meta-hpe: add new meta layer for rl300-g11

Signed-off-by: Charles Kearney <charles.kearney@hpe.com>
Change-Id: I650f926349ef2a57c352aac36a801b07fb4001ca

1 files changed, 117 insertions, 27 deletions

diff --git a/meta-hpe/meta-common/recipes-phosphor/image/obmc-phosphor-image.bbappend b/meta-hpe/meta-common/recipes-phosphor/image/obmc-phosphor-image.bbappend
index 5cc1192f97..0eb006948b 100644
--- a/meta-hpe/meta-common/recipes-phosphor/image/obmc-phosphor-image.bbappend
+++ b/meta-hpe/meta-common/recipes-phosphor/image/obmc-phosphor-image.bbappend
@@ -10,7 +10,7 @@ def do_get_version(d):
     import io
     path = d.getVar('STAGING_DIR_TARGET', True) + d.getVar('sysconfdir', True)
     path = os.path.join(path, 'os-release')
-    parser = configparser.ConfigParser(strict=False)
+    parser = configparser.SafeConfigParser(strict=False)
     parser.optionxform = str
     version = ''
     try:
@@ -27,32 +27,57 @@ def do_get_version(d):
         pass
     return version
 
+CUSTOMER_KEY_BLOCK ?= "customer-key-block"
 HPE_GXP_BOOTBLOCK_IMAGE ?= "gxp-bootblock.bin"
 HPE_UBOOT_SIGNING_HEADER ?= "hpe-uboot-header.section"
+HPE_UBOOT_SIGNING_HEADER_512 ?= "hpe-uboot-header-512.section"
 HPE_UBOOT_SIGNING_KEY ?= "hpe-uboot-signing-key.pem"
 
+# Offsets that are the same for the standard image and secure boot image
 FLASH_SIZE = "31552"
 FLASH_UBOOT_OFFSET = "0"
+UBOOT_IMG_SIZE = "393216"
 FLASH_KERNEL_OFFSET = "512"
 FLASH_ROFS_OFFSET = "5376"
 FLASH_RWFS_OFFSET = "29184"
-FLASH_SECTION_OFFSET = "31552"
+
+# Standard image offsets
+FLASH_STANDARD_SECTION_OFFSET = "31552"
+FLASH_STANDARD_SECTION_END = "32768"
+
+# Secure boot offsets
+# offset at 0x01f7_0000 / 1024 = 32192
+FLASH_SECTION_OFFSET = "32192"
+# end is offset + 576
 FLASH_SECTION_END = "32768"
 
-UBOOT_IMG_SIZE = "393216"
+# offset at 0x01ee_0000 / 1024 = 31616
+FLASH_SECTION2_OFFSET = "31616"
+FLASH_SECTION2_END = "32192"
+
+# offset at 0x01c0_0000 / 1024 = 28672
+FLASH_UBOOT2_OFFSET = "28672"
 
 do_generate_static[depends] += " \
-   		  gxp-bootblock:do_deploy \
+        gxp-bootblock:do_deploy \
         gxp-bootblock:do_populate_sysroot \
         "
-
-
 make_image_links:append() {
     ln -sf ${DEPLOY_DIR_IMAGE}/hpe-section image-section
+
+    if  [ -f ${DEPLOY_DIR_IMAGE}/hpe-section2 ]
+    then
+        ln -sf ${DEPLOY_DIR_IMAGE}/hpe-section2 image-section2
+    fi
 }
 
 do_mk_static_symlinks:append() {
     ln -sf hpe-section image-section
+
+    if [ -f ${DEPLOY_DIR_IMAGE}/hpe-section2 ]
+    then
+        ln -sf hpe-section2 image-section2
+    fi
 }
 
 do_generate_static:prepend() {
@@ -60,12 +85,27 @@ do_generate_static:prepend() {
 }
 
 do_generate_static:append() {
-    _append_image(os.path.join(d.getVar('DEPLOY_DIR_IMAGE', True),
-                               'hpe-section'),
-                  int(d.getVar('FLASH_SECTION_OFFSET', True)),
-                  int(d.getVar('FLASH_SECTION_END', True))) 
+    # hpe-section2 and u-boot2 only exist in the secure boot image.
+    # If hpe-section2 exists, then this is secure boot.
+    if os.path.exists(os.path.join(d.getVar('DEPLOY_DIR_IMAGE', True), 'hpe-section2')):
+        _append_image(os.path.join(d.getVar('DEPLOY_DIR_IMAGE', True), 'hpe-section'),
+                      int(d.getVar('FLASH_SECTION_OFFSET', True)),
+                      int(d.getVar('FLASH_SECTION_END', True))) 
+
+        _append_image(os.path.join(d.getVar('DEPLOY_DIR_IMAGE', True), 'hpe-section2'),
+                      int(d.getVar('FLASH_SECTION2_OFFSET', True)),
+                      int(d.getVar('FLASH_SECTION2_END', True)))
+
+        _append_image(os.path.join(d.getVar('DEPLOY_DIR_IMAGE', True), 'u-boot.%s' % d.getVar('UBOOT_SUFFIX',True)),
+                      int(d.getVar('FLASH_UBOOT2_OFFSET', True)),
+                      int(d.getVar('FLASH_RWFS_OFFSET', True)))
+    else:
+        _append_image(os.path.join(d.getVar('DEPLOY_DIR_IMAGE', True), 'hpe-section'),
+                      int(d.getVar('FLASH_STANDARD_SECTION_OFFSET', True)),
+                      int(d.getVar('FLASH_STANDARD_SECTION_END', True))) 
 }
 
+# Generate the secure boot image by default
 do_generate_hpe_image() {
     # Extract uboot 256K
     dd if=/dev/zero bs=1k count=256 > ${DEPLOY_DIR_IMAGE}/u-boot-tmp.${UBOOT_SUFFIX}
@@ -73,38 +113,75 @@ do_generate_hpe_image() {
             if=${DEPLOY_DIR_IMAGE}/u-boot.${UBOOT_SUFFIX} \
             of=${DEPLOY_DIR_IMAGE}/u-boot-tmp.${UBOOT_SUFFIX}
 
-    # Sign uboot 256K
-    openssl sha256 -sign ${DEPLOY_DIR_IMAGE}/${HPE_UBOOT_SIGNING_KEY} -out ${DEPLOY_DIR_IMAGE}/gxp_tmp.sig \
+    keyblockver="$(expr `grep -c -i 'CustomerKeyBlockVersion\$2.0' "${DEPLOY_DIR_IMAGE}/${CUSTOMER_KEY_BLOCK}"` + 1)"
+
+    # TODO - replace this openssl signing command line with whatever command you need to create a
+    # digital signature of ${DEPLOY_DIR_IMAGE}/u-boot-tmp.${UBOOT_SUFFIX}
+    if [ ${keyblockver} -eq 1 ]
+    then
+        openssl sha256 -sign ${DEPLOY_DIR_IMAGE}/${HPE_UBOOT_SIGNING_KEY} -out ${DEPLOY_DIR_IMAGE}/gxp_tmp.sig \
             ${DEPLOY_DIR_IMAGE}/u-boot-tmp.${UBOOT_SUFFIX}
 
-    # Expand (header+signature) to 4K
-    cat ${DEPLOY_DIR_IMAGE}/${HPE_UBOOT_SIGNING_HEADER} ${DEPLOY_DIR_IMAGE}/gxp_tmp.sig \
-         > ${DEPLOY_DIR_IMAGE}/gxp.sig
+        # Cat U-Boot header+signature
+        cat ${DEPLOY_DIR_IMAGE}/${HPE_UBOOT_SIGNING_HEADER} ${DEPLOY_DIR_IMAGE}/gxp_tmp.sig \
+            > ${DEPLOY_DIR_IMAGE}/gxp-uboot.sig
+    elif [ ${keyblockver} -eq 2 ]
+    then
+        openssl sha384 -sign ${DEPLOY_DIR_IMAGE}/${HPE_UBOOT_SIGNING_KEY} -out ${DEPLOY_DIR_IMAGE}/gxp_tmp.sig \
+            ${DEPLOY_DIR_IMAGE}/u-boot-tmp.${UBOOT_SUFFIX}
 
-    # Add Header and Signature to hpe-section (from 60K)
-    dd bs=1k conv=notrunc seek=60 \
-          if=${DEPLOY_DIR_IMAGE}/gxp.sig \
-          of=${DEPLOY_DIR_IMAGE}/hpe-section
+        # Cat U-Boot header+signature
+        cat ${DEPLOY_DIR_IMAGE}/${HPE_UBOOT_SIGNING_HEADER_512} ${DEPLOY_DIR_IMAGE}/gxp_tmp.sig \
+            > ${DEPLOY_DIR_IMAGE}/gxp-uboot.sig
+    fi
 
-    # Add ubb to hpe-section
+    # Create hpe-section
+    dd if=/dev/zero bs=1k count=576 > ${DEPLOY_DIR_IMAGE}/hpe-section
+
+    # Add U-Boot Header and Signature to hpe-section
+    dd bs=1k conv=notrunc seek=0 \
+        if=${DEPLOY_DIR_IMAGE}/gxp-uboot.sig \
+        of=${DEPLOY_DIR_IMAGE}/hpe-section
+
+    # Add gxp-bootblock to hpe-section
     dd bs=1k conv=notrunc seek=64 \
-          if=${DEPLOY_DIR_IMAGE}/${HPE_GXP_BOOTBLOCK_IMAGE} \
-          of=${DEPLOY_DIR_IMAGE}/hpe-section
+        if=${DEPLOY_DIR_IMAGE}/${HPE_GXP_BOOTBLOCK_IMAGE} \
+        of=${DEPLOY_DIR_IMAGE}/hpe-section
+
+    # hpe-section2 is the same as hpe-section up to this point
+    cp ${DEPLOY_DIR_IMAGE}/hpe-section ${DEPLOY_DIR_IMAGE}/hpe-section2
+
+    # Expand the customer-key-block to 64 KB
+    dd if=/dev/zero bs=1k count=64 > ${DEPLOY_DIR_IMAGE}/${CUSTOMER_KEY_BLOCK}.tmp
+    dd bs=1k conv=notrunc seek=0 count=64 \
+        if=${DEPLOY_DIR_IMAGE}/${CUSTOMER_KEY_BLOCK} \
+        of=${DEPLOY_DIR_IMAGE}/${CUSTOMER_KEY_BLOCK}.tmp
+
+    # Add the customer-key-block to hpe-section
+    dd bs=1k conv=notrunc seek=320 count=64 \
+        if=${DEPLOY_DIR_IMAGE}/${CUSTOMER_KEY_BLOCK}.tmp \
+        of=${DEPLOY_DIR_IMAGE}/hpe-section
+
+    # Add a second copy of the customer-key-block to hpe-section
+    dd bs=1k conv=notrunc seek=384 count=64 \
+        if=${DEPLOY_DIR_IMAGE}/${CUSTOMER_KEY_BLOCK}.tmp \
+        of=${DEPLOY_DIR_IMAGE}/hpe-section
 
     # Expand uboot to 384K
     dd if=/dev/zero bs=1k count=384 > ${DEPLOY_DIR_IMAGE}/u-boot-tmp.${UBOOT_SUFFIX}
-    dd bs=1k conv=notrunc seek=0 count=384\
+    dd bs=1k conv=notrunc seek=0 count=384 \
             if=${DEPLOY_DIR_IMAGE}/u-boot.${UBOOT_SUFFIX} \
             of=${DEPLOY_DIR_IMAGE}/u-boot-tmp.${UBOOT_SUFFIX}
 
     # Remove unnecessary files
     rm ${DEPLOY_DIR_IMAGE}/u-boot.${UBOOT_SUFFIX} \
        ${DEPLOY_DIR_IMAGE}/gxp_tmp.sig \
-       ${DEPLOY_DIR_IMAGE}/gxp.sig
+       ${DEPLOY_DIR_IMAGE}/gxp-uboot.sig \
+       ${DEPLOY_DIR_IMAGE}/${CUSTOMER_KEY_BLOCK}.tmp
 
     mv ${DEPLOY_DIR_IMAGE}/u-boot-tmp.${UBOOT_SUFFIX} ${DEPLOY_DIR_IMAGE}/u-boot.${UBOOT_SUFFIX}
 
-    # Check uboot image size equals to 384K
+   # Check uboot image size equals to 384K
     size="$(wc -c < "${DEPLOY_DIR_IMAGE}/u-boot.${UBOOT_SUFFIX}")"
     if [ ${size} -ne ${UBOOT_IMG_SIZE} ]
     then
@@ -120,10 +197,16 @@ make_tar_of_images() {
 
   # Create the tar archive
   tar -h -cvf ${IMGDEPLOYDIR}/${IMAGE_NAME}.$type.mtd.tar \
-    image-u-boot image-kernel image-rofs image-rwfs image-section $extra_files
+    image-u-boot image-kernel image-rofs image-rwfs image-section* $extra_files
+
+  # Create the min tar archive
+  tar -h -cvf ${IMGDEPLOYDIR}/${IMAGE_NAME}.$type.mtd.min.tar \
+    image-kernel image-rofs image-rwfs MANIFEST \
+    image-kernel.sig image-rofs.sig image-rwfs.sig MANIFEST.sig publickey
 
   cd ${IMGDEPLOYDIR}
   ln -sf ${IMAGE_NAME}.$type.mtd.tar ${IMGDEPLOYDIR}/${IMAGE_LINK_NAME}.$type.mtd.tar
+  ln -sf ${IMAGE_NAME}.$type.mtd.min.tar ${IMGDEPLOYDIR}/${IMAGE_LINK_NAME}.$type.mtd.min.tar
 }
 
 do_generate_static_tar[depends] += " obmc-phosphor-image:do_generate_static"
@@ -142,10 +225,17 @@ do_generate_static_tar() {
     exit 1
   fi
 
-  make_signatures image-u-boot image-kernel image-rofs image-rwfs image-section MANIFEST publickey
+  if [ -f image-section2 ]
+  then
+    make_signatures image-u-boot image-kernel image-rofs image-rwfs image-section image-section2 MANIFEST publickey
+  else
+    make_signatures image-u-boot image-kernel image-rofs image-rwfs image-section MANIFEST publickey
+  fi
+
   make_tar_of_images static MANIFEST publickey ${signature_files}
 
   # Maintain non-standard legacy link.
   cd ${IMGDEPLOYDIR}
   ln -sf ${IMAGE_NAME}.static.mtd.tar ${IMGDEPLOYDIR}/${MACHINE}-${DATETIME}.tar
+  ln -sf ${IMAGE_NAME}.static.mtd.min.tar ${IMGDEPLOYDIR}/${MACHINE}-${DATETIME}.min.tar
 }