diff options
author | Jaymes Wilks <mjwilks@us.ibm.com> | 2017-10-26 09:37:07 -0500 |
---|---|---|
committer | William G. Hoffa <wghoffa@us.ibm.com> | 2017-11-09 17:50:21 -0500 |
commit | 5fa02a909075081da87ea537d13cb7a61e543176 (patch) | |
tree | 5fb5437e9f54d6964f6bdb9c10bb8306b19ad585 /src | |
parent | 3378748dbc2e153ed005e832b8398adfb2729a74 (diff) | |
download | talos-hostboot-5fa02a909075081da87ea537d13cb7a61e543176.tar.gz talos-hostboot-5fa02a909075081da87ea537d13cb7a61e543176.zip |
Support selecting fips or op-build for signing process
Adds a new '--build-type' option to genPnorImages.pl to specify
either fspbuild or opbuild, which adds the appropriate magic
value to the secure header during the signing process.
Change-Id: I46a97f88666a5cc925797d3ad0e870a5f5bac89a
RTC:163655
Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/48930
Tested-by: Jenkins Server <pfd-jenkins+hostboot@us.ibm.com>
Tested-by: Jenkins OP Build CI <op-jenkins+hostboot@us.ibm.com>
Tested-by: Jenkins OP HW <op-hw-jenkins+hostboot@us.ibm.com>
Tested-by: FSP CI Jenkins <fsp-CI-jenkins+hostboot@us.ibm.com>
Reviewed-by: Stephen M. Cprek <smcprek@us.ibm.com>
Reviewed-by: Michael Baiocchi <mbaiocch@us.ibm.com>
Reviewed-by: William G. Hoffa <wghoffa@us.ibm.com>
Diffstat (limited to 'src')
-rwxr-xr-x | src/build/buildpnor/genPnorImages.pl | 24 | ||||
-rwxr-xr-x | src/build/mkrules/hbfw/img/makefile | 8 | ||||
-rw-r--r-- | src/include/usr/secureboot/containerheader.H | 7 | ||||
-rw-r--r-- | src/usr/pnor/spnorrp.C | 3 | ||||
-rw-r--r-- | src/usr/secureboot/common/containerheader.C | 5 |
5 files changed, 41 insertions, 6 deletions
diff --git a/src/build/buildpnor/genPnorImages.pl b/src/build/buildpnor/genPnorImages.pl index 614c44334..5d5d207d2 100755 --- a/src/build/buildpnor/genPnorImages.pl +++ b/src/build/buildpnor/genPnorImages.pl @@ -79,16 +79,18 @@ use constant LOCAL_SIGNING_FLAG => " -flag "; use constant OP_SIGNING_FLAG => " --flags "; # Security bits HW flag strings use constant OP_BUILD_FLAG => 0x80000000; -use constant FIPS_BUILD_FLAG => 0x40000000; +# TODO 1633655 For now, as a workaround FIPS_BUILD_FLAG will be the same as +# OP_BUILD_FLAG until the larger team is ready to take on the new value. +use constant FIPS_BUILD_FLAG => 0x80000000; +# use constant FIPS_BUILD_FLAG => 0x40000000; # Applies to SBE image only use constant LAB_SECURITY_OVERRIDE_FLAG => 0x00080000; use constant KEY_TRANSITION_FLAG => 0x00000001; # Size of HW keys' Hash use constant HW_KEYS_HASH_SIZE => 64; -# TODO: RTC 163655 -# Implement dynamic support for choosing FSP or op-build flag type. -# For now, assume OP build +# Dynamic support for choosing FSP or op-build flag type. +# Default to OP build my $buildFlag = OP_BUILD_FLAG; # Corrupt parameter strings @@ -122,6 +124,7 @@ my %partitionsToCorrupt = (); my $sign_mode = $DEVELOPMENT; my $hwKeyHashFile = ""; my $hb_standalone=""; +my $buildType=""; # @TODO RTC 170650: Set default to 0 after all environments provide external # control over this policy, plus remove '!' from 'lab-security-override' @@ -143,6 +146,7 @@ GetOptions("binDir:s" => \$bin_dir, "hb-standalone" => \$hb_standalone, "lab-security-override!" => \$labSecurityOverride, "emit-eccless" => \$emitEccless, + "build-type:s" => \$buildType, "help" => \$help); if ($help) @@ -155,6 +159,12 @@ if ($help) # Environment Setup, Checking, and Variable Initialization ################################################################################ +# Get the build type +if ($buildType eq "fspbuild") +{ + $buildFlag = FIPS_BUILD_FLAG; +} + # Put mode transition input into a hash and ensure a valid signing mode my %signMode = ( $DEVELOPMENT => 1, $PRODUCTION => 0 ); @@ -1313,6 +1323,12 @@ print <<"ENDUSAGE"; physical jumpers on the system planar. --emit-eccless In addition to typical output, also emit ECC-less versions of any input binaries + --build-type Specify whether the type of build is FIPS or + OpenPower, indicated by either 'fspbuild' + or 'opbuild' immediately following the + switch (separated with a space and not + including the single quotes). OpenPower is + the default. Current Limitations: - Issues with dependency on ENGD build for certain files such as SBE. This is why [--build-all | --install-all ] are used. diff --git a/src/build/mkrules/hbfw/img/makefile b/src/build/mkrules/hbfw/img/makefile index d878a6521..a420b6e3b 100755 --- a/src/build/mkrules/hbfw/img/makefile +++ b/src/build/mkrules/hbfw/img/makefile @@ -176,6 +176,10 @@ PNOR_LAYOUT = ${pnorLayoutFSP.xml:P} PNOR_LAYOUT = ${defaultPnorLayout.xml:P} .endif +# Since this makefile is only ever used for an FSP signing environment, then +# we can just specify that we want an fspbuild here without any condition. +BUILD_TYPE_PARAMS = --build-type fspbuild + # Decide which PNOR to build .if(${FAKEPNOR} == "") # Parameters passed into GEN_PNOR_IMAGE_SCRIPT. @@ -226,7 +230,7 @@ gen_default_images: ${GEN_DEFAULT_IMAGES_DEPS} # result [hbbl][pad:8:if-applicable][securerom-size:8][securerom] # Call script to generate final bin files for default images - export LD_PRELOAD=${SIGNING_LIBS} && ${GEN_PNOR_IMAGE_SCRIPT} ${DEFAULT_PARAMS} + export LD_PRELOAD=${SIGNING_LIBS} && ${GEN_PNOR_IMAGE_SCRIPT} ${DEFAULT_PARAMS} ${BUILD_TYPE_PARAMS} clobber_cp_hbfiles: rm -f ${ALL_DEFAULT_IMAGES} @@ -379,7 +383,7 @@ ZEPPELIN_HBD_FINAL_IMG = ZEPPELIN.HBD.bin gen_system_specific_images_bypass_cache : dump-secureboot-config # Call script to generate final bin file for chip/system specific images - export LD_PRELOAD=${SIGNING_LIBS} && ${GEN_PNOR_IMAGE_SCRIPT} ${SYSTEM_SPECIFIC_PARAMS} + export LD_PRELOAD=${SIGNING_LIBS} && ${GEN_PNOR_IMAGE_SCRIPT} ${SYSTEM_SPECIFIC_PARAMS} ${BUILD_TYPE_PARAMS} #for NIMBUS fake pnor skip version header .if(${FAKEPNOR} != "") diff --git a/src/include/usr/secureboot/containerheader.H b/src/include/usr/secureboot/containerheader.H index 49ecc9223..255566c9d 100644 --- a/src/include/usr/secureboot/containerheader.H +++ b/src/include/usr/secureboot/containerheader.H @@ -75,6 +75,13 @@ class ContainerHeader size_t totalContainerSize() const; /** + * @brief Retrieves the prefix header flags + * + * @return uint32_t containing prefix header flags + */ + uint32_t prefixHeaderFlags() const; + + /** * @brief Retrieves pointer to first hw key * @return ecc_key_t* - ptr to first hw key */ diff --git a/src/usr/pnor/spnorrp.C b/src/usr/pnor/spnorrp.C index 1643215fd..b45ac3e71 100644 --- a/src/usr/pnor/spnorrp.C +++ b/src/usr/pnor/spnorrp.C @@ -425,6 +425,9 @@ uint64_t SPnorRP::verifySections(SectionId i_id, SECUREBOOT::ContainerHeader l_conHdr(l_tempAddr); size_t l_totalContainerSize = l_conHdr.totalContainerSize(); + auto l_prefixHdrFlags = l_conHdr.prefixHeaderFlags(); + + TRACFCOMP(g_trac_pnor, "Prefix hdr flags:0x%X",l_prefixHdrFlags); TRACFCOMP(g_trac_pnor, "SPnorRP::verifySections " "Total container size = 0x%.16llX", l_totalContainerSize); diff --git a/src/usr/secureboot/common/containerheader.C b/src/usr/secureboot/common/containerheader.C index 169c1254d..069a587d9 100644 --- a/src/usr/secureboot/common/containerheader.C +++ b/src/usr/secureboot/common/containerheader.C @@ -152,6 +152,11 @@ size_t ContainerHeader::totalContainerSize() const return iv_headerInfo.hw_hdr.container_size; } +uint32_t ContainerHeader::prefixHeaderFlags() const +{ + return iv_headerInfo.hw_prefix_hdr.flags; +} + const ecc_key_t* ContainerHeader::hw_keys() const { return &iv_headerInfo.hw_hdr.hw_pkey_a; |