From 6be04f343c79ff5ed826d0e166324af720e7c85e Mon Sep 17 00:00:00 2001
From: Nick Bofferding <bofferdn@us.ibm.com>
Date: Wed, 30 May 2018 09:55:33 -0500
Subject: Secure Boot: Purge SW signature cache for multinode binaries

When signing targeting binaries for multinode systems, the build process
erroneously reuses the SW signature for node 0 when creating the secure header
for other nodes.  This change moves the signature purge logic into the loop that
handles multiple nodes worth of content

Change-Id: I1e1154cbfb06375c3b62e3710c9bd2384b961076
CQ: SW430711
Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/59548
Reviewed-by: Michael Baiocchi <mbaiocch@us.ibm.com>
Reviewed-by: ILYA SMIRNOV <ismirno@us.ibm.com>
Tested-by: Jenkins Server <pfd-jenkins+hostboot@us.ibm.com>
Tested-by: Jenkins OP Build CI <op-jenkins+hostboot@us.ibm.com>
Tested-by: Jenkins OP HW <op-hw-jenkins+hostboot@us.ibm.com>
Tested-by: FSP CI Jenkins <fsp-CI-jenkins+hostboot@us.ibm.com>
Reviewed-by: William G. Hoffa <wghoffa@us.ibm.com>
---
 src/build/buildpnor/genPnorImages.pl | 27 ++++++++++++++-------------
 1 file changed, 14 insertions(+), 13 deletions(-)

diff --git a/src/build/buildpnor/genPnorImages.pl b/src/build/buildpnor/genPnorImages.pl
index d90f18023..b5633d66f 100755
--- a/src/build/buildpnor/genPnorImages.pl
+++ b/src/build/buildpnor/genPnorImages.pl
@@ -527,19 +527,6 @@ sub manipulateImages
         my $componentId = convertEyecatchToCompId($eyeCatch);
         $CUR_OPEN_SIGN_REQUEST .= " --sign-project-FW-token $componentId ";
 
-        # @TODO RTC 182358
-        # This is a tactical workaround for the signing tooling not being
-        # able to handle muliple different platform binary contents for the same
-        # component ID.  The signing tooling should be modified to tolerate this
-        # scenario, at which point the workaround can be removed.
-        if ($buildType eq "fspbuild")
-        {
-            my @signatureFiles=
-                glob("$bin_dir/SIGNTOOL_*/$componentId/*sig_p.raw $bin_dir/SIGNTOOL_*/$componentId/*key_p.sig");
-            print "Deleting @signatureFiles\n";
-            unlink @signatureFiles;
-        }
-
         # Used for corrupting partitions. By default all protected offsets start
         # immediately after the container header which is size = PAGE_SIZE.
         # *Note: this is before ECC.
@@ -554,6 +541,20 @@ sub manipulateImages
         my $nodeIDstr = "";
         foreach my $bin_file (@binFilesArray)
         {
+            # @TODO RTC 182358
+            # This is a tactical workaround for the signing tooling not being
+            # able to handle muliple different platform binary (or multiple
+            # node) contents for the same component ID.  The signing tooling
+            # should be modified to tolerate this scenario, at which point the
+            # workaround can be removed.
+            if ($buildType eq "fspbuild")
+            {
+                my @signatureFiles=
+                    glob("$bin_dir/SIGNTOOL_*/$componentId/*sig_p.raw $bin_dir/SIGNTOOL_*/$componentId/*key_p.sig");
+                print "Deleting @signatureFiles\n";
+                unlink @signatureFiles;
+            }
+
             # If there are more than 1 bin files per section, final name should
             # have a node ID included.
             if (scalar @binFilesArray > 1)
-- 
cgit v1.2.3