author | Jaymes Wilks <mjwilks@us.ibm.com> | 2017-10-26 09:37:07 -0500 |
---|---|---|
committer | William G. Hoffa <wghoffa@us.ibm.com> | 2017-11-09 17:50:21 -0500 |
commit | 5fa02a909075081da87ea537d13cb7a61e543176 (patch) | |
tree | 5fb5437e9f54d6964f6bdb9c10bb8306b19ad585 /src/build/buildpnor/genPnorImages.pl | |
parent | 3378748dbc2e153ed005e832b8398adfb2729a74 (diff) | |
Support selecting fips or op-build for signing process

Adds a new '--build-type' option to genPnorImages.pl to specify
either fspbuild or opbuild, which adds the appropriate magic
value to the secure header during the signing process.

Change-Id: I46a97f88666a5cc925797d3ad0e870a5f5bac89a
RTC:163655
Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/48930
Tested-by: Jenkins Server <pfd-jenkins+hostboot@us.ibm.com>
Tested-by: Jenkins OP Build CI <op-jenkins+hostboot@us.ibm.com>
Tested-by: Jenkins OP HW <op-hw-jenkins+hostboot@us.ibm.com>
Tested-by: FSP CI Jenkins <fsp-CI-jenkins+hostboot@us.ibm.com>
Reviewed-by: Stephen M. Cprek <smcprek@us.ibm.com>
Reviewed-by: Michael Baiocchi <mbaiocch@us.ibm.com>
Reviewed-by: William G. Hoffa <wghoffa@us.ibm.com>
Diffstat (limited to 'src/build/buildpnor/genPnorImages.pl')
-rwxr-xr-x | src/build/buildpnor/genPnorImages.pl | 24 |
1 files changed, 20 insertions, 4 deletions
diff --git a/src/build/buildpnor/genPnorImages.pl b/src/build/buildpnor/genPnorImages.pl index 614c44334..5d5d207d2 100755 --- a/src/build/buildpnor/genPnorImages.pl +++ b/src/build/buildpnor/genPnorImages.pl @@ -79,16 +79,18 @@ use constant LOCAL_SIGNING_FLAG => " -flag "; use constant OP_SIGNING_FLAG => " --flags "; # Security bits HW flag strings use constant OP_BUILD_FLAG => 0x80000000; -use constant FIPS_BUILD_FLAG => 0x40000000; +# TODO 1633655 For now, as a workaround FIPS_BUILD_FLAG will be the same as +# OP_BUILD_FLAG until the larger team is ready to take on the new value. +use constant FIPS_BUILD_FLAG => 0x80000000; +# use constant FIPS_BUILD_FLAG => 0x40000000; # Applies to SBE image only use constant LAB_SECURITY_OVERRIDE_FLAG => 0x00080000; use constant KEY_TRANSITION_FLAG => 0x00000001; # Size of HW keys' Hash use constant HW_KEYS_HASH_SIZE => 64; -# TODO: RTC 163655 -# Implement dynamic support for choosing FSP or op-build flag type. -# For now, assume OP build +# Dynamic support for choosing FSP or op-build flag type. +# Default to OP build my $buildFlag = OP_BUILD_FLAG; # Corrupt parameter strings @@ -122,6 +124,7 @@ my %partitionsToCorrupt = (); my $sign_mode = $DEVELOPMENT; my $hwKeyHashFile = ""; my $hb_standalone=""; +my $buildType=""; # @TODO RTC 170650: Set default to 0 after all environments provide external # control over this policy, plus remove '!' from 'lab-security-override' @@ -143,6 +146,7 @@ GetOptions("binDir:s" => \$bin_dir, "hb-standalone" => \$hb_standalone, "lab-security-override!" => \$labSecurityOverride, "emit-eccless" => \$emitEccless, + "build-type:s" => \$buildType, "help" => \$help); if ($help) 
@@ -155,6 +159,12 @@ if ($help) # Environment Setup, Checking, and Variable Initialization ################################################################################ +# Get the build type +if ($buildType eq "fspbuild") +{ + $buildFlag = FIPS_BUILD_FLAG; +} + # Put mode transition input into a hash and ensure a valid signing mode my %signMode = ( $DEVELOPMENT => 1, $PRODUCTION => 0 ); @@ -1313,6 +1323,12 @@ print <<"ENDUSAGE"; physical jumpers on the system planar. --emit-eccless In addition to typical output, also emit ECC-less versions of any input binaries + --build-type Specify whether the type of build is FIPS or + OpenPower, indicated by either 'fspbuild' + or 'opbuild' immediately following the + switch (separated with a space and not + including the single quotes). OpenPower is + the default. Current Limitations: - Issues with dependency on ENGD build for certain files such as SBE. This is why [--build-all | --install-all ] are used. |
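Review bot: In the constants hunk (@@ -79,16 +79,18 @@), FIPS_BUILD_FLAG is now 0x80000000, the same value as OP_BUILD_FLAG, so passing 'fspbuild' assigns $buildFlag the value it already has by default and the two build types cannot be told apart from the flag. The commit message says the option adds the appropriate magic value, so the temporary equivalence should be stated there or in the usage text. The new comment also cites "TODO 1633655" while the removed comment and the commit message reference RTC 163655; correct the number so the workaround can be tracked back to the work item.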
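Review bot: In the GetOptions hunk (@@ -143,6 +146,7 @@), the spec "build-type:s" makes the argument optional, so a bare --build-type is accepted and leaves $buildType as an empty string. The usage text added later in the patch says 'fspbuild' or 'opbuild' follows the switch, so "build-type=s" would match the documented behaviour and reject a missing value at parse time.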
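Review bot: The check added in the hunk at @@ -155,6 +159,12 @@ compares $buildType only against "fspbuild", so any other string, including a misspelling of it, silently keeps OP_BUILD_FLAG and the images are signed as an OpenPower build. Since this value goes into the secure header, accept only 'fspbuild', 'opbuild' or the empty default and die with a message on anything else, so a mistyped build type fails the build instead of yielding a header with an unintended flag.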