Merge pull request #1517 from op-jenkins/op-build-update_043_10-4-2017
op-build update 10-4-2017
diff --git a/openpower/package/Config.in b/openpower/package/Config.in
index 68699e0..aed88b6 100755
--- a/openpower/package/Config.in
+++ b/openpower/package/Config.in
@@ -17,4 +17,5 @@
source "$BR2_EXTERNAL_OP_BUILD_PATH/package/ima-catalog/Config.in"
source "$BR2_EXTERNAL_OP_BUILD_PATH/package/sbe/Config.in"
source "$BR2_EXTERNAL_OP_BUILD_PATH/package/sb-signing-utils/Config.in"
+source "$BR2_EXTERNAL_OP_BUILD_PATH/package/sb-signing-framework/Config.in"
diff --git a/openpower/package/openpower-pnor/Config.in b/openpower/package/openpower-pnor/Config.in
index 644d281..37c4470 100644
--- a/openpower/package/openpower-pnor/Config.in
+++ b/openpower/package/openpower-pnor/Config.in
@@ -39,6 +39,7 @@
config BR2_OPENPOWER_SECUREBOOT_SIGN_MODE
string "Secureboot signing mode"
+ default "development"
help
Available options [development | production]
Indicates the signing mode when generating the PNOR image. Only
diff --git a/openpower/package/pkg-versions.mk b/openpower/package/pkg-versions.mk
index 9a37bbb..be50245 100644
--- a/openpower/package/pkg-versions.mk
+++ b/openpower/package/pkg-versions.mk
@@ -134,7 +134,7 @@
UPPER_CASE_PKG = $(call UPPERCASE,$(1))
$$(UPPER_CASE_PKG)_VERSION_FILE = $$(OPENPOWER_VERSION_DIR)/$(1).version.txt
-
+UPPER_CASE_SIGN_MODE = $(call UPPERCASE,$$(BR2_OPENPOWER_SECUREBOOT_SIGN_MODE))
$$(eval $$(foreach pkg,$$(OPENPOWER_VERSIONED_SUBPACKAGES), \
$$(call OPENPOWER_SUBPACKAGE_VERSION,$$(pkg),$$(call UPPERCASE,$$(pkg)))))
@@ -168,6 +168,11 @@
>> $$($$(UPPER_CASE_PKG)_VERSION_FILE); \
fi
+# Flag whether op-build is production signed
+if [ "$$(UPPER_CASE_SIGN_MODE)" == 'PRODUCTION' ]; then \
+ echo -n "-prod" >> $$($$(UPPER_CASE_PKG)_VERSION_FILE); \
+fi
+
# Add new line to $$($$(UPPER_CASE_PKG)_VERSION_FILE)
echo "" >> $$($$(UPPER_CASE_PKG)_VERSION_FILE);
diff --git a/openpower/package/sb-signing-framework/Config.in b/openpower/package/sb-signing-framework/Config.in
new file mode 100644
index 0000000..7ac3848
--- /dev/null
+++ b/openpower/package/sb-signing-framework/Config.in
@@ -0,0 +1,5 @@
+config BR2_PACKAGE_HOST_SB_SIGNING_FRAMEWORK
+ bool "OpenPOWER secureboot signing server interface"
+ default y if BR2_OPENPOWER_PLATFORM && ((BR2_OPENPOWER_SECUREBOOT_SIGN_MODE = "production") || (BR2_OPENPOWER_SECUREBOOT_KEY_TRANSITION_TO_PROD) )
+ help
+ Client interface to signing server for signing OpenPOWER firmware images
diff --git a/openpower/package/sb-signing-framework/sb-signing-framework.mk b/openpower/package/sb-signing-framework/sb-signing-framework.mk
new file mode 100644
index 0000000..6338ae0
--- /dev/null
+++ b/openpower/package/sb-signing-framework/sb-signing-framework.mk
@@ -0,0 +1,27 @@
+################################################################################
+#
+# sb-signing-framework
+#
+################################################################################
+
+SB_SIGNING_FRAMEWORK_SITE ?= $(call github,open-power,sb-signing-framework,$(SB_SIGNING_FRAMEWORK_VERSION))
+
+SB_SIGNING_FRAMEWORK_LICENSE = Apache-2.0
+SB_SIGNING_FRAMEWORK_LICENSE_FILES = LICENSE
+SB_SIGNING_FRAMEWORK_VERSION ?= 02ed29aa11136a6d9a6e1f075772532c43cb7289
+
+HOST_SB_SIGNING_FRAMEWORK_DEPENDENCIES = host-openssl
+
+define HOST_SB_SIGNING_FRAMEWORK_BUILD_CMDS
+ CFLAGS="-I $(HOST_DIR)/usr/include -Wl,-rpath -Wl,$(HOST_DIR)/usr/lib" \
+ $(HOST_MAKE_ENV) $(MAKE) -C $(@D)/src/client/
+endef
+
+define HOST_SB_SIGNING_FRAMEWORK_COPY_FILES
+ $(INSTALL) -m 0755 $(@D)/src/client/sf_client $(HOST_DIR)/usr/bin/
+endef
+
+HOST_SB_SIGNING_FRAMEWORK_POST_INSTALL_HOOKS += HOST_SB_SIGNING_FRAMEWORK_COPY_FILES
+
+$(eval $(host-generic-package))
+
diff --git a/openpower/package/sb-signing-utils/Config.in b/openpower/package/sb-signing-utils/Config.in
index 87df6f3..b834f46 100644
--- a/openpower/package/sb-signing-utils/Config.in
+++ b/openpower/package/sb-signing-utils/Config.in
@@ -1,5 +1,5 @@
config BR2_PACKAGE_HOST_SB_SIGNING_UTILS
bool "OpenPOWER secureboot signing utilities"
- default y if (BR2_OPENPOWER_PLATFORM && BR2_OPENPOWER_SECUREBOOT_ENABLED)
+ default y if (BR2_OPENPOWER_PLATFORM)
help
Secureboot utilities for signing OpenPOWER firmware images
diff --git a/openpower/package/sb-signing-utils/sb-signing-utils.mk b/openpower/package/sb-signing-utils/sb-signing-utils.mk
index de8b5eb..0dbb4d0 100644
--- a/openpower/package/sb-signing-utils/sb-signing-utils.mk
+++ b/openpower/package/sb-signing-utils/sb-signing-utils.mk
@@ -12,6 +12,12 @@
HOST_SB_SIGNING_UTILS_DEPENDENCIES = host-openssl
+ifeq ($(BR2_OPENPOWER_SECUREBOOT_SIGN_MODE),production)
+HOST_SB_SIGNING_UTILS_DEPENDENCIES += host-sb-signing-framework
+else ifeq ($(BR2_OPENPOWER_SECUREBOOT_KEY_TRANSITION_TO_PROD),y)
+HOST_SB_SIGNING_UTILS_DEPENDENCIES += host-sb-signing-framework
+endif
+
HOST_SB_SIGNING_UTILS_AUTORECONF = YES
HOST_SB_SIGNING_UTILS_AUTORECONF_OPTS = -i