From 5fa02a909075081da87ea537d13cb7a61e543176 Mon Sep 17 00:00:00 2001
From: Jaymes Wilks <mjwilks@us.ibm.com>
Date: Thu, 26 Oct 2017 09:37:07 -0500
Subject: Support selecting fips or op-build for signing process

Adds a new '--build-type' option to genPnorImages.pl to specify
either fspbuild or opbuild, which adds the appropriate magic
value to the secure header during the signing process.

Change-Id: I46a97f88666a5cc925797d3ad0e870a5f5bac89a
RTC:163655
Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/48930
Tested-by: Jenkins Server <pfd-jenkins+hostboot@us.ibm.com>
Tested-by: Jenkins OP Build CI <op-jenkins+hostboot@us.ibm.com>
Tested-by: Jenkins OP HW <op-hw-jenkins+hostboot@us.ibm.com>
Tested-by: FSP CI Jenkins <fsp-CI-jenkins+hostboot@us.ibm.com>
Reviewed-by: Stephen M. Cprek <smcprek@us.ibm.com>
Reviewed-by: Michael Baiocchi <mbaiocch@us.ibm.com>
Reviewed-by: William G. Hoffa <wghoffa@us.ibm.com>
---
 src/build/buildpnor/genPnorImages.pl         | 24 ++++++++++++++++++++----
 src/build/mkrules/hbfw/img/makefile          |  8 ++++++--
 src/include/usr/secureboot/containerheader.H |  7 +++++++
 src/usr/pnor/spnorrp.C                       |  3 +++
 src/usr/secureboot/common/containerheader.C  |  5 +++++
 5 files changed, 41 insertions(+), 6 deletions(-)

(limited to 'src')

diff --git a/src/build/buildpnor/genPnorImages.pl b/src/build/buildpnor/genPnorImages.pl
index 614c44334..5d5d207d2 100755
--- a/src/build/buildpnor/genPnorImages.pl
+++ b/src/build/buildpnor/genPnorImages.pl
@@ -79,16 +79,18 @@ use constant LOCAL_SIGNING_FLAG => " -flag ";
 use constant OP_SIGNING_FLAG => " --flags ";
 # Security bits HW flag strings
 use constant OP_BUILD_FLAG => 0x80000000;
-use constant FIPS_BUILD_FLAG => 0x40000000;
+# TODO 1633655 For now, as a workaround FIPS_BUILD_FLAG will be the same as
+# OP_BUILD_FLAG until the larger team is ready to take on the new value.
+use constant FIPS_BUILD_FLAG => 0x80000000;
+# use constant FIPS_BUILD_FLAG => 0x40000000;
 # Applies to SBE image only
 use constant LAB_SECURITY_OVERRIDE_FLAG => 0x00080000;
 use constant KEY_TRANSITION_FLAG => 0x00000001;
 # Size of HW keys' Hash
 use constant HW_KEYS_HASH_SIZE => 64;
 
-# TODO: RTC 163655
-# Implement dynamic support for choosing FSP or op-build flag type.
-# For now, assume OP build
+# Dynamic support for choosing FSP or op-build flag type.
+# Default to OP build
 my $buildFlag = OP_BUILD_FLAG;
 
 # Corrupt parameter strings
@@ -122,6 +124,7 @@ my %partitionsToCorrupt = ();
 my $sign_mode = $DEVELOPMENT;
 my $hwKeyHashFile = "";
 my $hb_standalone="";
+my $buildType="";
 
 # @TODO RTC 170650: Set default to 0 after all environments provide external
 # control over this policy, plus remove '!' from 'lab-security-override'
@@ -143,6 +146,7 @@ GetOptions("binDir:s" => \$bin_dir,
            "hb-standalone" => \$hb_standalone,
            "lab-security-override!" => \$labSecurityOverride,
            "emit-eccless" => \$emitEccless,
+           "build-type:s" => \$buildType,
            "help" => \$help);
 
 if ($help)
@@ -155,6 +159,12 @@ if ($help)
 # Environment Setup, Checking, and Variable Initialization
 ################################################################################
 
+# Get the build type
+if ($buildType eq "fspbuild")
+{
+    $buildFlag = FIPS_BUILD_FLAG;
+}
+
 # Put mode transition input into a hash and ensure a valid signing mode
 my %signMode = ( $DEVELOPMENT => 1,
                  $PRODUCTION => 0 );
@@ -1313,6 +1323,12 @@ print <<"ENDUSAGE";
                                       physical jumpers on the system planar.
     --emit-eccless                In addition to typical output, also emit
                                       ECC-less versions of any input binaries
+    --build-type                  Specify whether the type of build is FIPS or
+                                      OpenPower, indicated by either 'fspbuild'
+                                      or 'opbuild' immediately following the
+                                      switch (separated with a space and not
+                                      including the single quotes). OpenPower is
+                                      the default.
 
   Current Limitations:
     - Issues with dependency on ENGD build for certain files such as SBE. This is why [--build-all | --install-all ] are used.
diff --git a/src/build/mkrules/hbfw/img/makefile b/src/build/mkrules/hbfw/img/makefile
index d878a6521..a420b6e3b 100755
--- a/src/build/mkrules/hbfw/img/makefile
+++ b/src/build/mkrules/hbfw/img/makefile
@@ -176,6 +176,10 @@ PNOR_LAYOUT = ${pnorLayoutFSP.xml:P}
     PNOR_LAYOUT = ${defaultPnorLayout.xml:P}
 .endif
 
+# Since this makefile is only ever used for an FSP signing environment, then
+# we can just specify that we want an fspbuild here without any condition.
+BUILD_TYPE_PARAMS = --build-type fspbuild
+
 # Decide which PNOR to build
 .if(${FAKEPNOR} == "")
     # Parameters passed into GEN_PNOR_IMAGE_SCRIPT.
@@ -226,7 +230,7 @@ gen_default_images: ${GEN_DEFAULT_IMAGES_DEPS}
     # result [hbbl][pad:8:if-applicable][securerom-size:8][securerom]
 
 	# Call script to generate final bin files for default images
-	export LD_PRELOAD=${SIGNING_LIBS} && ${GEN_PNOR_IMAGE_SCRIPT} ${DEFAULT_PARAMS}
+	export LD_PRELOAD=${SIGNING_LIBS} && ${GEN_PNOR_IMAGE_SCRIPT} ${DEFAULT_PARAMS} ${BUILD_TYPE_PARAMS}
 
 clobber_cp_hbfiles:
 	rm -f ${ALL_DEFAULT_IMAGES}
@@ -379,7 +383,7 @@ ZEPPELIN_HBD_FINAL_IMG = ZEPPELIN.HBD.bin
 
 gen_system_specific_images_bypass_cache : dump-secureboot-config
 	# Call script to generate final bin file for chip/system specific images
-	export LD_PRELOAD=${SIGNING_LIBS} && ${GEN_PNOR_IMAGE_SCRIPT} ${SYSTEM_SPECIFIC_PARAMS}
+	export LD_PRELOAD=${SIGNING_LIBS} && ${GEN_PNOR_IMAGE_SCRIPT} ${SYSTEM_SPECIFIC_PARAMS} ${BUILD_TYPE_PARAMS}
 
 	#for NIMBUS fake pnor skip version header
 	.if(${FAKEPNOR} != "")
diff --git a/src/include/usr/secureboot/containerheader.H b/src/include/usr/secureboot/containerheader.H
index 49ecc9223..255566c9d 100644
--- a/src/include/usr/secureboot/containerheader.H
+++ b/src/include/usr/secureboot/containerheader.H
@@ -74,6 +74,13 @@ class ContainerHeader
          */
         size_t totalContainerSize() const;
 
+        /**
+         * @brief Retrieves the prefix header flags
+         *
+         * @return uint32_t containing prefix header flags
+         */
+        uint32_t prefixHeaderFlags() const;
+
         /**
          * @brief Retrieves pointer to first hw key
          * @return ecc_key_t* - ptr to first hw key
diff --git a/src/usr/pnor/spnorrp.C b/src/usr/pnor/spnorrp.C
index 1643215fd..b45ac3e71 100644
--- a/src/usr/pnor/spnorrp.C
+++ b/src/usr/pnor/spnorrp.C
@@ -425,6 +425,9 @@ uint64_t SPnorRP::verifySections(SectionId i_id,
 
         SECUREBOOT::ContainerHeader l_conHdr(l_tempAddr);
         size_t l_totalContainerSize = l_conHdr.totalContainerSize();
+        auto l_prefixHdrFlags = l_conHdr.prefixHeaderFlags();
+
+        TRACFCOMP(g_trac_pnor, "Prefix hdr flags:0x%X",l_prefixHdrFlags);
 
         TRACFCOMP(g_trac_pnor, "SPnorRP::verifySections "
                 "Total container size = 0x%.16llX", l_totalContainerSize);
diff --git a/src/usr/secureboot/common/containerheader.C b/src/usr/secureboot/common/containerheader.C
index 169c1254d..069a587d9 100644
--- a/src/usr/secureboot/common/containerheader.C
+++ b/src/usr/secureboot/common/containerheader.C
@@ -152,6 +152,11 @@ size_t ContainerHeader::totalContainerSize() const
     return iv_headerInfo.hw_hdr.container_size;
 }
 
+uint32_t ContainerHeader::prefixHeaderFlags() const
+{
+    return iv_headerInfo.hw_prefix_hdr.flags;
+}
+
 const ecc_key_t* ContainerHeader::hw_keys() const
 {
     return &iv_headerInfo.hw_hdr.hw_pkey_a;
-- 
cgit v1.2.1