meta-hpe: remove customer key block file requirement
The customer key block HPE signed key is no longer required for machines that have been through the transfer of ownership process.
Change-Id: Idfc94033dec64c62fa773c5511f9d0a17518a1cf
Signed-off-by: Charles Kearney <charles.kearney@hpe.com>
diff --git a/meta-hpe/meta-common/recipes-phosphor/image/obmc-phosphor-image.bbappend b/meta-hpe/meta-common/recipes-phosphor/image/obmc-phosphor-image.bbappend
index 0eb0069..2175ba2 100644
--- a/meta-hpe/meta-common/recipes-phosphor/image/obmc-phosphor-image.bbappend
+++ b/meta-hpe/meta-common/recipes-phosphor/image/obmc-phosphor-image.bbappend
@@ -27,7 +27,6 @@
pass
return version
-CUSTOMER_KEY_BLOCK ?= "customer-key-block"
HPE_GXP_BOOTBLOCK_IMAGE ?= "gxp-bootblock.bin"
HPE_UBOOT_SIGNING_HEADER ?= "hpe-uboot-header.section"
HPE_UBOOT_SIGNING_HEADER_512 ?= "hpe-uboot-header-512.section"
@@ -113,27 +112,17 @@
if=${DEPLOY_DIR_IMAGE}/u-boot.${UBOOT_SUFFIX} \
of=${DEPLOY_DIR_IMAGE}/u-boot-tmp.${UBOOT_SUFFIX}
- keyblockver="$(expr `grep -c -i 'CustomerKeyBlockVersion\$2.0' "${DEPLOY_DIR_IMAGE}/${CUSTOMER_KEY_BLOCK}"` + 1)"
-
+
# TODO - replace this openssl signing command line with whatever command you need to create a
# digital signature of ${DEPLOY_DIR_IMAGE}/u-boot-tmp.${UBOOT_SUFFIX}
- if [ ${keyblockver} -eq 1 ]
- then
- openssl sha256 -sign ${DEPLOY_DIR_IMAGE}/${HPE_UBOOT_SIGNING_KEY} -out ${DEPLOY_DIR_IMAGE}/gxp_tmp.sig \
- ${DEPLOY_DIR_IMAGE}/u-boot-tmp.${UBOOT_SUFFIX}
- # Cat U-Boot header+signature
- cat ${DEPLOY_DIR_IMAGE}/${HPE_UBOOT_SIGNING_HEADER} ${DEPLOY_DIR_IMAGE}/gxp_tmp.sig \
- > ${DEPLOY_DIR_IMAGE}/gxp-uboot.sig
- elif [ ${keyblockver} -eq 2 ]
- then
- openssl sha384 -sign ${DEPLOY_DIR_IMAGE}/${HPE_UBOOT_SIGNING_KEY} -out ${DEPLOY_DIR_IMAGE}/gxp_tmp.sig \
- ${DEPLOY_DIR_IMAGE}/u-boot-tmp.${UBOOT_SUFFIX}
+ openssl sha384 -sign ${DEPLOY_DIR_IMAGE}/${HPE_UBOOT_SIGNING_KEY} -out ${DEPLOY_DIR_IMAGE}/gxp_tmp.sig \
+ ${DEPLOY_DIR_IMAGE}/u-boot-tmp.${UBOOT_SUFFIX}
- # Cat U-Boot header+signature
- cat ${DEPLOY_DIR_IMAGE}/${HPE_UBOOT_SIGNING_HEADER_512} ${DEPLOY_DIR_IMAGE}/gxp_tmp.sig \
- > ${DEPLOY_DIR_IMAGE}/gxp-uboot.sig
- fi
+ # Cat U-Boot header+signature
+ cat ${DEPLOY_DIR_IMAGE}/${HPE_UBOOT_SIGNING_HEADER_512} ${DEPLOY_DIR_IMAGE}/gxp_tmp.sig \
+ > ${DEPLOY_DIR_IMAGE}/gxp-uboot.sig
+
# Create hpe-section
dd if=/dev/zero bs=1k count=576 > ${DEPLOY_DIR_IMAGE}/hpe-section
@@ -151,21 +140,6 @@
# hpe-section2 is the same as hpe-section up to this point
cp ${DEPLOY_DIR_IMAGE}/hpe-section ${DEPLOY_DIR_IMAGE}/hpe-section2
- # Expand the customer-key-block to 64 KB
- dd if=/dev/zero bs=1k count=64 > ${DEPLOY_DIR_IMAGE}/${CUSTOMER_KEY_BLOCK}.tmp
- dd bs=1k conv=notrunc seek=0 count=64 \
- if=${DEPLOY_DIR_IMAGE}/${CUSTOMER_KEY_BLOCK} \
- of=${DEPLOY_DIR_IMAGE}/${CUSTOMER_KEY_BLOCK}.tmp
-
- # Add the customer-key-block to hpe-section
- dd bs=1k conv=notrunc seek=320 count=64 \
- if=${DEPLOY_DIR_IMAGE}/${CUSTOMER_KEY_BLOCK}.tmp \
- of=${DEPLOY_DIR_IMAGE}/hpe-section
-
- # Add a second copy of the customer-key-block to hpe-section
- dd bs=1k conv=notrunc seek=384 count=64 \
- if=${DEPLOY_DIR_IMAGE}/${CUSTOMER_KEY_BLOCK}.tmp \
- of=${DEPLOY_DIR_IMAGE}/hpe-section
# Expand uboot to 384K
dd if=/dev/zero bs=1k count=384 > ${DEPLOY_DIR_IMAGE}/u-boot-tmp.${UBOOT_SUFFIX}
@@ -176,8 +150,7 @@
# Remove unnecessary files
rm ${DEPLOY_DIR_IMAGE}/u-boot.${UBOOT_SUFFIX} \
${DEPLOY_DIR_IMAGE}/gxp_tmp.sig \
- ${DEPLOY_DIR_IMAGE}/gxp-uboot.sig \
- ${DEPLOY_DIR_IMAGE}/${CUSTOMER_KEY_BLOCK}.tmp
+ ${DEPLOY_DIR_IMAGE}/gxp-uboot.sig
mv ${DEPLOY_DIR_IMAGE}/u-boot-tmp.${UBOOT_SUFFIX} ${DEPLOY_DIR_IMAGE}/u-boot.${UBOOT_SUFFIX}
diff --git a/meta-hpe/meta-gxp/classes/gxp2-bootblock-n.bbclass b/meta-hpe/meta-gxp/classes/gxp2-bootblock-n.bbclass
index 3ee93ff..33e23a6 100644
--- a/meta-hpe/meta-gxp/classes/gxp2-bootblock-n.bbclass
+++ b/meta-hpe/meta-gxp/classes/gxp2-bootblock-n.bbclass
@@ -1,4 +1,4 @@
-# TODO: Manually copy the U-Boot signing key and customer-key-block here:
+# TODO: Manually copy the U-Boot signing key here:
HPE_GXP_KEY_FILES_DIR = "${COREBASE}/meta-hpe/meta-gxp/recipes-bsp/image/files"
inherit deploy
@@ -16,6 +16,4 @@
# Copy in the U-Boot signing key
install -m 644 ${HPE_GXP_KEY_FILES_DIR}/customer_private_key.pem ${DEPLOYDIR}/hpe-uboot-signing-key.pem
- # Copy in the customer keyblock
- install -m 644 ${HPE_GXP_KEY_FILES_DIR}/customer-key-block ${DEPLOYDIR}/customer-key-block
}