Secure Boot: Support Independent signing mode in genPnorImages.pl

This changes signMode() from a tuple to a triple, supporting 'independent' as an allowable value, and passing this value to crtSignedContaner.sh as appropriate. For simplicity, Independent mode is not considered in the setting of the LAB_SECURITY_OVERRIDE_FLAG or for transition containers. Change-Id: Ibda46b963805f378e37d271e31ed31dff36daaf8 Signed-off-by: Dave Heller <hellerda@linux.vnet.ibm.com> Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/61782 Tested-by: Jenkins Server <pfd-jenkins+hostboot@us.ibm.com> Tested-by: Jenkins OP Build CI <op-jenkins+hostboot@us.ibm.com> Tested-by: Jenkins OP HW <op-hw-jenkins+hostboot@us.ibm.com> Disable-CI: Nicholas E. Bofferding <bofferdn@us.ibm.com> Reviewed-by: William G. Hoffa <wghoffa@us.ibm.com>
open-power · Jul 5, 2018 · adc91be · adc91be
1 parent 50e7279
commit adc91be
Showing 1 changed file with 19 additions and 9 deletions.
diff --git a/src/build/buildpnor/genPnorImages.pl b/src/build/buildpnor/genPnorImages.pl
@@ -98,6 +98,7 @@
 my $DEVELOPMENT = "development";
 my $IMPRINT = "imprint";
 my $PRODUCTION = "production";
+my $INDEPENDENT = "independent";
 
 ################################################################################
 # I/O parsing
@@ -161,13 +162,21 @@
 
 # Put mode transition input into a hash and ensure a valid signing mode
 my %signMode = ( $DEVELOPMENT => 1,
-                 $PRODUCTION => 0 );
+                 $PRODUCTION => 0,
+                 $INDEPENDENT => 0 );
 if ($sign_mode =~ m/^$DEVELOPMENT/i)
 {}
 elsif ($sign_mode =~ m/^$PRODUCTION/i)
 {
     $signMode{$PRODUCTION} = 1;
     $signMode{$DEVELOPMENT} = 0;
+    $signMode{$INDEPENDENT} = 0;
+}
+elsif ($sign_mode =~ m/^$INDEPENDENT/i)
+{
+    $signMode{$PRODUCTION} = 0;
+    $signMode{$DEVELOPMENT} = 0;
+    $signMode{$INDEPENDENT} = 1;
 }
 else
 {
@@ -267,20 +276,21 @@
 
 # Production signing parameters
 my $OPEN_PRD_SIGN_PARAMS = "--mode production "
-    . "--hwPrivKeyA __get "
-    . "--hwPrivKeyB __get "
-    . "--hwPrivKeyC __get "
-    . "--swPrivKeyP __get ";
+    . "--hwKeyA __get "
+    . "--hwKeyB __get "
+    . "--hwKeyC __get "
+    . "--swKeyP __get ";
 
 # Imprint key signing parameters.  In a non-secure compile, omit the keys to
 # generate a secure header without signatures
 my $OPEN_DEV_SIGN_PARAMS = "";
 if($secureboot)
 {
-    $OPEN_DEV_SIGN_PARAMS = " --hwPrivKeyA $DEV_KEY_DIR/hw_key_a.key "
-    . "--hwPrivKeyB $DEV_KEY_DIR/hw_key_b.key "
-    . "--hwPrivKeyC $DEV_KEY_DIR/hw_key_c.key "
-    . "--swPrivKeyP $DEV_KEY_DIR/sw_key_a.key";
+    $OPEN_DEV_SIGN_PARAMS = "--mode $sign_mode "
+    . "--hwKeyA $DEV_KEY_DIR/hw_key_a.key "
+    . "--hwKeyB $DEV_KEY_DIR/hw_key_b.key "
+    . "--hwKeyC $DEV_KEY_DIR/hw_key_c.key "
+    . "--swKeyP $DEV_KEY_DIR/sw_key_a.key";
 }
 
 # Handle key transition and production signing logic