From 5fffb5e30d0d0caa5bd3256fdce3f337bbef1d0f Mon Sep 17 00:00:00 2001 From: Patrick Rudolph Date: Thu, 25 Jul 2019 11:55:30 +0200 Subject: security/intel: Add TXT infrastructure * Add Kconfig to enable TXT * Add possibility to add BIOS and SINIT ACMs * Set default BIOS ACM alignment * Increase FIT space if TXT is enabled The following commits depend on the basic Kconfig infrastructure. Intel TXT isn't supported until all following commits are merged. Change-Id: I5f0f956d2b7ba43d4e7e0062803c6d8ba569a052 Signed-off-by: Patrick Rudolph Reviewed-on: https://review.coreboot.org/c/coreboot/+/34585 Tested-by: build bot (Jenkins) Reviewed-by: David Hendricks --- src/security/intel/txt/Kconfig | 54 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 54 insertions(+) create mode 100644 src/security/intel/txt/Kconfig (limited to 'src/security/intel/txt/Kconfig') diff --git a/src/security/intel/txt/Kconfig b/src/security/intel/txt/Kconfig new file mode 100644 index 0000000000..011a41cdc3 --- /dev/null +++ b/src/security/intel/txt/Kconfig @@ -0,0 +1,54 @@ +## This file is part of the coreboot project. +## +## Copyright (C) 2019 9elements Agency GmbH +## Copyright (C) 2019 Facebook Inc. +## +## This program is free software; you can redistribute it and/or modify +## it under the terms of the GNU General Public License as published by +## the Free Software Foundation; version 2 of the License. +## +## This program is distributed in the hope that it will be useful, +## but WITHOUT ANY WARRANTY; without even the implied warranty of +## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +## GNU General Public License for more details. +## + +config INTEL_TXT + bool "Intel TXT support" + default n + select MRC_SETTINGS_PROTECT if CACHE_MRC_SETTINGS + select ENABLE_VMX if CPU_INTEL_COMMON + select AP_IN_SIPI_WAIT + depends on (TPM1 || TPM2) + depends on CPU_INTEL_FIRMWARE_INTERFACE_TABLE + depends on PLATFORM_HAS_DRAM_CLEAR + depends on SOC_INTEL_FSP_BROADWELL_DE || SOC_INTEL_COMMON_BLOCK_SA + +if INTEL_TXT + +config INTEL_TXT_BIOSACM_FILE + string "BIOS ACM file" + default "3rdparty/blobs/soc/intel/fsp_broadwell_de/biosacm.bin" if SOC_INTEL_FSP_BROADWELL_DE + default "3rdparty/blobs/soc/intel/skylake/biosacm.bin" if SOC_INTEL_COMMON_SKYLAKE_BASE + help + Intel TXT BIOS ACM file. This file can be obtained by privileged + access to Intel resources. Or for some platforms found inside the + blob repository. + +config INTEL_TXT_SINITACM_FILE + string "SINIT ACM file" + default "3rdparty/blobs/soc/intel/fsp_broadwell_de/sinitacm.bin" if SOC_INTEL_FSP_BROADWELL_DE + default "3rdparty/blobs/soc/intel/skylake/sinitacm.bin" if SOC_INTEL_COMMON_SKYLAKE_BASE + help + Intel TXT SINIT ACM file. This file can be obtained by privileged + access to Intel resources. Or for some platforms found inside the + blob repository. + +config INTEL_TXT_BIOSACM_ALIGNMENT + hex + default 0x20000 # 128KB + help + Exceptions are Ivy- and Sandy Bridge with 64KB and Purely with 256KB + alignment size. Please overwrite it SoC specific. + +endif -- cgit v1.2.3