From bc5682af46e7bb2db079ce72ed51c18231d22bb8 Mon Sep 17 00:00:00 2001 From: Nick Bofferding Date: Thu, 28 Sep 2017 22:55:54 -0500 Subject: [PATCH] Secure Boot: Remove requirement to specify production config file RTC: 177220 Change-Id: I6dde362df4d8a441d950071333b64f014e819267 Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/46916 Reviewed-by: Michael Baiocchi Reviewed-by: Stephen M. Cprek Tested-by: Jenkins Server Tested-by: Jenkins OP Build CI Tested-by: FSP CI Jenkins Tested-by: Jenkins OP HW Reviewed-by: Marshall J. Wilks Reviewed-by: Daniel M. Crowell --- src/build/buildpnor/genPnorImages.pl | 14 ++------------ 1 file changed, 2 insertions(+), 12 deletions(-) diff --git a/src/build/buildpnor/genPnorImages.pl b/src/build/buildpnor/genPnorImages.pl index 7681023a4fd..beaa81e03f1 100755 --- a/src/build/buildpnor/genPnorImages.pl +++ b/src/build/buildpnor/genPnorImages.pl @@ -120,7 +120,6 @@ my $help = 0; my %partitionsToCorrupt = (); my $sign_mode = $DEVELOPMENT; -my $sb_signing_config_file = ""; my $hwKeyHashFile = ""; my $hb_standalone=""; @@ -140,7 +139,6 @@ "key-transition:s" => \$key_transition, "corrupt:s" => \%partitionsToCorrupt, "sign-mode:s" => \$sign_mode, - "sb-signing-config-file:s" => \$sb_signing_config_file, "hwKeyHashFile:s" => \$hwKeyHashFile, "hb-standalone" => \$hb_standalone, "lab-security-override!" => \$labSecurityOverride, @@ -172,12 +170,6 @@ die "Invalid signing mode = $sign_mode"; } -# Secure boot signing config file only required in production mode. -if ($signMode{$PRODUCTION}) -{ - die "SB signing config file path not provided" if ($sb_signing_config_file eq ""); -} - # Put key transition input into a hash and ensure a valid key transition mode my %keyTransition = ( enabled => 0, $IMPRINT => 0, 
@@ -280,13 +272,12 @@ ### Open POWER signing my $OPEN_SIGN_REQUEST= - "$SIGNING_DIR/crtSignedContainer.sh --scratchDir $bin_dir"; + "$SIGNING_DIR/crtSignedContainer.sh --scratchDir $bin_dir "; # By default key transition container is unused my $OPEN_SIGN_KEY_TRANS_REQUEST = $OPEN_SIGN_REQUEST; # Production signing parameters -my $OPEN_PRD_SIGN_PARAMS = "--mode production " - . " --sign-project-config $sb_signing_config_file"; +my $OPEN_PRD_SIGN_PARAMS = "--mode production "; # Imprint key signing parameters. In a non-secure compile, omit the keys to # generate a secure header without signatures @@ -1292,7 +1283,6 @@ sub usage --key-transition Indicates a key transition is needed and creates a secureboot key transition container. Note: "--sign-mode production" is not allowed with "--key-transition imprint" With [--test] will transition to test dev keys, which are a fixed permutation of imprint keys. - --sb-signing-config-file Path to ini-formatted config file for production signing --lab-security-override If signing SBE image, set bit in signing header which turns on security override checking in the SBE the next time it is
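Review bot: With `--sign-project-config` dropped from `$OPEN_PRD_SIGN_PARAMS`, nothing in this hunk says where production signing now gets its project configuration, and the patch also removes the early `die` that caught a missing config. Presumably crtSignedContainer.sh resolves it on its own, so a misconfigured build host would only fail inside the signing tool, or could fall back to a default. I would extend the comment to something like `# Production signing parameters; project config is resolved by crtSignedContainer.sh, not passed from here`, once that behaviour is confirmed. Separately, `$OPEN_SIGN_REQUEST` now relies on a trailing space to separate arguments and still interpolates `$bin_dir` unquoted. If the string is later run through a shell (the call site is outside this hunk), a scratch path containing whitespace or shell metacharacters would be split or interpreted. Validating the path before it is interpolated would help, e.g. `die "Unsafe scratch dir: $bin_dir" unless $bin_dir =~ m{\A[\w./+-]+\z};`.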