# SPDX-License-Identifier: GPL-2.0-only config INTEL_CBNT_SUPPORT bool "Intel CBnT support" default n depends on CPU_INTEL_FIRMWARE_INTERFACE_TABLE #depends on PLATFORM_HAS_DRAM_CLEAR select INTEL_TXT # With CBnT the bootblock is set up as a CBnT IBB and needs a fixed size select FIXED_BOOTBLOCK_SIZE help Enables Intel Converged Bootguard and Trusted Execution Technology Support. This will enable one to add a Key Manifest (KM) and a Boot Policy Manifest (BPM) to the filesystem. It will also wrap a FIT around the firmware and update appropriate entries. if INTEL_CBNT_SUPPORT config INTEL_CBNT_GENERATE_KM bool "Generate Key Manifest (KM)" default y select INTEL_CBNT_NEED_KM_PUB_KEY select INTEL_CBNT_NEED_KM_PRIV_KEY if !INTEL_CBNT_KM_ONLY_UNSIGNED select INTEL_CBNT_NEED_BPM_PUB_KEY if !INTEL_CBNT_BG_PROV_KM_USE_CFG_FILE help Select y to generate the Key Manifest (KM). Select n to include a KM binary. config INTEL_CBNT_KM_ONLY_UNSIGNED bool "Only unsigned key manifest (KM)" depends on INTEL_CBNT_GENERATE_KM help Skip signing the KM. The resulting unsigned KM will be placed at build/km_unsigned.bin. The resulting coreboot image will not be functional with CBnT. After the unsigned KM is signed externally you can either rebuild coreboot using that binary or add it to cbfs and fit: "$ cbfstool build/coreboot.rom add -f km.bin -n key_manifest.bin -t raw -a 16" "$ ifittool -r COREBOOT -a -n key_manifest.bin -t 11 -s 12 -f build/coreboot.rom" '-s 12' where 12 is CONFIG_CPU_INTEL_NUM_FIT_ENTRIES. config INTEL_CBNT_BG_PROV_KM_USE_CFG_FILE bool "KM: use a CBnT json config file" depends on INTEL_CBNT_GENERATE_KM default y help Select y to generate KM from a json config file. Select n to generate KM from Kconfig options config INTEL_CBNT_GENERATE_BPM bool "Generate Boot Policy Manifest (BPM)" default y select INTEL_CBNT_NEED_BPM_PRIV_KEY if !INTEL_CBNT_BPM_ONLY_UNSIGNED help Select y to generate the Boot Policy Manifest (BPM). Select n to include a BPM binary. config INTEL_CBNT_BPM_ONLY_UNSIGNED bool "Only unsigned boot policy manifest (BPM)" depends on INTEL_CBNT_GENERATE_BPM help Skip signing the BPM. The resulting unsigned BPM will be placed at build/bpm_unsigned.bin. The resulting coreboot image will not be functional with CBnT. After the unsigned BPM is signed externally you can add it to cbfs and fit: "$ cbfstool build/coreboot.rom add -f bpm.bin -n boot_policy_manifest.bin -t raw -a 16" "$ ifittool -r COREBOOT -a -n boot_policy_manifest.bin -t 12 -s 12 -f build/coreboot.rom" '-s 12' where 12 is CONFIG_CPU_INTEL_NUM_FIT_ENTRIES. config INTEL_CBNT_BG_PROV_BPM_USE_CFG_FILE bool "BPM: use a CBnT json config file" depends on INTEL_CBNT_GENERATE_BPM default y help Select y to generate BPM from a json config file. Select n to generate BPM from Kconfig options config INTEL_CBNT_BG_PROV_CFG_FILE string "CBnT json config file" depends on INTEL_CBNT_BG_PROV_KM_USE_CFG_FILE || INTEL_CBNT_BG_PROV_BPM_USE_CFG_FILE help Location of the bg-prov json config file. Either get a sample JSON config file: $ bg-prov template Or extract it from a working configuration: $ bg-prov read-config config INTEL_CBNT_NEED_KM_PUB_KEY bool config INTEL_CBNT_NEED_KM_PRIV_KEY bool config INTEL_CBNT_KM_PUB_KEY_FILE string "Key manifest (KM) public key" depends on INTEL_CBNT_NEED_KM_PUB_KEY && !INTEL_CBNT_NEED_KM_PRIV_KEY help Location of the key manifest (KM) public key file in .pem format. config INTEL_CBNT_KM_PRIV_KEY_FILE string "Key manifest (KM) private key" depends on INTEL_CBNT_NEED_KM_PRIV_KEY help Location of the key manifest (KM) private key file in .pem format. config INTEL_CBNT_NEED_BPM_PUB_KEY bool config INTEL_CBNT_NEED_BPM_PRIV_KEY bool config INTEL_CBNT_BPM_PUB_KEY_FILE string "Boot policy manifest (BPM) public key" depends on INTEL_CBNT_NEED_BPM_PUB_KEY && !INTEL_CBNT_NEED_BPM_PRIV_KEY help Location of the boot policy manifest (BPM) public key file in .pem format. config INTEL_CBNT_BPM_PRIV_KEY_FILE string "Boot policy manifest (BPM) private key" depends on INTEL_CBNT_NEED_BPM_PRIV_KEY help Location of the boot policy manifest (BPM) private key file in .pem format. if !INTEL_CBNT_BG_PROV_KM_USE_CFG_FILE && INTEL_CBNT_GENERATE_KM menu "KM options" config INTEL_CBNT_KM_REVISION int "KM revision" default 1 help Version of the Key Manifest defined by the Platform Manufacturer. The actual value is transparent to Boot Guard and is not processed by Boot Guard. config INTEL_CBNT_KM_SVN int "KM security Version Number" range 0 15 default 0 help This value is determined by the Platform Manufacturer. Boot Guard uses this to compare it to the Key Manifest Revocation Value (Revocation.KMSVN) in FPF. If KMSVN < Revocation.KMSVN, the KM will be revoked. It will trigger ENF (the enforcement policy). IF KMSVN > Revocation.KMSVN, the Revocation.KMSVN will be set to the KMSVN. Note: Once the value reaches 0Fh, revocation saturates and one can no longer revoke newer KMs. config INTEL_CBNT_KM_ID int "KM ID" default 1 help This identifies the Key Manifest to be used for a platform. This must match the Key Manifest Identifier programmed in the field programmable fuses. endmenu endif # !INTEL_CBNT_BG_PROV_KM_USE_CFG_FILE if !INTEL_CBNT_BG_PROV_BPM_USE_CFG_FILE && INTEL_CBNT_GENERATE_BPM menu "BPM options" config INTEL_CBNT_BPM_REVISION int "BPM revision" default 1 help Version of the Key Manifest defined by the Platform Manufacturer. The actual value is transparent to Boot Guard and is not processed by Boot Guard. config INTEL_CBNT_BPM_SVN int "BPM Security Version Number" default 0 help This value is determined by the Platform Manufacturer. config INTEL_CBNT_ACM_SVN int "S-ACM Security Version Number" default 2 help This defines the minimum version the S-ACM must have. config INTEL_CBNT_NUM_NEM_PAGES int default 32 help Set the amount of 4K pages of CAR required. config INTEL_CBNT_PBET int "PBET value in s" default 15 help Protect BIOS Environment Timer (PBET) value. Factor used by CSE to compute PBE timer value. Actual PBE timer value is set by CSE using formula: PBE timer value = 5 sec + PBETValue. config INTEL_CBNT_IBB_FLAGS int "IBB flags" default 7 help IBB Control flags. 3: Don't extend PCR 0 7: extend PCR 7 config INTEL_CBNT_SINIT_SVN int "SINIT ACM security version number" default 0 help Minimum required version for the SINIT ACM. config INTEL_CBNT_PD_INTERVAL int default 60 help Duration of Power Down in 5 sec increments. endmenu endif # !INTEL_CBNT_BG_PROV_BPM_USE_CFG_FILE config INTEL_CBNT_KEY_MANIFEST_BINARY string "KM (Key Manifest) binary location" depends on !INTEL_CBNT_GENERATE_KM help Location of the Key Manifest (KM) config INTEL_CBNT_BOOT_POLICY_MANIFEST_BINARY string "BPM (Boot Policy Manifest) binary location" depends on !INTEL_CBNT_GENERATE_BPM help Location of the Boot Policy Manifest (BPM) config INTEL_CBNT_CMOS_OFFSET hex default 0x7e help Address in RTC CMOS used by CBNT. Uses 2 bytes. If using an option table adapt the cmos.layout accordingly. The bytes should not be checksummed. endif # INTEL_CBNT_SUPPORT