From 0514324724b9f5d224f561ad7023782d691054e0 Mon Sep 17 00:00:00 2001
From: Arthur Heymans <arthur@aheymans.xyz>
Date: Mon, 8 Feb 2021 19:41:23 +0100
Subject: security/intel/cbnt: Generate KM from Kconfig symbols

Add an option to generate the Key Manifest from Kconfig options.

Change-Id: I3a448f37c81148625c7879dcb64da4d517567067
Signed-off-by: Arthur Heymans <arthur@aheymans.xyz>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/50410
Reviewed-by: Christian Walter <christian.walter@9elements.com>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
---
 src/security/intel/cbnt/Kconfig | 50 ++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 49 insertions(+), 1 deletion(-)

(limited to 'src/security/intel/cbnt/Kconfig')

diff --git a/src/security/intel/cbnt/Kconfig b/src/security/intel/cbnt/Kconfig
index 8c4d999043..0f4c2167c9 100644
--- a/src/security/intel/cbnt/Kconfig
+++ b/src/security/intel/cbnt/Kconfig
@@ -21,13 +21,22 @@ config INTEL_CBNT_GENERATE_KM
 	default y
 	select INTEL_CBNT_NEED_KM_PUB_KEY
 	select INTEL_CBNT_NEED_KM_PRIV_KEY
+	select INTEL_CBNT_NEED_BPM_PUB_KEY if !INTEL_CBNT_BG_PROV_KM_USE_CFG_FILE
 	help
 	  Select y to generate the Key Manifest (KM).
 	  Select n to include a KM binary.
 
+config INTEL_CBNT_BG_PROV_KM_USE_CFG_FILE
+	bool "KM: use a CBnT json config file"
+	depends on INTEL_CBNT_GENERATE_KM
+	default y
+	help
+	  Select y to generate KM from a json config file.
+	  Select n to generate KM from Kconfig options
+
 config INTEL_CBNT_BG_PROV_CFG_FILE
 	string "CBnT json config file"
-	depends on INTEL_CBNT_GENERATE_KM
+	depends on INTEL_CBNT_BG_PROV_KM_USE_CFG_FILE
 	help
 	  Location of the bg-prov json config file.
 	  Either get a sample JSON config file:
@@ -71,6 +80,45 @@ config INTEL_CBNT_BPM_PRIV_KEY_FILE
 	help
 	  Location of the boot policy manifest (BPM) private key file in .pem format.
 
+if !INTEL_CBNT_BG_PROV_KM_USE_CFG_FILE && INTEL_CBNT_GENERATE_KM
+
+menu "KM options"
+
+config INTEL_CBNT_KM_REVISION
+	int "KM revision"
+	default 1
+	help
+	  Version of the Key Manifest defined by the Platform Manufacturer.
+	  The actual value is transparent to Boot Guard and is not processed by Boot Guard.
+
+config INTEL_CBNT_KM_SVN
+	int "KM security Version Number"
+	range 0 15
+	default 0
+	help
+	  This value is determined by the Platform Manufacturer.
+	  Boot Guard uses this to compare it to the Key Manifest
+	  Revocation Value (Revocation.KMSVN) in FPF.
+
+	  If KMSVN < Revocation.KMSVN, the KM will be revoked. It will trigger ENF (the
+	  enforcement policy).
+	  IF KMSVN > Revocation.KMSVN, the Revocation.KMSVN will be set to the KMSVN.
+
+	  Note: Once the value reaches 0Fh, revocation saturates and one can no longer
+	  revoke newer KMs.
+
+config INTEL_CBNT_KM_ID
+	int "KM ID"
+	default 1
+	help
+	  This identifies the Key Manifest to be used for a platform.
+	  This must match the Key Manifest Identifier programmed in
+	  the field programmable fuses.
+
+endmenu
+
+endif # !INTEL_CBNT_BG_PROV_KM_USE_CFG_FILE
+
 config INTEL_CBNT_KEY_MANIFEST_BINARY
 	string "KM (Key Manifest) binary location"
 	depends on !INTEL_CBNT_GENERATE_KM
-- 
cgit v1.2.3