Secure Boot: Add machine-xml and PNOR support for signing
- For Secure Boot compile, export protected/unprotected targeting binaries
- Add Secure Boot policies to PNOR package
- Pass Secure Boot policies to PNOR packaging tools
- Opportunistically move targeting protected/unprotected sections
- Remove bad secureboot config options from WS hostboot config
- Point to PNOR commit that supports secureboot signing
- Support key transitioning to development keys
Signed-off-by: Nick Bofferding <bofferdn@us.ibm.com>
diff --git a/openpower/package/openpower-pnor/Config.in b/openpower/package/openpower-pnor/Config.in
index 504afef..4e841bb 100644
--- a/openpower/package/openpower-pnor/Config.in
+++ b/openpower/package/openpower-pnor/Config.in
@@ -12,6 +12,38 @@
help
Utilites for building a targeting binary image
+choice
+ prompt "Secure Boot key transition type"
+ default BR2_OPENPOWER_SECUREBOOT_NO_KEY_TRANSITION
+
+config BR2_OPENPOWER_SECUREBOOT_NO_KEY_TRANSITION
+ bool "None"
+ help
+ Builds a driver that does not transition Secure Boot keys
+
+config BR2_OPENPOWER_SECUREBOOT_KEY_TRANSITION_TO_DEV
+ bool "Transition existing keys to development keys"
+ help
+ Builds a driver that transitions Secure Boot keys to development keys and
+ powers off the system. Only usable when system security has been
+ disabled.
+
+config BR2_OPENPOWER_SECUREBOOT_KEY_TRANSITION_TO_PROD
+ bool "Transition development keys to production keys"
+ help
+ Builds a driver that transitions Secure Boot development keys to
+ vendor supplied production keys and powers off the system.
+
+endchoice
+
+config BR2_OPENPOWER_SECUREBOOT_SIGN_MODE
+ string "Secureboot signing mode"
+ help
+ Available options [development | production]
+ Indicates the signing mode when generating the PNOR image. Only
+ applicable when hostboot is compiled with SECUREBOOT compile flag.
+ Default mode is development.
+
config BR2_OPENPOWER_PNOR_XML_LAYOUT_FILENAME
string "Name of Openpower pnor xml layout file"
help
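Review bot: the help text for BR2_OPENPOWER_SECUREBOOT_SIGN_MODE says "Default mode is development", but the option carries no `default` line, so a build that never sets it gets an empty string rather than "development"; add `default "development"`, or better, model it as a `choice` like the key-transition block above so only the two listed values can be selected, since a free-form string lets a misspelled mode reach the PNOR packaging tools unchecked. The same help also states the option only applies when hostboot is compiled with the SECUREBOOT flag, yet there is no `depends on` expressing that; tying it to the relevant config in Kconfig would stop the setting from being silently accepted on a build that ignores it.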