summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorPatrick Rudolph <patrick.rudolph@9elements.com>2019-07-25 11:55:30 +0200
committerPhilipp Deppenwiese <zaolin.daisuki@gmail.com>2019-09-02 04:52:04 +0000
commit5fffb5e30d0d0caa5bd3256fdce3f337bbef1d0f (patch)
tree56a59b351e3fab3fc50843a753d8fcda635559af
parentd947c691bc9bf30ee7276e96b60a727b6bbf06ff (diff)
security/intel: Add TXT infrastructure
* Add Kconfig to enable TXT * Add possibility to add BIOS and SINIT ACMs * Set default BIOS ACM alignment * Increase FIT space if TXT is enabled The following commits depend on the basic Kconfig infrastructure. Intel TXT isn't supported until all following commits are merged. Change-Id: I5f0f956d2b7ba43d4e7e0062803c6d8ba569a052 Signed-off-by: Patrick Rudolph <patrick.rudolph@9elements.com> Reviewed-on: https://review.coreboot.org/c/coreboot/+/34585 Tested-by: build bot (Jenkins) <no-reply@coreboot.org> Reviewed-by: David Hendricks <david.hendricks@gmail.com>
-rw-r--r--Documentation/security/intel/txt.md6
-rw-r--r--src/cpu/intel/fit/Kconfig1
-rw-r--r--src/security/Kconfig1
-rw-r--r--src/security/Makefile.inc1
-rw-r--r--src/security/intel/Kconfig20
-rw-r--r--src/security/intel/Makefile.inc1
-rw-r--r--src/security/intel/txt/Kconfig54
-rw-r--r--src/security/intel/txt/Makefile.inc20
-rw-r--r--src/soc/intel/cannonlake/Kconfig4
-rw-r--r--src/soc/intel/skylake/Kconfig4
10 files changed, 109 insertions, 3 deletions
diff --git a/Documentation/security/intel/txt.md b/Documentation/security/intel/txt.md
index f67b63942e..f80a731e81 100644
--- a/Documentation/security/intel/txt.md
+++ b/Documentation/security/intel/txt.md
@@ -90,11 +90,11 @@ correct state. If it's not the SINIT ACM will reset the platform.
## For developers
### Configuring Intel TXT in Kconfig
-Enable ``TEE_INTEL_TXT`` and set the following:
+Enable ``INTEL_TXT`` and set the following:
-``TEE_INTEL_TXT_BIOSACM_FILE`` to the path of the BIOS ACM provided by Intel
+``INTEL_TXT_BIOSACM_FILE`` to the path of the BIOS ACM provided by Intel
-``TEE_INTEL_TXT_SINITACM_FILE`` to the path of the SINIT ACM provided by Intel
+``INTEL_TXT_SINITACM_FILE`` to the path of the SINIT ACM provided by Intel
### Print TXT status as early as possible
Add platform code to print the TXT status as early as possible, as the register
is cleared on cold reset.
diff --git a/src/cpu/intel/fit/Kconfig b/src/cpu/intel/fit/Kconfig
index e48dca9f70..fa10802926 100644
--- a/src/cpu/intel/fit/Kconfig
+++ b/src/cpu/intel/fit/Kconfig
@@ -5,6 +5,7 @@ config CPU_INTEL_FIRMWARE_INTERFACE_TABLE
config CPU_INTEL_NUM_FIT_ENTRIES
int
+ default 16 if INTEL_TXT
default 4
depends on CPU_INTEL_FIRMWARE_INTERFACE_TABLE
help
diff --git a/src/security/Kconfig b/src/security/Kconfig
index 8a1531a08d..4e08bbd883 100644
--- a/src/security/Kconfig
+++ b/src/security/Kconfig
@@ -15,3 +15,4 @@
source "src/security/vboot/Kconfig"
source "src/security/tpm/Kconfig"
source "src/security/memory/Kconfig"
+source "src/security/intel/Kconfig"
diff --git a/src/security/Makefile.inc b/src/security/Makefile.inc
index f62413e059..fd784385e6 100644
--- a/src/security/Makefile.inc
+++ b/src/security/Makefile.inc
@@ -1,3 +1,4 @@
subdirs-y += vboot
subdirs-y += tpm
subdirs-y += memory
+subdirs-y += intel
diff --git a/src/security/intel/Kconfig b/src/security/intel/Kconfig
new file mode 100644
index 0000000000..333e3857ac
--- /dev/null
+++ b/src/security/intel/Kconfig
@@ -0,0 +1,20 @@
+## This file is part of the coreboot project.
+##
+## Copyright (C) 2019 9elements Agency GmbH
+## Copyright (C) 2019 Facebook Inc.
+##
+## This program is free software; you can redistribute it and/or modify
+## it under the terms of the GNU General Public License as published by
+## the Free Software Foundation; version 2 of the License.
+##
+## This program is distributed in the hope that it will be useful,
+## but WITHOUT ANY WARRANTY; without even the implied warranty of
+## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+## GNU General Public License for more details.
+##
+
+menu "Intel"
+
+source "src/security/intel/txt/Kconfig"
+
+endmenu # Intel
diff --git a/src/security/intel/Makefile.inc b/src/security/intel/Makefile.inc
new file mode 100644
index 0000000000..9388d3f798
--- /dev/null
+++ b/src/security/intel/Makefile.inc
@@ -0,0 +1 @@
+subdirs-y += txt
diff --git a/src/security/intel/txt/Kconfig b/src/security/intel/txt/Kconfig
new file mode 100644
index 0000000000..011a41cdc3
--- /dev/null
+++ b/src/security/intel/txt/Kconfig
@@ -0,0 +1,54 @@
+## This file is part of the coreboot project.
+##
+## Copyright (C) 2019 9elements Agency GmbH
+## Copyright (C) 2019 Facebook Inc.
+##
+## This program is free software; you can redistribute it and/or modify
+## it under the terms of the GNU General Public License as published by
+## the Free Software Foundation; version 2 of the License.
+##
+## This program is distributed in the hope that it will be useful,
+## but WITHOUT ANY WARRANTY; without even the implied warranty of
+## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+## GNU General Public License for more details.
+##
+
+config INTEL_TXT
+ bool "Intel TXT support"
+ default n
+ select MRC_SETTINGS_PROTECT if CACHE_MRC_SETTINGS
+ select ENABLE_VMX if CPU_INTEL_COMMON
+ select AP_IN_SIPI_WAIT
+ depends on (TPM1 || TPM2)
+ depends on CPU_INTEL_FIRMWARE_INTERFACE_TABLE
+ depends on PLATFORM_HAS_DRAM_CLEAR
+ depends on SOC_INTEL_FSP_BROADWELL_DE || SOC_INTEL_COMMON_BLOCK_SA
+
+if INTEL_TXT
+
+config INTEL_TXT_BIOSACM_FILE
+ string "BIOS ACM file"
+ default "3rdparty/blobs/soc/intel/fsp_broadwell_de/biosacm.bin" if SOC_INTEL_FSP_BROADWELL_DE
+ default "3rdparty/blobs/soc/intel/skylake/biosacm.bin" if SOC_INTEL_COMMON_SKYLAKE_BASE
+ help
+ Intel TXT BIOS ACM file. This file can be obtained by privileged
+ access to Intel resources. Or for some platforms found inside the
+ blob repository.
+
+config INTEL_TXT_SINITACM_FILE
+ string "SINIT ACM file"
+ default "3rdparty/blobs/soc/intel/fsp_broadwell_de/sinitacm.bin" if SOC_INTEL_FSP_BROADWELL_DE
+ default "3rdparty/blobs/soc/intel/skylake/sinitacm.bin" if SOC_INTEL_COMMON_SKYLAKE_BASE
+ help
+ Intel TXT SINIT ACM file. This file can be obtained by privileged
+ access to Intel resources. Or for some platforms found inside the
+ blob repository.
+
+config INTEL_TXT_BIOSACM_ALIGNMENT
+ hex
+ default 0x20000 # 128KB
+ help
+ Exceptions are Ivy- and Sandy Bridge with 64KB and Purely with 256KB
+ alignment size. Please overwrite it SoC specific.
+
+endif
diff --git a/src/security/intel/txt/Makefile.inc b/src/security/intel/txt/Makefile.inc
new file mode 100644
index 0000000000..d24026ae62
--- /dev/null
+++ b/src/security/intel/txt/Makefile.inc
@@ -0,0 +1,20 @@
+ifeq ($(CONFIG_INTEL_TXT),y)
+
+cbfs-files-y += txt_bios_acm.bin
+txt_bios_acm.bin-file := $(CONFIG_INTEL_TXT_BIOSACM_FILE)
+txt_bios_acm.bin-type := raw
+txt_bios_acm.bin-align := $(CONFIG_INTEL_TXT_BIOSACM_ALIGNMENT)
+
+ifneq ($(CONFIG_INTEL_TXT_SINITACM_FILE),"")
+cbfs-files-y += txt_sinit_acm.bin
+txt_sinit_acm.bin-file := $(CONFIG_INTEL_TXT_SINITACM_FILE)
+txt_sinit_acm.bin-type := raw
+txt_sinit_acm.bin-align := 0x10
+txt_sinit_acm.bin-compression := lzma
+endif
+
+INTERMEDIATE+=add_acm_fit
+add_acm_fit: $(obj)/coreboot.pre $(IFITTOOL)
+ $(IFITTOOL) -r COREBOOT -a -n txt_bios_acm.bin -t 2 -s $(CONFIG_CPU_INTEL_NUM_FIT_ENTRIES) -f $<
+
+endif
diff --git a/src/soc/intel/cannonlake/Kconfig b/src/soc/intel/cannonlake/Kconfig
index a0107d5763..d949fffc79 100644
--- a/src/soc/intel/cannonlake/Kconfig
+++ b/src/soc/intel/cannonlake/Kconfig
@@ -318,4 +318,8 @@ config PRERAM_CBMEM_CONSOLE_SIZE
hex
default 0xe00
+config INTEL_TXT_BIOSACM_ALIGNMENT
+ hex
+ default 0x40000 # 256KB
+
endif
diff --git a/src/soc/intel/skylake/Kconfig b/src/soc/intel/skylake/Kconfig
index 13c15173b5..9cb8d450a3 100644
--- a/src/soc/intel/skylake/Kconfig
+++ b/src/soc/intel/skylake/Kconfig
@@ -302,4 +302,8 @@ config IFD_CHIPSET
string
default "sklkbl"
+config INTEL_TXT_BIOSACM_ALIGNMENT
+ hex
+ default 0x40000 # 256KB
+
endif