meta-ibm: p10bmc: Add otptool configuration

Some addition development details must be managed in this bbappend due
to co-development of the AST2600 and IBM p10bmc designs. IBM did bringup
of secure-boot on pre-production AST2600 silicon and this shaped how the
platform's OTP was configured.

The PEM files represent the public portion of the IBM signing key-pairs
for p10bmc systems. These are included to provide a canonical location
for the production OTP image artifact.

Change-Id: I7caa6cfd5848b1d671ef95f8031b76088673900a
Signed-off-by: Andrew Jeffery <andrew@aj.id.au>
diff --git a/meta-ibm/recipes-bsp/u-boot/u-boot-aspeed-sdk_2019.04.bbappend b/meta-ibm/recipes-bsp/u-boot/u-boot-aspeed-sdk_2019.04.bbappend
new file mode 100644
index 0000000..2a99328
--- /dev/null
+++ b/meta-ibm/recipes-bsp/u-boot/u-boot-aspeed-sdk_2019.04.bbappend
@@ -0,0 +1,20 @@
+FILESEXTRAPATHS:prepend := "${THISDIR}/${PN}:"
+
+SRC_URI:append:p10bmc = " file://a3.json file://keys/"
+
+OTPTOOL_CONFIG:p10bmc = "${WORKDIR}/a3.json"
+OTPTOOL_KEY_DIR:p10bmc = "${WORKDIR}/keys/"
+
+# !!! Do not copy p10bmc's use of little-endian key ordering !!!
+#
+# The prefered order for production silicon is big-endian. Little-endian is necessary for p10bmc
+# platforms due to development history involving pre-production AST2600 silicon. More discussion
+# here:
+#
+# https://gerrit.openbmc-project.xyz/c/openbmc/openbmc/+/50716
+SOCSEC_SIGN_EXTRA_OPTS = "--rsa_key_order=little"
+
+do_deploy:prepend:p10bmc() {
+	# otptool needs access to the public and private socsec signing keys in the keys/ directory
+	openssl rsa -in ${SOCSEC_SIGN_KEY} -pubout > ${WORKDIR}/keys/rsa_pub_oem_dss_key.pem
+}