diff options
author | Patrick Rudolph <patrick.rudolph@9elements.com> | 2019-07-25 11:55:30 +0200 |
---|---|---|
committer | Philipp Deppenwiese <zaolin.daisuki@gmail.com> | 2019-09-02 04:52:04 +0000 |
commit | 5fffb5e30d0d0caa5bd3256fdce3f337bbef1d0f (patch) | |
tree | 56a59b351e3fab3fc50843a753d8fcda635559af | |
parent | d947c691bc9bf30ee7276e96b60a727b6bbf06ff (diff) |
security/intel: Add TXT infrastructure
* Add Kconfig to enable TXT
* Add possibility to add BIOS and SINIT ACMs
* Set default BIOS ACM alignment
* Increase FIT space if TXT is enabled
The following commits depend on the basic Kconfig infrastructure.
Intel TXT isn't supported until all following commits are merged.
Change-Id: I5f0f956d2b7ba43d4e7e0062803c6d8ba569a052
Signed-off-by: Patrick Rudolph <patrick.rudolph@9elements.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/34585
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: David Hendricks <david.hendricks@gmail.com>
-rw-r--r-- | Documentation/security/intel/txt.md | 6 | ||||
-rw-r--r-- | src/cpu/intel/fit/Kconfig | 1 | ||||
-rw-r--r-- | src/security/Kconfig | 1 | ||||
-rw-r--r-- | src/security/Makefile.inc | 1 | ||||
-rw-r--r-- | src/security/intel/Kconfig | 20 | ||||
-rw-r--r-- | src/security/intel/Makefile.inc | 1 | ||||
-rw-r--r-- | src/security/intel/txt/Kconfig | 54 | ||||
-rw-r--r-- | src/security/intel/txt/Makefile.inc | 20 | ||||
-rw-r--r-- | src/soc/intel/cannonlake/Kconfig | 4 | ||||
-rw-r--r-- | src/soc/intel/skylake/Kconfig | 4 |
10 files changed, 109 insertions, 3 deletions
diff --git a/Documentation/security/intel/txt.md b/Documentation/security/intel/txt.md index f67b63942e..f80a731e81 100644 --- a/Documentation/security/intel/txt.md +++ b/Documentation/security/intel/txt.md @@ -90,11 +90,11 @@ correct state. If it's not the SINIT ACM will reset the platform. ## For developers ### Configuring Intel TXT in Kconfig -Enable ``TEE_INTEL_TXT`` and set the following: +Enable ``INTEL_TXT`` and set the following: -``TEE_INTEL_TXT_BIOSACM_FILE`` to the path of the BIOS ACM provided by Intel +``INTEL_TXT_BIOSACM_FILE`` to the path of the BIOS ACM provided by Intel -``TEE_INTEL_TXT_SINITACM_FILE`` to the path of the SINIT ACM provided by Intel +``INTEL_TXT_SINITACM_FILE`` to the path of the SINIT ACM provided by Intel ### Print TXT status as early as possible Add platform code to print the TXT status as early as possible, as the register is cleared on cold reset. diff --git a/src/cpu/intel/fit/Kconfig b/src/cpu/intel/fit/Kconfig index e48dca9f70..fa10802926 100644 --- a/src/cpu/intel/fit/Kconfig +++ b/src/cpu/intel/fit/Kconfig @@ -5,6 +5,7 @@ config CPU_INTEL_FIRMWARE_INTERFACE_TABLE config CPU_INTEL_NUM_FIT_ENTRIES int + default 16 if INTEL_TXT default 4 depends on CPU_INTEL_FIRMWARE_INTERFACE_TABLE help diff --git a/src/security/Kconfig b/src/security/Kconfig index 8a1531a08d..4e08bbd883 100644 --- a/src/security/Kconfig +++ b/src/security/Kconfig @@ -15,3 +15,4 @@ source "src/security/vboot/Kconfig" source "src/security/tpm/Kconfig" source "src/security/memory/Kconfig" +source "src/security/intel/Kconfig" diff --git a/src/security/Makefile.inc b/src/security/Makefile.inc index f62413e059..fd784385e6 100644 --- a/src/security/Makefile.inc +++ b/src/security/Makefile.inc @@ -1,3 +1,4 @@ subdirs-y += vboot subdirs-y += tpm subdirs-y += memory +subdirs-y += intel diff --git a/src/security/intel/Kconfig b/src/security/intel/Kconfig new file mode 100644 index 0000000000..333e3857ac --- /dev/null +++ b/src/security/intel/Kconfig @@ -0,0 +1,20 @@ +## This file is part of the coreboot project. +## +## Copyright (C) 2019 9elements Agency GmbH +## Copyright (C) 2019 Facebook Inc. +## +## This program is free software; you can redistribute it and/or modify +## it under the terms of the GNU General Public License as published by +## the Free Software Foundation; version 2 of the License. +## +## This program is distributed in the hope that it will be useful, +## but WITHOUT ANY WARRANTY; without even the implied warranty of +## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +## GNU General Public License for more details. +## + +menu "Intel" + +source "src/security/intel/txt/Kconfig" + +endmenu # Intel diff --git a/src/security/intel/Makefile.inc b/src/security/intel/Makefile.inc new file mode 100644 index 0000000000..9388d3f798 --- /dev/null +++ b/src/security/intel/Makefile.inc @@ -0,0 +1 @@ +subdirs-y += txt diff --git a/src/security/intel/txt/Kconfig b/src/security/intel/txt/Kconfig new file mode 100644 index 0000000000..011a41cdc3 --- /dev/null +++ b/src/security/intel/txt/Kconfig @@ -0,0 +1,54 @@ +## This file is part of the coreboot project. +## +## Copyright (C) 2019 9elements Agency GmbH +## Copyright (C) 2019 Facebook Inc. +## +## This program is free software; you can redistribute it and/or modify +## it under the terms of the GNU General Public License as published by +## the Free Software Foundation; version 2 of the License. +## +## This program is distributed in the hope that it will be useful, +## but WITHOUT ANY WARRANTY; without even the implied warranty of +## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +## GNU General Public License for more details. +## + +config INTEL_TXT + bool "Intel TXT support" + default n + select MRC_SETTINGS_PROTECT if CACHE_MRC_SETTINGS + select ENABLE_VMX if CPU_INTEL_COMMON + select AP_IN_SIPI_WAIT + depends on (TPM1 || TPM2) + depends on CPU_INTEL_FIRMWARE_INTERFACE_TABLE + depends on PLATFORM_HAS_DRAM_CLEAR + depends on SOC_INTEL_FSP_BROADWELL_DE || SOC_INTEL_COMMON_BLOCK_SA + +if INTEL_TXT + +config INTEL_TXT_BIOSACM_FILE + string "BIOS ACM file" + default "3rdparty/blobs/soc/intel/fsp_broadwell_de/biosacm.bin" if SOC_INTEL_FSP_BROADWELL_DE + default "3rdparty/blobs/soc/intel/skylake/biosacm.bin" if SOC_INTEL_COMMON_SKYLAKE_BASE + help + Intel TXT BIOS ACM file. This file can be obtained by privileged + access to Intel resources. Or for some platforms found inside the + blob repository. + +config INTEL_TXT_SINITACM_FILE + string "SINIT ACM file" + default "3rdparty/blobs/soc/intel/fsp_broadwell_de/sinitacm.bin" if SOC_INTEL_FSP_BROADWELL_DE + default "3rdparty/blobs/soc/intel/skylake/sinitacm.bin" if SOC_INTEL_COMMON_SKYLAKE_BASE + help + Intel TXT SINIT ACM file. This file can be obtained by privileged + access to Intel resources. Or for some platforms found inside the + blob repository. + +config INTEL_TXT_BIOSACM_ALIGNMENT + hex + default 0x20000 # 128KB + help + Exceptions are Ivy- and Sandy Bridge with 64KB and Purely with 256KB + alignment size. Please overwrite it SoC specific. + +endif diff --git a/src/security/intel/txt/Makefile.inc b/src/security/intel/txt/Makefile.inc new file mode 100644 index 0000000000..d24026ae62 --- /dev/null +++ b/src/security/intel/txt/Makefile.inc @@ -0,0 +1,20 @@ +ifeq ($(CONFIG_INTEL_TXT),y) + +cbfs-files-y += txt_bios_acm.bin +txt_bios_acm.bin-file := $(CONFIG_INTEL_TXT_BIOSACM_FILE) +txt_bios_acm.bin-type := raw +txt_bios_acm.bin-align := $(CONFIG_INTEL_TXT_BIOSACM_ALIGNMENT) + +ifneq ($(CONFIG_INTEL_TXT_SINITACM_FILE),"") +cbfs-files-y += txt_sinit_acm.bin +txt_sinit_acm.bin-file := $(CONFIG_INTEL_TXT_SINITACM_FILE) +txt_sinit_acm.bin-type := raw +txt_sinit_acm.bin-align := 0x10 +txt_sinit_acm.bin-compression := lzma +endif + +INTERMEDIATE+=add_acm_fit +add_acm_fit: $(obj)/coreboot.pre $(IFITTOOL) + $(IFITTOOL) -r COREBOOT -a -n txt_bios_acm.bin -t 2 -s $(CONFIG_CPU_INTEL_NUM_FIT_ENTRIES) -f $< + +endif diff --git a/src/soc/intel/cannonlake/Kconfig b/src/soc/intel/cannonlake/Kconfig index a0107d5763..d949fffc79 100644 --- a/src/soc/intel/cannonlake/Kconfig +++ b/src/soc/intel/cannonlake/Kconfig @@ -318,4 +318,8 @@ config PRERAM_CBMEM_CONSOLE_SIZE hex default 0xe00 +config INTEL_TXT_BIOSACM_ALIGNMENT + hex + default 0x40000 # 256KB + endif diff --git a/src/soc/intel/skylake/Kconfig b/src/soc/intel/skylake/Kconfig index 13c15173b5..9cb8d450a3 100644 --- a/src/soc/intel/skylake/Kconfig +++ b/src/soc/intel/skylake/Kconfig @@ -302,4 +302,8 @@ config IFD_CHIPSET string default "sklkbl" +config INTEL_TXT_BIOSACM_ALIGNMENT + hex + default 0x40000 # 256KB + endif |