author | Stephen Cprek <smcprek@us.ibm.com> | 2017-04-10 16:32:00 -0500 |
---|---|---|
committer | William G. Hoffa <wghoffa@us.ibm.com> | 2017-05-01 17:53:46 -0400 |
commit | 863b78e70f9b11e9948c380e1d5cd5790d8d9962 (patch) | |
tree | 37e0685a747c34d2bc4e58018eb2ac7f1910072a /src/build | |
parent | 142a25c1a3453d0cc5bac4a93a2765e60a281d2d (diff) | |
Port P8 HBI page verification functionality
Verify HBI pages via its securely signed hash page table
Change-Id: I86d29ee393c19aa0d9c5270b0b6c561a9fc4ab51
RTC: 167668
Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/39071
Tested-by: Jenkins Server <pfd-jenkins+hostboot@us.ibm.com>
Reviewed-by: Nicholas E. Bofferding <bofferdn@us.ibm.com>
Tested-by: Jenkins OP Build CI <op-jenkins+hostboot@us.ibm.com>
Tested-by: FSP CI Jenkins <fsp-CI-jenkins+hostboot@us.ibm.com>
Reviewed-by: Michael Baiocchi <mbaiocch@us.ibm.com>
Reviewed-by: William G. Hoffa <wghoffa@us.ibm.com>
Diffstat (limited to 'src/build')
-rwxr-xr-x | src/build/buildpnor/genPnorImages.pl | 10 | ||||
-rwxr-xr-x | src/build/tools/hb | 5 | ||||
-rwxr-xr-x | src/build/tools/hbDistribute | 7 |
3 files changed, 12 insertions, 10 deletions
diff --git a/src/build/buildpnor/genPnorImages.pl b/src/build/buildpnor/genPnorImages.pl
index 3c8d4c973..fb5c5f5d7 100755
--- a/src/build/buildpnor/genPnorImages.pl
+++ b/src/build/buildpnor/genPnorImages.pl
@@ -541,7 +541,7 @@ sub manipulateImages
 # Sections that have secureboot support. Secureboot still must be
 # enabled for secureboot actions on these partitions to occur.
 # @TODO securebootp9 re-enable with SBE/SBEC/PAYLOAD secureboot ports
- my $isNormalSecure ||= ($eyeCatch eq "HBBL");
+ my $isNormalSecure = ($eyeCatch eq "HBBL");
 $isNormalSecure ||= ($eyeCatch eq "SBE");
 $isNormalSecure ||= ($eyeCatch eq "HBRT");
 #$isNormalSecure ||= ($eyeCatch eq "SBEC");
@@ -552,7 +552,7 @@ sub manipulateImages
 my $isSpecialSecure = ($eyeCatch eq "HBB");
 $isSpecialSecure ||= ($eyeCatch eq "HBD");
- #$isSpecialSecure ||= ($eyeCatch eq "HBI");
+ $isSpecialSecure ||= ($eyeCatch eq "HBI");
 # Used to indicate security is supported in firmware
 my $secureSupported = $isNormalSecure || $isSpecialSecure;
@@ -620,8 +620,7 @@ sub manipulateImages
 if ($secureboot && $secureSupported)
 {
 $callerHwHdrFields{configure} = 1;
- # @TODO securebootp9 re-enable hash page table with vfs page table port
- if (0) #exists $hashPageTablePartitions{$eyeCatch})
+ if (exists $hashPageTablePartitions{$eyeCatch})
 {
 if ($eyeCatch eq "HBI")
 {
@@ -635,8 +634,7 @@ sub manipulateImages
 }
 }
 # Add hash page table
- # @TODO securebootp9 re-enable hash page table with vfs page table port
- if (0) #$tempImages{hashPageTable} ne "" && -e $tempImages{hashPageTable})
+ if ($tempImages{hashPageTable} ne "" && -e $tempImages{hashPageTable})
 {
 trace(1,"Adding hash page table for $eyeCatch");
 my $hashPageTableSize = -s $tempImages{hashPageTable};
diff --git a/src/build/tools/hb b/src/build/tools/hb
index fb049d5f4..ceb40b7bb 100755
--- a/src/build/tools/hb
+++ b/src/build/tools/hb 
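Review bot: The re-enabled check in the `@@ -635,8 +634,7 @@` hunk, `if ($tempImages{hashPageTable} ne "" && -e $tempImages{hashPageTable})`, falls through silently when the file is missing, so a partition listed in `%hashPageTablePartitions` could be packaged with secureboot enabled but without the hash page table that page verification depends on. Unless the generation block re-enabled in the `@@ -620,8 +620,7 @@` hunk already aborts on failure (its body lies outside both hunks), I would make this fail closed after the block with `elsif (exists $hashPageTablePartitions{$eyeCatch}) { die "Hash page table missing for $eyeCatch"; }`, or the script's own error path. The `ne ""` comparison also presumably assumes the `hashPageTable` key is always defined; a `defined` guard would avoid an uninitialized-value warning if it is not. manipulateImages starts and ends outside these hunks.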
@@ -6,7 +6,7 @@
 #
 # OpenPOWER HostBoot Project
 #
-# Contributors Listed Below - COPYRIGHT 2011,2016
+# Contributors Listed Below - COPYRIGHT 2011,2017
 # [+] International Business Machines Corp.
 #
 #
@@ -242,9 +242,6 @@ hb_helptext()
 echo " #!/bin/sh"
 echo " export SANDBOXROOT=~/sandboxes"
 echo " export SANDBOXNAME=hostboot"
- echo " # Dev key signing of images for secureboot"
- echo " export SIGNING_DIR=/esw/san2/hostboot/secure-boot/secure-boot-scripts/rom_new_header/sign/obj"
- echo " export DEV_KEY_DIR=/esw/san2/hostboot/secure-boot/dev_keys"
 echo
 echo " See also:"
 echo " All other sub-commands."
diff --git a/src/build/tools/hbDistribute b/src/build/tools/hbDistribute
index 003905e93..99119c818 100755
--- a/src/build/tools/hbDistribute
+++ b/src/build/tools/hbDistribute
@@ -199,6 +199,13 @@ else
 export DEFAULT_PNOR=1
 fi
+# Clean up preivous rand files. Should only be needed if a previous call failed.
+# Done before dist.targets.mk because there are parallel operations that occur.
+# So if we delete in genPnorImages.pl we would wipe out stuff currently being
+# used elsewhere and cause a file not found error.
+# Note: Prefix is set by genPnorImages.pl
+rm -f ${SANDBOXROOT}/${SANDBOXNAME}/obj/ppc/hbfw/img/rand-*
+
 # Execute makefile for distribution.
 mkdir -p $TARGET_DIR
 mkdir -p $SBFW_DIR |
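Review bot: The added `rm -f ${SANDBOXROOT}/${SANDBOXNAME}/obj/ppc/hbfw/img/rand-*` in the hbDistribute hunk expands both variables unquoted and unchecked, so if either is empty the glob resolves to a path outside the sandbox, and a value containing spaces is word-split. Whether they are validated earlier in the script is not visible from this hunk; `rm -f "${SANDBOXROOT:?}/${SANDBOXNAME:?}"/obj/ppc/hbfw/img/rand-*` makes the command abort instead of deleting elsewhere. The comment has a typo (`preivous`), and it could also say whether two hbDistribute runs sharing one sandbox can overlap, since this cleanup would then remove rand files the other run is still using.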