Attention is currently required from: Arthur Heymans, Elyes Haouas, Sergii Dmytruk.
Krystian Hebel has posted comments on this change by Sergii Dmytruk. ( https://review.coreboot.org/c/coreboot/+/67065?usp=email )
Change subject: 3rdparty/open-power-signing-utils: add SecureBoot utility for OpenPOWER
Patch Set 38: -Code-Review
(1 comment)
Patchset:
PS38:
Sorry, yes, I meant SW key. I've built the image after basically repeating […]
Unfortunately, this is not enough, booting fails early with very little useful information. I presume this is a checkstop caused by lack of SecureROM (12K block of code with SHA and other verification functions) at the end of HBBL partition, which in case of coreboot is bootblock. We can't just append it because bootblock is slightly too big currently, we would have to get rid of printing or enable LTO to make it fit.
It does boot when secure boot is disabled by a jumper, to some point (coreboot complains about MEMD format in 2.10, perhaps it has changed, but this isn't related to secure boot).
Fully enabling secure boot doesn't seem to be trivial and will most likely need follow-up patches. Still, since the container is required even with secure boot disabled, it makes sense to create those signatures as they should be created, with all signatures filled in. We can worry about the rest later, but the fact that this isn't a complete solution deserves mentioning at least in the commit message.