From 94fe086a067ad635246f40a339748182ef7b943e Mon Sep 17 00:00:00 2001
From: Arthur Heymans <arthur@aheymans.xyz>
Date: Thu, 15 Oct 2020 13:57:52 +0200
Subject: sec/intel/cbnt: Stitch in ACMs in the coreboot image

Actual support CBnT will be added later on.

Change-Id: Icc35c5e6c74d002efee43cc05ecc8023e00631e0
Signed-off-by: Arthur Heymans <arthur@aheymans.xyz>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/46456
Reviewed-by: Angel Pons <th3fanbus@gmail.com>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
---
 src/security/intel/cbnt/Kconfig      | 27 +++++++++++++++++++++++++++
 src/security/intel/cbnt/Makefile.inc | 25 +++++++++++++++++++++++++
 2 files changed, 52 insertions(+)
 create mode 100644 src/security/intel/cbnt/Kconfig
 create mode 100644 src/security/intel/cbnt/Makefile.inc

(limited to 'src/security/intel/cbnt')

diff --git a/src/security/intel/cbnt/Kconfig b/src/security/intel/cbnt/Kconfig
new file mode 100644
index 0000000000..f13f6ec59c
--- /dev/null
+++ b/src/security/intel/cbnt/Kconfig
@@ -0,0 +1,27 @@
+# SPDX-License-Identifier: GPL-2.0-only
+
+config INTEL_CBNT_SUPPORT
+	bool "Intel CBnT support"
+	default n
+	depends on CPU_INTEL_FIRMWARE_INTERFACE_TABLE
+	#depends on PLATFORM_HAS_DRAM_CLEAR
+	select INTEL_TXT
+	help
+	  Enables Intel Converged Bootguard and Trusted Execution Technology
+	  Support. This will enable one to add a Key Manifest (KM) and a Boot
+	  Policy Manifest (BPM) to the filesystem. It will also wrap a FIT around
+	  the firmware and update appropriate entries.
+
+if INTEL_CBNT_SUPPORT
+
+config INTEL_CBNT_KEY_MANIFEST_BINARY
+	string "KM (Key Manifest) binary location"
+	help
+	  Location of the Key Manifest (KM)
+
+config INTEL_CBNT_BOOT_POLICY_MANIFEST_BINARY
+	string "BPM (Boot Policy Manifest) binary location"
+	help
+	  Location of the Boot Policy Manifest (BPM)
+
+endif # INTEL_CBNT_SUPPORT
diff --git a/src/security/intel/cbnt/Makefile.inc b/src/security/intel/cbnt/Makefile.inc
new file mode 100644
index 0000000000..f2e5c76dba
--- /dev/null
+++ b/src/security/intel/cbnt/Makefile.inc
@@ -0,0 +1,25 @@
+ifeq ($(CONFIG_INTEL_CBNT_SUPPORT),y)
+
+ifneq ($(CONFIG_INTEL_CBNT_BOOT_POLICY_MANIFEST_BINARY),"")
+cbfs-files-y += boot_policy_manifest.bin
+boot_policy_manifest.bin-file := $(CONFIG_INTEL_CBNT_BOOT_POLICY_MANIFEST_BINARY)
+boot_policy_manifest.bin-type := raw
+boot_policy_manifest.bin-align := 0x10
+
+INTERMEDIATE+=add_bpm_fit
+add_bpm_fit: $(obj)/coreboot.pre $(IFITTOOL)
+	$(IFITTOOL) -r COREBOOT -a -n boot_policy_manifest.bin -t 12 -s $(CONFIG_CPU_INTEL_NUM_FIT_ENTRIES) -f $<
+endif
+
+ifneq ($(CONFIG_INTEL_CBNT_KEY_MANIFEST_BINARY),"")
+cbfs-files-y += key_manifest.bin
+key_manifest.bin-file := $(CONFIG_INTEL_CBNT_KEY_MANIFEST_BINARY)
+key_manifest.bin-type := raw
+key_manifest.bin-align := 0x10
+
+INTERMEDIATE+=add_km_fit
+add_km_fit: $(obj)/coreboot.pre $(IFITTOOL)
+	$(IFITTOOL) -r COREBOOT -a -n key_manifest.bin -t 11 -s $(CONFIG_CPU_INTEL_NUM_FIT_ENTRIES) -f $<
+endif
+
+endif # CONFIG_INTEL_CBNT_SUPPORT
-- 
cgit v1.2.3