authorDave Heller <hellerda@linux.vnet.ibm.com>2018-04-01 14:05:37 -0400
committerWilliam G. Hoffa <wghoffa@us.ibm.com>2018-07-05 12:19:06 -0400
commitadc91be44ab6b61691801820aa2fc053db8cebbf (patch)
tree82ca4d30e150f31e9b9500a20af32e15f7dbab88 /src/build/buildpnor/genPnorImages.pl
parent50e72792adbdea613e4a2aeea25b60ba1043a2b8 (diff)
Secure Boot: Support Independent signing mode in genPnorImages.pl
This changes signMode() from a tuple to a triple, supporting 'independent' as an allowable value, and passing this value to crtSignedContainer.sh as appropriate. For simplicity, Independent mode is not considered in the setting of the LAB_SECURITY_OVERRIDE_FLAG or for transition containers. Change-Id: Ibda46b963805f378e37d271e31ed31dff36daaf8 Signed-off-by: Dave Heller <hellerda@linux.vnet.ibm.com> Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/61782 Tested-by: Jenkins Server <pfd-jenkins+hostboot@us.ibm.com> Tested-by: Jenkins OP Build CI <op-jenkins+hostboot@us.ibm.com> Tested-by: Jenkins OP HW <op-hw-jenkins+hostboot@us.ibm.com> Disable-CI: Nicholas E. Bofferding <bofferdn@us.ibm.com> Reviewed-by: William G. Hoffa <wghoffa@us.ibm.com>
Diffstat (limited to 'src/build/buildpnor/genPnorImages.pl')
-rwxr-xr-xsrc/build/buildpnor/genPnorImages.pl28
1 files changed, 19 insertions, 9 deletions
diff --git a/src/build/buildpnor/genPnorImages.pl b/src/build/buildpnor/genPnorImages.pl
index ba42d81ec..9de7b3113 100755
--- a/src/build/buildpnor/genPnorImages.pl
+++ b/src/build/buildpnor/genPnorImages.pl
@@ -98,6 +98,7 @@ use constant RAND_PREFIX => "rand-";
my $DEVELOPMENT = "development";
my $IMPRINT = "imprint";
my $PRODUCTION = "production";
+my $INDEPENDENT = "independent";
################################################################################
# I/O parsing
@@ -161,13 +162,21 @@ if ($buildType eq "fspbuild")
# Put mode transition input into a hash and ensure a valid signing mode
my %signMode = ( $DEVELOPMENT => 1,
- $PRODUCTION => 0 );
+ $PRODUCTION => 0,
+ $INDEPENDENT => 0 );
if ($sign_mode =~ m/^$DEVELOPMENT/i)
{}
elsif ($sign_mode =~ m/^$PRODUCTION/i)
{
$signMode{$PRODUCTION} = 1;
$signMode{$DEVELOPMENT} = 0;
+ $signMode{$INDEPENDENT} = 0;
+}
+elsif ($sign_mode =~ m/^$INDEPENDENT/i)
+{
+ $signMode{$PRODUCTION} = 0;
+ $signMode{$DEVELOPMENT} = 0;
+ $signMode{$INDEPENDENT} = 1;
}
else
{
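Review bot: The new `elsif ($sign_mode =~ m/^$INDEPENDENT/i)` test anchors only the start of the string, as do the two existing branches, so any value that merely begins with "independent" (in any letter case, with arbitrary trailing text) is accepted as a valid signing mode. For an option that selects how secure-boot containers are signed, the check should match the whole value, for example `elsif ($sign_mode =~ m/\A\Q$INDEPENDENT\E\z/i)`, with the same change applied to the development and production branches. Normalising once with `$sign_mode = lc $sign_mode;` and comparing with `eq` would also make the three hand-maintained flag assignments easier to keep consistent. The body of the final `else` branch lies outside this hunk, so how an invalid mode is rejected cannot be confirmed from here.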
@@ -267,20 +276,21 @@ my $OPEN_SIGN_KEY_TRANS_REQUEST = $OPEN_SIGN_REQUEST;
# Production signing parameters
my $OPEN_PRD_SIGN_PARAMS = "--mode production "
- . "--hwPrivKeyA __get "
- . "--hwPrivKeyB __get "
- . "--hwPrivKeyC __get "
- . "--swPrivKeyP __get ";
+ . "--hwKeyA __get "
+ . "--hwKeyB __get "
+ . "--hwKeyC __get "
+ . "--swKeyP __get ";
# Imprint key signing parameters. In a non-secure compile, omit the keys to
# generate a secure header without signatures
my $OPEN_DEV_SIGN_PARAMS = "";
if($secureboot)
{
- $OPEN_DEV_SIGN_PARAMS = " --hwPrivKeyA $DEV_KEY_DIR/hw_key_a.key "
- . "--hwPrivKeyB $DEV_KEY_DIR/hw_key_b.key "
- . "--hwPrivKeyC $DEV_KEY_DIR/hw_key_c.key "
- . "--swPrivKeyP $DEV_KEY_DIR/sw_key_a.key";
+ $OPEN_DEV_SIGN_PARAMS = "--mode $sign_mode "
+ . "--hwKeyA $DEV_KEY_DIR/hw_key_a.key "
+ . "--hwKeyB $DEV_KEY_DIR/hw_key_b.key "
+ . "--hwKeyC $DEV_KEY_DIR/hw_key_c.key "
+ . "--swKeyP $DEV_KEY_DIR/sw_key_a.key";
}
# Handle key transition and production signing logic
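Review bot: `"--mode $sign_mode "` interpolates the raw option value into the signing parameter string rather than one of the validated constants. The mode check earlier in this commit is a case-insensitive prefix match, so differently cased input or trailing text reaches the signing script's argument list unchanged. Derive the value from the matched constant instead, e.g. `my $signModeName = $signMode{$INDEPENDENT} ? $INDEPENDENT : $DEVELOPMENT;` followed by `$OPEN_DEV_SIGN_PARAMS = "--mode $signModeName "`. How the parameter string is later passed to the signing script, and which `--mode` values it accepts, is outside this hunk and should be confirmed. A short comment noting that the `--hwPrivKey*`/`--swPrivKeyP` options were renamed to `--hwKey*`/`--swKeyP` to match the signing script's interface would help whoever next updates that script.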