Commit Graph

20 Commits

Author SHA1 Message Date
Subash Lakkimsetti 6328ea56c7 Enable key ids usage for private keys
This patch enables usage of key id for private keys
in slimboot repo. Key ids are configured in
BuildLoader and platform BoardConfig files.
SLIMBOOT_KEY_DIR is set to default folder outside
sblopen.

Generation of external Keyhash OS key hash to be configured
for QEMU/CGL/APL with appropriate keys.

Signed-off-by: Subash Lakkimsetti <subash.lakkimsetti@intel.com>
2020-06-11 15:50:49 -07:00
Subash Lakkimsetti ee7fcc7abb Remove TestSigningPrivateKey as default in GenContainer
TestSigningPrivateKey is defaulted for container
creation in non-layout form and key dir is used.
In CfgDataStitch also TestSigningPrivateKey is
defaulted when key dir is specified.

Signed-off-by: Subash Lakkimsetti <subash.lakkimsetti@intel.com>
2020-06-03 13:24:41 -07:00
Subash Lakkimsetti 98066ce797 Remove Verified Boot Hash Mask (#663)
PcdVerifiedBootHashMask is no longer used during
verification except for stage1B. Remove Hash mask and
added PcdVerifiedBootStage1B for stage1B verification.

Signed-off-by: Subash Lakkimsetti <subash.lakkimsetti@intel.com>
2020-04-14 09:06:18 -07:00
Subash Lakkimsetti 85617ef888 RSA PSS scheme in signing tools (#641)
Added a build config _SIGNING_SCHEME for
selection of signing schemes. Updated tools
with param for selecting the signing scheme when
they are run in stand alone mode. Authtypes in
container are updated.

Supported Signing schemes - RSA_PCKS_1_5, RSA_PSS
Intel Crypto recommends PSS and same defaulted in
SlimBoot.

Signed-off-by: Subash Lakkimsetti <subash.lakkimsetti@intel.com>
2020-04-10 17:25:58 -07:00
Maurice Ma 9a08163be2 Enhance GenContainer tool
This patch added following enhancement to GenContainer script:
  - Fixed python3 errors in some specific condition
  - Added more error handling to notify the user on failure
  - Removed -od option and use directory of -o option instead

Signed-off-by: Maurice Ma <maurice.ma@intel.com>
2020-01-14 13:54:14 -07:00
Subash Lakkimsetti 94e203113d GenContainer: Converge hash param and auth type usage
In GenContainer tool auth definitions for RSA cases were
updated to include hash alg used. In current implementation
auth type is generated from hash type and private key while
container created. This patch removes hash type param
and auth type is used for hash alg generation.

Platform code to be updated as per updated auth definitions

Signed-off-by: Subash Lakkimsetti <subash.lakkimsetti@intel.com>
2020-01-10 16:23:53 -07:00
Maurice Ma afc164e0b5 Fix GenContainer tool issue with python3
If running GenContainer tool with python3, 'view' sub-command will
throw out errors.  This patch fixed it.

Signed-off-by: Maurice Ma <maurice.ma@intel.com>
2020-01-10 16:18:02 -07:00
Subash Lakkimsetti e18699930d Python3 Next() compatibility fix
In Python 3 built-in function next() is used to get the next
result from an iterator. next method causes post build failure.
Fixed an issue in GenContainer for byte array comparison.

Signed-off-by: Subash Lakkimsetti <subash.lakkimsetti@intel.com>
2020-01-06 22:44:36 +01:00
Subash Lakkimsetti 79abb75ed6 Enable RSA3072 and SHA384 signing support
This patch introduces support for RSA3K and SHA384 signing
and verification support to Slimbootloader. Component hash
verification is done using PcdCompSignHashAlg.

To enable RSA3072 and SHA384,
 - Signing hash algorithm SIGN_HASH_TYPE should be set to SHA2_384
 - RSA3K private keys should be configured in platform board configs.
 - Set IPP_CRYPTO_ALG_MASK to include SHA2_384
 - Enable required IPP_CRYPTO_OPTIMIZATION_MASK
 - Default signing hash type is set to SHA2_256. Use hash type option
   while using the tools as GenContainer, CfgDataTool in standalone
   mode.

Signed-off-by: Subash Lakkimsetti <subash.lakkimsetti@intel.com>
2020-01-02 11:23:49 -07:00
Subash Lakkimsetti 8dce637d4a Signing Tools: Publickey and Signature data structure updates
This patch add pubkey and signature header updates to storage.
Data reversal for hash computation is not being performed.
Only RSA2048 and SHA256 changes were updated with this patch.

Signed-off-by: Subash Lakkimsetti <subashx.lakkimsetti@intel.com>
2019-12-10 11:42:23 -08:00
Aiden Park b24fd2759c Cosmetic: Convert LF to CRLF
This will fully support PatchCheck.py.
- Remove all trailing whitespace
- Convert LF to CRLF by default
- Update EFI_D_* to DEBUG_*
- Re-enable CRLF check in PatchCheck.py

Signed-off-by: Aiden Park <aiden.park@intel.com>
2019-12-02 16:21:19 -08:00
Aiden Park d362ef39ec Cosmetic: Remove TAB characters (Tab to Space)
No code change. To check TABs in PatchCheck.py.

Signed-off-by: Aiden Park <aiden.park@intel.com>
2019-11-21 12:11:37 -08:00
Subash Lakkimsetti d81d21cf81 Add hash type param to GenContainer tool
signing hash type parameter added with command line
args for create, replace and sign component image.

Signed-off-by: Subash Lakkimsetti <subashx.lakkimsetti@intel.com>
2019-11-15 13:25:40 +08:00
Subash Lakkimsetti 5608222f17 Add hash type param to bootloader build and signing tools
hash_type parameter added to build tool API's as required and
current supported hash in tools is for SHA2_256.

Added functionality for retrieving RSA private key type.

Signed-off-by: Subash Lakkimsetti <subashx.lakkimsetti@intel.com>
2019-11-12 09:56:11 +08:00
stalamudupula fc1d53d387 Set default Container type to CLASSIC (#413)
Container parse logic cannot handle NORMAL (default) case
currently. So, if -t option is not used while generating a
Container, unsupported image type is reported during runtime.

Change the default type to CLASSIC, and end-user can use
-t option to switch to MULTIBOOT if needed.

Signed-off-by: Sai Talamudupula <sai.kiran.talamudupula@intel.com>
2019-10-24 13:20:56 -07:00
Sai Talamudupula a88c44e792 Enhance GenContainer.py
Container type can be input from command line
from a list of [NORMAL, CLASSIC, MULTIBOOT] while
generating a container using GenContainer.py.
Setting default as NORMAL.

Revert varnames of out dir and key dir for commands
other than create container, as this is breaking stitch.

Signed-off-by: Sai Talamudupula <sai.kiran.talamudupula@intel.com>
2019-10-02 20:28:17 -07:00
Sai Talamudupula 709d7c1470 Support boot image from container
Add support to load the boot image from container.
Container must be signed using the same private key
as the key used to sign IAS (i.e. IAS_PRIVATE_KEY).

Signed-off-by: Sai Talamudupula <sai.kiran.talamudupula@intel.com>
2019-10-02 12:18:45 -07:00
Sai Talamudupula 0e81d08fa2 Update GenContainer.py to create container BOOT image
GenContainer.py tool can be used to create a container
with the boot files as follows:

python %SBL_ROOT%\BootloaderCorePkg\Tools\GenContainer.py create
-cl CMDL:<cmdline.txt> KRNL:<vmlinuz> INRD:<initrd>
-o <Out> -k <Key>

<cmdline.txt> = command line file
<vmlinuz> = kernel image
<initrd> = initrd image
<Out>    = dir/file where final Pods Image is copied
<Key>    = Private signing key file/dir path

Signed-off-by: Sai Talamudupula <sai.kiran.talamudupula@intel.com>
2019-10-01 10:33:17 -07:00
Maurice Ma ea38da7599 [TOOLS] Add python3 build support
EDK II build has enabled python3 support. Since SBL has its own scripts,
it is required to port them accordingly to support python3. This patch
added python3 build support for SBL.

Signed-off-by: Maurice Ma <maurice.ma@intel.com>
2019-08-22 09:18:52 -07:00
Maurice Ma 651a189d53 Add GenContainer tool script
This patch added GenContainer.py script to create, extract, replace,
sign and display a container image. If platform provides
GetContainerList() in BoardConfig.py, the build process will consume
it to create container images.

Signed-off-by: Maurice Ma <maurice.ma@intel.com>
2019-07-31 09:31:36 -07:00