Secure Boot: Purge SW signature cache for multinode binaries

When signing targeting binaries for multinode systems, the build process erroneously reuses the SW signature for node 0 when creating the secure header for other nodes. This change moves the signature purge logic into the loop that handles multiple nodes worth of content Change-Id: I1e1154cbfb06375c3b62e3710c9bd2384b961076 CQ: SW430711 Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/59548 Reviewed-by: Michael Baiocchi <mbaiocch@us.ibm.com> Reviewed-by: ILYA SMIRNOV <ismirno@us.ibm.com> Tested-by: Jenkins Server <pfd-jenkins+hostboot@us.ibm.com> Tested-by: Jenkins OP Build CI <op-jenkins+hostboot@us.ibm.com> Tested-by: Jenkins OP HW <op-hw-jenkins+hostboot@us.ibm.com> Tested-by: FSP CI Jenkins <fsp-CI-jenkins+hostboot@us.ibm.com> Reviewed-by: William G. Hoffa <wghoffa@us.ibm.com>
open-power · May 31, 2018 · 6be04f3 · 6be04f3
1 parent 26d9aed
commit 6be04f3
Showing 1 changed file with 14 additions and 13 deletions.
diff --git a/src/build/buildpnor/genPnorImages.pl b/src/build/buildpnor/genPnorImages.pl
@@ -527,19 +527,6 @@ sub manipulateImages
         my $componentId = convertEyecatchToCompId($eyeCatch);
         $CUR_OPEN_SIGN_REQUEST .= " --sign-project-FW-token $componentId ";
 
-        # @TODO RTC 182358
-        # This is a tactical workaround for the signing tooling not being
-        # able to handle muliple different platform binary contents for the same
-        # component ID.  The signing tooling should be modified to tolerate this
-        # scenario, at which point the workaround can be removed.
-        if ($buildType eq "fspbuild")
-        {
-            my @signatureFiles=
-                glob("$bin_dir/SIGNTOOL_*/$componentId/*sig_p.raw $bin_dir/SIGNTOOL_*/$componentId/*key_p.sig");
-            print "Deleting @signatureFiles\n";
-            unlink @signatureFiles;
-        }
-
         # Used for corrupting partitions. By default all protected offsets start
         # immediately after the container header which is size = PAGE_SIZE.
         # *Note: this is before ECC.
@@ -554,6 +541,20 @@ sub manipulateImages
         my $nodeIDstr = "";
         foreach my $bin_file (@binFilesArray)
         {
+            # @TODO RTC 182358
+            # This is a tactical workaround for the signing tooling not being
+            # able to handle muliple different platform binary (or multiple
+            # node) contents for the same component ID.  The signing tooling
+            # should be modified to tolerate this scenario, at which point the
+            # workaround can be removed.
+            if ($buildType eq "fspbuild")
+            {
+                my @signatureFiles=
+                    glob("$bin_dir/SIGNTOOL_*/$componentId/*sig_p.raw $bin_dir/SIGNTOOL_*/$componentId/*key_p.sig");
+                print "Deleting @signatureFiles\n";
+                unlink @signatureFiles;
+            }
+
             # If there are more than 1 bin files per section, final name should
             # have a node ID included.
             if (scalar @binFilesArray > 1)