Diffstat (limited to 'src/soc')
-rw-r--r-- | src/soc/ibm/power9/Kconfig | 11 | ||||
-rw-r--r-- | src/soc/ibm/power9/Makefile.mk | 32 |
2 files changed, 39 insertions, 4 deletions
diff --git a/src/soc/ibm/power9/Kconfig b/src/soc/ibm/power9/Kconfig index 9f3323b63b..232beb77f9 100644 --- a/src/soc/ibm/power9/Kconfig +++ b/src/soc/ibm/power9/Kconfig @@ -10,5 +10,14 @@ config SOC_IBM_POWER9 This SoC is the minimal template working on POWER9 Talos II platform. if SOC_IBM_POWER9 - # nothing here yet + +config SIGNING_KEYS_DIR + string "Directory with OpenPower signing keys" + default "" + help + Specifies path to directory containing hw_key_{a,b,c}.key + and sw_key_p.key files (all in PEM format). Key name suffixes + correspond to options of create-container from OpenPower + Signing Utils. By default, test keys are used. + endif diff --git a/src/soc/ibm/power9/Makefile.mk b/src/soc/ibm/power9/Makefile.mk index f0ce2ead0e..b2aa581afa 100644 --- a/src/soc/ibm/power9/Makefile.mk +++ b/src/soc/ibm/power9/Makefile.mk 
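Review bot: The help text added for SIGNING_KEYS_DIR in the Kconfig hunk ends with "By default, test keys are used" but does not say what that means for the resulting image. Judging by the Makefile.mk change in the same commit, the default points at the keys checked into 3rdparty/open-power-signing-utils/test/keys, so a signature made with them presumably proves nothing about who built the firmware. I would extend the help with a sentence such as `The test keys ship with the source tree and give no authenticity guarantee; set this option for any image meant for deployment.` It would also help to state that the directory holds private keys and should live outside the build tree with restricted permissions.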
@@ -14,9 +14,35 @@ ramstage-y += chip.c ramstage-y += rom_media.c ramstage-y += timer.c -files_added:: $(obj)/coreboot.rom.ecc +ifeq ($(CONFIG_SIGNING_KEYS_DIR),"") + KEYDIR = $(top)/3rdparty/open-power-signing-utils/test/keys +else + KEYDIR = $(CONFIG_SIGNING_KEYS_DIR) +endif + +PHONY += sign_and_add_ecc +sign_and_add_ecc: $(obj)/coreboot.rom | $(ECCTOOL) $(CREATE_CONTAINER) +ifeq ($(CONFIG_SIGNING_KEYS_DIR),"") + @printf " NOTE: signing firmware with test keys\n" +endif + @printf " SBSIGN $(subst $(obj)/,,$<)\n" + [ -e "$(KEYDIR)/hw_key_a.key" ] || ( echo "error: $(KEYDIR)/hw_key_a.key" is missing; exit 1 ) + [ -e "$(KEYDIR)/hw_key_b.key" ] || ( echo "error: $(KEYDIR)/hw_key_b.key" is missing; exit 1 ) + [ -e "$(KEYDIR)/hw_key_c.key" ] || ( echo "error: $(KEYDIR)/hw_key_c.key" is missing; exit 1 ) + [ -e "$(KEYDIR)/sw_key_p.key" ] || ( echo "error: $(KEYDIR)/sw_key_p.key" is missing; exit 1 ) + $(CREATE_CONTAINER) -a $(KEYDIR)/hw_key_a.key -b $(KEYDIR)/hw_key_b.key -c $(KEYDIR)/hw_key_c.key \ + -p $(KEYDIR)/sw_key_p.key --payload $(objcbfs)/bootblock.bin \ + --imagefile $(obj)/bootblock.signed + $(CREATE_CONTAINER) -a $(KEYDIR)/hw_key_a.key -b $(KEYDIR)/hw_key_b.key -c $(KEYDIR)/hw_key_c.key \ + -p $(KEYDIR)/sw_key_p.key --payload $< --imagefile $<.signed + @printf " ECC $(subst $(obj)/,,$<)\n" + $(ECCTOOL) --inject $<.signed --output $<.signed.ecc --p8 + $(ECCTOOL) --inject $< --output $<.ecc --p8 + @printf " ECC bootblock\n" + dd if=$(obj)/bootblock.signed of=$(obj)/bootblock.signed.pad ibs=25486 conv=sync 2> /dev/null + $(ECCTOOL) --inject $(obj)/bootblock.signed.pad --output $(obj)/bootblock.signed.ecc --p8 + rm $(obj)/bootblock.signed $(obj)/bootblock.signed.pad -$(obj)/coreboot.rom.ecc: $(obj)/coreboot.rom | $(ECCTOOL) - $(ECCTOOL) --inject $< --output $@ --p8 +files_added:: sign_and_add_ecc endif |
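Review bot: In the else branch, `KEYDIR = $(CONFIG_SIGNING_KEYS_DIR)` keeps the literal double quotes of the Kconfig string (the `ifeq (...,"")` test above it relies on them being there), so `[ -e "$(KEYDIR)/hw_key_a.key" ]` expands to `""dir"/hw_key_a.key"` and the directory part ends up unquoted in the checks while it is quoted in the `$(CREATE_CONTAINER)` arguments. A key directory containing spaces or glob characters would therefore be checked and used differently; assuming the tree's `strip_quotes` helper is in scope here, I would write `KEYDIR = $(call strip_quotes,$(CONFIG_SIGNING_KEYS_DIR))` and quote `"$(KEYDIR)/..."` on the `$(CREATE_CONTAINER)` lines as well. Separately, the `dd ... ibs=25486 conv=sync 2> /dev/null` line pads to a multiple of an undocumented size and hides dd's output, so a signed bootblock larger than 25486 bytes would be padded to the next multiple without any message; a comment naming where 25486 comes from and a size check before the ECC step would make that failure visible. The test-key fallback is announced only by one `printf` NOTE line, which is easy to miss in a full build log.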