.ibm.com> Tested-by: Jenkins OP Build CI <op-jenkins+hostboot@us.ibm.com> Tested-by: FSP CI Jenkins <fsp-CI-jenkins+hostboot@us.ibm.com> Tested-by: Jenkins OP HW <op-hw-jenkins+hostboot@us.ibm.com> Reviewed-by: Michael Baiocchi <mbaiocch@us.ibm.com> Reviewed-by: Daniel M. Crowell <dcrowell@us.ibm.com>
Diffstat (limited to 'src/build/buildpnor/genPnorImages.pl')
-rwxr-xr-xsrc/build/buildpnor/genPnorImages.pl49
1 files changed, 38 insertions, 11 deletions
diff --git a/src/build/buildpnor/genPnorImages.pl b/src/build/buildpnor/genPnorImages.pl
index 2b7b8c708..cec025ef3 100755
--- a/src/build/buildpnor/genPnorImages.pl
+++ b/src/build/buildpnor/genPnorImages.pl
@@ -284,11 +284,17 @@ my $OPEN_SIGN_KEY_TRANS_REQUEST = $OPEN_SIGN_REQUEST;
# Production signing parameters
my $OPEN_PRD_SIGN_PARAMS = "--mode production "
. " --sign-project-config $sb_signing_config_file";
-# Imprint key signing parameters
-my $OPEN_DEV_SIGN_PARAMS = " --hwPrivKeyA $DEV_KEY_DIR/hw_key_a.key "
+
+# Imprint key signing parameters. In a non-secure compile, omit the keys to
+# generate a secure header without signatures
+my $OPEN_DEV_SIGN_PARAMS = "";
+if($secureboot)
+{
+ $OPEN_DEV_SIGN_PARAMS = " --hwPrivKeyA $DEV_KEY_DIR/hw_key_a.key "
. "--hwPrivKeyB $DEV_KEY_DIR/hw_key_b.key "
. "--hwPrivKeyC $DEV_KEY_DIR/hw_key_c.key "
. "--swPrivKeyP $DEV_KEY_DIR/sw_key_a.key";
+}
# Handle key transition and production signing logic
# If in production mode, key transition is not supported yet
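Review bot: The comment above the new `my $OPEN_DEV_SIGN_PARAMS = "";` says the keys are omitted so that a header without signatures is produced, but it does not say what that implies for the image that later consumers receive, and a reader of only this hunk may assume the non-secure header still carries authenticity. I would extend it: `# With no keys the open signing tool emits the secure header layout with empty signature fields; such an image carries no authenticity guarantee and must never be treated as a signed image.` Whether the tool also embeds a payload hash when no keys are supplied is not visible here and should be confirmed against the tool before documenting any integrity claim. `$CUR_OPEN_SIGN_REQUEST` is presumably derived from these parameters outside this hunk, so the coupling is inferred.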
@@ -754,13 +760,23 @@ sub manipulateImages
. "$bin_file $SIGN_BUILD_PARAMS");
}
}
- # Add simple version header
+ # Add non-secure version header
else
{
- run_command("env echo -en VERSION\\\\0 > $tempImages{TEMP_SHA_IMG}");
- run_command("sha512sum $bin_file | awk \'{print \$1}\' | xxd -pr -r >> $tempImages{TEMP_SHA_IMG}");
- run_command("dd if=$tempImages{TEMP_SHA_IMG} of=$tempImages{HDR_PHASE} ibs=4k conv=sync");
- run_command("cat $bin_file >> $tempImages{HDR_PHASE}");
+ # Attach signature-less secure header for OpenPOWER builds
+ if($openSigningTool)
+ {
+ run_command("$CUR_OPEN_SIGN_REQUEST "
+ . "--protectedPayload $bin_file "
+ . "--out $tempImages{HDR_PHASE}");
+ }
+ else # attach the legacy header
+ {
+ run_command("env echo -en VERSION\\\\0 > $tempImages{TEMP_SHA_IMG}");
+ run_command("sha512sum $bin_file | awk \'{print \$1}\' | xxd -pr -r >> $tempImages{TEMP_SHA_IMG}");
+ run_command("dd if=$tempImages{TEMP_SHA_IMG} of=$tempImages{HDR_PHASE} ibs=4k conv=sync");
+ run_command("cat $bin_file >> $tempImages{HDR_PHASE}");
+ }
}
}
else
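Review bot: The new `if($openSigningTool)` / legacy `else` body in this hunk is duplicated verbatim in the next hunk (the `PAD_PHASE` branch), differing only in the payload and output paths; both would be clearer as one helper taking those paths, so the two header formats cannot drift apart when one of them is changed later. The `# Add non-secure version header` comment is also placed between `}` and `else`, where it reads as belonging to the preceding `if`; moving it inside the `else` block avoids that. Whether `$openSigningTool` and `$CUR_OPEN_SIGN_REQUEST` are file-scope lexicals declared before the point where a new sub would be defined is not shown in the hunk; if they are, a closure over them works, otherwise pass them in explicitly. manipulateImages starts and ends outside this hunk.
```perl
    else
    {
        # Add non-secure version header
        addNonSecureHeader($bin_file, $tempImages{HDR_PHASE},
                           $tempImages{TEMP_SHA_IMG});
    }
# … unchanged: remainder of manipulateImages …

# Attach a header that carries no signature to $payload, writing the
# result to $out: the signature-less secure header from the open signing
# tool when it is in use, otherwise the legacy "VERSION\0" + SHA-512
# header padded to 4k. Neither form provides an authenticity guarantee.
sub addNonSecureHeader
{
    my ($payload, $out, $temp_sha_img) = @_;
    if($openSigningTool)
    {
        run_command("$CUR_OPEN_SIGN_REQUEST "
            . "--protectedPayload $payload "
            . "--out $out");
    }
    else # attach the legacy header
    {
        run_command("env echo -en VERSION\\\\0 > $temp_sha_img");
        run_command("sha512sum $payload | awk \'{print \$1}\' | xxd -pr -r >> $temp_sha_img");
        run_command("dd if=$temp_sha_img of=$out ibs=4k conv=sync");
        run_command("cat $payload >> $out");
    }
    return;
}
```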
@@ -858,12 +874,23 @@ sub manipulateImages
setCallerHwHdrFields(\%callerHwHdrFields,
$tempImages{PAD_PHASE});
}
+ # Add non-secure version header
else
{
- run_command("env echo -en VERSION\\\\0 > $tempImages{TEMP_SHA_IMG}");
- run_command("sha512sum $tempImages{TEMP_BIN} | awk \'{print \$1}\' | xxd -pr -r >> $tempImages{TEMP_SHA_IMG}");
- run_command("dd if=$tempImages{TEMP_SHA_IMG} of=$tempImages{PAD_PHASE} ibs=4k conv=sync");
- run_command("cat $tempImages{TEMP_BIN} >> $tempImages{PAD_PHASE}");
+ # Attach signature-less secure header for OpenPOWER builds
+ if($openSigningTool)
+ {
+ run_command("$CUR_OPEN_SIGN_REQUEST "
+ . "--protectedPayload $tempImages{TEMP_BIN} "
+ . "--out $tempImages{PAD_PHASE}");
+ }
+ else # Attach legacy header
+ {
+ run_command("env echo -en VERSION\\\\0 > $tempImages{TEMP_SHA_IMG}");
+ run_command("sha512sum $tempImages{TEMP_BIN} | awk \'{print \$1}\' | xxd -pr -r >> $tempImages{TEMP_SHA_IMG}");
+ run_command("dd if=$tempImages{TEMP_SHA_IMG} of=$tempImages{PAD_PHASE} ibs=4k conv=sync");
+ run_command("cat $tempImages{TEMP_BIN} >> $tempImages{PAD_PHASE}");
+ }
}
}
}