Secure Boot: Support open signing with component IDs

Change-Id: Ic817a045128e7f7c64b342f4f3682a1bb5930468 RTC: 177220 Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/46247 Tested-by: Jenkins Server <pfd-jenkins+hostboot@us.ibm.com> Tested-by: FSP CI Jenkins <fsp-CI-jenkins+hostboot@us.ibm.com> Reviewed-by: Stephen M. Cprek <smcprek@us.ibm.com> Tested-by: Jenkins OP Build CI <op-jenkins+hostboot@us.ibm.com> Tested-by: Jenkins OP HW <op-hw-jenkins+hostboot@us.ibm.com> Reviewed-by: Michael Baiocchi <mbaiocch@us.ibm.com> Reviewed-by: Daniel M. Crowell <dcrowell@us.ibm.com>
author: Nick Bofferding <bofferdn@us.ibm.com> 2017-09-14 23:19:36 -0500
committer: Daniel M. Crowell <dcrowell@us.ibm.com> 2017-09-25 14:03:06 -0400
commit: 54c1fc7cd2b58df60cf5b7dd480414daaabc5e0f (patch)
tree: c705f38b1a645fb2438cd74aa9fa52cf41c912d3 /src/build/buildpnor/genPnorImages.pl
parent: 1b3b999258db544d6af1dbfb7ee3437efd17581b (diff)
download: talos-hostboot-54c1fc7cd2b58df60cf5b7dd480414daaabc5e0f.tar.gz
talos-hostboot-54c1fc7cd2b58df60cf5b7dd480414daaabc5e0f.zip
1 files changed, 34 insertions, 7 deletions
diff --git a/src/build/buildpnor/genPnorImages.pl b/src/build/buildpnor/genPnorImages.pl
index b56de0273..bc8e7ac47 100755
--- a/src/build/buildpnor/genPnorImages.pl
+++ b/src/build/buildpnor/genPnorImages.pl
@@ -42,6 +42,8 @@ use constant BASE_IMAGE_TOTAL_CONTAINER_SIZE => 0x000000000007EF80;
 use constant BASE_IMAGE_TARGET_HRMOR => 0x0000000008000000;
 use constant BASE_IMAGE_INSTRUCTION_START_STACK_POINTER => 0x0000000008280000;
 
+use constant MAX_COMP_ID_LEN => 8;
+
 # Max HBBL content size is 20K
 my $MAX_HBBL_SIZE = 20480;
 
@@ -309,13 +311,19 @@ if ($signMode{$PRODUCTION})
 elsif ($keyTransition{enabled} && $signMode{$DEVELOPMENT})
 {
     $OPEN_SIGN_REQUEST .= $OPEN_DEV_SIGN_PARAMS;
+
+    # Since this request signs 4k of random data for SBKT, but is not a named
+    # section, we'll make up a component ID of "SBKTRAND"
+    my $sbktDataComponentIdArg = "--sign-project-FW-token SBKTRAND";
     if ($keyTransition{$IMPRINT})
     {
-        $OPEN_SIGN_KEY_TRANS_REQUEST .= $OPEN_DEV_SIGN_PARAMS;
+        $OPEN_SIGN_KEY_TRANS_REQUEST .=
+            "$OPEN_DEV_SIGN_PARAMS $sbktDataComponentIdArg";
     }
     elsif ($keyTransition{$PRODUCTION})
     {
-        $OPEN_SIGN_KEY_TRANS_REQUEST .= "$OPEN_PRD_SIGN_PARAMS --sign-project-FW-token SBKT";
+        $OPEN_SIGN_KEY_TRANS_REQUEST .=
+            "$OPEN_PRD_SIGN_PARAMS $sbktDataComponentIdArg";
     }
 }
 else
@@ -579,10 +587,8 @@ sub manipulateImages
         my $secureboot_hdr =  $header->{file};
 
         my $CUR_OPEN_SIGN_REQUEST = "$OPEN_SIGN_REQUEST $openSigningFlags";
-        if ($signMode{$PRODUCTION})
-        {
-            $CUR_OPEN_SIGN_REQUEST .= " --sign-project-FW-token $eyeCatch ";
-        }
+        my $componentId = convertEyecatchToCompId($eyeCatch);
+        $CUR_OPEN_SIGN_REQUEST .= " --sign-project-FW-token $componentId ";
 
         # Used for corrupting partitions. By default all protected offsets start
         # immediately after the container header which is size = PAGE_SIZE.
@@ -1177,7 +1183,8 @@ sub create_sb_key_transition_container
             . "$sb_hdrs{SBKT}{inner}{flags} --protectedPayload $tempImages{RAND_BLOB} "
             . "--out $tempImages{PRD_KEY_FILE}");
         # Sign new production key container with imprint keys
-        run_command("$OPEN_SIGN_REQUEST ".OP_SIGNING_FLAG
+        my $sbktComponentIdArg = "--sign-project-FW-token SBKT ";
+        run_command("$OPEN_SIGN_REQUEST ".$sbktComponentIdArg.OP_SIGNING_FLAG
             . "$sb_hdrs{SBKT}{outer}{flags} --protectedPayload $tempImages{PRD_KEY_FILE} "
             . "--out $o_file");
     }
@@ -1198,6 +1205,26 @@ sub create_sb_key_transition_container
 }
 
 ################################################################################
+# convertEyecatchToCompId
+#     Converts eyecatcher to component ID, truncating it to the lesser of its
+#     current size or MAX_COMP_ID_LEN bytes, in order to fit within the confines
+#     of the component ID field of the firmware header.
+################################################################################
+
+sub convertEyecatchToCompId
+{
+    my ($eyeCatcher) = @_;
+
+    my $maxLen = MAX_COMP_ID_LEN;
+    my $len = length($eyeCatcher);
+    die "BUG! Empty eyecatcher not allowed.\n" if !$len;
+    my $finalLen = ($maxLen > $len) ? $len : $maxLen;
+    my $componentId = substr($eyeCatcher,0,$finalLen);
+
+    return $componentId;
+}
+
+################################################################################
 # setCallerHwHdrFields
 #       Sets the caller hardware header fields in the passed in file based on
 #       the input hash passed in.
author	Nick Bofferding <bofferdn@us.ibm.com>	2017-09-14 23:19:36 -0500
committer	Daniel M. Crowell <dcrowell@us.ibm.com>	2017-09-25 14:03:06 -0400
commit	54c1fc7cd2b58df60cf5b7dd480414daaabc5e0f (patch)
tree	c705f38b1a645fb2438cd74aa9fa52cf41c912d3 /src/build/buildpnor/genPnorImages.pl
parent	1b3b999258db544d6af1dbfb7ee3437efd17581b (diff)
download	talos-hostboot-54c1fc7cd2b58df60cf5b7dd480414daaabc5e0f.tar.gz talos-hostboot-54c1fc7cd2b58df60cf5b7dd480414daaabc5e0f.zip