diff options
Diffstat (limited to 'src')
-rw-r--r-- | src/cpu/intel/fit/Kconfig | 2 | ||||
-rw-r--r-- | src/security/intel/Kconfig | 1 | ||||
-rw-r--r-- | src/security/intel/Makefile.inc | 1 | ||||
-rw-r--r-- | src/security/intel/cbnt/Kconfig | 27 | ||||
-rw-r--r-- | src/security/intel/cbnt/Makefile.inc | 25 | ||||
-rw-r--r-- | src/security/intel/txt/Kconfig | 1 | ||||
-rw-r--r-- | src/security/intel/txt/Makefile.inc | 4 |
7 files changed, 60 insertions, 1 deletions
diff --git a/src/cpu/intel/fit/Kconfig b/src/cpu/intel/fit/Kconfig index fa10802926..9ea867e579 100644 --- a/src/cpu/intel/fit/Kconfig +++ b/src/cpu/intel/fit/Kconfig @@ -5,7 +5,7 @@ config CPU_INTEL_FIRMWARE_INTERFACE_TABLE config CPU_INTEL_NUM_FIT_ENTRIES int - default 16 if INTEL_TXT + default 16 if INTEL_TXT || INTEL_CBNT_SUPPORT default 4 depends on CPU_INTEL_FIRMWARE_INTERFACE_TABLE help diff --git a/src/security/intel/Kconfig b/src/security/intel/Kconfig index 9cdd8a6610..0609a45684 100644 --- a/src/security/intel/Kconfig +++ b/src/security/intel/Kconfig @@ -2,3 +2,4 @@ source "src/security/intel/txt/Kconfig" source "src/security/intel/stm/Kconfig" +source "src/security/intel/cbnt/Kconfig" diff --git a/src/security/intel/Makefile.inc b/src/security/intel/Makefile.inc index e00802ad06..20aea273e0 100644 --- a/src/security/intel/Makefile.inc +++ b/src/security/intel/Makefile.inc @@ -1,2 +1,3 @@ subdirs-y += txt subdirs-y += stm +subdirs-y += cbnt diff --git a/src/security/intel/cbnt/Kconfig b/src/security/intel/cbnt/Kconfig new file mode 100644 index 0000000000..f13f6ec59c --- /dev/null +++ b/src/security/intel/cbnt/Kconfig @@ -0,0 +1,27 @@ +# SPDX-License-Identifier: GPL-2.0-only + +config INTEL_CBNT_SUPPORT + bool "Intel CBnT support" + default n + depends on CPU_INTEL_FIRMWARE_INTERFACE_TABLE + #depends on PLATFORM_HAS_DRAM_CLEAR + select INTEL_TXT + help + Enables Intel Converged Bootguard and Trusted Execution Technology + Support. This will enable one to add a Key Manifest (KM) and a Boot + Policy Manifest (BPM) to the filesystem. It will also wrap a FIT around + the firmware and update appropriate entries. + +if INTEL_CBNT_SUPPORT + +config INTEL_CBNT_KEY_MANIFEST_BINARY + string "KM (Key Manifest) binary location" + help + Location of the Key Manifest (KM) + +config INTEL_CBNT_BOOT_POLICY_MANIFEST_BINARY + string "BPM (Boot Policy Manifest) binary location" + help + Location of the Boot Policy Manifest (BPM) + +endif # INTEL_CBNT_SUPPORT diff --git a/src/security/intel/cbnt/Makefile.inc b/src/security/intel/cbnt/Makefile.inc new file mode 100644 index 0000000000..f2e5c76dba --- /dev/null +++ b/src/security/intel/cbnt/Makefile.inc @@ -0,0 +1,25 @@ +ifeq ($(CONFIG_INTEL_CBNT_SUPPORT),y) + +ifneq ($(CONFIG_INTEL_CBNT_BOOT_POLICY_MANIFEST_BINARY),"") +cbfs-files-y += boot_policy_manifest.bin +boot_policy_manifest.bin-file := $(CONFIG_INTEL_CBNT_BOOT_POLICY_MANIFEST_BINARY) +boot_policy_manifest.bin-type := raw +boot_policy_manifest.bin-align := 0x10 + +INTERMEDIATE+=add_bpm_fit +add_bpm_fit: $(obj)/coreboot.pre $(IFITTOOL) + $(IFITTOOL) -r COREBOOT -a -n boot_policy_manifest.bin -t 12 -s $(CONFIG_CPU_INTEL_NUM_FIT_ENTRIES) -f $< +endif + +ifneq ($(CONFIG_INTEL_CBNT_KEY_MANIFEST_BINARY),"") +cbfs-files-y += key_manifest.bin +key_manifest.bin-file := $(CONFIG_INTEL_CBNT_KEY_MANIFEST_BINARY) +key_manifest.bin-type := raw +key_manifest.bin-align := 0x10 + +INTERMEDIATE+=add_km_fit +add_km_fit: $(obj)/coreboot.pre $(IFITTOOL) + $(IFITTOOL) -r COREBOOT -a -n key_manifest.bin -t 11 -s $(CONFIG_CPU_INTEL_NUM_FIT_ENTRIES) -f $< +endif + +endif # CONFIG_INTEL_CBNT_SUPPORT diff --git a/src/security/intel/txt/Kconfig b/src/security/intel/txt/Kconfig index 80be7c29e9..f9e4bc4bf4 100644 --- a/src/security/intel/txt/Kconfig +++ b/src/security/intel/txt/Kconfig @@ -52,6 +52,7 @@ config INTEL_TXT_LOGGING config INTEL_TXT_BIOSACM_ALIGNMENT hex + default 0x40000 if INTEL_CBNT_SUPPORT default 0x20000 # 128 KiB help Exceptions are Ivy and Sandy Bridge with 64 KiB and Purley with 256 KiB diff --git a/src/security/intel/txt/Makefile.inc b/src/security/intel/txt/Makefile.inc index eab47b95f9..77a5f69f2a 100644 --- a/src/security/intel/txt/Makefile.inc +++ b/src/security/intel/txt/Makefile.inc @@ -33,6 +33,8 @@ add_acm_fit: $(obj)/coreboot.pre $(IFITTOOL) $(IFITTOOL) -r COREBOOT -a -n $(CONFIG_INTEL_TXT_CBFS_BIOS_ACM) -t 2 \ -s $(CONFIG_CPU_INTEL_NUM_FIT_ENTRIES) -f $< +# CBnT does not use FIT for IBB +ifneq ($(CONFIG_INTEL_CBNT_SUPPORT),y) # Initial BootBlock files ibb-files := $(foreach file,$(cbfs-files), \ $(if $(shell echo '$(call extract_nth,7,$(file))'|grep -- --ibb), \ @@ -45,6 +47,8 @@ add_ibb_fit: $(obj)/coreboot.pre $(IFITTOOL) $(foreach file, $(ibb-files), $(shell $(IFITTOOL) -f $< -a -n $(file) -t 7 \ -s $(CONFIG_CPU_INTEL_NUM_FIT_ENTRIES) -r COREBOOT)) true +endif # INTEL_CBNT_SUPPORT + endif # CPU_INTEL_FIRMWARE_INTERFACE_TABLE endif # INTEL_TXT |