diff options
-rwxr-xr-x | src/build/buildpnor/genPnorImages.pl | 247 | ||||
-rwxr-xr-x | src/build/mkrules/hbfw/img/makefile | 1 | ||||
-rwxr-xr-x | src/build/tools/hbDistribute | 6 |
3 files changed, 49 insertions, 205 deletions
diff --git a/src/build/buildpnor/genPnorImages.pl b/src/build/buildpnor/genPnorImages.pl index 463e595a3..8a9bcfd4b 100755 --- a/src/build/buildpnor/genPnorImages.pl +++ b/src/build/buildpnor/genPnorImages.pl @@ -34,8 +34,6 @@ use PnorUtils qw(loadPnorLayout getNumber traceErr trace run_command PAGE_SIZE getSwSignatures getBinDataFromFile); use Getopt::Long qw(:config pass_through); -use constant COMMUNITY => "community"; - # Hostboot base image constants for the hardware header portion of the # secureboot header use constant BASE_IMAGE_TOTAL_CONTAINER_SIZE => 0x000000000007EF80; @@ -75,7 +73,6 @@ use constant VFS_MODULE_TABLE_MAX_SIZE => VFS_EXTENDED_MODULE_MAX * VFS_MODULE_TABLE_ENTRY_SIZE; # Flag parameter string passed into signing tools # Note spaces before/after are critical. -use constant LOCAL_SIGNING_FLAG => " -flag "; use constant OP_SIGNING_FLAG => " --flags "; # Security bits HW flag strings use constant OP_BUILD_FLAG => 0x80000000; @@ -249,33 +246,6 @@ if ($secureboot) die "sw_key_a DNE in $DEV_KEY_DIR" if(!glob("$DEV_KEY_DIR/sw_key_a*")); } -my $openSigningTool = 0; -my $SIGNING_TOOL_EDITION = $ENV{'SIGNING_TOOL_EDITION'}; -if($SIGNING_TOOL_EDITION eq COMMUNITY) -{ - $openSigningTool = 1; -} - -### Local development signing -# Requires naming convention of hw/sw keys in DEV_KEY_DIR -my $SIGN_BUILD_PARAMS = "-skp ${DEV_KEY_DIR}/sw_key_a"; - -# Key prefix used for current key siging of partitions (N/A for open edition) -my $SIGN_PREFIX_PARAMS = "-hka ${DEV_KEY_DIR}/hw_key_a -hkb " - . "${DEV_KEY_DIR}/hw_key_b -hkc ${DEV_KEY_DIR}/hw_key_c " - . "-skp ${DEV_KEY_DIR}/sw_key_a"; - -# Key prefix used for secureboot key transition partition. -# Default key transition to same keys. -my $SIGN_SBKT_PREFIX_PARAMS = $SIGN_PREFIX_PARAMS; -if ($keyTransition{enabled}) -{ - # Note: simply reordered the keys to create a pseudo production key. - $SIGN_SBKT_PREFIX_PARAMS = "-hka ${DEV_KEY_DIR}/hw_key_c -hkb " - . "${DEV_KEY_DIR}/hw_key_b -hkc ${DEV_KEY_DIR}/hw_key_a " - . "-skp ${DEV_KEY_DIR}/sw_key_a"; -} - ### Open POWER signing my $OPEN_SIGN_REQUEST= "$SIGNING_DIR/crtSignedContainer.sh --scratchDir $bin_dir "; @@ -340,23 +310,19 @@ my $randPrefix = "rand-".POSIX::ceil(rand(0xFFFFFFFF)); my %sb_hdrs = ( DEFAULT => { flags => sprintf("0x%08X",$buildFlag), - prefix => $SIGN_PREFIX_PARAMS, file => "$bin_dir/$randPrefix.default.secureboot.hdr.bin" }, SBE => { flags => sprintf("0x%08X",($buildFlag | $labSecurityOverrideFlag)), - prefix => $SIGN_PREFIX_PARAMS, file => "$bin_dir/$randPrefix.sbe.default.secureboot.hdr.bin" }, SBKT => { outer => { flags => sprintf("0x%08X", $buildFlag | KEY_TRANSITION_FLAG), - prefix => $SIGN_PREFIX_PARAMS, file => "$bin_dir/$randPrefix.sbkt.outer.secureboot.hdr.bin" }, inner => { flags => sprintf("0x%08X", $buildFlag), - prefix => $SIGN_SBKT_PREFIX_PARAMS, file => "$bin_dir/$randPrefix.sbkt.inner.secureboot.hdr.bin" } } @@ -384,36 +350,9 @@ $SETTINGS .= $labSecurityOverride ? "Yes\n" : "No\n"; $SETTINGS .= "//======================================================//\n\n"; print $SETTINGS; -if($secureboot && !$openSigningTool) +if ($build_all && $secureboot) { - # Generate each secureboot header file - foreach my $header (keys %sb_hdrs) - { - next if($header eq "SBKT" && !$key_transition); - - # SBKT parition has 2 sections outer and inner, need to create both - if ($header eq "SBKT") - { - foreach my $section (keys %{$sb_hdrs{$header}}) - { - run_command("$SIGNING_DIR/prefix -good -of $sb_hdrs{$header}{$section}{file}". - LOCAL_SIGNING_FLAG."$sb_hdrs{$header}{$section}{flags}". - " $sb_hdrs{$header}{$section}{prefix}"); - } - } - else - { - run_command("$SIGNING_DIR/prefix -good -of $sb_hdrs{$header}{file}". - LOCAL_SIGNING_FLAG."$sb_hdrs{$header}{flags}". - " $sb_hdrs{$header}{prefix}"); - } - } - - # Generate test containers once and limit to build phase - if ($build_all) - { - gen_test_containers(); - } + gen_test_containers(); } #Load PNOR Layout XML file @@ -443,25 +382,6 @@ foreach my $binFilesCSV (@systemBinFiles) checkSpaceConstraints(\%pnorLayout, \%binFiles, $testRun); } - -# Clean up temp header files -foreach my $header (keys %sb_hdrs) -{ - if($header eq "SBKT") - { - foreach my $section (keys %{$sb_hdrs{$header}}) - { - system("rm -f $sb_hdrs{$header}{$section}{file}"); - die "Could not delete $sb_hdrs{$header}{$section}{file}" if $?; - } - } - else - { - system("rm -f $sb_hdrs{$header}{file}"); - die "Could not delete $sb_hdrs{$header}{file}" if $?; - } -} - ################################################################################ # Subroutines ################################################################################ @@ -589,7 +509,6 @@ sub manipulateImages } my $openSigningFlags = OP_SIGNING_FLAG.$header->{flags}; - my $secureboot_hdr = $header->{file}; my $CUR_OPEN_SIGN_REQUEST = "$OPEN_SIGN_REQUEST $openSigningFlags"; my $componentId = convertEyecatchToCompId($eyeCatch); @@ -717,56 +636,29 @@ sub manipulateImages run_command("cp $tempImages{hashPageTable} $tempImages{PAYLOAD_TEXT}"); } - if($openSigningTool) - { - run_command("$CUR_OPEN_SIGN_REQUEST " - . "--protectedPayload $tempImages{PAYLOAD_TEXT} " - . "--out $tempImages{PROTECTED_PAYLOAD}"); - } - else - { - # @TODO RTC:183183 Remove when official signing - # supported - run_command("$SIGNING_DIR/build -good -if $secureboot_hdr -of $tempImages{PROTECTED_PAYLOAD} -bin $tempImages{PAYLOAD_TEXT} $SIGN_BUILD_PARAMS"); - } + run_command("$CUR_OPEN_SIGN_REQUEST " + . "--protectedPayload $tempImages{PAYLOAD_TEXT} " + . "--out $tempImages{PROTECTED_PAYLOAD}"); run_command("cat $tempImages{PROTECTED_PAYLOAD} $bin_file > $tempImages{HDR_PHASE}"); } # Handle read-only protected payload elsif ($eyeCatch eq "HBD") { - if($openSigningTool) - { - run_command("$CUR_OPEN_SIGN_REQUEST " - . "--protectedPayload $bin_file.protected " - . "--out $tempImages{PROTECTED_PAYLOAD}"); - } - else - { - # @TODO RTC:183183 Remove when official signing - # supported - run_command("$SIGNING_DIR/build -good -if $secureboot_hdr -of $tempImages{PROTECTED_PAYLOAD} -bin $bin_file.protected $SIGN_BUILD_PARAMS"); - } + run_command("$CUR_OPEN_SIGN_REQUEST " + . "--protectedPayload $bin_file.protected " + . "--out $tempImages{PROTECTED_PAYLOAD}"); run_command("cat $tempImages{PROTECTED_PAYLOAD} $bin_file.unprotected > $tempImages{HDR_PHASE}"); } else { - if($openSigningTool) - { - my $codeStartOffset = ($eyeCatch eq "HBB") ? - "--code-start-offset 0x00000180" : ""; - run_command("$CUR_OPEN_SIGN_REQUEST " - . "$codeStartOffset " - . "--protectedPayload $bin_file " - . "--out $tempImages{HDR_PHASE}"); - } - else - { - # @TODO RTC:183183 Remove when official signing - # supported - run_command("$SIGNING_DIR/build -good -if $secureboot_hdr -of $tempImages{HDR_PHASE} -bin $bin_file $SIGN_BUILD_PARAMS"); - } + my $codeStartOffset = ($eyeCatch eq "HBB") ? + "--code-start-offset 0x00000180" : ""; + run_command("$CUR_OPEN_SIGN_REQUEST " + . "$codeStartOffset " + . "--protectedPayload $bin_file " + . "--out $tempImages{HDR_PHASE}"); } # Customize secureboot prefix header with container size, @@ -794,39 +686,17 @@ sub manipulateImages elsif($secureboot && $isNormalSecure) { $callerHwHdrFields{configure} = 1; - if($openSigningTool) - { - run_command("$CUR_OPEN_SIGN_REQUEST " - . "--protectedPayload $bin_file " - . "--out $tempImages{HDR_PHASE}"); - } - else - { - # @TODO RTC:183183 Remove when official signing - # supported - run_command("$SIGNING_DIR/build -good -if " - . "$secureboot_hdr -of $tempImages{HDR_PHASE} -bin " - . "$bin_file $SIGN_BUILD_PARAMS"); - } + run_command("$CUR_OPEN_SIGN_REQUEST " + . "--protectedPayload $bin_file " + . "--out $tempImages{HDR_PHASE}"); } # Add non-secure version header else { # Attach signature-less secure header for OpenPOWER builds - if($openSigningTool) - { - run_command("$CUR_OPEN_SIGN_REQUEST " - . "--protectedPayload $bin_file " - . "--out $tempImages{HDR_PHASE}"); - } - # @TODO RTC:183183 Remove when official signing supported - else # attach the legacy header - { - run_command("env echo -en VERSION\\\\0 > $tempImages{TEMP_SHA_IMG}"); - run_command("sha512sum $bin_file | awk \'{print \$1}\' | xxd -pr -r >> $tempImages{TEMP_SHA_IMG}"); - run_command("dd if=$tempImages{TEMP_SHA_IMG} of=$tempImages{HDR_PHASE} ibs=4k conv=sync"); - run_command("cat $bin_file >> $tempImages{HDR_PHASE}"); - } + run_command("$CUR_OPEN_SIGN_REQUEST " + . "--protectedPayload $bin_file " + . "--out $tempImages{HDR_PHASE}"); } } else @@ -915,18 +785,9 @@ sub manipulateImages if ($secureboot && $secureSupported) { $callerHwHdrFields{configure} = 1; - if($openSigningTool) - { - run_command("$CUR_OPEN_SIGN_REQUEST " - . "--protectedPayload $tempImages{TEMP_BIN} " - . "--out $tempImages{PAD_PHASE}"); - } - else - { - # @TODO RTC:183183 Remove when official signing - # supported - run_command("$SIGNING_DIR/build -good -if $secureboot_hdr -of $tempImages{PAD_PHASE} -bin $tempImages{TEMP_BIN} $SIGN_BUILD_PARAMS"); - } + run_command("$CUR_OPEN_SIGN_REQUEST " + . "--protectedPayload $tempImages{TEMP_BIN} " + . "--out $tempImages{PAD_PHASE}"); setCallerHwHdrFields(\%callerHwHdrFields, $tempImages{PAD_PHASE}); } @@ -934,20 +795,9 @@ sub manipulateImages else { # Attach signature-less secure header for OpenPOWER builds - if($openSigningTool) - { - run_command("$CUR_OPEN_SIGN_REQUEST " - . "--protectedPayload $tempImages{TEMP_BIN} " - . "--out $tempImages{PAD_PHASE}"); - } - # @TODO RTC:183183 Remove when official signing supported - else # Attach legacy header - { - run_command("env echo -en VERSION\\\\0 > $tempImages{TEMP_SHA_IMG}"); - run_command("sha512sum $tempImages{TEMP_BIN} | awk \'{print \$1}\' | xxd -pr -r >> $tempImages{TEMP_SHA_IMG}"); - run_command("dd if=$tempImages{TEMP_SHA_IMG} of=$tempImages{PAD_PHASE} ibs=4k conv=sync"); - run_command("cat $tempImages{TEMP_BIN} >> $tempImages{PAD_PHASE}"); - } + run_command("$CUR_OPEN_SIGN_REQUEST " + . "--protectedPayload $tempImages{TEMP_BIN} " + . "--out $tempImages{PAD_PHASE}"); } } # Corrupt section if user specified to do so, before ECC injection. @@ -1192,18 +1042,27 @@ sub gen_test_containers PROTECTED_PAYLOAD => "$bin_dir/$randPrefix.test.protected_payload.bin" ); + # Setup open signing for test image + my $header = $sb_hdrs{DEFAULT}; + + my $openSigningFlags = OP_SIGNING_FLAG.$header->{flags}; + + my $CUR_OPEN_SIGN_REQUEST = "$OPEN_SIGN_REQUEST $openSigningFlags"; + my $componentId = "TESTCONT"; + $CUR_OPEN_SIGN_REQUEST .= " --sign-project-FW-token $componentId "; + # Create a signed test container # name = secureboot_signed_container (no prefix in hb cacheadd) my $test_container = "$bin_dir/secureboot_signed_container"; run_command("dd if=/dev/zero count=1 | tr \"\\000\" \"\\377\" > $tempImages{TEST_CONTAINER_DATA}"); - run_command("$SIGNING_DIR/build -good -if $sb_hdrs{DEFAULT}{file} -of $test_container -bin $tempImages{TEST_CONTAINER_DATA} $SIGN_BUILD_PARAMS"); + run_command("$CUR_OPEN_SIGN_REQUEST --protectedPayload $tempImages{TEST_CONTAINER_DATA} --out $test_container"); # Create a signed test container with a hash page table # name = secureboot_hash_page_table_container (no prefix in hb cacheadd) $test_container = "$bin_dir/secureboot_hash_page_table_container"; run_command("dd if=/dev/urandom count=5 ibs=4096 | tr \"\\000\" \"\\377\" > $tempImages{TEST_CONTAINER_DATA}"); $tempImages{hashPageTable} = genHashPageTable($tempImages{TEST_CONTAINER_DATA}, "secureboot_test"); - run_command("$SIGNING_DIR/build -good -if $sb_hdrs{DEFAULT}{file} -of $tempImages{PROTECTED_PAYLOAD} -bin $tempImages{hashPageTable} $SIGN_BUILD_PARAMS"); + run_command("$CUR_OPEN_SIGN_REQUEST --protectedPayload $tempImages{hashPageTable} --out $tempImages{PROTECTED_PAYLOAD}"); run_command("cat $tempImages{PROTECTED_PAYLOAD} $tempImages{TEST_CONTAINER_DATA} > $test_container "); # Clean up temp images @@ -1238,27 +1097,17 @@ sub create_sb_key_transition_container # Gen 4K blob of random data run_command("dd if=/dev/urandom of=$tempImages{RAND_BLOB} count=1 bs=4k"); - if($openSigningTool) - { - die "Key transition not allowed in $sign_mode mode" if ($OPEN_SIGN_KEY_TRANS_REQUEST eq ""); - - # Create a signed container with new production keys - run_command("$OPEN_SIGN_KEY_TRANS_REQUEST".OP_SIGNING_FLAG - . "$sb_hdrs{SBKT}{inner}{flags} --protectedPayload $tempImages{RAND_BLOB} " - . "--out $tempImages{PRD_KEY_FILE}"); - # Sign new production key container with imprint keys - my $sbktComponentIdArg = "--sign-project-FW-token SBKT "; - run_command("$OPEN_SIGN_REQUEST ".$sbktComponentIdArg.OP_SIGNING_FLAG - . "$sb_hdrs{SBKT}{outer}{flags} --protectedPayload $tempImages{PRD_KEY_FILE} " - . "--out $o_file"); - } - else - { - # Create a signed container with new production keys - run_command("$SIGNING_DIR/build -good -if $sb_hdrs{SBKT}{inner}{file} -of $tempImages{PRD_KEY_FILE} -bin $tempImages{RAND_BLOB} $SIGN_BUILD_PARAMS"); - # Sign new production key container with imprint keys - run_command("$SIGNING_DIR/build -good -if $sb_hdrs{SBKT}{outer}{file} -of $o_file -bin $tempImages{PRD_KEY_FILE} $SIGN_BUILD_PARAMS"); - } + die "Key transition not allowed in $sign_mode mode" if ($OPEN_SIGN_KEY_TRANS_REQUEST eq ""); + + # Create a signed container with new production keys + run_command("$OPEN_SIGN_KEY_TRANS_REQUEST".OP_SIGNING_FLAG + . "$sb_hdrs{SBKT}{inner}{flags} --protectedPayload $tempImages{RAND_BLOB} " + . "--out $tempImages{PRD_KEY_FILE}"); + # Sign new production key container with imprint keys + my $sbktComponentIdArg = "--sign-project-FW-token SBKT "; + run_command("$OPEN_SIGN_REQUEST ".$sbktComponentIdArg.OP_SIGNING_FLAG + . "$sb_hdrs{SBKT}{outer}{flags} --protectedPayload $tempImages{PRD_KEY_FILE} " + . "--out $o_file"); # Clean up temp images foreach my $image (keys %tempImages) diff --git a/src/build/mkrules/hbfw/img/makefile b/src/build/mkrules/hbfw/img/makefile index d13a5528f..634ea1341 100755 --- a/src/build/mkrules/hbfw/img/makefile +++ b/src/build/mkrules/hbfw/img/makefile @@ -175,7 +175,6 @@ Secure Boot Signing Config:\n\ Signing utils subdir [${SIGNING_UTILS_DIR}]\n\ Final signing dir [${SIGNING_DIR}]\n\ Development key dir [${DEV_KEY_DIR}]\n\ - Signing edition [${SIGNING_TOOL_EDITION}]\n\ Signing mode [${BR2_OPENPOWER_SECUREBOOT_SIGN_MODE}]\n\ Compile secureboot? [${CONFIG_SECUREBOOT}]\n\ Libs to preload [${SIGNING_LIBS}]\n\ diff --git a/src/build/tools/hbDistribute b/src/build/tools/hbDistribute index 188145c77..41936cb93 100755 --- a/src/build/tools/hbDistribute +++ b/src/build/tools/hbDistribute @@ -6,7 +6,7 @@ # # OpenPOWER HostBoot Project # -# Contributors Listed Below - COPYRIGHT 2012,2017 +# Contributors Listed Below - COPYRIGHT 2012,2018 # [+] International Business Machines Corp. # # @@ -187,10 +187,6 @@ echo "Secure Boot: Signing utils dir is ${SIGNING_UTILS_DIR}" export DEV_KEY_DIR="${SIGNING_BASE_DIR}/sb-signing-keys" echo "Secure Boot: Development keys dir is ${DEV_KEY_DIR}" -# Force genPnorImages.pl to use the open signing tool -export SIGNING_TOOL_EDITION="community"; -echo "Secure Boot: Signing tool edition is ${SIGNING_TOOL_EDITION}" - # Dynamically check config file if secureboot enabled build occurred if [[ -f ${PROJECT_ROOT}/obj/genfiles/config.h ]]; then if cat ${PROJECT_ROOT}/obj/genfiles/config.h | grep -q "CONFIG_SECUREBOOT 1"; then |