From 94fe086a067ad635246f40a339748182ef7b943e Mon Sep 17 00:00:00 2001 From: Arthur Heymans Date: Thu, 15 Oct 2020 13:57:52 +0200 Subject: sec/intel/cbnt: Stitch in ACMs in the coreboot image Actual support CBnT will be added later on. Change-Id: Icc35c5e6c74d002efee43cc05ecc8023e00631e0 Signed-off-by: Arthur Heymans Reviewed-on: https://review.coreboot.org/c/coreboot/+/46456 Reviewed-by: Angel Pons Tested-by: build bot (Jenkins) --- src/security/intel/cbnt/Kconfig | 27 +++++++++++++++++++++++++++ src/security/intel/cbnt/Makefile.inc | 25 +++++++++++++++++++++++++ 2 files changed, 52 insertions(+) create mode 100644 src/security/intel/cbnt/Kconfig create mode 100644 src/security/intel/cbnt/Makefile.inc (limited to 'src/security/intel/cbnt') diff --git a/src/security/intel/cbnt/Kconfig b/src/security/intel/cbnt/Kconfig new file mode 100644 index 0000000000..f13f6ec59c --- /dev/null +++ b/src/security/intel/cbnt/Kconfig @@ -0,0 +1,27 @@ +# SPDX-License-Identifier: GPL-2.0-only + +config INTEL_CBNT_SUPPORT + bool "Intel CBnT support" + default n + depends on CPU_INTEL_FIRMWARE_INTERFACE_TABLE + #depends on PLATFORM_HAS_DRAM_CLEAR + select INTEL_TXT + help + Enables Intel Converged Bootguard and Trusted Execution Technology + Support. This will enable one to add a Key Manifest (KM) and a Boot + Policy Manifest (BPM) to the filesystem. It will also wrap a FIT around + the firmware and update appropriate entries. + +if INTEL_CBNT_SUPPORT + +config INTEL_CBNT_KEY_MANIFEST_BINARY + string "KM (Key Manifest) binary location" + help + Location of the Key Manifest (KM) + +config INTEL_CBNT_BOOT_POLICY_MANIFEST_BINARY + string "BPM (Boot Policy Manifest) binary location" + help + Location of the Boot Policy Manifest (BPM) + +endif # INTEL_CBNT_SUPPORT diff --git a/src/security/intel/cbnt/Makefile.inc b/src/security/intel/cbnt/Makefile.inc new file mode 100644 index 0000000000..f2e5c76dba --- /dev/null +++ b/src/security/intel/cbnt/Makefile.inc @@ -0,0 +1,25 @@ +ifeq ($(CONFIG_INTEL_CBNT_SUPPORT),y) + +ifneq ($(CONFIG_INTEL_CBNT_BOOT_POLICY_MANIFEST_BINARY),"") +cbfs-files-y += boot_policy_manifest.bin +boot_policy_manifest.bin-file := $(CONFIG_INTEL_CBNT_BOOT_POLICY_MANIFEST_BINARY) +boot_policy_manifest.bin-type := raw +boot_policy_manifest.bin-align := 0x10 + +INTERMEDIATE+=add_bpm_fit +add_bpm_fit: $(obj)/coreboot.pre $(IFITTOOL) + $(IFITTOOL) -r COREBOOT -a -n boot_policy_manifest.bin -t 12 -s $(CONFIG_CPU_INTEL_NUM_FIT_ENTRIES) -f $< +endif + +ifneq ($(CONFIG_INTEL_CBNT_KEY_MANIFEST_BINARY),"") +cbfs-files-y += key_manifest.bin +key_manifest.bin-file := $(CONFIG_INTEL_CBNT_KEY_MANIFEST_BINARY) +key_manifest.bin-type := raw +key_manifest.bin-align := 0x10 + +INTERMEDIATE+=add_km_fit +add_km_fit: $(obj)/coreboot.pre $(IFITTOOL) + $(IFITTOOL) -r COREBOOT -a -n key_manifest.bin -t 11 -s $(CONFIG_CPU_INTEL_NUM_FIT_ENTRIES) -f $< +endif + +endif # CONFIG_INTEL_CBNT_SUPPORT -- cgit v1.2.3