authorIlya Smirnov <ismirno@us.ibm.com>2018-03-21 09:27:16 -0500
committerDaniel M. Crowell <dcrowell@us.ibm.com>2018-03-30 17:02:21 -0400
commit713f7f024c4545362d304914f7979e0c5128f0b2 (patch)
treef60be11976a8f8565fdfe6fa010cc534c6f8ca9f /src/build/buildpnor/genPnorImages.pl
parent711723bcb25f9462da10d70564826d78b61fcc3f (diff)
Secure Boot: Close SBE Security Backdoor
During a key transition process from dev to prod keys the lab override bit does not get unset and does not get customized into SBE at the time of the transition. Only when the system reaches istep 10.2 with prod keys does the bit get reset. This change customizes the bit at the time of the transition, which ensures the system is secure all the way through IPL with prod keys. Change-Id: I1343d2dd95aa4549b92e46ebcb9df142303c1f0b RTC: 188958 Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/56127 Tested-by: Jenkins Server <pfd-jenkins+hostboot@us.ibm.com> Tested-by: Jenkins OP Build CI <op-jenkins+hostboot@us.ibm.com> Tested-by: Jenkins OP HW <op-hw-jenkins+hostboot@us.ibm.com> Tested-by: FSP CI Jenkins <fsp-CI-jenkins+hostboot@us.ibm.com> Reviewed-by: Michael Baiocchi <mbaiocch@us.ibm.com> Reviewed-by: Nicholas E. Bofferding <bofferdn@us.ibm.com> Reviewed-by: Daniel M. Crowell <dcrowell@us.ibm.com>
Diffstat (limited to 'src/build/buildpnor/genPnorImages.pl')
-rwxr-xr-xsrc/build/buildpnor/genPnorImages.pl18
1 files changed, 15 insertions, 3 deletions
diff --git a/src/build/buildpnor/genPnorImages.pl b/src/build/buildpnor/genPnorImages.pl
index 8a9bcfd4b..3263970d9 100755
--- a/src/build/buildpnor/genPnorImages.pl
+++ b/src/build/buildpnor/genPnorImages.pl
@@ -194,17 +194,29 @@ elsif ($key_transition ne "")
}
my $labSecurityOverrideFlag = 0;
+my $ktSecurityOverrideFlag = 0;
if($labSecurityOverride)
{
if($signMode{$DEVELOPMENT})
{
$labSecurityOverrideFlag = LAB_SECURITY_OVERRIDE_FLAG;
+ if($keyTransition{$IMPRINT})
+ {
+ $ktSecurityOverrideFlag = LAB_SECURITY_OVERRIDE_FLAG;
+ }
+ elsif($keyTransition{$PRODUCTION})
+ {
+ # Key Transition flag will take precedence over the
+ # lab override flag.
+ $ktSecurityOverrideFlag = 0;
+ }
}
else
{
$labSecurityOverride = 0;
- print "WARNING! Lab security override only valid in development/"
- . "imprint mode, continuing with lab security override disabled.\n";
+ print "WARNING! Lab security override only valid in development-"
+ . "signed mode or during a key transition that installs development"
+ . " keys. Continuing with lab security override disabled.\n";
}
}
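Review bot: The `elsif($keyTransition{$PRODUCTION})` branch drops a requested lab security override from the key transition container without telling whoever runs the build, and its assignment of 0 only repeats the initial value. A build-log line there would make this security-relevant decision auditable, e.g. `print "NOTE: lab security override is not carried into a production key transition container.\n";`. The reworded warning in the else branch also says the override is valid "during a key transition that installs development keys", yet that branch is reached whenever `$signMode{$DEVELOPMENT}` is false regardless of `%keyTransition`, so the text and the condition appear to disagree. The definitions of `%signMode` and `%keyTransition` are outside the hunk, so this should be confirmed against them.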
@@ -322,7 +334,7 @@ my %sb_hdrs = (
file => "$bin_dir/$randPrefix.sbkt.outer.secureboot.hdr.bin"
},
inner => {
- flags => sprintf("0x%08X", $buildFlag),
+ flags => sprintf("0x%08X", $buildFlag | $ktSecurityOverrideFlag),
file => "$bin_dir/$randPrefix.sbkt.inner.secureboot.hdr.bin"
}
}
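Review bot: ORing `$ktSecurityOverrideFlag` into the inner header flags can set the lab override bit but can never clear it, so a production key transition ends with the bit off only if `$buildFlag` never carries it. `$buildFlag` is assigned outside this hunk, so that may already hold; if it is not guaranteed, masking states the intent explicitly: `flags => sprintf("0x%08X", ($buildFlag & ~LAB_SECURITY_OVERRIDE_FLAG) | $ktSecurityOverrideFlag),`. A comment above the line would also help the next reader, e.g. `# Lab override bit is set here only for a key transition to imprint keys (see $ktSecurityOverrideFlag).` The `%sb_hdrs` initializer starts before and continues after the hunk.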