Secure Boot: Support HB standalone imprint signing with open tooling

Change-Id: I679c9ad2984c2331f0f5d98ff3378801859ba96e RTC: 157356 CMVC-Coreq: 1036927 Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/48530 Tested-by: Jenkins Server <pfd-jenkins+hostboot@us.ibm.com> Tested-by: Jenkins OP Build CI <op-jenkins+hostboot@us.ibm.com> Tested-by: Jenkins OP HW <op-hw-jenkins+hostboot@us.ibm.com> Tested-by: FSP CI Jenkins <fsp-CI-jenkins+hostboot@us.ibm.com> Reviewed-by: Michael Baiocchi <mbaiocch@us.ibm.com> Reviewed-by: Marshall J. Wilks <mjwilks@us.ibm.com> Reviewed-by: Stephen M. Cprek <smcprek@us.ibm.com> Reviewed-by: William G. Hoffa <wghoffa@us.ibm.com>
open-power · Oct 23, 2017 · 5fe2342 · 5fe2342
1 parent f0e2eeb
commit 5fe2342
Show file tree

Hide file tree

Showing 2 changed files with 58 additions and 8 deletions.
diff --git a/src/build/mkrules/hbfw/img/makefile b/src/build/mkrules/hbfw/img/makefile
@@ -113,6 +113,42 @@ IMPRINT_HW_KEY_HASH = ${imprintHwKeyHash:P}
 #       the same --systemBinFiles parameter for genPnorImages
 GEN_PNOR_IMAGE_SCRIPT = ${genPnorImages.pl:P}
 
+# Determine which version of Redhat we're building on and generate the
+# associated sub-directory name used to construct the signing binaries path.
+# Most pool machines have back level libraries used for signing, so point to
+# usable ones.
+# The unescaped version of the command is:
+#     sed "s/^.*release \([0-9]*\)\..*$/rh\1/" /etc/redhat-release
+# Any character not in the following set must be escaped:
+#     [a-zA-Z0-9,._+:@%/-]
+RH_DIR%=${DUMMY:!sed "s/\^.\*release \\\(\[0-9\]\*\\\)\..\*\$/rh\\1/\" /etc/redhat-release!e}
+
+# Concatenate the base path, Redhat specific dir, and tool subdir to form the
+# complete signing tools path
+SIGNING_DIR%=${SIGNING_BASE_DIR}/${RH_DIR}/${SIGNING_UTILS_DIR}
+
+# Construct the set of libs we need to preload to ensure compatibility
+SIGNING_LIBS%=${SIGNING_DIR}/libssl.so:${SIGNING_DIR}/libcrypto.so
+
+# Put signing tool dir in the path so child programs can be located.
+# Additionally, put /usr/bin at the front to prevent certain CI situations from
+# using old openssl binaries.
+PATH%=/usr/bin:${SIGNING_DIR}:${PATH}
+
+# Dump information about the Secure Boot configuration
+dump-secureboot-config : .FORCEBLD
+	echo -e "\n\n\
+Secure Boot Signing Config:\n\
+    Signing base dir     [${SIGNING_BASE_DIR}]\n\
+    Redhat subdir        [${RH_DIR}]\n\
+    Signing utils subdir [${SIGNING_UTILS_DIR}]\n\
+    Final signing dir    [${SIGNING_DIR}]\n\
+    Development key dir  [${DEV_KEY_DIR}]\n\
+    Signing edition      [${SIGNING_TOOL_EDITION}]\n\
+    Compile secureboot?  [${CONFIG_SECUREBOOT}]\n\
+    Libs to preload      [${SIGNING_LIBS}]\n\
+    Path                 [${PATH}]\n\n"
+
 # Default to using FSP layout for common file purposes and use existing hb
 # techniques to enable default layout when appropriate.
 PNOR_LAYOUT = ${pnorLayoutFSP.xml:P}
@@ -142,7 +178,7 @@ PNOR_LAYOUT = ${pnorLayoutFSP.xml:P}
 cp_hbfiles: .SPECTARG
 	${BASE_IMAGES:@image@cp -f ${SRCPATH:F${image}} ${image};@}
 
-gen_default_images: cp_hbfiles
+gen_default_images: cp_hbfiles dump-secureboot-config
 	currentsb -chain
 	ecc --inject ${HBB_IMG} --output ${HBB_ECC_IMG} --p8
 
@@ -160,7 +196,7 @@ gen_default_images: cp_hbfiles
     # result [hbbl][pad:8:if-applicable][securerom-size:8][securerom]
 
 	# Call script to generate final bin files for default images
-	${GEN_PNOR_IMAGE_SCRIPT} ${DEFAULT_PARAMS}
+	export LD_PRELOAD=${SIGNING_LIBS} && ${GEN_PNOR_IMAGE_SCRIPT} ${DEFAULT_PARAMS}
 
 clobber_cp_hbfiles:
 	rm -f ${ALL_DEFAULT_IMAGES}
@@ -301,9 +337,9 @@ ZZ_MEMD_FINAL_IMG = ZZ.MEMD.bin
                              --systemBinFiles ${GEN_CUMULUS_BIN_FILES}
 .endif
 
-gen_system_specific_images_bypass_cache :
+gen_system_specific_images_bypass_cache : dump-secureboot-config
 	# Call script to generate final bin file for chip/system specific images
-	${GEN_PNOR_IMAGE_SCRIPT} ${SYSTEM_SPECIFIC_PARAMS}
+	export LD_PRELOAD=${SIGNING_LIBS} && ${GEN_PNOR_IMAGE_SCRIPT} ${SYSTEM_SPECIFIC_PARAMS}
 
 	#for NIMBUS fake pnor skip version header
 	.if(${FAKEPNOR} != "")

diff --git a/src/build/tools/hbDistribute b/src/build/tools/hbDistribute
@@ -23,6 +23,10 @@
 # permissions and limitations under the License.
 #
 # IBM_PROLOG_END_TAG
+
+# Enable strict error checking
+set -exo pipefail
+
 TARGET_DIR="invalid directory"
 TARGET="fsp_TARGET"
 SBFW_DIR="invalid directory"
@@ -173,10 +177,20 @@ else
     fi
 fi
 
-# @TODO RTC:157356
-# Temporary development signing tools to create valid container headers
-export SIGNING_DIR="/gsa/ausgsa/home/h/o/hostboot/hostboot-project/secure-dev-signing/secure-boot-scripts/rom_new_header/sign/obj"
-export DEV_KEY_DIR="/gsa/ausgsa/home/h/o/hostboot/hostboot-project/secure-dev-signing/dev_keys"
+# Point to various signing related path components
+export SIGNING_BASE_DIR=/esw/bin/sb-signing
+echo "Secure Boot: Signing base dir is ${SIGNING_BASE_DIR}"
+export SIGNING_UTILS_DIR=sb-signing-utils
+echo "Secure Boot: Signing utils dir is ${SIGNING_UTILS_DIR}"
+
+# Point to the development signing keys
+export DEV_KEY_DIR="${SIGNING_BASE_DIR}/sb-signing-keys"
+echo "Secure Boot: Development keys dir is ${DEV_KEY_DIR}"
+
+# Force genPnorImages.pl to use the open signing tool
+export SIGNING_TOOL_EDITION="community";
+echo "Secure Boot: Signing tool edition is ${SIGNING_TOOL_EDITION}"
+
 # Dynamically check config file if secureboot enabled build occurred
 if [[ -f ${PROJECT_ROOT}/obj/genfiles/config.h ]]; then
     if cat ${PROJECT_ROOT}/obj/genfiles/config.h | grep -q "CONFIG_SECUREBOOT 1"; then