summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorravindr1 <ravindra@intel.com>2021-12-10 09:11:23 +0530
committerTim Wawrzynczak <twawrzynczak@chromium.org>2021-12-13 20:31:57 +0000
commit123312d6a56778faf676df8f0dcf622d4350b126 (patch)
treea34c3b172052a447762d60cd6be871bb0486677e
parent10f457af5f11d9383f9b5fe729ead3ca290f111b (diff)
soc/intel/common/cse: Update help text for CSE_OEMP_FILE
The OEM may create and sign an Audio component to extend the Audio capability provided by Intel. The manifest is then signed, and the signature and public key are entered into the header of the manifest to create the final signed component binary. This creates a secure verification mechanism where firmware verifies that the OEM Key Manifest was signed with a key owned by a trusted owner. Once OEM KM is authenticated, each public key hash stored within the OEM KM is able to authenticate the corresponding FW binary. Link to the Document: https://www.intel.com/content/www/us/en/secure/design/confidential/software-kits/kit-details.html?kitId=689893 ADL_Signing_and_Manifesting_User_Guide.pdf BUG=b:207820413 TEST:none Signed-off-by: ravindr1 <ravindra@intel.com> Change-Id: Id52b51ab1c910d70b7897eb31add8287b5b0166f Reviewed-on: https://review.coreboot.org/c/coreboot/+/60020 Tested-by: build bot (Jenkins) <no-reply@coreboot.org> Reviewed-by: Paul Menzel <paulepanter@mailbox.org> Reviewed-by: Tim Wawrzynczak <twawrzynczak@chromium.org>
-rw-r--r--src/soc/intel/common/block/cse/Kconfig6
1 files changed, 5 insertions, 1 deletions
diff --git a/src/soc/intel/common/block/cse/Kconfig b/src/soc/intel/common/block/cse/Kconfig
index 055927be22..ec901ca8a1 100644
--- a/src/soc/intel/common/block/cse/Kconfig
+++ b/src/soc/intel/common/block/cse/Kconfig
@@ -181,7 +181,11 @@ config CSE_BPDT_VERSION
This config indicates the BPDT version used by CSE for a given SoC.
config CSE_OEMP_FILE
- string "Name of OEM KM file"
+ string "Name of OEM Key Manifest file"
default "oem_km.bin"
+ help
+ OEM Key Manifest lists the public key hashes used for authenticating the
+ OEM created binaries to be loaded. This binary is generated by signing with
+ the key owned by trusted owner.
endif