author | Nick Bofferding <bofferdn@us.ibm.com> | 2017-07-28 01:45:20 -0500 |
---|---|---|
committer | Daniel M. Crowell <dcrowell@us.ibm.com> | 2017-08-04 09:56:21 -0400 |
commit | 220fa8c77eb127697c977f18890f1f49fdf040e6 (patch) | |
tree | dbed9ee949c58b503893b9463871b4418098ccab /src/build/buildpnor/genPnorImages.pl | |
parent | 1e846c106286181bf82e1e5bbc68b47b6e490ce1 (diff) | |
download | talos-hostboot-220fa8c77eb127697c977f18890f1f49fdf040e6.tar.gz talos-hostboot-220fa8c77eb127697c977f18890f1f49fdf040e6.zip |
Secure Boot: Emit signature-less header in non-secure compile
- Relevant for open signing only at this time
RTC: 174017
Change-Id: I6c16f2c06785debaae3006ef66e54fa7102f27da
Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/43825
Reviewed-by: Stephen M. Cprek <smcprek@us.ibm.com>
Tested-by: Jenkins Server <pfd-jenkins+hostboot@us.ibm.com>
Tested-by: Jenkins OP Build CI <op-jenkins+hostboot@us.ibm.com>
Tested-by: FSP CI Jenkins <fsp-CI-jenkins+hostboot@us.ibm.com>
Tested-by: Jenkins OP HW <op-hw-jenkins+hostboot@us.ibm.com>
Reviewed-by: Michael Baiocchi <mbaiocch@us.ibm.com>
Reviewed-by: Daniel M. Crowell <dcrowell@us.ibm.com>
Diffstat (limited to 'src/build/buildpnor/genPnorImages.pl')
-rwxr-xr-x | src/build/buildpnor/genPnorImages.pl | 49 |
1 files changed, 38 insertions, 11 deletions
diff --git a/src/build/buildpnor/genPnorImages.pl b/src/build/buildpnor/genPnorImages.pl
index 2b7b8c708..cec025ef3 100755
--- a/src/build/buildpnor/genPnorImages.pl
+++ b/src/build/buildpnor/genPnorImages.pl
@@ -284,11 +284,17 @@ my $OPEN_SIGN_KEY_TRANS_REQUEST = $OPEN_SIGN_REQUEST;
 # Production signing parameters
 my $OPEN_PRD_SIGN_PARAMS = "--mode production "
 . " --sign-project-config $sb_signing_config_file";
-# Imprint key signing parameters
-my $OPEN_DEV_SIGN_PARAMS = " --hwPrivKeyA $DEV_KEY_DIR/hw_key_a.key "
+
+# Imprint key signing parameters. In a non-secure compile, omit the keys to
+# generate a secure header without signatures
+my $OPEN_DEV_SIGN_PARAMS = "";
+if($secureboot)
+{
+ $OPEN_DEV_SIGN_PARAMS = " --hwPrivKeyA $DEV_KEY_DIR/hw_key_a.key "
 . "--hwPrivKeyB $DEV_KEY_DIR/hw_key_b.key "
 . "--hwPrivKeyC $DEV_KEY_DIR/hw_key_c.key "
 . "--swPrivKeyP $DEV_KEY_DIR/sw_key_a.key";
+}
 
 # Handle key transition and production signing logic
 # If in production mode, key transition is not supported yet
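Review bot: The new comment above `my $OPEN_DEV_SIGN_PARAMS = "";` should state the trust implication of the empty parameter set, not just the mechanism: the signing request still runs, so its output has the secure-header layout but carries no signatures, and nothing that consumes it may treat it as authenticated. Suggest extending it with `# Without keys the tool emits the secure header layout with empty signature fields; the result is unsigned and is only valid for non-secure ($secureboot false) images`. If `$CUR_OPEN_SIGN_REQUEST`, used later in manipulateImages, is assembled from `$OPEN_DEV_SIGN_PARAMS` outside this hunk, those call sites silently depend on this emptiness, so a one-line cross-reference here would help the next reader.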
@@ -754,13 +760,23 @@ sub manipulateImages
 . "$bin_file $SIGN_BUILD_PARAMS");
 }
 }
- # Add simple version header
+ # Add non-secure version header
 else
 {
- run_command("env echo -en VERSION\\\\0 > $tempImages{TEMP_SHA_IMG}");
- run_command("sha512sum $bin_file | awk \'{print \$1}\' | xxd -pr -r >> $tempImages{TEMP_SHA_IMG}");
- run_command("dd if=$tempImages{TEMP_SHA_IMG} of=$tempImages{HDR_PHASE} ibs=4k conv=sync");
- run_command("cat $bin_file >> $tempImages{HDR_PHASE}");
+ # Attach signature-less secure header for OpenPOWER builds
+ if($openSigningTool)
+ {
+ run_command("$CUR_OPEN_SIGN_REQUEST "
+ . "--protectedPayload $bin_file "
+ . "--out $tempImages{HDR_PHASE}");
+ }
+ else # attach the legacy header
+ {
+ run_command("env echo -en VERSION\\\\0 > $tempImages{TEMP_SHA_IMG}");
+ run_command("sha512sum $bin_file | awk \'{print \$1}\' | xxd -pr -r >> $tempImages{TEMP_SHA_IMG}");
+ run_command("dd if=$tempImages{TEMP_SHA_IMG} of=$tempImages{HDR_PHASE} ibs=4k conv=sync");
+ run_command("cat $bin_file >> $tempImages{HDR_PHASE}");
+ }
 }
 }
 else
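Review bot: The new `if($openSigningTool)` / legacy-header block is duplicated verbatim in the hunk at -858,12, differing only in the payload (`$bin_file` vs `$tempImages{TEMP_BIN}`) and the output (`HDR_PHASE` vs `PAD_PHASE`); two copies of a header-construction routine are a maintenance risk for a format the verifier has to agree with, so a single helper keeps them in step. The helper below assumes `$openSigningTool` and `$CUR_OPEN_SIGN_REQUEST` are file-scope, as hunk 1 suggests for the signing parameters, and takes the scratch path explicitly because `%tempImages` appears to be local to manipulateImages. It also gives one place to quote `$payload` and `$out` if these paths can ever contain shell metacharacters, since every `run_command` string here interpolates them unquoted. manipulateImages begins and ends outside this hunk.
```perl
# Non-secure header for $payload, written to $out. With the open signing
# tool this is the secure header layout with no signatures; otherwise the
# legacy VERSION\0 + sha512 header padded to 4k. $sha_img is scratch space.
sub addNonSecureHeader
{
    my ($payload, $out, $sha_img) = @_;
    if($openSigningTool)
    {
        run_command("$CUR_OPEN_SIGN_REQUEST "
            . "--protectedPayload $payload "
            . "--out $out");
    }
    else # Attach legacy header
    {
        run_command("env echo -en VERSION\\\\0 > $sha_img");
        run_command("sha512sum $payload | awk \'{print \$1}\' | xxd -pr -r >> $sha_img");
        run_command("dd if=$sha_img of=$out ibs=4k conv=sync");
        run_command("cat $payload >> $out");
    }
}

# ... in manipulateImages, in place of the duplicated block in this hunk:
addNonSecureHeader($bin_file, $tempImages{HDR_PHASE}, $tempImages{TEMP_SHA_IMG});
# ... and in the hunk at -858,12:
addNonSecureHeader($tempImages{TEMP_BIN}, $tempImages{PAD_PHASE}, $tempImages{TEMP_SHA_IMG});
```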
@@ -858,12 +874,23 @@ sub manipulateImages
 setCallerHwHdrFields(\%callerHwHdrFields, $tempImages{PAD_PHASE});
 }
 
+ # Add non-secure version header
 else
 {
- run_command("env echo -en VERSION\\\\0 > $tempImages{TEMP_SHA_IMG}");
- run_command("sha512sum $tempImages{TEMP_BIN} | awk \'{print \$1}\' | xxd -pr -r >> $tempImages{TEMP_SHA_IMG}");
- run_command("dd if=$tempImages{TEMP_SHA_IMG} of=$tempImages{PAD_PHASE} ibs=4k conv=sync");
- run_command("cat $tempImages{TEMP_BIN} >> $tempImages{PAD_PHASE}");
+ # Attach signature-less secure header for OpenPOWER builds
+ if($openSigningTool)
+ {
+ run_command("$CUR_OPEN_SIGN_REQUEST "
+ . "--protectedPayload $tempImages{TEMP_BIN} "
+ . "--out $tempImages{PAD_PHASE}");
+ }
+ else # Attach legacy header
+ {
+ run_command("env echo -en VERSION\\\\0 > $tempImages{TEMP_SHA_IMG}");
+ run_command("sha512sum $tempImages{TEMP_BIN} | awk \'{print \$1}\' | xxd -pr -r >> $tempImages{TEMP_SHA_IMG}");
+ run_command("dd if=$tempImages{TEMP_SHA_IMG} of=$tempImages{PAD_PHASE} ibs=4k conv=sync");
+ run_command("cat $tempImages{TEMP_BIN} >> $tempImages{PAD_PHASE}");
+ }
 }
 }
 } |