Gitiles
Code Review Sign In
gerrit.openbmc.org / mdmillerii / openbmc / 5f87e5375bdc441e0f34156f6305147047390aa6 / . / meta-aspeed / classes / socsec-sign.bbclass
blob: f46147d748a8dcc1397ea8070692f129747184aa [file] [log] [blame]
Klaus Heinrich Kiwi92f659d2021-03-09 21:03:42 -0300[diff] [blame]1# ASPEED AST2600 devices can use Aspeed's utility 'socsec'
2# to sign the SPL (pubkey written to OTP region)
3# The variables below carry default values to the spl_sign()
4# function below.
5SOCSEC_SIGN_ENABLE ?= "0"
6SOCSEC_SIGN_KEY ?= ""
7SOCSEC_SIGN_SOC ?= "2600"
8SOCSEC_SIGN_ALGO ?= "RSA4096_SHA512"
9SOCSEC_SIGN_HELPER ?= ""
10# u-boot-aspeed-sdk commit '2c3b53489c ast2600: Modify SPL SRAM layout'
11# changes the SDRAM layout so that the verification region does NOT
12# intersects the stack. The parameter below can be used to instruct
13# socsec to work in either mode (ommitting it throws a warning), but
14# newer (post v00.03.03) u-boot-aspeed-sdk need this set to false
Jamin Line73cb4a2021-12-17 15:04:35 +0800[diff] [blame]15# A1 rsa order is little endian and A3 is big endian
16# Set big endian for A3 support
17SOCSEC_SIGN_EXTRA_OPTS ?= "--stack_intersects_verification_region=false --rsa_key_order=big"
Klaus Heinrich Kiwi92f659d2021-03-09 21:03:42 -0300[diff] [blame]18DEPENDS += '${@oe.utils.conditional("SOCSEC_SIGN_ENABLE", "1", " socsec-native", "", d)}'
19
20
21# Signs the SPL binary with a pre-established key
22sign_spl_helper() {
23 signing_helper_args=""
24
25 if [ "${SOC_FAMILY}" != "aspeed-g6" ] ; then
Brad Bishop2c95c912022-02-01 15:35:01 -0500[diff] [blame]26 bbwarn "SPL signing is only supported on AST2600 boards"
Klaus Heinrich Kiwi92f659d2021-03-09 21:03:42 -0300[diff] [blame]27 elif [ ! -e "${SOCSEC_SIGN_KEY}" ] ; then
Brad Bishop2c95c912022-02-01 15:35:01 -0500[diff] [blame]28 bbfatal "Invalid socsec signing key: ${SOCSEC_SIGN_KEY}"
Klaus Heinrich Kiwi92f659d2021-03-09 21:03:42 -0300[diff] [blame]29 else
30 rm -f ${SPL_BINARY}.staged
31
32 if [ -n "${SOCSEC_SIGN_HELPER}" ] ; then
33 signing_helper_args="--signing_helper ${SOCSEC_SIGN_HELPER}"
34 fi
35 socsec make_secure_bl1_image \
36 --soc ${SOCSEC_SIGN_SOC} \
37 --algorithm ${SOCSEC_SIGN_ALGO} \
38 --rsa_sign_key ${SOCSEC_SIGN_KEY} \
39 --bl1_image ${DEPLOYDIR}/${SPL_IMAGE} \
Brad Bishop85c14d82022-02-01 15:37:16 -0500[diff] [blame]40 $signing_helper_args \
Klaus Heinrich Kiwi92f659d2021-03-09 21:03:42 -0300[diff] [blame]41 ${SOCSEC_SIGN_EXTRA_OPTS} \
42 --output ${SPL_BINARY}.staged
Brad Bishop85c14d82022-02-01 15:37:16 -0500[diff] [blame]43 cp -f ${SPL_BINARY}.staged ${B}/$CONFIG_B_PATH/${SPL_BINARY}
Klaus Heinrich Kiwi92f659d2021-03-09 21:03:42 -0300[diff] [blame]44 mv -f ${SPL_BINARY}.staged ${DEPLOYDIR}/${SPL_IMAGE}
45 fi
46}
47
48sign_spl() {
49 mkdir -p ${DEPLOYDIR}
50 if [ -n "${UBOOT_CONFIG}" ]; then
51 for config in ${UBOOT_MACHINE}; do
Brad Bishop85c14d82022-02-01 15:37:16 -0500[diff] [blame]52 CONFIG_B_PATH="$config"
53 cd ${B}/$config
Klaus Heinrich Kiwi92f659d2021-03-09 21:03:42 -0300[diff] [blame]54 sign_spl_helper
55 done
56 else
57 CONFIG_B_PATH=""
58 cd ${B}
59 sign_spl_helper
60 fi
61}
62
Jamin Lineed879f2021-12-17 15:45:25 +0800[diff] [blame]63verify_spl_otp() {
64 socsec verify \
65 --sec_image ${DEPLOYDIR}/${SPL_IMAGE} \
66 --otp_image ${DEPLOYDIR}/otp-all.image
67
68 if [ $? -ne 0 ]; then
69 bbfatal "Verified OTP image failed."
70 fi
71}
Klaus Heinrich Kiwi92f659d2021-03-09 21:03:42 -0300[diff] [blame]72
Patrick Williamsb9799be2021-08-06 09:13:33 -0500[diff] [blame]73do_deploy:append() {
Klaus Heinrich Kiwi92f659d2021-03-09 21:03:42 -0300[diff] [blame]74 if [ "${SOCSEC_SIGN_ENABLE}" = "1" -a -n "${SPL_BINARY}" ] ; then
75 sign_spl
Jamin Lineed879f2021-12-17 15:45:25 +0800[diff] [blame]76 verify_spl_otp
Klaus Heinrich Kiwi92f659d2021-03-09 21:03:42 -0300[diff] [blame]77 fi
78}