soc/intel/common/cse: Update help text for CSE_OEMP_FILE

The OEM may create and sign an Audio component to extend the Audio
capability provided by Intel. The manifest is then signed, and the
signature and public key are entered into the header of the manifest
to create the final signed component binary. This creates a secure
verification mechanism where firmware verifies that the OEM Key
Manifest was signed with a key owned by a trusted owner. Once OEM KM
is authenticated, each public key hash stored within the OEM KM is
able to authenticate the corresponding FW binary.

Link to the Document:
https://www.intel.com/content/www/us/en/secure/design/confidential/software-kits/kit-details.html?kitId=689893
ADL_Signing_and_Manifesting_User_Guide.pdf

BUG=b:207820413
TEST:none

Signed-off-by: ravindr1 <ravindra@intel.com>
Change-Id: Id52b51ab1c910d70b7897eb31add8287b5b0166f
Reviewed-on: https://review.coreboot.org/c/coreboot/+/60020
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Paul Menzel <paulepanter@mailbox.org>
Reviewed-by: Tim Wawrzynczak <twawrzynczak@chromium.org>

1 files changed, 5 insertions, 1 deletions

diff --git a/src/soc/intel/common/block/cse/Kconfig b/src/soc/intel/common/block/cse/Kconfig
index 055927be22..ec901ca8a1 100644
--- a/src/soc/intel/common/block/cse/Kconfig
+++ b/src/soc/intel/common/block/cse/Kconfig
@@ -181,7 +181,11 @@ config CSE_BPDT_VERSION
 	  This config indicates the BPDT version used by CSE for a given SoC.
 
 config CSE_OEMP_FILE
-	string "Name of OEM KM file"
+	string "Name of OEM Key Manifest file"
 	default "oem_km.bin"
+	help
+	  OEM Key Manifest lists the public key hashes used for authenticating the
+	  OEM created binaries to be loaded. This binary is generated by signing with
+	  the key owned by trusted owner.
 
 endif