summaryrefslogtreecommitdiff
path: root/src/security
diff options
context:
space:
mode:
authorArthur Heymans <arthur@aheymans.xyz>2021-02-19 19:39:56 +0100
committerArthur Heymans <arthur@aheymans.xyz>2021-03-30 11:46:33 +0000
commit3d5319eb5ad135c016430a971dfab0eec66bbfde (patch)
treeaf589fa1cb80af70d4cf4f2aeb7bb7fee072ad7d /src/security
parent83a55930ddedb38c603383a799ea3f40034b6df1 (diff)
security/intel/cbnt: Add options to generate BPM from Kconfig
Use Kconfig options to set BPM fields. Change-Id: I9f5ffa0f692b06265f992b07a44763ff1aa8dfa7 Signed-off-by: Arthur Heymans <arthur@aheymans.xyz> Reviewed-on: https://review.coreboot.org/c/coreboot/+/50928 Tested-by: build bot (Jenkins) <no-reply@coreboot.org> Reviewed-by: Angel Pons <th3fanbus@gmail.com>
Diffstat (limited to 'src/security')
-rw-r--r--src/security/intel/cbnt/Kconfig71
-rw-r--r--src/security/intel/cbnt/Makefile.inc26
2 files changed, 96 insertions, 1 deletions
diff --git a/src/security/intel/cbnt/Kconfig b/src/security/intel/cbnt/Kconfig
index c018212311..415092b6c2 100644
--- a/src/security/intel/cbnt/Kconfig
+++ b/src/security/intel/cbnt/Kconfig
@@ -68,9 +68,17 @@ config INTEL_CBNT_BPM_ONLY_UNSIGNED
"$ ifittool -r COREBOOT -a -n boot_policy_manifest.bin -t 12 -s 12 -f build/coreboot.rom"
'-s 12' where 12 is CONFIG_CPU_INTEL_NUM_FIT_ENTRIES.
+config INTEL_CBNT_BG_PROV_BPM_USE_CFG_FILE
+ bool "BPM: use a CBnT json config file"
+ depends on INTEL_CBNT_GENERATE_BPM
+ default y
+ help
+ Select y to generate BPM from a json config file.
+ Select n to generate BPM from Kconfig options
+
config INTEL_CBNT_BG_PROV_CFG_FILE
string "CBnT json config file"
- depends on INTEL_CBNT_BG_PROV_KM_USE_CFG_FILE || INTEL_CBNT_GENERATE_BPM
+ depends on INTEL_CBNT_BG_PROV_KM_USE_CFG_FILE || INTEL_CBNT_BG_PROV_BPM_USE_CFG_FILE
help
Location of the bg-prov json config file.
Either get a sample JSON config file:
@@ -153,6 +161,67 @@ endmenu
endif # !INTEL_CBNT_BG_PROV_KM_USE_CFG_FILE
+if !INTEL_CBNT_BG_PROV_BPM_USE_CFG_FILE && INTEL_CBNT_GENERATE_BPM
+menu "BPM options"
+
+config INTEL_CBNT_BPM_REVISION
+ int "BPM revision"
+ default 1
+ help
+ Version of the Key Manifest defined by the Platform Manufacturer.
+ The actual value is transparent to Boot Guard and is not processed by Boot Guard.
+
+config INTEL_CBNT_BPM_SVN
+ int "BPM Security Version Number"
+ default 0
+ help
+ This value is determined by the Platform Manufacturer.
+
+config INTEL_CBNT_ACM_SVN
+ int "S-ACM Security Version Number"
+ default 2
+ help
+ This defines the minimum version the S-ACM must have.
+
+config INTEL_CBNT_NUM_NEM_PAGES
+ int
+ default 32
+ help
+ Set the amount of 4K pages of CAR required.
+
+config INTEL_CBNT_PBET
+ int "PBET value in s"
+ default 15
+ help
+ Protect BIOS Environment Timer (PBET) value.
+ Factor used by CSE to compute PBE timer value.
+ Actual PBE timer value is set by CSE using formula:
+ PBE timer value = 5 sec + PBETValue.
+
+config INTEL_CBNT_IBB_FLAGS
+ int "IBB flags"
+ default 7
+ help
+ IBB Control flags.
+ 3: Don't extend PCR 0
+ 7: extend PCR 7
+
+config INTEL_CBNT_SINIT_SVN
+ int "SINIT ACM security version number"
+ default 0
+ help
+ Minimum required version for the SINIT ACM.
+
+config INTEL_CBNT_PD_INTERVAL
+ int
+ default 60
+ help
+ Duration of Power Down in 5 sec increments.
+
+endmenu
+
+endif # !INTEL_CBNT_BG_PROV_BPM_USE_CFG_FILE
+
config INTEL_CBNT_KEY_MANIFEST_BINARY
string "KM (Key Manifest) binary location"
depends on !INTEL_CBNT_GENERATE_KM
diff --git a/src/security/intel/cbnt/Makefile.inc b/src/security/intel/cbnt/Makefile.inc
index 0ea9ed0b0b..788b1b7567 100644
--- a/src/security/intel/cbnt/Makefile.inc
+++ b/src/security/intel/cbnt/Makefile.inc
@@ -34,9 +34,35 @@ $(CBNT_CFG): $(call strip_quotes, $(CONFIG_INTEL_CBNT_BG_PROV_CFG_FILE))
cp $(CONFIG_INTEL_CBNT_BG_PROV_CFG_FILE) $@
ifeq ($(CONFIG_INTEL_CBNT_GENERATE_BPM),y)
+ifeq ($(CONFIG_INTEL_CBNT_BG_PROV_BPM_USE_CFG_FILE),y)
$(obj)/bpm_unsigned.bin: $(obj)/coreboot.rom $(BG_PROV) $(CBNT_CFG)
printf " BG_PROV creating unsigned BPM using config file\n"
$(BG_PROV) bpm-gen $@ $< --config=$(CBNT_CFG) --cut
+else
+$(obj)/bpm_unsigned.bin: $(obj)/coreboot.rom $(BG_PROV)
+ printf " BG_PROV creating unsigned BPM\n"
+ # SHA256, SHA1, SHA384 for digest
+ $(BG_PROV) bpm-gen $@ $< --revision=$(CONFIG_INTEL_CBNT_BPM_REVISION) \
+ --svn=$(CONFIG_INTEL_CBNT_BPM_SVN) \
+ --acmsvn=$(CONFIG_INTEL_CBNT_ACM_SVN) \
+ --nems=$(CONFIG_INTEL_CBNT_NUM_NEM_PAGES) \
+ --pbet=$(CONFIG_INTEL_CBNT_PBET) \
+ --ibbflags=$(CONFIG_INTEL_CBNT_IBB_FLAGS) \
+ --entrypoint=$(shell printf "%d" 0xfffffff0) \
+ --ibbhash={11,4,12} \
+ --ibbsegbase=$(call int-add, $(call int-subtract, 0xffffffff $(CONFIG_C_ENV_BOOTBLOCK_SIZE)) 1) \
+ --ibbsegsize=$(shell printf "%d" $(CONFIG_C_ENV_BOOTBLOCK_SIZE)) \
+ --ibbsegflag=0 \
+ --sintmin=$(CONFIG_INTEL_CBNT_SINIT_SVN) \
+ --txtflags=0 \
+ --powerdowninterval=$(CONFIG_INTEL_CBNT_PD_INTERVAL) \
+ --acpibaseoffset=$(shell printf "%d" $(CONFIG_INTEL_ACPI_BASE_ADDRESS)) \
+ --powermbaseoffset=$(shell printf "%d" $(CONFIG_INTEL_PCH_PWRM_BASE_ADDRESS)) \
+ --cmosoff0=$(shell printf "%d" $(CONFIG_INTEL_CBNT_CMOS_OFFSET)) \
+ --cmosoff1=$(call int-add, $(CONFIG_INTEL_CBNT_CMOS_OFFSET) 1) \
+ --cut \
+ --out=$(obj)/bpm_cfg.json
+endif
ifeq ($(CONFIG_INTEL_CBNT_BPM_ONLY_UNSIGNED),y)
build_complete:: $(obj)/bpm_unsigned.bin