From 8527fc2b9549b9b6782fdffde29ff8713e677bc4 Mon Sep 17 00:00:00 2001 From: Nick Bofferding Date: Sat, 22 Apr 2017 17:15:03 -0500 Subject: Support gracefully adding signing headers to PNOR sections Change-Id: Ie8ce7672a41c0b6230918911f59ada5443c552f5 RTC: 170650 CMVC-Coreq: 1022416 Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/39869 Reviewed-by: Stephen M. Cprek Tested-by: Jenkins Server Reviewed-by: Michael Baiocchi Tested-by: FSP CI Jenkins Tested-by: Jenkins OP Build CI Reviewed-by: Daniel M. Crowell --- src/build/buildpnor/genPnorImages.pl | 70 ++++++++++++++++++++++-------------- 1 file changed, 43 insertions(+), 27 deletions(-) (limited to 'src/build/buildpnor/genPnorImages.pl') diff --git a/src/build/buildpnor/genPnorImages.pl b/src/build/buildpnor/genPnorImages.pl index f02d0433b..dd0be0fce 100755 --- a/src/build/buildpnor/genPnorImages.pl +++ b/src/build/buildpnor/genPnorImages.pl @@ -617,7 +617,7 @@ sub manipulateImages $eccless_prefix.=".header"; # Add secure container header # @TODO RTC:155374 Remove when official signing supported - if ($secureboot && $secureSupported) + if ($secureboot && $isSpecialSecure) { $callerHwHdrFields{configure} = 1; if (exists $hashPageTablePartitions{$eyeCatch}) @@ -737,7 +737,25 @@ sub manipulateImages die "Error closing of $preReqImages{HBB_SW_SIG_FILE} failed" if $!; } } - # Add simiple version header + elsif($secureboot && $isNormalSecure) + { + $callerHwHdrFields{configure} = 1; + if($openSigningTool) + { + run_command("$CUR_OPEN_SIGN_REQUEST " + . "-protectedPayload $bin_file " + . "-out $tempImages{HDR_PHASE}"); + } + else + { + # @TODO RTC:155374 Remove when official signing + # supported + run_command("$SIGNING_DIR/build -good -if " + . "$secureboot_hdr -of $tempImages{HDR_PHASE} -bin " + . "$bin_file $SIGN_BUILD_PARAMS"); + } + } + # Add simple version header else { run_command("env echo -en VERSION\\\\0 > $tempImages{TEMP_SHA_IMG}"); 
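Review bot: The gate for the special signing path changes from `$secureSupported` to `$isSpecialSecure` in the first hunk, while the last hunk of this patch (pad phase) introduces a new `if ($secureboot && $secureSupported)` where the old test used `$isNormalSecure`. Neither variable's definition is visible in the patch, so the diff alone does not show whether `$secureSupported` is meant to cover both kinds of section. A one-line comment at each test naming the sections it selects would make the two signing gates auditable. The `if` body continues past the end of this hunk.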
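Review bot: Moving the `$secureboot && $isNormalSecure` case inside the enclosing block (second hunk, with the old `elsif` deleted in the hunk after it) means a normal-secure section that fails the enclosing condition now reaches the plain `cp $bin_file` branch and gets no container header, where it was previously signed. The enclosing condition is outside the hunk, so this may be unreachable if `$isNormalSecure` already implies it. If it is reachable, a guard in that outer `else`, such as `die "$eyeCatch: secure section would be built without a signing header" if ($secureboot && $isNormalSecure);`, would turn a silent omission into a build failure. If the fall-through is intended, a comment saying so belongs on the `else`.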
@@ -746,23 +764,6 @@ sub manipulateImages run_command("cat $bin_file >> $tempImages{HDR_PHASE}"); } } - elsif ($secureboot && $isNormalSecure) - { - $eccless_prefix .=".header"; - - $callerHwHdrFields{configure} = 1; - if($openSigningTool) - { - run_command("$CUR_OPEN_SIGN_REQUEST " - . "-protectedPayload $bin_file " - . "-out $tempImages{HDR_PHASE}"); - } - else - { - # @TODO RTC:155374 Remove when official signing supported - run_command("$SIGNING_DIR/build -good -if $secureboot_hdr -of $tempImages{HDR_PHASE} -bin $bin_file $SIGN_BUILD_PARAMS"); - } - } else { run_command("cp $bin_file $tempImages{HDR_PHASE}"); 
@@ -830,17 +831,32 @@ sub manipulateImages run_command("dd if=/dev/zero bs=$size count=1 | tr \"\\000\" \"\\377\" > $tempImages{PAD_PHASE}"); # Add secure container header - if ($secureboot && $isNormalSecure && $eyeCatch ne "SBKT") + if( ($sectionHash{$layoutKey}{sha512Version} eq "yes") + && ($eyeCatch ne "SBKT")) { - $callerHwHdrFields{configure} = 1; - # Remove PAGE_SIZE bytes from generated dummy content of file - # to make room for the secure header + # Remove PAGE_SIZE bytes from generated dummy content of + # file to make room for the secure header my $fileSize = (-s $tempImages{PAD_PHASE}) - PAGE_SIZE; - die "fileSize undefined: errno = $!" unless(defined $fileSize); + die "fileSize undefined: errno = $!" + unless(defined $fileSize); run_command("dd if=$tempImages{PAD_PHASE} of=$tempImages{TEMP_BIN} count=1 bs=$fileSize"); - # @TODO RTC:155374 Remove when official signing supported - run_command("$SIGNING_DIR/build -good -if $secureboot_hdr -of $tempImages{PAD_PHASE} -bin $tempImages{TEMP_BIN} $SIGN_BUILD_PARAMS"); - setCallerHwHdrFields(\%callerHwHdrFields, $tempImages{PAD_PHASE}); + + if ($secureboot && $secureSupported) + { + $callerHwHdrFields{configure} = 1; + # @TODO RTC:155374 Remove when official signing + # supported + run_command("$SIGNING_DIR/build -good -if $secureboot_hdr -of $tempImages{PAD_PHASE} -bin $tempImages{TEMP_BIN} $SIGN_BUILD_PARAMS"); + setCallerHwHdrFields(\%callerHwHdrFields, + $tempImages{PAD_PHASE}); + } + else + { + run_command("env echo -en VERSION\\\\0 > $tempImages{TEMP_SHA_IMG}"); + run_command("sha512sum $tempImages{TEMP_BIN} | awk \'{print \$1}\' | xxd -pr -r >> $tempImages{TEMP_SHA_IMG}"); + run_command("dd if=$tempImages{TEMP_SHA_IMG} of=$tempImages{PAD_PHASE} ibs=4k conv=sync"); + run_command("cat $tempImages{TEMP_BIN} >> $tempImages{PAD_PHASE}"); + } } } } -- cgit v1.2.1
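Review bot: The re-wrapped `die "fileSize undefined: errno = $!" unless(defined $fileSize);` can never fire, because `(-s $tempImages{PAD_PHASE}) - PAGE_SIZE` is always defined. When `-s` returns undef the subtraction yields a negative number, and for a file no larger than PAGE_SIZE the result is zero or negative; either way the value is passed straight to `dd` as `bs=`. Test the size before subtracting: `my $padSize = -s $tempImages{PAD_PHASE};`, then `die "Cannot size $tempImages{PAD_PHASE}: $!" unless (defined $padSize && $padSize > PAGE_SIZE);`, then `my $fileSize = $padSize - PAGE_SIZE;`. Both the signed branch and the new sha512 VERSION-header branch consume TEMP_BIN, so a wrong length here would affect either kind of header.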