-rw-r--r--.gitmodules3
m---------3rdparty/open-power-signing-utils0
-rw-r--r--Makefile.mk9
-rw-r--r--src/soc/ibm/power9/Kconfig11
-rw-r--r--src/soc/ibm/power9/Makefile.mk32
5 files changed, 50 insertions, 5 deletions
diff --git a/.gitmodules b/.gitmodules
index eec69fd1ec..c1d7849a9e 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -65,3 +65,6 @@
[submodule "src/vendorcode/amd/opensil/genoa_poc/opensil"]
path = src/vendorcode/amd/opensil/genoa_poc/opensil
url = https://review.coreboot.org/opensil_genoa_poc.git
+[submodule "3rdparty/open-power-signing-utils"]
+ path = 3rdparty/open-power-signing-utils
+ url = https://review.coreboot.org/open-power-signing-utils.git
diff --git a/3rdparty/open-power-signing-utils b/3rdparty/open-power-signing-utils
new file mode 160000
+Subproject 591c8f53482243626901e1cc8a4ae321f314040
diff --git a/Makefile.mk b/Makefile.mk
index 2b67947a43..a0464385d7 100644
--- a/Makefile.mk
+++ b/Makefile.mk
@@ -679,6 +679,7 @@ AMDCOMPRESS:=$(objutil)/cbfstool/amdcompress
CSE_FPT:=$(objutil)/cbfstool/cse_fpt
CSE_SERGER:=$(objutil)/cbfstool/cse_serger
ECCTOOL:=$(objutil)/ffs/ecc/ecc
+CREATE_CONTAINER:=$(objutil)/open-power-signing-utils/create-container
$(obj)/cbfstool: $(CBFSTOOL)
cp $< $@
@@ -726,6 +727,12 @@ $(ECCTOOL):
cd $(objutil)/ffs && autoreconf -i && ./configure
$(MAKE) -C $(objutil)/ffs
+$(CREATE_CONTAINER):
+ @printf " Compile Open-Power SecureBoot Signing Utils\n"
+ cp -r $(top)/3rdparty/open-power-signing-utils $(objutil)
+ cd $(objutil)/open-power-signing-utils && autoreconf -i -Wno-unsupported && ./configure
+ $(MAKE) -C $(objutil)/open-power-signing-utils
+
APCB_EDIT_TOOL:=$(top)/util/apcb/apcb_edit.py
APCB_V3_EDIT_TOOL:=$(top)/util/apcb/apcb_v3_edit.py
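Review bot: The `$(CREATE_CONTAINER)` rule at the top of this hunk lists no prerequisites, so once the binary exists it is never rebuilt when the submodule revision changes, and if the submodule has not been initialized the `cp -r` copies an empty directory and the build fails later inside autoreconf with a message that does not point at the cause. This mirrors the existing `$(ECCTOOL)` rule just above, so it may be the accepted convention here, but a first recipe line such as `[ -e $(top)/3rdparty/open-power-signing-utils/.git ] || { echo "error: open-power-signing-utils submodule not checked out"; exit 1; }` would make the failure obvious. The recipe also writes a whole configured tree under `$(objutil)` rather than only `$@`, which is worth a one-line comment so that whoever maintains `clean` knows the directory is a build product.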
@@ -836,7 +843,7 @@ install-git-commit-clangfmt:
include util/crossgcc/Makefile.mk
.PHONY: tools
-tools: $(objutil)/kconfig/conf $(objutil)/kconfig/toada $(CBFSTOOL) $(objutil)/cbfstool/cbfs-compression-tool $(FMAPTOOL) $(RMODTOOL) $(IFWITOOL) $(objutil)/nvramtool/nvramtool $(objutil)/sconfig/sconfig $(IFDTOOL) $(CBOOTIMAGE) $(AMDFWTOOL) $(AMDCOMPRESS) $(FUTILITY) $(BINCFG) $(IFITTOOL) $(objutil)/supermicro/smcbiosinfo $(CSE_FPT) $(CSE_SERGER) $(AMDFWREAD) $(ECCTOOL)
+tools: $(objutil)/kconfig/conf $(objutil)/kconfig/toada $(CBFSTOOL) $(objutil)/cbfstool/cbfs-compression-tool $(FMAPTOOL) $(RMODTOOL) $(IFWITOOL) $(objutil)/nvramtool/nvramtool $(objutil)/sconfig/sconfig $(IFDTOOL) $(CBOOTIMAGE) $(AMDFWTOOL) $(AMDCOMPRESS) $(FUTILITY) $(BINCFG) $(IFITTOOL) $(objutil)/supermicro/smcbiosinfo $(CSE_FPT) $(CSE_SERGER) $(AMDFWREAD) $(ECCTOOL) $(CREATE_CONTAINER)
###########################################################################
# Common recipes for all stages
diff --git a/src/soc/ibm/power9/Kconfig b/src/soc/ibm/power9/Kconfig
index 9f3323b63b..232beb77f9 100644
--- a/src/soc/ibm/power9/Kconfig
+++ b/src/soc/ibm/power9/Kconfig
@@ -10,5 +10,14 @@ config SOC_IBM_POWER9
This SoC is the minimal template working on POWER9 Talos II platform.
if SOC_IBM_POWER9
- # nothing here yet
+
+config SIGNING_KEYS_DIR
+ string "Directory with OpenPower signing keys"
+ default ""
+ help
+ Specifies path to directory containing hw_key_{a,b,c}.key
+ and sw_key_p.key files (all in PEM format). Key name suffixes
+ correspond to options of create-container from OpenPower
+ Signing Utils. By default, test keys are used.
+
endif
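Review bot: The last sentence of the help text, `By default, test keys are used.`, understates the consequence of leaving the option empty: the fallback keys are read from the public `3rdparty/open-power-signing-utils` submodule that this commit adds, so a container signed with them carries no authenticity guarantee at all. I would extend the help with a sentence along the lines of `When empty, the publicly available test keys shipped with the signing utils are used; images signed with them provide no secure-boot protection and are suitable for development only.` so that the trade-off is visible in menuconfig rather than only in the build log.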
diff --git a/src/soc/ibm/power9/Makefile.mk b/src/soc/ibm/power9/Makefile.mk
index f0ce2ead0e..b2aa581afa 100644
--- a/src/soc/ibm/power9/Makefile.mk
+++ b/src/soc/ibm/power9/Makefile.mk
@@ -14,9 +14,35 @@ ramstage-y += chip.c
ramstage-y += rom_media.c
ramstage-y += timer.c
-files_added:: $(obj)/coreboot.rom.ecc
+ifeq ($(CONFIG_SIGNING_KEYS_DIR),"")
+ KEYDIR = $(top)/3rdparty/open-power-signing-utils/test/keys
+else
+ KEYDIR = $(CONFIG_SIGNING_KEYS_DIR)
+endif
+
+PHONY += sign_and_add_ecc
+sign_and_add_ecc: $(obj)/coreboot.rom | $(ECCTOOL) $(CREATE_CONTAINER)
+ifeq ($(CONFIG_SIGNING_KEYS_DIR),"")
+ @printf " NOTE: signing firmware with test keys\n"
+endif
+ @printf " SBSIGN $(subst $(obj)/,,$<)\n"
+ [ -e "$(KEYDIR)/hw_key_a.key" ] || ( echo "error: $(KEYDIR)/hw_key_a.key" is missing; exit 1 )
+ [ -e "$(KEYDIR)/hw_key_b.key" ] || ( echo "error: $(KEYDIR)/hw_key_b.key" is missing; exit 1 )
+ [ -e "$(KEYDIR)/hw_key_c.key" ] || ( echo "error: $(KEYDIR)/hw_key_c.key" is missing; exit 1 )
+ [ -e "$(KEYDIR)/sw_key_p.key" ] || ( echo "error: $(KEYDIR)/sw_key_p.key" is missing; exit 1 )
+ $(CREATE_CONTAINER) -a $(KEYDIR)/hw_key_a.key -b $(KEYDIR)/hw_key_b.key -c $(KEYDIR)/hw_key_c.key \
+ -p $(KEYDIR)/sw_key_p.key --payload $(objcbfs)/bootblock.bin \
+ --imagefile $(obj)/bootblock.signed
+ $(CREATE_CONTAINER) -a $(KEYDIR)/hw_key_a.key -b $(KEYDIR)/hw_key_b.key -c $(KEYDIR)/hw_key_c.key \
+ -p $(KEYDIR)/sw_key_p.key --payload $< --imagefile $<.signed
+ @printf " ECC $(subst $(obj)/,,$<)\n"
+ $(ECCTOOL) --inject $<.signed --output $<.signed.ecc --p8
+ $(ECCTOOL) --inject $< --output $<.ecc --p8
+ @printf " ECC bootblock\n"
+ dd if=$(obj)/bootblock.signed of=$(obj)/bootblock.signed.pad ibs=25486 conv=sync 2> /dev/null
+ $(ECCTOOL) --inject $(obj)/bootblock.signed.pad --output $(obj)/bootblock.signed.ecc --p8
+ rm $(obj)/bootblock.signed $(obj)/bootblock.signed.pad
-$(obj)/coreboot.rom.ecc: $(obj)/coreboot.rom | $(ECCTOOL)
- $(ECCTOOL) --inject $< --output $@ --p8
+files_added:: sign_and_add_ecc
endif
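Review bot: `sign_and_add_ecc` is declared in `PHONY`, yet its recipe produces `$<.signed`, `$<.ecc`, `$<.signed.ecc` and `$(obj)/bootblock.signed.ecc`, none of which is the target of any rule; signing and ECC injection therefore rerun on every `make` even when `coreboot.rom` is unchanged, and if `create-container` fails part-way the previous `.signed.ecc` stays next to a newer rom with nothing marking it stale (the removed `$(obj)/coreboot.rom.ecc` file rule did not have this problem). The `dd ... ibs=25486 conv=sync` line pads the signed bootblock to an undocumented size; a comment such as `# pad signed bootblock to 25486 bytes: <origin of this size — confirm>` should state where the number comes from. With `CONFIG_SIGNING_KEYS_DIR` empty, `KEYDIR` points into the public `3rdparty/open-power-signing-utils` submodule, so the image is signed with keys anyone can obtain, and the `@printf` NOTE is easy to lose in a long build log — a parse-time `$(warning ...)` next to the `KEYDIR` assignment would be harder to miss. `KEYDIR = $(CONFIG_SIGNING_KEYS_DIR)` also keeps the quotes a Kconfig string normally arrives with, so the `[ -e "$(KEYDIR)/..." ]` tests and `-a $(KEYDIR)/...` arguments work only because the shell strips the nested quotes; `$(call strip_quotes,$(CONFIG_SIGNING_KEYS_DIR))`, if that helper is in scope here, is the usual form. Finally, the trailing `rm $(obj)/bootblock.signed $(obj)/bootblock.signed.pad` should be `rm -f` so a rerun after a partial failure does not abort on an already-removed file.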