From 8c8fb8b83a78870c2555acc33ec4ed91183bcacd Mon Sep 17 00:00:00 2001 From: Andrew Jeffery Date: Thu, 27 Jan 2022 10:19:17 +1030 Subject: meta-ibm: p10bmc: Add otptool configuration Some addition development details must be managed in this bbappend due to co-development of the AST2600 and IBM p10bmc designs. IBM did bringup of secure-boot on pre-production AST2600 silicon and this shaped how the platform's OTP was configured. The PEM files represent the public portion of the IBM signing key-pairs for p10bmc systems. These are included to provide a canonical location for the production OTP image artifact. Change-Id: I7caa6cfd5848b1d671ef95f8031b76088673900a Signed-off-by: Andrew Jeffery --- .../u-boot/u-boot-aspeed-sdk/p10bmc/a3.json | 126 +++++++++++++++++++++ .../p10bmc/keys/P10BMCAspeedSBPubKey_1.pem | 14 +++ .../p10bmc/keys/P10BMCAspeedSBPubKey_2.pem | 14 +++ .../p10bmc/keys/P10BMCAspeedSBPubKey_3.pem | 14 +++ .../u-boot/u-boot-aspeed-sdk_2019.04.bbappend | 20 ++++ 5 files changed, 188 insertions(+) create mode 100644 meta-ibm/recipes-bsp/u-boot/u-boot-aspeed-sdk/p10bmc/a3.json create mode 100644 meta-ibm/recipes-bsp/u-boot/u-boot-aspeed-sdk/p10bmc/keys/P10BMCAspeedSBPubKey_1.pem create mode 100644 meta-ibm/recipes-bsp/u-boot/u-boot-aspeed-sdk/p10bmc/keys/P10BMCAspeedSBPubKey_2.pem create mode 100644 meta-ibm/recipes-bsp/u-boot/u-boot-aspeed-sdk/p10bmc/keys/P10BMCAspeedSBPubKey_3.pem create mode 100644 meta-ibm/recipes-bsp/u-boot/u-boot-aspeed-sdk_2019.04.bbappend (limited to 'meta-ibm/recipes-bsp')
diff --git a/meta-ibm/recipes-bsp/u-boot/u-boot-aspeed-sdk/p10bmc/a3.json b/meta-ibm/recipes-bsp/u-boot/u-boot-aspeed-sdk/p10bmc/a3.json
new file mode 100644
index 0000000000..fdcfd5d81e
--- /dev/null
+++ b/meta-ibm/recipes-bsp/u-boot/u-boot-aspeed-sdk/p10bmc/a3.json
@@ -0,0 +1,126 @@
+{
+ "name": "rainier",
+ "version": "A3",
+ "data_region": {
+ "ecc_region": true,
+ "key": [
+ {
+ "types": "rsa_pub_oem",
+ "key_pem": "rsa_pub_oem_dss_key.pem",
+ "offset": "0x40",
+ "number_id": 0,
+ "sha_mode": "SHA512"
+ },
+ {
+ "types": "rsa_pub_oem",
+ "key_pem": "P10BMCAspeedSBPubKey_1.pem",
+ "offset": "0x240",
+ "number_id": 1,
+ "sha_mode": "SHA512"
+ },
+ {
+ "types": "rsa_pub_oem",
+ "key_pem": "P10BMCAspeedSBPubKey_2.pem",
+ "offset": "0x440",
+ "number_id": 2,
+ "sha_mode": "SHA512"
+ },
+ {
+ "types": "rsa_pub_oem",
+ "key_pem": "P10BMCAspeedSBPubKey_3.pem",
+ "offset": "0x640",
+ "number_id": 3,
+ "sha_mode": "SHA512"
+ }
+ ]
+ },
+ "config_region": {
+ "Disable OTP Memory BIST Mode": true,
+ "Enable Secure Boot": false,
+ "User region ECC enable": true,
+ "Secure Region ECC enable": false,
+ "Disable low security key": false,
+ "Ignore Secure Boot hardware strap": false,
+ "Secure Boot Mode": "Mode_2",
+ "Disable Uart Message of ROM code": false,
+ "Secure crypto RSA length": "RSA4096",
+ "Hash mode": "SHA512",
+ "Disable patch code": true,
+ "Disable Boot from Uart": false,
+ "Secure Region size": "0x0",
+ "Write Protect: Secure Region": true,
+ "Write Protect: User region": true,
+ "Write Protect: Configure region": true,
+ "Write Protect: OTP strap region": true,
+ "Copy Boot Image to Internal SRAM": true,
+ "Enable image encryption": false,
+ "Enable write Protect of OTP key retire bits": false,
+ "Disable Auto Boot from UART or VUART": false,
+ "OTP memory lock enable": false,
+ "Key Revision": "0x0",
+ "Secure boot header offset": "0x0",
+ "Boot From UART Port Selection": "UART5",
+ "Disable Auto Boot from UART": false,
+ "Disable Auto Boot from VUART2 over PCIE": true,
+ "Disable Auto Boot from VUART2 over LPC": true,
+ "Disable ROM code based programming control": true,
+ "Rollback prevention shift bit number": "0x0",
+ "Extra Data Write Protection Region Size": "0x0",
+ "Erase signature data after secure boot check": false,
+ "Erase RSA public key after secure boot check": false,
+ "Keys Retire ID": 0,
+ "User define data: random number low": "0x0",
+ "User define data: random number high": "0x0",
+ "Manifest ID": "0x0",
+ "Patch code location": "0x0",
+ "Patch code size": "0x0"
+ },
+ "otp_strap": {
+ "Enable secure boot": { "value": false },
+ "Enable boot from eMMC": { "value": true },
+ "Boot from debug SPI": { "value": false },
+ "Disable ARM CM3": { "value": true },
+ "Enable dedicated VGA BIOS ROM": { "value": false },
+ "MAC 1 RMII mode": { "value": "RMII/NCSI" },
+ "MAC 2 RMII mode": { "value": "RMII/NCSI" },
+ "CPU frequency": { "value": "1.2GHz" },
+ "HCLK ratio": { "value": "default" },
+ "VGA memory size": { "value": "16MB" },
+ "CPU/AXI clock ratio": { "value": "2:1" },
+ "Disable ARM JTAG debug": { "value": true },
+ "VGA class code": { "value": "vga_device" },
+ "Disable debug 0": { "value": false },
+ "Boot from eMMC speed mode": { "value": "normal" },
+ "Enable PCIe EHCI": { "value": false },
+ "Disable ARM JTAG trust world debug": { "value": true },
+ "Disable dedicated BMC function": { "value": false },
+ "Enable dedicate PCIe RC reset": { "value": false },
+ "Disable watchdog to reset full chip": { "value": false },
+ "Internal bridge speed selection": { "value": "1x" },
+ "Disable RVAS function": { "value": false },
+ "MAC 3 RMII mode": { "value": "RMII/NCSI" },
+ "MAC 4 RMII mode": { "value": "RMII/NCSI" },
+ "SuperIO configuration address selection": { "value": "0x2e" },
+ "Disable LPC to decode SuperIO": { "value": true },
+ "Disable debug 1": { "value": false },
+ "Enable ACPI": { "value": false },
+ "Select LPC/eSPI": { "value": "LPC" },
+ "Enable SAFS": { "value": false },
+ "Enable boot from uart5": { "value": false },
+ "Enable boot SPI 3B address mode auto-clear": { "value": false },
+ "Enable SPI 3B/4B address mode auto detection": { "value": false },
+ "Enable boot SPI or eMMC ABR": { "value": true },
+ "Boot SPI ABR Mode": { "value": "dual" },
+ "Boot SPI flash size": { "value": "0" },
+ "Enable host SPI ABR": { "value": false },
+ "Enable host SPI ABR mode select pin": { "value": false },
+ "Host SPI ABR Mode": { "value": "dual" },
+ "Host SPI flash size": { "value": "0" },
+ "Enable boot SPI auxiliary control pins": { "value": false },
+ "Boot SPI CRTM size": { "value": "0" },
+ "Host SPI CRTM size": { "value": "0" },
+ "Enable host SPI auxiliary control pins": { "value": false },
+ "Enable GPIO Pass Through": { "value": false },
+ "Enable Dedicate GPIO Strap Pins": { "value": false }
+ }
+}
diff --git a/meta-ibm/recipes-bsp/u-boot/u-boot-aspeed-sdk/p10bmc/keys/P10BMCAspeedSBPubKey_1.pem b/meta-ibm/recipes-bsp/u-boot/u-boot-aspeed-sdk/p10bmc/keys/P10BMCAspeedSBPubKey_1.pem
new file mode 100644
index 0000000000..eeba16b640
--- /dev/null
+++ b/meta-ibm/recipes-bsp/u-boot/u-boot-aspeed-sdk/p10bmc/keys/P10BMCAspeedSBPubKey_1.pem
@@ -0,0 +1,14 @@
+-----BEGIN PUBLIC KEY-----
+MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAtgJW7ar+qtAM3YSYRZBu
+5CNlrZeK//2p45Uwme9bjaFT1T95yvHiK2hwostp0g0Gwa40H2NlRw9V7fEcH+2z
+zpRvyPorgP6rN6gcdvpdkhlrM7ntYoZpqKqstAmsT9xlOL9aYlWZ1mqb31j9WlIz
+wphuWNYKvrS2OvPNFSSWhIXJhekMQCl/b22poydHVslScQDCmUNl4TQXBLpaeVd5
+LqN80JaQEBDZABwBwAfVLbpfgPI5BG0JEiNd77r3AnAp1N7A2oKUBjQK+4ClkqR0
+3zPZ572nEBaXfVRZQsGV0mxwP021I/lncYrlWZrwBxK0fP+VDuIKYcAEmOJ6kEdg
+FfuAgEFJQvlgH45dfHJ6KcN1K4wEU1RHZxho0XnIwrI5GtctTdLl33AfajG0dYKf
+mHUmeli4AS//bjRfR7O2K4mdCMsj06mzXNoTv2wgb/QSkjMUqGLniiaRueuDSiZ0
+/mJfZLCFpZtiVF+wE1meympZqFk+T6j8C5kwCuxB4OqKC7Ec0N6G/NNwQ8m96cFS
+A4SUNAIQGjoSpziqF7N9UNl4rI+kEV/FstXLs7I0eYNpXEts2PDuY+PN+p7wKVrB
+Fet8LI13EAVrJJaKKvF41YXvNlwBxBZ2WBZhhiA/6F0dYcI16mRmnRs+hL7A6adO
+M1JIVupxDJzhQ4+S06VQbSsCAwEAAQ==
+-----END PUBLIC KEY-----
diff --git a/meta-ibm/recipes-bsp/u-boot/u-boot-aspeed-sdk/p10bmc/keys/P10BMCAspeedSBPubKey_2.pem b/meta-ibm/recipes-bsp/u-boot/u-boot-aspeed-sdk/p10bmc/keys/P10BMCAspeedSBPubKey_2.pem
new file mode 100644
index 0000000000..6247058a52
--- /dev/null
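Review bot: Key slot 0 in `data_region.key` points at `rsa_pub_oem_dss_key.pem`, which this commit does not add; judging by the bbappend later in the patch it is derived at build time from `${SOCSEC_SIGN_KEY}`, so the OTP image trusts whatever key the build happens to sign with, alongside the three committed production keys. If that variable can resolve to a development key, an image built that way would carry it as a trust anchor, so the commit should state which key is expected in slot 0 for a production artifact. Separately, `"Enable Secure Boot": false` together with `"Write Protect: Configure region": true` reads as if secure boot is left to the hardware strap (`"Ignore Secure Boot hardware strap": false`), but that is an inference. JSON cannot carry comments, so a sentence in the commit description or the bbappend explaining that choice, and why `"Disable low security key"` and `"Disable Boot from Uart"` stay false, would let a reviewer confirm these are intentional.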
+++ b/meta-ibm/recipes-bsp/u-boot/u-boot-aspeed-sdk/p10bmc/keys/P10BMCAspeedSBPubKey_2.pem
@@ -0,0 +1,14 @@
+-----BEGIN PUBLIC KEY-----
+MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAn+83VQasyV9G1KSRyABB
+6B0hR5mjnlVcGju4i6xrPF9o7RpT2XzRv6gz9qB/+unLj/XFvXJXQNYRoyXF7wPr
+97mAVF7IANeLyFmkl/wpCrz1mHPgDZw971FPd3/W1Ufp/6KZ1EEJFHHfE9V2/6n/
+6MAIHGkvJwz8H0pDF5pBHkf7dSYJqyrc0aCvBID+o+UkiKK8sxSm4LVmySREIEZP
+YtJxwTYfKXdLIUvXXUOkiZnxKhAtgDYy8QfIOKcVVdSdvRzw7byNwVBln0ndGIwq
+SS6VXxV+ZDjffUbytGz6c5U191DCod81YYK3I2CYrrz7+dojeEWrh4HZ7/4hcy6V
+n4+BO11DwdCYgezkIzNSDyoGUNOc9AC1rXYByqtE5mPtnB+E6Asp5U9g63UE3USz
+6ZxuDMrKRYM8YdkYDjud8xK+qUKYabRceUJ0klh1dlETogjiufqKbemhx4ZMactT
+ggePDjCKChTguqwZXD/MurzTQETesor51g+tbeQkCkMDgFbrmQlPhaKULJJqUlrR
+qpPN7edYYuJa79KAWsSDa6KBxZvraRcCkoCG57cgZNGmk33gYwjghscB3cfd2cNK
+NzSrR5pkOWC2i3lTsXbwTpWmdA/qk3LcmrKS8hRYiZnj+4jS40O/UJedsSrAFl4x
+HG+HZfIDkS3Pf25OiDuGE2sCAwEAAQ==
+-----END PUBLIC KEY-----
diff --git a/meta-ibm/recipes-bsp/u-boot/u-boot-aspeed-sdk/p10bmc/keys/P10BMCAspeedSBPubKey_3.pem b/meta-ibm/recipes-bsp/u-boot/u-boot-aspeed-sdk/p10bmc/keys/P10BMCAspeedSBPubKey_3.pem
new file mode 100644
index 0000000000..062be04af4
--- /dev/null
+++ b/meta-ibm/recipes-bsp/u-boot/u-boot-aspeed-sdk/p10bmc/keys/P10BMCAspeedSBPubKey_3.pem
@@ -0,0 +1,14 @@
+-----BEGIN PUBLIC KEY-----
+MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEApphrqg9MfkIiDEyMsk0O
+TZptjlpoL9PmZOTPY1kSumUSPhxnTT9b5fVb/yvmPDqiyau56zlDhzRnccnrrnx5
+UN5ciRnjoALxa8ScMWoOHCQV19IjmFd3ir87koL5JwkmblxGFR34ZebcLOwyTn2U
+9pq8jWHFkFpVhrfHkTaV9WO/rrGy0OpuuvQawrdnVUkE3lz+Sye8st+fCw+9clB+
+eGNwz+aYm4mWxhqfCuk5MGpovqinD89U6DWxFLPZ9tEH5L1ukT5Xwa5P1qrhWw3B
+8se2UQarFQzgTrMBME9jcsHtNkiXL5EzSFImxE2/9kF7tgiuJoGBsEMiTABdjHe6
+0vVD8aHgPxK5JeNQgzOWL4lVMbcVPnwae3C4weniizqRDmSKUWmkza44JGrVwKId
+B2KR1WWHf81IICqQwCzg9M/Ta2JUWpqz6moer18RhzdRAPV5OEvdoS2QtbbDTVqk
+EazfTrbO5qPTmwLAqli6rKwBlTGb68hAeWAnC7yQawmv2tgrP7M2KO/0VMXmB9O/
+oUwRgra3gSfVEm41lo4aZfKRCXJ5H9ZK/tj4m0vE/Epf7vb9CGBYILgXkW77bImp
+8Q5zyrks9qELi4gx2LPkHyy6WXBwOexFMlnjEnfI0Xmdr1GEwcpAeZ+BsZlN7qeN
+QnQ71WcCvRXZ307N2chwLi0CAwEAAQ==
+-----END PUBLIC KEY-----
diff --git a/meta-ibm/recipes-bsp/u-boot/u-boot-aspeed-sdk_2019.04.bbappend b/meta-ibm/recipes-bsp/u-boot/u-boot-aspeed-sdk_2019.04.bbappend
new file mode 100644
index 0000000000..2a99328e38
--- /dev/null
+++ b/meta-ibm/recipes-bsp/u-boot/u-boot-aspeed-sdk_2019.04.bbappend
@@ -0,0 +1,20 @@
+FILESEXTRAPATHS:prepend := "${THISDIR}/${PN}:"
+
+SRC_URI:append:p10bmc = " file://a3.json file://keys/"
+
+OTPTOOL_CONFIG:p10bmc = "${WORKDIR}/a3.json"
+OTPTOOL_KEY_DIR:p10bmc = "${WORKDIR}/keys/"
+
+# !!! Do not copy p10bmc's use of little-endian key ordering !!!
+#
+# The prefered order for production silicon is big-endian. Little-endian is necessary for p10bmc
+# platforms due to development history involving pre-production AST2600 silicon. More discussion
+# here:
+#
+# https://gerrit.openbmc-project.xyz/c/openbmc/openbmc/+/50716
+SOCSEC_SIGN_EXTRA_OPTS = "--rsa_key_order=little"
+
+do_deploy:prepend:p10bmc() {
+ # otptool needs access to the public and private socsec signing keys in the keys/ directory
+ openssl rsa -in ${SOCSEC_SIGN_KEY} -pubout > ${WORKDIR}/keys/rsa_pub_oem_dss_key.pem
+}
-- cgit v1.2.3
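Review bot: `SOCSEC_SIGN_EXTRA_OPTS = "--rsa_key_order=little"` carries no `:p10bmc` override, unlike the `SRC_URI`, `OTPTOOL_*` and `do_deploy` lines around it, so every machine that picks up this bbappend would sign with little-endian key ordering. That contradicts the warning comment directly above it, and the plain `=` also replaces any value set elsewhere. I would scope it like its neighbours: `SOCSEC_SIGN_EXTRA_OPTS:p10bmc = "--rsa_key_order=little"`. In `do_deploy:prepend:p10bmc` the comment mentions public and private keys, but only the public half is written into `keys/`; suggest `# otptool reads the public half of the socsec signing key from keys/`. The expansions should also be quoted: `openssl rsa -in "${SOCSEC_SIGN_KEY}" -pubout > "${WORKDIR}/keys/rsa_pub_oem_dss_key.pem"`.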