diff options
-rw-r--r-- | src/security/intel/cbnt/Kconfig | 50 | ||||
-rw-r--r-- | src/security/intel/cbnt/Makefile.inc | 13 |
2 files changed, 62 insertions, 1 deletions
diff --git a/src/security/intel/cbnt/Kconfig b/src/security/intel/cbnt/Kconfig index 8c4d999043..0f4c2167c9 100644 --- a/src/security/intel/cbnt/Kconfig +++ b/src/security/intel/cbnt/Kconfig @@ -21,13 +21,22 @@ config INTEL_CBNT_GENERATE_KM default y select INTEL_CBNT_NEED_KM_PUB_KEY select INTEL_CBNT_NEED_KM_PRIV_KEY + select INTEL_CBNT_NEED_BPM_PUB_KEY if !INTEL_CBNT_BG_PROV_KM_USE_CFG_FILE help Select y to generate the Key Manifest (KM). Select n to include a KM binary. +config INTEL_CBNT_BG_PROV_KM_USE_CFG_FILE + bool "KM: use a CBnT json config file" + depends on INTEL_CBNT_GENERATE_KM + default y + help + Select y to generate KM from a json config file. + Select n to generate KM from Kconfig options + config INTEL_CBNT_BG_PROV_CFG_FILE string "CBnT json config file" - depends on INTEL_CBNT_GENERATE_KM + depends on INTEL_CBNT_BG_PROV_KM_USE_CFG_FILE help Location of the bg-prov json config file. Either get a sample JSON config file: @@ -71,6 +80,45 @@ config INTEL_CBNT_BPM_PRIV_KEY_FILE help Location of the boot policy manifest (BPM) private key file in .pem format. +if !INTEL_CBNT_BG_PROV_KM_USE_CFG_FILE && INTEL_CBNT_GENERATE_KM + +menu "KM options" + +config INTEL_CBNT_KM_REVISION + int "KM revision" + default 1 + help + Version of the Key Manifest defined by the Platform Manufacturer. + The actual value is transparent to Boot Guard and is not processed by Boot Guard. + +config INTEL_CBNT_KM_SVN + int "KM security Version Number" + range 0 15 + default 0 + help + This value is determined by the Platform Manufacturer. + Boot Guard uses this to compare it to the Key Manifest + Revocation Value (Revocation.KMSVN) in FPF. + + If KMSVN < Revocation.KMSVN, the KM will be revoked. It will trigger ENF (the + enforcement policy). + IF KMSVN > Revocation.KMSVN, the Revocation.KMSVN will be set to the KMSVN. + + Note: Once the value reaches 0Fh, revocation saturates and one can no longer + revoke newer KMs. + +config INTEL_CBNT_KM_ID + int "KM ID" + default 1 + help + This identifies the Key Manifest to be used for a platform. + This must match the Key Manifest Identifier programmed in + the field programmable fuses. + +endmenu + +endif # !INTEL_CBNT_BG_PROV_KM_USE_CFG_FILE + config INTEL_CBNT_KEY_MANIFEST_BINARY string "KM (Key Manifest) binary location" depends on !INTEL_CBNT_GENERATE_KM diff --git a/src/security/intel/cbnt/Makefile.inc b/src/security/intel/cbnt/Makefile.inc index b508974283..62b12f0c0f 100644 --- a/src/security/intel/cbnt/Makefile.inc +++ b/src/security/intel/cbnt/Makefile.inc @@ -44,9 +44,22 @@ $(call add_intermediate, add_bpm_fit, $(IFITTOOL) set_fit_ptr) endif ifeq ($(CONFIG_INTEL_CBNT_GENERATE_KM),y) +ifeq ($(CONFIG_INTEL_CBNT_BG_PROV_KM_USE_CFG_FILE),y) $(obj)/km_unsigned.bin: $(obj)/km_pub.pem $(BG_PROV) $(CBNT_CFG) printf " BG_PROV creating unsigned KM using config file\n" $(BG_PROV) km-gen $@ $< --config=$(CBNT_CFG) +else +PK_HASH_ALG_SHA256:=11 # Hardcode as no other options are available for CBnT +$(obj)/km_unsigned.bin: $(obj)/km_pub.pem $(obj)/bpm_pub.pem $(BG_PROV) + printf " BG_PROV creating unsigned KM\n" + $(BG_PROV) km-gen $@ $< --revision=$(CONFIG_INTEL_CBNT_KM_REVISION) \ + --svn=$(CONFIG_INTEL_CBNT_KM_SVN) \ + --id=$(CONFIG_INTEL_CBNT_KM_ID) \ + --pkhashalg=$(PK_HASH_ALG_SHA256) \ + --bpmpubkey=$(obj)/bpm_pub.pem \ + --bpmhashalgo=$(PK_HASH_ALG_SHA256) \ + --out=$(obj)/km_cfg.json +endif $(obj)/km.bin: $(obj)/km_unsigned.bin $(BG_PROV) $(call strip_quotes, $(CONFIG_INTEL_CBNT_KM_PRIV_KEY_FILE)) printf " BG_PROV signing KM\n" |