[Skiboot] [PATCH] stb: Put correct label (for skiboot) into container
Stewart Smith
stewart at linux.vnet.ibm.com
Fri Feb 9 17:32:39 AEDT 2018
Hostboot will expect the label field of the stb header to contain
"PAYLOAD" for skiboot or it will fail to load and run skiboot.
The failure looks something like this:
53.40896|ISTEP 20. 1 - host_load_payload
53.65840|secure|Secureboot Failure plid = 0x90000755, rc = 0x1E07
53.65881|System shutting down with error status 0x1E07
53.67547|================================================
53.67954|Error reported by secure (0x1E00) PLID 0x90000755
53.67560| Container's component ID does not match expected component ID
53.67561| ModuleId 0x09 SECUREBOOT::MOD_SECURE_VERIFY_COMPONENT
53.67845| ReasonCode 0x1e07 SECUREBOOT::RC_ROM_VERIFY
53.67998| UserData1 : 0x0000000000000000
53.67999| UserData2 : 0x0000000000000000
53.67999|------------------------------------------------
53.68000| Callout type : Procedure Callout
53.68000| Procedure : EPUB_PRC_HB_CODE
53.68001| Priority : SRCI_PRIORITY_HIGH
53.68001|------------------------------------------------
53.68002| Callout type : Procedure Callout
53.68003| Procedure : EPUB_PRC_FW_VERIFICATION_ERR
53.68003| Priority : SRCI_PRIORITY_HIGH
53.68004|------------------------------------------------
Reported-by: Pridhiviraj Paidipeddi <ppaidipe at linux.vnet.ibm.com>
Tested-by: Pridhiviraj Paidipeddi <ppaidipe at linux.vnet.ibm.com>
Signed-off-by: Stewart Smith <stewart at linux.vnet.ibm.com>
---
Makefile.main | 4 ++--
libstb/sign-with-local-keys.sh | 10 ++++++++--
2 files changed, 10 insertions(+), 4 deletions(-)
diff --git a/Makefile.main b/Makefile.main
index 516afdd6a75b..46ad3b0c5842 100644
--- a/Makefile.main
+++ b/Makefile.main
@@ -223,10 +223,10 @@ $(TARGET).lid: $(TARGET).elf
$(call Q,OBJCOPY, $(OBJCOPY) -O binary -S $^ $@, $@)
$(TARGET).lid.stb: $(TARGET).lid libstb/create-container
- $(call Q,STB-DEVELOPMENT-SIGNED-CONTAINER,$(SRC)/libstb/sign-with-local-keys.sh $< $@ $(SRC)/libstb/keys/,$@)
+ $(call Q,STB-DEVELOPMENT-SIGNED-CONTAINER,$(SRC)/libstb/sign-with-local-keys.sh $< $@ $(SRC)/libstb/keys/ PAYLOAD,$@)
$(TARGET).lid.xz.stb: $(TARGET).lid.xz libstb/create-container
- $(call Q,STB-DEVELOPMENT-SIGNED-CONTAINER,$(SRC)/libstb/sign-with-local-keys.sh $< $@ $(SRC)/libstb/keys/,$@)
+ $(call Q,STB-DEVELOPMENT-SIGNED-CONTAINER,$(SRC)/libstb/sign-with-local-keys.sh $< $@ $(SRC)/libstb/keys/ PAYLOAD,$@)
$(TARGET).tmp.elf: $(ALL_OBJS_1) $(TARGET).lds $(KERNEL)
$(call Q,LD, $(CC) $(LDFLAGS) -T $(TARGET).lds $(ALL_OBJS_1) -o $@, $@)
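Review bot: The `PAYLOAD` label added to both signing recipes is an unexplained magic string; the only explanation lives in the commit message. Per that message, Hostboot refuses to load skiboot when the label is not what it expects, so a later cleanup that drops or renames the argument would only surface as a secure-boot failure at boot. I would add a comment above the `$(TARGET).lid.stb` rule, e.g. `# Hostboot checks the container label; skiboot must be labelled PAYLOAD or verification fails (RC_ROM_VERIFY)`. Holding the value in one variable used by both recipes would also stop the two copies drifting apart.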
diff --git a/libstb/sign-with-local-keys.sh b/libstb/sign-with-local-keys.sh
index edd2757f5253..efddabffef8d 100755
--- a/libstb/sign-with-local-keys.sh
+++ b/libstb/sign-with-local-keys.sh
@@ -9,13 +9,19 @@ if [ ! -f $PAYLOAD ]; then
fi
KEYLOC=$3
+LABEL=$4
+
T=`mktemp -d`
+LABEL_ARG=""
+if [ ! -z "$LABEL" ]; then
+ LABEL_ARG="-L $LABEL"
+fi
# Build enough of the container to create the Prefix and Software headers.
# (reuse HW key for SW key P)
./libstb/create-container -a $KEYLOC/hw_key_a.key -b $KEYLOC/hw_key_b.key -c $KEYLOC/hw_key_c.key \
-p $KEYLOC/hw_key_a.key \
- --payload $PAYLOAD --imagefile $OUTPUT \
+ --payload $PAYLOAD --imagefile $OUTPUT $LABEL_ARG \
--dumpPrefixHdr $T/prefix_hdr --dumpSwHdr $T/software_hdr
# Sign the Prefix header.
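Review bot: `$LABEL_ARG` is expanded unquoted in both create-container calls (here and in the later hunk that builds the full container) and relies on word splitting to become `-L` plus the label. A label containing whitespace or glob characters would therefore be split or expanded before create-container sees it. Replacing the variable at both call sites with `${LABEL:+-L "$LABEL"}` keeps the label as a single argument and makes `LABEL_ARG` and the `if` block unnecessary. Separately, a caller that passes only three arguments still gets a container with no label and no warning, and by the commit message Hostboot rejects skiboot in that case, so a message on stderr when `$4` is empty would help. The script starts before and continues after this hunk.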
@@ -28,7 +34,7 @@ openssl dgst -SHA512 -sign $KEYLOC/hw_key_a.key $T/software_hdr > $T/sw_key_p.si
# Build the full container with signatures.
./libstb/create-container -a $KEYLOC/hw_key_a.key -b $KEYLOC/hw_key_b.key -c $KEYLOC/hw_key_c.key \
- -p $KEYLOC/hw_key_a.key \
+ -p $KEYLOC/hw_key_a.key $LABEL_ARG \
-A $T/hw_key_a.sig -B $T/hw_key_b.sig -C $T/hw_key_c.sig \
-P $T/sw_key_p.sig \
--payload $PAYLOAD --imagefile $OUTPUT
--
2.14.3