authorCharles Kearney <charles.kearney@hpe.com>2023-06-08 22:57:32 +0300
committerJean-Marie Verdun <jean-marie.verdun@hpe.com>2023-06-26 23:42:39 +0300
commit80ae01a94cca679cd0d1e6881a25de24a7cc5a92 (patch)
tree8422a99b9d8095498b7785a8fc8e02e56e831e2c /meta-hpe
parent0810635dfa62760c24b00382f1ad7b2c816a85ac (diff)
meta-hpe: remove customer key block file requirement
The customer key block HPE signed key is no longer required for machines that have been through the transfer of ownership process. Change-Id: Idfc94033dec64c62fa773c5511f9d0a17518a1cf Signed-off-by: Charles Kearney <charles.kearney@hpe.com>
Diffstat (limited to 'meta-hpe')
-rw-r--r--meta-hpe/meta-common/recipes-phosphor/image/obmc-phosphor-image.bbappend43
-rw-r--r--meta-hpe/meta-gxp/classes/gxp2-bootblock-n.bbclass4
2 files changed, 9 insertions, 38 deletions
diff --git a/meta-hpe/meta-common/recipes-phosphor/image/obmc-phosphor-image.bbappend b/meta-hpe/meta-common/recipes-phosphor/image/obmc-phosphor-image.bbappend
index 0eb006948b..2175ba28cd 100644
--- a/meta-hpe/meta-common/recipes-phosphor/image/obmc-phosphor-image.bbappend
+++ b/meta-hpe/meta-common/recipes-phosphor/image/obmc-phosphor-image.bbappend
@@ -27,7 +27,6 @@ def do_get_version(d):
pass
return version
-CUSTOMER_KEY_BLOCK ?= "customer-key-block"
HPE_GXP_BOOTBLOCK_IMAGE ?= "gxp-bootblock.bin"
HPE_UBOOT_SIGNING_HEADER ?= "hpe-uboot-header.section"
HPE_UBOOT_SIGNING_HEADER_512 ?= "hpe-uboot-header-512.section"
@@ -113,27 +112,17 @@ do_generate_hpe_image() {
if=${DEPLOY_DIR_IMAGE}/u-boot.${UBOOT_SUFFIX} \
of=${DEPLOY_DIR_IMAGE}/u-boot-tmp.${UBOOT_SUFFIX}
- keyblockver="$(expr `grep -c -i 'CustomerKeyBlockVersion\$2.0' "${DEPLOY_DIR_IMAGE}/${CUSTOMER_KEY_BLOCK}"` + 1)"
-
+
# TODO - replace this openssl signing command line with whatever command you need to create a
# digital signature of ${DEPLOY_DIR_IMAGE}/u-boot-tmp.${UBOOT_SUFFIX}
- if [ ${keyblockver} -eq 1 ]
- then
- openssl sha256 -sign ${DEPLOY_DIR_IMAGE}/${HPE_UBOOT_SIGNING_KEY} -out ${DEPLOY_DIR_IMAGE}/gxp_tmp.sig \
- ${DEPLOY_DIR_IMAGE}/u-boot-tmp.${UBOOT_SUFFIX}
- # Cat U-Boot header+signature
- cat ${DEPLOY_DIR_IMAGE}/${HPE_UBOOT_SIGNING_HEADER} ${DEPLOY_DIR_IMAGE}/gxp_tmp.sig \
- > ${DEPLOY_DIR_IMAGE}/gxp-uboot.sig
- elif [ ${keyblockver} -eq 2 ]
- then
- openssl sha384 -sign ${DEPLOY_DIR_IMAGE}/${HPE_UBOOT_SIGNING_KEY} -out ${DEPLOY_DIR_IMAGE}/gxp_tmp.sig \
- ${DEPLOY_DIR_IMAGE}/u-boot-tmp.${UBOOT_SUFFIX}
+ openssl sha384 -sign ${DEPLOY_DIR_IMAGE}/${HPE_UBOOT_SIGNING_KEY} -out ${DEPLOY_DIR_IMAGE}/gxp_tmp.sig \
+ ${DEPLOY_DIR_IMAGE}/u-boot-tmp.${UBOOT_SUFFIX}
+
+ # Cat U-Boot header+signature
+ cat ${DEPLOY_DIR_IMAGE}/${HPE_UBOOT_SIGNING_HEADER_512} ${DEPLOY_DIR_IMAGE}/gxp_tmp.sig \
+ > ${DEPLOY_DIR_IMAGE}/gxp-uboot.sig
- # Cat U-Boot header+signature
- cat ${DEPLOY_DIR_IMAGE}/${HPE_UBOOT_SIGNING_HEADER_512} ${DEPLOY_DIR_IMAGE}/gxp_tmp.sig \
- > ${DEPLOY_DIR_IMAGE}/gxp-uboot.sig
- fi
# Create hpe-section
dd if=/dev/zero bs=1k count=576 > ${DEPLOY_DIR_IMAGE}/hpe-section
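Review bot: The signing step is now fixed to `openssl sha384` with `${HPE_UBOOT_SIGNING_HEADER_512}`, but nothing next to it records that the SHA-256 signature format is no longer produced. A board whose boot chain still expects the earlier `sha256` signature with `${HPE_UBOOT_SIGNING_HEADER}` would presumably fail verification of this image, so the assumption deserves a comment above the `openssl` line, for example `# Signature is always SHA-384 with the 512 header; the SHA-256 format used with key block version 1 is no longer generated.` `HPE_UBOOT_SIGNING_HEADER ?= "hpe-uboot-header.section"` in the first hunk also looks unused after this change; confirm nothing else references it and drop it if so. do_generate_hpe_image starts and ends outside the hunk, so other uses may exist that are not visible here.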
@@ -151,21 +140,6 @@ do_generate_hpe_image() {
# hpe-section2 is the same as hpe-section up to this point
cp ${DEPLOY_DIR_IMAGE}/hpe-section ${DEPLOY_DIR_IMAGE}/hpe-section2
- # Expand the customer-key-block to 64 KB
- dd if=/dev/zero bs=1k count=64 > ${DEPLOY_DIR_IMAGE}/${CUSTOMER_KEY_BLOCK}.tmp
- dd bs=1k conv=notrunc seek=0 count=64 \
- if=${DEPLOY_DIR_IMAGE}/${CUSTOMER_KEY_BLOCK} \
- of=${DEPLOY_DIR_IMAGE}/${CUSTOMER_KEY_BLOCK}.tmp
-
- # Add the customer-key-block to hpe-section
- dd bs=1k conv=notrunc seek=320 count=64 \
- if=${DEPLOY_DIR_IMAGE}/${CUSTOMER_KEY_BLOCK}.tmp \
- of=${DEPLOY_DIR_IMAGE}/hpe-section
-
- # Add a second copy of the customer-key-block to hpe-section
- dd bs=1k conv=notrunc seek=384 count=64 \
- if=${DEPLOY_DIR_IMAGE}/${CUSTOMER_KEY_BLOCK}.tmp \
- of=${DEPLOY_DIR_IMAGE}/hpe-section
# Expand uboot to 384K
dd if=/dev/zero bs=1k count=384 > ${DEPLOY_DIR_IMAGE}/u-boot-tmp.${UBOOT_SUFFIX}
@@ -176,8 +150,7 @@ do_generate_hpe_image() {
# Remove unnecessary files
rm ${DEPLOY_DIR_IMAGE}/u-boot.${UBOOT_SUFFIX} \
${DEPLOY_DIR_IMAGE}/gxp_tmp.sig \
- ${DEPLOY_DIR_IMAGE}/gxp-uboot.sig \
- ${DEPLOY_DIR_IMAGE}/${CUSTOMER_KEY_BLOCK}.tmp
+ ${DEPLOY_DIR_IMAGE}/gxp-uboot.sig
mv ${DEPLOY_DIR_IMAGE}/u-boot-tmp.${UBOOT_SUFFIX} ${DEPLOY_DIR_IMAGE}/u-boot.${UBOOT_SUFFIX}
diff --git a/meta-hpe/meta-gxp/classes/gxp2-bootblock-n.bbclass b/meta-hpe/meta-gxp/classes/gxp2-bootblock-n.bbclass
index 3ee93ffe58..33e23a6b30 100644
--- a/meta-hpe/meta-gxp/classes/gxp2-bootblock-n.bbclass
+++ b/meta-hpe/meta-gxp/classes/gxp2-bootblock-n.bbclass
@@ -1,4 +1,4 @@
-# TODO: Manually copy the U-Boot signing key and customer-key-block here:
+# TODO: Manually copy the U-Boot signing key here:
HPE_GXP_KEY_FILES_DIR = "${COREBASE}/meta-hpe/meta-gxp/recipes-bsp/image/files"
inherit deploy
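Review bot: The updated TODO tells the builder to place the private U-Boot signing key under `${COREBASE}/meta-hpe/meta-gxp/recipes-bsp/image/files`, which is inside the layer tree, without saying that the file must stay out of version control. I would extend the comment, for example `# TODO: Manually copy the U-Boot signing key here (private key: never commit it):`. Related to this, the do_deploy hunk of this file still installs the key with `install -m 644`, so the deployed `hpe-uboot-signing-key.pem` is world-readable on the build host. `install -m 600` looks sufficient if only the build user reads the key during signing, which should be confirmed.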
@@ -16,6 +16,4 @@ do_deploy () {
# Copy in the U-Boot signing key
install -m 644 ${HPE_GXP_KEY_FILES_DIR}/customer_private_key.pem ${DEPLOYDIR}/hpe-uboot-signing-key.pem
- # Copy in the customer keyblock
- install -m 644 ${HPE_GXP_KEY_FILES_DIR}/customer-key-block ${DEPLOYDIR}/customer-key-block
}