authorStephen Cprek <smcprek@us.ibm.com>2017-11-20 16:56:44 -0600
committerDaniel M. Crowell <dcrowell@us.ibm.com>2017-12-18 17:27:59 -0500
commit9ae6e9595f9773d295b7e3ade47088f554c1ed48 (patch)
treef33427b681154991423fb9faad3476bf4aa17ff4 /src/build/buildpnor/genPnorImages.pl
parent8392e4f606607e505bb99de2a8d229ae69be5efe (diff)
downloadtalos-hostboot-9ae6e9595f9773d295b7e3ade47088f554c1ed48.tar.gz
talos-hostboot-9ae6e9595f9773d295b7e3ade47088f554c1ed48.zip
Remove Secure Boot workarounds
- Removing the magic number checks that would block sb functionality if things didn't appear secure - Remove Best Effort Policy and all of its related code - Remove the legacy PCR extension - Remove the non-secure header preservation path. - Always load HB base image header from the bl to hb data path vs settings unsecurely out of pnor Change-Id: Ie638384ac50ed47850985c959ea7a32e5757d64e RTC: 178520 RTC: 155374 RTC: 173489 Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/49925 Tested-by: Jenkins Server <pfd-jenkins+hostboot@us.ibm.com> Tested-by: Jenkins OP Build CI <op-jenkins+hostboot@us.ibm.com> Reviewed-by: Nicholas E. Bofferding <bofferdn@us.ibm.com> Tested-by: FSP CI Jenkins <fsp-CI-jenkins+hostboot@us.ibm.com> Tested-by: Jenkins OP HW <op-hw-jenkins+hostboot@us.ibm.com> Reviewed-by: Michael Baiocchi <mbaiocch@us.ibm.com> Reviewed-by: Daniel M. Crowell <dcrowell@us.ibm.com>
Diffstat (limited to 'src/build/buildpnor/genPnorImages.pl')
-rwxr-xr-xsrc/build/buildpnor/genPnorImages.pl14
1 files changed, 7 insertions, 7 deletions
diff --git a/src/build/buildpnor/genPnorImages.pl b/src/build/buildpnor/genPnorImages.pl
index d075dd436..3f02db1fa 100755
--- a/src/build/buildpnor/genPnorImages.pl
+++ b/src/build/buildpnor/genPnorImages.pl
@@ -234,7 +234,6 @@ if ($secureboot)
}
}
-# @TODO RTC: 155374 add official signing support including up to 3 sw keys
# Signing and Dev key directory location set via env vars
my $SIGNING_DIR = $ENV{'SIGNING_DIR'};
my $DEV_KEY_DIR = $ENV{'DEV_KEY_DIR'};
@@ -672,7 +671,6 @@ sub manipulateImages
{
$eccless_prefix.=".header";
# Add secure container header
- # @TODO RTC:155374 Remove when official signing supported
if ($secureboot && $isSpecialSecure)
{
$callerHwHdrFields{configure} = 1;
@@ -727,7 +725,7 @@ sub manipulateImages
}
else
{
- # @TODO RTC:155374 Remove when official signing
+ # @TODO RTC:183183 Remove when official signing
# supported
run_command("$SIGNING_DIR/build -good -if $secureboot_hdr -of $tempImages{PROTECTED_PAYLOAD} -bin $tempImages{PAYLOAD_TEXT} $SIGN_BUILD_PARAMS");
}
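Review bot: The fallback branch still builds its signing command by interpolating `$SIGNING_DIR` and the image paths unquoted into a single string, here and in the matching `else` branches of the next three hunks and of the `PAD_PHASE` hunk; the commit only renumbers the TODO. `$SIGNING_DIR` is read straight from `$ENV{'SIGNING_DIR'}` in the first hunk, and the `>` redirection in the legacy-header call suggests run_command hands the string to a shell, so an unset or oddly formed value would produce a different command than intended rather than a clean failure. Unless it is already validated outside the visible lines, check it once where it is read, e.g. `die "SIGNING_DIR is not a directory\n" unless defined $SIGNING_DIR && -d $SIGNING_DIR;`. manipulateImages begins and ends outside this hunk.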
@@ -745,7 +743,7 @@ sub manipulateImages
}
else
{
- # @TODO RTC:155374 Remove when official signing
+ # @TODO RTC:183183 Remove when official signing
# supported
run_command("$SIGNING_DIR/build -good -if $secureboot_hdr -of $tempImages{PROTECTED_PAYLOAD} -bin $bin_file.protected $SIGN_BUILD_PARAMS");
}
@@ -765,7 +763,7 @@ sub manipulateImages
}
else
{
- # @TODO RTC:155374 Remove when official signing
+ # @TODO RTC:183183 Remove when official signing
# supported
run_command("$SIGNING_DIR/build -good -if $secureboot_hdr -of $tempImages{HDR_PHASE} -bin $bin_file $SIGN_BUILD_PARAMS");
}
@@ -804,7 +802,7 @@ sub manipulateImages
}
else
{
- # @TODO RTC:155374 Remove when official signing
+ # @TODO RTC:183183 Remove when official signing
# supported
run_command("$SIGNING_DIR/build -good -if "
. "$secureboot_hdr -of $tempImages{HDR_PHASE} -bin "
@@ -821,6 +819,7 @@ sub manipulateImages
. "--protectedPayload $bin_file "
. "--out $tempImages{HDR_PHASE}");
}
+ # @TODO RTC:183183 Remove when official signing supported
else # attach the legacy header
{
run_command("env echo -en VERSION\\\\0 > $tempImages{TEMP_SHA_IMG}");
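Review bot: The TODO added above `else # attach the legacy header` sits between the closing brace and the `else`, where it reads as if it belonged to the preceding branch, and it does not name what is to be removed. Since this commit is about removing Secure Boot workarounds, the comment should make clear that the legacy-header branch is the one still outstanding, for example as the first line inside the block: `# @TODO RTC:183183 Remove this legacy header branch when official signing supported`. The same placement recurs in the last hunk before `else # Attach legacy header`. The if/else chain starts outside the hunk.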
@@ -924,7 +923,7 @@ sub manipulateImages
}
else
{
- # @TODO RTC:155374 Remove when official signing
+ # @TODO RTC:183183 Remove when official signing
# supported
run_command("$SIGNING_DIR/build -good -if $secureboot_hdr -of $tempImages{PAD_PHASE} -bin $tempImages{TEMP_BIN} $SIGN_BUILD_PARAMS");
}
@@ -941,6 +940,7 @@ sub manipulateImages
. "--protectedPayload $tempImages{TEMP_BIN} "
. "--out $tempImages{PAD_PHASE}");
}
+ # @TODO RTC:183183 Remove when official signing supported
else # Attach legacy header
{
run_command("env echo -en VERSION\\\\0 > $tempImages{TEMP_SHA_IMG}");