meta-ibm: p10bmc: Assert that we want the SPL signed by socsec

Configure the SOCSEC_SIGN_* variables to sign the SPL and exploit the AST2600 hardware root-of-trust. Note that this doesn't require that secure-boot is enabled on the system, the SoC will bootstrap just fine with the signature in place while secure-boot is disabled. Signing the SPL allows us to switch the systems over to secure-boot at our leisure. Change-Id: I07b5c4afb7bacc040cbdce6c82a0fb3a57d0f7f8 Signed-off-by: Andrew Jeffery <andrew@aj.id.au>
author: Andrew Jeffery <andrew@aj.id.au> 2021-08-04 06:22:47 +0300
committer: Andrew Jeffery <andrew@aj.id.au> 2021-08-17 09:28:27 +0300
commit: 6991461283887ae62af4107a19b95edeca7abf9c (patch)
tree: fe0c0e91082be8edff9bd9f5417eb495bd55dbb9 /meta-ibm
parent: f77919abfe6505a3b29db1efab49b077c10afe4d (diff)
download: openbmc-6991461283887ae62af4107a19b95edeca7abf9c.tar.xz
1 files changed, 2 insertions, 0 deletions
diff --git a/meta-ibm/conf/machine/p10bmc.conf b/meta-ibm/conf/machine/p10bmc.conf
index 2b7463e28..19de5eec8 100644
--- a/meta-ibm/conf/machine/p10bmc.conf
+++ b/meta-ibm/conf/machine/p10bmc.conf
@@ -55,5 +55,7 @@ SPL_SIGN_KEYNAME = "rsa_oem_fitimage_key"
 UBOOT_SIGN_KEYDIR = "${WORKDIR}"
 SPL_SIGN_KEYDIR = "${WORKDIR}"
 
+SOCSEC_SIGN_ENABLE = "1"
+
 DEBUG_TRIGGERS = "kcs2"
 PACKAGECONFIG:append:pn-debug-trigger = " triggers"
author	Andrew Jeffery <andrew@aj.id.au>	2021-08-04 06:22:47 +0300
committer	Andrew Jeffery <andrew@aj.id.au>	2021-08-17 09:28:27 +0300
commit	6991461283887ae62af4107a19b95edeca7abf9c (patch)
tree	fe0c0e91082be8edff9bd9f5417eb495bd55dbb9 /meta-ibm
parent	f77919abfe6505a3b29db1efab49b077c10afe4d (diff)
download	openbmc-6991461283887ae62af4107a19b95edeca7abf9c.tar.xz