summaryrefslogtreecommitdiff
path: root/src/security/intel/cbnt
diff options
context:
space:
mode:
authorArthur Heymans <arthur@aheymans.xyz>2020-10-15 13:57:52 +0200
committerPatrick Georgi <pgeorgi@google.com>2020-11-10 06:17:24 +0000
commit94fe086a067ad635246f40a339748182ef7b943e (patch)
tree0ba1826a8fce05c3ef8412c5a07a7f1f8259b460 /src/security/intel/cbnt
parenta3ac82092f0d991ad4393f0d31b689760be8338e (diff)
sec/intel/cbnt: Stitch in ACMs in the coreboot image
Actual support CBnT will be added later on. Change-Id: Icc35c5e6c74d002efee43cc05ecc8023e00631e0 Signed-off-by: Arthur Heymans <arthur@aheymans.xyz> Reviewed-on: https://review.coreboot.org/c/coreboot/+/46456 Reviewed-by: Angel Pons <th3fanbus@gmail.com> Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Diffstat (limited to 'src/security/intel/cbnt')
-rw-r--r--src/security/intel/cbnt/Kconfig27
-rw-r--r--src/security/intel/cbnt/Makefile.inc25
2 files changed, 52 insertions, 0 deletions
diff --git a/src/security/intel/cbnt/Kconfig b/src/security/intel/cbnt/Kconfig
new file mode 100644
index 0000000000..f13f6ec59c
--- /dev/null
+++ b/src/security/intel/cbnt/Kconfig
@@ -0,0 +1,27 @@
+# SPDX-License-Identifier: GPL-2.0-only
+
+config INTEL_CBNT_SUPPORT
+ bool "Intel CBnT support"
+ default n
+ depends on CPU_INTEL_FIRMWARE_INTERFACE_TABLE
+ #depends on PLATFORM_HAS_DRAM_CLEAR
+ select INTEL_TXT
+ help
+ Enables Intel Converged Bootguard and Trusted Execution Technology
+ Support. This will enable one to add a Key Manifest (KM) and a Boot
+ Policy Manifest (BPM) to the filesystem. It will also wrap a FIT around
+ the firmware and update appropriate entries.
+
+if INTEL_CBNT_SUPPORT
+
+config INTEL_CBNT_KEY_MANIFEST_BINARY
+ string "KM (Key Manifest) binary location"
+ help
+ Location of the Key Manifest (KM)
+
+config INTEL_CBNT_BOOT_POLICY_MANIFEST_BINARY
+ string "BPM (Boot Policy Manifest) binary location"
+ help
+ Location of the Boot Policy Manifest (BPM)
+
+endif # INTEL_CBNT_SUPPORT
diff --git a/src/security/intel/cbnt/Makefile.inc b/src/security/intel/cbnt/Makefile.inc
new file mode 100644
index 0000000000..f2e5c76dba
--- /dev/null
+++ b/src/security/intel/cbnt/Makefile.inc
@@ -0,0 +1,25 @@
+ifeq ($(CONFIG_INTEL_CBNT_SUPPORT),y)
+
+ifneq ($(CONFIG_INTEL_CBNT_BOOT_POLICY_MANIFEST_BINARY),"")
+cbfs-files-y += boot_policy_manifest.bin
+boot_policy_manifest.bin-file := $(CONFIG_INTEL_CBNT_BOOT_POLICY_MANIFEST_BINARY)
+boot_policy_manifest.bin-type := raw
+boot_policy_manifest.bin-align := 0x10
+
+INTERMEDIATE+=add_bpm_fit
+add_bpm_fit: $(obj)/coreboot.pre $(IFITTOOL)
+ $(IFITTOOL) -r COREBOOT -a -n boot_policy_manifest.bin -t 12 -s $(CONFIG_CPU_INTEL_NUM_FIT_ENTRIES) -f $<
+endif
+
+ifneq ($(CONFIG_INTEL_CBNT_KEY_MANIFEST_BINARY),"")
+cbfs-files-y += key_manifest.bin
+key_manifest.bin-file := $(CONFIG_INTEL_CBNT_KEY_MANIFEST_BINARY)
+key_manifest.bin-type := raw
+key_manifest.bin-align := 0x10
+
+INTERMEDIATE+=add_km_fit
+add_km_fit: $(obj)/coreboot.pre $(IFITTOOL)
+ $(IFITTOOL) -r COREBOOT -a -n key_manifest.bin -t 11 -s $(CONFIG_CPU_INTEL_NUM_FIT_ENTRIES) -f $<
+endif
+
+endif # CONFIG_INTEL_CBNT_SUPPORT