3rdparty/open-power-signing-utils: add SecureBoot utility for OpenPOWER

Signing is performed with test keys by default, set
CONFIG_SIGNING_KEYS_DIR to a non-empty value to use other keys.

Depending on the version of the Talos II firmware this alone might not
allow booting because coreboot replaces only part of the stock firmware
and its newer versions enable secure boot by default (not to be confused
with SecureBoot in EFI).  The signing performed in this commit is still
a prerequisite and might as well be done on its own.  Fixing operation
with newer stock firmware will be done in a follow-up change.

Change-Id: Id88baef5ecb1f8ffd74a7f464bbbaaaea0ca643d
Signed-off-by: Michał Żygowski <michal.zygowski@3mdeb.com>
Signed-off-by: Sergii Dmytruk <sergii.dmytruk@3mdeb.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/67065
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Krystian Hebel <krystian.hebel@3mdeb.com>

.gitmodules

@@ -65,3 +65,6 @@
 [submodule "src/vendorcode/amd/opensil/genoa_poc/opensil"]
 	path = src/vendorcode/amd/opensil/genoa_poc/opensil
 	url = https://review.coreboot.org/opensil_genoa_poc.git
+[submodule "3rdparty/open-power-signing-utils"]
+	path = 3rdparty/open-power-signing-utils
+	url = https://review.coreboot.org/open-power-signing-utils.git

3rdparty/open-power-signing-utils

@@ -0,0 +1 @@
+Subproject commit 591c8f53482243626901e1cc8a4ae321f314040d

Makefile.mk

@@ -679,6 +679,7 @@ AMDCOMPRESS:=$(objutil)/cbfstool/amdcompress
 CSE_FPT:=$(objutil)/cbfstool/cse_fpt
 CSE_SERGER:=$(objutil)/cbfstool/cse_serger
 ECCTOOL:=$(objutil)/ffs/ecc/ecc
+CREATE_CONTAINER:=$(objutil)/open-power-signing-utils/create-container
 
 $(obj)/cbfstool: $(CBFSTOOL)
 	cp $< $@
@@ -726,6 +727,12 @@ $(ECCTOOL):
 	cd $(objutil)/ffs && autoreconf -i && ./configure
 	$(MAKE) -C $(objutil)/ffs
 
+$(CREATE_CONTAINER):
+	@printf "    Compile Open-Power SecureBoot Signing Utils\n"
+	cp -r $(top)/3rdparty/open-power-signing-utils $(objutil)
+	cd $(objutil)/open-power-signing-utils && autoreconf -i -Wno-unsupported && ./configure
+	$(MAKE) -C $(objutil)/open-power-signing-utils
+
 APCB_EDIT_TOOL:=$(top)/util/apcb/apcb_edit.py
 
 APCB_V3_EDIT_TOOL:=$(top)/util/apcb/apcb_v3_edit.py
@@ -836,7 +843,7 @@ install-git-commit-clangfmt:
 include util/crossgcc/Makefile.mk
 
 .PHONY: tools
-tools: $(objutil)/kconfig/conf $(objutil)/kconfig/toada $(CBFSTOOL) $(objutil)/cbfstool/cbfs-compression-tool $(FMAPTOOL) $(RMODTOOL) $(IFWITOOL) $(objutil)/nvramtool/nvramtool $(objutil)/sconfig/sconfig $(IFDTOOL) $(CBOOTIMAGE) $(AMDFWTOOL) $(AMDCOMPRESS) $(FUTILITY) $(BINCFG) $(IFITTOOL) $(objutil)/supermicro/smcbiosinfo $(CSE_FPT) $(CSE_SERGER) $(AMDFWREAD) $(ECCTOOL)
+tools: $(objutil)/kconfig/conf $(objutil)/kconfig/toada $(CBFSTOOL) $(objutil)/cbfstool/cbfs-compression-tool $(FMAPTOOL) $(RMODTOOL) $(IFWITOOL) $(objutil)/nvramtool/nvramtool $(objutil)/sconfig/sconfig $(IFDTOOL) $(CBOOTIMAGE) $(AMDFWTOOL) $(AMDCOMPRESS) $(FUTILITY) $(BINCFG) $(IFITTOOL) $(objutil)/supermicro/smcbiosinfo $(CSE_FPT) $(CSE_SERGER) $(AMDFWREAD) $(ECCTOOL) $(CREATE_CONTAINER)
 
 ###########################################################################
 # Common recipes for all stages

src/soc/ibm/power9/Kconfig

@@ -10,5 +10,14 @@ config SOC_IBM_POWER9
 	  This SoC is the minimal template working on POWER9 Talos II platform.
 
 if SOC_IBM_POWER9
-	# nothing here yet
+
+config SIGNING_KEYS_DIR
+	string "Directory with OpenPower signing keys"
+	default ""
+	help
+	  Specifies path to directory containing hw_key_{a,b,c}.key
+	  and sw_key_p.key files (all in PEM format).  Key name suffixes
+	  correspond to options of create-container from OpenPower
+	  Signing Utils.  By default, test keys are used.
+
 endif

src/soc/ibm/power9/Makefile.mk

@@ -14,9 +14,35 @@ ramstage-y += chip.c
 ramstage-y += rom_media.c
 ramstage-y += timer.c
 
-files_added:: $(obj)/coreboot.rom.ecc
+ifeq ($(CONFIG_SIGNING_KEYS_DIR),"")
+    KEYDIR = $(top)/3rdparty/open-power-signing-utils/test/keys
+else
+    KEYDIR = $(CONFIG_SIGNING_KEYS_DIR)
+endif
 
-$(obj)/coreboot.rom.ecc: $(obj)/coreboot.rom | $(ECCTOOL)
+PHONY += sign_and_add_ecc
-	$(ECCTOOL) --inject $< --output $@ --p8
+sign_and_add_ecc: $(obj)/coreboot.rom | $(ECCTOOL) $(CREATE_CONTAINER)
+ifeq ($(CONFIG_SIGNING_KEYS_DIR),"")
+	@printf "    NOTE: signing firmware with test keys\n"
+endif
+	@printf "    SBSIGN  $(subst $(obj)/,,$<)\n"
+	[ -e "$(KEYDIR)/hw_key_a.key" ] || ( echo "error: $(KEYDIR)/hw_key_a.key" is missing; exit 1 )
+	[ -e "$(KEYDIR)/hw_key_b.key" ] || ( echo "error: $(KEYDIR)/hw_key_b.key" is missing; exit 1 )
+	[ -e "$(KEYDIR)/hw_key_c.key" ] || ( echo "error: $(KEYDIR)/hw_key_c.key" is missing; exit 1 )
+	[ -e "$(KEYDIR)/sw_key_p.key" ] || ( echo "error: $(KEYDIR)/sw_key_p.key" is missing; exit 1 )
+	$(CREATE_CONTAINER) -a $(KEYDIR)/hw_key_a.key -b $(KEYDIR)/hw_key_b.key -c $(KEYDIR)/hw_key_c.key \
+	                    -p $(KEYDIR)/sw_key_p.key --payload $(objcbfs)/bootblock.bin \
+	                    --imagefile $(obj)/bootblock.signed
+	$(CREATE_CONTAINER) -a $(KEYDIR)/hw_key_a.key -b $(KEYDIR)/hw_key_b.key -c $(KEYDIR)/hw_key_c.key \
+	                    -p $(KEYDIR)/sw_key_p.key --payload $< --imagefile $<.signed
+	@printf "    ECC     $(subst $(obj)/,,$<)\n"
+	$(ECCTOOL) --inject $<.signed --output $<.signed.ecc --p8
+	$(ECCTOOL) --inject $< --output $<.ecc --p8
+	@printf "    ECC     bootblock\n"
+	dd if=$(obj)/bootblock.signed of=$(obj)/bootblock.signed.pad ibs=25486 conv=sync 2> /dev/null
+	$(ECCTOOL) --inject $(obj)/bootblock.signed.pad --output $(obj)/bootblock.signed.ecc --p8
+	rm $(obj)/bootblock.signed $(obj)/bootblock.signed.pad
+
+files_added:: sign_and_add_ecc
 
 endif