meta-ibm: p10bmc: Add otptool configuration
Some additional development details must be managed in this bbappend due
to co-development of the AST2600 and IBM p10bmc designs. IBM did bringup
of secure-boot on pre-production AST2600 silicon and this shaped how the
platform's OTP was configured.
The PEM files represent the public portion of the IBM signing key-pairs
for p10bmc systems. These are included to provide a canonical location
for the production OTP image artifact.
Change-Id: I7caa6cfd5848b1d671ef95f8031b76088673900a
Signed-off-by: Andrew Jeffery <andrew@aj.id.au>
diff --git a/meta-ibm/recipes-bsp/u-boot/u-boot-aspeed-sdk/p10bmc/a3.json b/meta-ibm/recipes-bsp/u-boot/u-boot-aspeed-sdk/p10bmc/a3.json
new file mode 100644
index 0000000..fdcfd5d
--- /dev/null
+++ b/meta-ibm/recipes-bsp/u-boot/u-boot-aspeed-sdk/p10bmc/a3.json
@@ -0,0 +1,126 @@
+{
+ "name": "rainier",
+ "version": "A3",
+ "data_region": {
+ "ecc_region": true,
+ "key": [
+ {
+ "types": "rsa_pub_oem",
+ "key_pem": "rsa_pub_oem_dss_key.pem",
+ "offset": "0x40",
+ "number_id": 0,
+ "sha_mode": "SHA512"
+ },
+ {
+ "types": "rsa_pub_oem",
+ "key_pem": "P10BMCAspeedSBPubKey_1.pem",
+ "offset": "0x240",
+ "number_id": 1,
+ "sha_mode": "SHA512"
+ },
+ {
+ "types": "rsa_pub_oem",
+ "key_pem": "P10BMCAspeedSBPubKey_2.pem",
+ "offset": "0x440",
+ "number_id": 2,
+ "sha_mode": "SHA512"
+ },
+ {
+ "types": "rsa_pub_oem",
+ "key_pem": "P10BMCAspeedSBPubKey_3.pem",
+ "offset": "0x640",
+ "number_id": 3,
+ "sha_mode": "SHA512"
+ }
+ ]
+ },
+ "config_region": {
+ "Disable OTP Memory BIST Mode": true,
+ "Enable Secure Boot": false,
+ "User region ECC enable": true,
+ "Secure Region ECC enable": false,
+ "Disable low security key": false,
+ "Ignore Secure Boot hardware strap": false,
+ "Secure Boot Mode": "Mode_2",
+ "Disable Uart Message of ROM code": false,
+ "Secure crypto RSA length": "RSA4096",
+ "Hash mode": "SHA512",
+ "Disable patch code": true,
+ "Disable Boot from Uart": false,
+ "Secure Region size": "0x0",
+ "Write Protect: Secure Region": true,
+ "Write Protect: User region": true,
+ "Write Protect: Configure region": true,
+ "Write Protect: OTP strap region": true,
+ "Copy Boot Image to Internal SRAM": true,
+ "Enable image encryption": false,
+ "Enable write Protect of OTP key retire bits": false,
+ "Disable Auto Boot from UART or VUART": false,
+ "OTP memory lock enable": false,
+ "Key Revision": "0x0",
+ "Secure boot header offset": "0x0",
+ "Boot From UART Port Selection": "UART5",
+ "Disable Auto Boot from UART": false,
+ "Disable Auto Boot from VUART2 over PCIE": true,
+ "Disable Auto Boot from VUART2 over LPC": true,
+ "Disable ROM code based programming control": true,
+ "Rollback prevention shift bit number": "0x0",
+ "Extra Data Write Protection Region Size": "0x0",
+ "Erase signature data after secure boot check": false,
+ "Erase RSA public key after secure boot check": false,
+ "Keys Retire ID": 0,
+ "User define data: random number low": "0x0",
+ "User define data: random number high": "0x0",
+ "Manifest ID": "0x0",
+ "Patch code location": "0x0",
+ "Patch code size": "0x0"
+ },
+ "otp_strap": {
+ "Enable secure boot": { "value": false },
+ "Enable boot from eMMC": { "value": true },
+ "Boot from debug SPI": { "value": false },
+ "Disable ARM CM3": { "value": true },
+ "Enable dedicated VGA BIOS ROM": { "value": false },
+ "MAC 1 RMII mode": { "value": "RMII/NCSI" },
+ "MAC 2 RMII mode": { "value": "RMII/NCSI" },
+ "CPU frequency": { "value": "1.2GHz" },
+ "HCLK ratio": { "value": "default" },
+ "VGA memory size": { "value": "16MB" },
+ "CPU/AXI clock ratio": { "value": "2:1" },
+ "Disable ARM JTAG debug": { "value": true },
+ "VGA class code": { "value": "vga_device" },
+ "Disable debug 0": { "value": false },
+ "Boot from eMMC speed mode": { "value": "normal" },
+ "Enable PCIe EHCI": { "value": false },
+ "Disable ARM JTAG trust world debug": { "value": true },
+ "Disable dedicated BMC function": { "value": false },
+ "Enable dedicate PCIe RC reset": { "value": false },
+ "Disable watchdog to reset full chip": { "value": false },
+ "Internal bridge speed selection": { "value": "1x" },
+ "Disable RVAS function": { "value": false },
+ "MAC 3 RMII mode": { "value": "RMII/NCSI" },
+ "MAC 4 RMII mode": { "value": "RMII/NCSI" },
+ "SuperIO configuration address selection": { "value": "0x2e" },
+ "Disable LPC to decode SuperIO": { "value": true },
+ "Disable debug 1": { "value": false },
+ "Enable ACPI": { "value": false },
+ "Select LPC/eSPI": { "value": "LPC" },
+ "Enable SAFS": { "value": false },
+ "Enable boot from uart5": { "value": false },
+ "Enable boot SPI 3B address mode auto-clear": { "value": false },
+ "Enable SPI 3B/4B address mode auto detection": { "value": false },
+ "Enable boot SPI or eMMC ABR": { "value": true },
+ "Boot SPI ABR Mode": { "value": "dual" },
+ "Boot SPI flash size": { "value": "0" },
+ "Enable host SPI ABR": { "value": false },
+ "Enable host SPI ABR mode select pin": { "value": false },
+ "Host SPI ABR Mode": { "value": "dual" },
+ "Host SPI flash size": { "value": "0" },
+ "Enable boot SPI auxiliary control pins": { "value": false },
+ "Boot SPI CRTM size": { "value": "0" },
+ "Host SPI CRTM size": { "value": "0" },
+ "Enable host SPI auxiliary control pins": { "value": false },
+ "Enable GPIO Pass Through": { "value": false },
+ "Enable Dedicate GPIO Strap Pins": { "value": false }
+ }
+}
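Review bot: The irreversible security choices in `config_region` have no recorded rationale, and JSON cannot carry comments, so the reasoning belongs in the commit message or in a comment next to `OTPTOOL_CONFIG` in the bbappend. As written, `"Enable Secure Boot": false` (and the matching `otp_strap` entry `"Enable secure boot"`) sits alongside `"Write Protect: Configure region": true` and `"Write Protect: OTP strap region": true`, while `"Disable low security key"`, `"Disable Boot from Uart"`, `"Enable write Protect of OTP key retire bits"` and `"OTP memory lock enable"` are all false. If otptool programs these values literally, a part fused from this image would presumably be write-protected with secure boot off and the UART boot path still available, so this should be confirmed against the intended production state before the file is treated as the canonical artifact. A comment along the lines of `# a3.json leaves secure boot disabled in OTP because <reason>; enforcement relies on <mechanism>` would make the intent reviewable.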
diff --git a/meta-ibm/recipes-bsp/u-boot/u-boot-aspeed-sdk/p10bmc/keys/P10BMCAspeedSBPubKey_1.pem b/meta-ibm/recipes-bsp/u-boot/u-boot-aspeed-sdk/p10bmc/keys/P10BMCAspeedSBPubKey_1.pem
new file mode 100644
index 0000000..eeba16b
--- /dev/null
+++ b/meta-ibm/recipes-bsp/u-boot/u-boot-aspeed-sdk/p10bmc/keys/P10BMCAspeedSBPubKey_1.pem
@@ -0,0 +1,14 @@
+-----BEGIN PUBLIC KEY-----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+-----END PUBLIC KEY-----
diff --git a/meta-ibm/recipes-bsp/u-boot/u-boot-aspeed-sdk/p10bmc/keys/P10BMCAspeedSBPubKey_2.pem b/meta-ibm/recipes-bsp/u-boot/u-boot-aspeed-sdk/p10bmc/keys/P10BMCAspeedSBPubKey_2.pem
new file mode 100644
index 0000000..6247058
--- /dev/null
+++ b/meta-ibm/recipes-bsp/u-boot/u-boot-aspeed-sdk/p10bmc/keys/P10BMCAspeedSBPubKey_2.pem
@@ -0,0 +1,14 @@
+-----BEGIN PUBLIC KEY-----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+-----END PUBLIC KEY-----
diff --git a/meta-ibm/recipes-bsp/u-boot/u-boot-aspeed-sdk/p10bmc/keys/P10BMCAspeedSBPubKey_3.pem b/meta-ibm/recipes-bsp/u-boot/u-boot-aspeed-sdk/p10bmc/keys/P10BMCAspeedSBPubKey_3.pem
new file mode 100644
index 0000000..062be04
--- /dev/null
+++ b/meta-ibm/recipes-bsp/u-boot/u-boot-aspeed-sdk/p10bmc/keys/P10BMCAspeedSBPubKey_3.pem
@@ -0,0 +1,14 @@
+-----BEGIN PUBLIC KEY-----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+-----END PUBLIC KEY-----
diff --git a/meta-ibm/recipes-bsp/u-boot/u-boot-aspeed-sdk_2019.04.bbappend b/meta-ibm/recipes-bsp/u-boot/u-boot-aspeed-sdk_2019.04.bbappend
new file mode 100644
index 0000000..2a99328
--- /dev/null
+++ b/meta-ibm/recipes-bsp/u-boot/u-boot-aspeed-sdk_2019.04.bbappend
@@ -0,0 +1,20 @@
+FILESEXTRAPATHS:prepend := "${THISDIR}/${PN}:"
+
+SRC_URI:append:p10bmc = " file://a3.json file://keys/"
+
+OTPTOOL_CONFIG:p10bmc = "${WORKDIR}/a3.json"
+OTPTOOL_KEY_DIR:p10bmc = "${WORKDIR}/keys/"
+
+# !!! Do not copy p10bmc's use of little-endian key ordering !!!
+#
+# The prefered order for production silicon is big-endian. Little-endian is necessary for p10bmc
+# platforms due to development history involving pre-production AST2600 silicon. More discussion
+# here:
+#
+# https://gerrit.openbmc-project.xyz/c/openbmc/openbmc/+/50716
+SOCSEC_SIGN_EXTRA_OPTS = "--rsa_key_order=little"
+
+do_deploy:prepend:p10bmc() {
+ # otptool needs access to the public and private socsec signing keys in the keys/ directory
+ openssl rsa -in ${SOCSEC_SIGN_KEY} -pubout > ${WORKDIR}/keys/rsa_pub_oem_dss_key.pem
+}
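Review bot: `SOCSEC_SIGN_EXTRA_OPTS` is assigned without the `:p10bmc` override that every other setting in this bbappend carries, so the little-endian key order the comment warns others not to copy would apply to any machine that builds this recipe with the layer enabled; `SOCSEC_SIGN_EXTRA_OPTS:p10bmc = "--rsa_key_order=little"` keeps it scoped. In `do_deploy:prepend:p10bmc`, OTP key slot 0 (`rsa_pub_oem_dss_key.pem`) is derived from whatever `${SOCSEC_SIGN_KEY}` points at during the build, so an OTP image built with a development signing key would presumably carry that key's public half next to the three production keys. The comment there should say this, and it currently mentions private keys although only a public key is written. Quoting the paths (`"${SOCSEC_SIGN_KEY}"` and `"${WORKDIR}/keys/rsa_pub_oem_dss_key.pem"`) would also guard against word splitting.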