commit 54decebd1937dd609777edd3575a93307d8050bc
author Nick Bofferding <bofferdn@us.ibm.com> Wed Jun 28 23:07:35 2017 -0500
committer Nick Bofferding <bofferdn@us.ibm.com> Fri Aug 11 01:16:57 2017 -0500
tree bf67c3973b252031fbfb49825e18e7b038f86dad
parent 5c8aa950e251eedcc283db809b7e8561a6c200fb

Secure Boot: Add machine-xml and PNOR support for signing

- For Secure Boot compile, export protected/unprotected targeting binaries
- Add Secure Boot policies to PNOR package
- Pass Secure Boot policies to PNOR packaging tools
- Opportunistically move targeting protected/unprotected sections
- Remove bad secureboot config options from WS hostboot config
- Point to PNOR commit that supports secureboot signing
- Support key transitioning to development keys

Signed-off-by: Nick Bofferding <bofferdn@us.ibm.com>

openpower/package/openpower-pnor/openpower-pnor.mk

diff --git a/openpower/package/openpower-pnor/openpower-pnor.mk b/openpower/package/openpower-pnor/openpower-pnor.mk
index 94e0b6d..dd08018 100644
--- a/openpower/package/openpower-pnor/openpower-pnor.mk
+++ b/openpower/package/openpower-pnor/openpower-pnor.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-OPENPOWER_PNOR_VERSION ?= 1f584629255276586149a6cfe65e4680f99dd773
+OPENPOWER_PNOR_VERSION ?= d73af7e470ff65f7702e602a38f19c0c7a7d3c75
 OPENPOWER_PNOR_SITE ?= $(call github,open-power,pnor,$(OPENPOWER_PNOR_VERSION))
 
 OPENPOWER_PNOR_LICENSE = Apache-2.0
@@ -27,6 +27,19 @@
 
 ifeq ($(BR2_OPENPOWER_PNOR_XZ_ENABLED),y)
 OPENPOWER_PNOR_DEPENDENCIES += host-xz
+XZ_ARG=-xz_compression
+endif
+
+OPENPOWER_PNOR_DEPENDENCIES += host-sb-signing-utils
+
+ifeq ($(BR2_OPENPOWER_SECUREBOOT_KEY_TRANSITION_TO_DEV),y)
+KEY_TRANSITION_ARG=-key_transition imprint
+else ifeq ($(BR2_OPENPOWER_SECUREBOOT_KEY_TRANSITION_TO_PROD),y)
+KEY_TRANSITION_ARG=-key_transition production
+endif
+
+ifneq ($(BR2_OPENPOWER_SECUREBOOT_SIGN_MODE),"")
+SIGN_MODE_ARG=-sign_mode $(BR2_OPENPOWER_SECUREBOOT_SIGN_MODE)
 endif
 
 ifeq ($(BR2_OPENPOWER_POWER9),y)
@@ -77,7 +90,11 @@
             -wof_binary_filename $(OPENPOWER_MRW_SCRATCH_DIR)/$(BR2_WOFDATA_FILENAME) \
             -memd_binary_filename $(OPENPOWER_MRW_SCRATCH_DIR)/$(BR2_MEMDDATA_FILENAME) \
             -payload $(BINARIES_DIR)/$(BR2_SKIBOOT_LID_NAME) \
-            $(if ($(BR2_OPENPOWER_PNOR_XZ_ENABLED),y),-xz_compression)
+            -payload_filename $(BR2_SKIBOOT_LID_XZ_NAME) \
+            -binary_dir $(BINARIES_DIR) \
+            -bootkernel_filename $(LINUX_IMAGE_NAME) \
+            -pnor_layout $(@D)/"$(OPENPOWER_RELEASE)"Layouts/$(BR2_OPENPOWER_PNOR_XML_LAYOUT_FILENAME) \
+            $(XZ_ARG) $(KEY_TRANSITION_ARG) $(SIGN_MODE_ARG) \
 
         mkdir -p $(STAGING_DIR)/pnor/
         $(TARGET_MAKE_ENV) $(@D)/create_pnor_image.pl \
@@ -87,8 +104,8 @@
             -hb_image_dir $(HOSTBOOT_IMAGE_DIR) \
             -scratch_dir $(OPENPOWER_PNOR_SCRATCH_DIR) \
             -outdir $(STAGING_DIR)/pnor/ \
-            -payload $(BINARIES_DIR)/$(BR2_SKIBOOT_LID_XZ_NAME) \
-            -bootkernel $(BINARIES_DIR)/$(LINUX_IMAGE_NAME) \
+            -payload $(OPENPOWER_PNOR_SCRATCH_DIR)/$(BR2_SKIBOOT_LID_XZ_NAME) \
+            -bootkernel $(OPENPOWER_PNOR_SCRATCH_DIR)/$(LINUX_IMAGE_NAME) \
             -sbe_binary_filename $(BR2_HOSTBOOT_BINARY_SBE_FILENAME) \
             -sbec_binary_filename $(BR2_HOSTBOOT_BINARY_SBEC_FILENAME) \
             -wink_binary_filename $(BR2_HOSTBOOT_BINARY_WINK_FILENAME) \