security/intel: Add TXT infrastructure

* Add Kconfig to enable TXT
* Add possibility to add BIOS and SINIT ACMs
* Set default BIOS ACM alignment
* Increase FIT space if TXT is enabled

The following commits depend on the basic Kconfig infrastructure.
Intel TXT isn't supported until all following commits are merged.

Change-Id: I5f0f956d2b7ba43d4e7e0062803c6d8ba569a052
Signed-off-by: Patrick Rudolph <patrick.rudolph@9elements.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/34585
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: David Hendricks <david.hendricks@gmail.com>

2 files changed, 74 insertions, 0 deletions

diff --git a/src/security/intel/txt/Kconfig b/src/security/intel/txt/Kconfig
new file mode 100644
index 0000000000..011a41cdc3
--- /dev/null
+++ b/src/security/intel/txt/Kconfig
@@ -0,0 +1,54 @@
+## This file is part of the coreboot project.
+##
+## Copyright (C) 2019 9elements Agency GmbH
+## Copyright (C) 2019 Facebook Inc.
+##
+## This program is free software; you can redistribute it and/or modify
+## it under the terms of the GNU General Public License as published by
+## the Free Software Foundation; version 2 of the License.
+##
+## This program is distributed in the hope that it will be useful,
+## but WITHOUT ANY WARRANTY; without even the implied warranty of
+## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+## GNU General Public License for more details.
+##
+
+config INTEL_TXT
+	bool "Intel TXT support"
+	default n
+	select MRC_SETTINGS_PROTECT if CACHE_MRC_SETTINGS
+	select ENABLE_VMX if CPU_INTEL_COMMON
+	select AP_IN_SIPI_WAIT
+	depends on (TPM1 || TPM2)
+	depends on CPU_INTEL_FIRMWARE_INTERFACE_TABLE
+	depends on PLATFORM_HAS_DRAM_CLEAR
+	depends on SOC_INTEL_FSP_BROADWELL_DE || SOC_INTEL_COMMON_BLOCK_SA
+
+if INTEL_TXT
+
+config INTEL_TXT_BIOSACM_FILE
+	string "BIOS ACM file"
+	default "3rdparty/blobs/soc/intel/fsp_broadwell_de/biosacm.bin" if SOC_INTEL_FSP_BROADWELL_DE
+	default "3rdparty/blobs/soc/intel/skylake/biosacm.bin" if SOC_INTEL_COMMON_SKYLAKE_BASE
+	help
+	  Intel TXT BIOS ACM file. This file can be obtained by privileged
+	  access to Intel resources. Or for some platforms found inside the
+	  blob repository.
+
+config INTEL_TXT_SINITACM_FILE
+	string "SINIT ACM file"
+	default "3rdparty/blobs/soc/intel/fsp_broadwell_de/sinitacm.bin" if SOC_INTEL_FSP_BROADWELL_DE
+	default "3rdparty/blobs/soc/intel/skylake/sinitacm.bin" if SOC_INTEL_COMMON_SKYLAKE_BASE
+	help
+	  Intel TXT SINIT ACM file. This file can be obtained by privileged
+	  access to Intel resources. Or for some platforms found inside the
+	  blob repository.
+
+config INTEL_TXT_BIOSACM_ALIGNMENT
+	hex
+	default 0x20000 # 128KB
+	help
+	  Exceptions are Ivy- and Sandy Bridge with 64KB and Purely with 256KB
+	  alignment size. Please overwrite it SoC specific.
+
+endif
diff --git a/src/security/intel/txt/Makefile.inc b/src/security/intel/txt/Makefile.inc
new file mode 100644
index 0000000000..d24026ae62
--- /dev/null
+++ b/src/security/intel/txt/Makefile.inc
@@ -0,0 +1,20 @@
+ifeq ($(CONFIG_INTEL_TXT),y)
+
+cbfs-files-y += txt_bios_acm.bin
+txt_bios_acm.bin-file := $(CONFIG_INTEL_TXT_BIOSACM_FILE)
+txt_bios_acm.bin-type := raw
+txt_bios_acm.bin-align := $(CONFIG_INTEL_TXT_BIOSACM_ALIGNMENT)
+
+ifneq ($(CONFIG_INTEL_TXT_SINITACM_FILE),"")
+cbfs-files-y += txt_sinit_acm.bin
+txt_sinit_acm.bin-file := $(CONFIG_INTEL_TXT_SINITACM_FILE)
+txt_sinit_acm.bin-type := raw
+txt_sinit_acm.bin-align := 0x10
+txt_sinit_acm.bin-compression := lzma
+endif
+
+INTERMEDIATE+=add_acm_fit
+add_acm_fit: $(obj)/coreboot.pre $(IFITTOOL)
+	$(IFITTOOL) -r COREBOOT -a -n txt_bios_acm.bin -t 2 -s $(CONFIG_CPU_INTEL_NUM_FIT_ENTRIES) -f $<
+
+endif