# SPDX-License-Identifier: GPL-2.0-only config INTEL_CBNT_SUPPORT bool "Intel CBnT support" default n depends on CPU_INTEL_FIRMWARE_INTERFACE_TABLE #depends on PLATFORM_HAS_DRAM_CLEAR select INTEL_TXT # With CBnT the bootblock is set up as a CBnT IBB and needs a fixed size select FIXED_BOOTBLOCK_SIZE help Enables Intel Converged Bootguard and Trusted Execution Technology Support. This will enable one to add a Key Manifest (KM) and a Boot Policy Manifest (BPM) to the filesystem. It will also wrap a FIT around the firmware and update appropriate entries. if INTEL_CBNT_SUPPORT config INTEL_CBNT_GENERATE_KM bool "Generate Key Manifest (KM)" default y select INTEL_CBNT_NEED_KM_PUB_KEY select INTEL_CBNT_NEED_KM_PRIV_KEY select INTEL_CBNT_NEED_BPM_PUB_KEY if !INTEL_CBNT_BG_PROV_KM_USE_CFG_FILE help Select y to generate the Key Manifest (KM). Select n to include a KM binary. config INTEL_CBNT_BG_PROV_KM_USE_CFG_FILE bool "KM: use a CBnT json config file" depends on INTEL_CBNT_GENERATE_KM default y help Select y to generate KM from a json config file. Select n to generate KM from Kconfig options config INTEL_CBNT_BG_PROV_CFG_FILE string "CBnT json config file" depends on INTEL_CBNT_BG_PROV_KM_USE_CFG_FILE help Location of the bg-prov json config file. Either get a sample JSON config file: $ bg-prov template Or extract it from a working configuration: $ bg-prov read-config config INTEL_CBNT_NEED_KM_PUB_KEY bool config INTEL_CBNT_NEED_KM_PRIV_KEY bool config INTEL_CBNT_KM_PUB_KEY_FILE string "Key manifest (KM) public key" depends on INTEL_CBNT_NEED_KM_PUB_KEY && !INTEL_CBNT_NEED_KM_PRIV_KEY help Location of the key manifest (KM) public key file in .pem format. config INTEL_CBNT_KM_PRIV_KEY_FILE string "Key manifest (KM) private key" depends on INTEL_CBNT_NEED_KM_PRIV_KEY help Location of the key manifest (KM) private key file in .pem format. config INTEL_CBNT_NEED_BPM_PUB_KEY bool config INTEL_CBNT_NEED_BPM_PRIV_KEY bool config INTEL_CBNT_BPM_PUB_KEY_FILE string "Boot policy manifest (BPM) public key" depends on INTEL_CBNT_NEED_BPM_PUB_KEY && !INTEL_CBNT_NEED_BPM_PRIV_KEY help Location of the boot policy manifest (BPM) public key file in .pem format. config INTEL_CBNT_BPM_PRIV_KEY_FILE string "Boot policy manifest (BPM) private key" depends on INTEL_CBNT_NEED_BPM_PRIV_KEY help Location of the boot policy manifest (BPM) private key file in .pem format. if !INTEL_CBNT_BG_PROV_KM_USE_CFG_FILE && INTEL_CBNT_GENERATE_KM menu "KM options" config INTEL_CBNT_KM_REVISION int "KM revision" default 1 help Version of the Key Manifest defined by the Platform Manufacturer. The actual value is transparent to Boot Guard and is not processed by Boot Guard. config INTEL_CBNT_KM_SVN int "KM security Version Number" range 0 15 default 0 help This value is determined by the Platform Manufacturer. Boot Guard uses this to compare it to the Key Manifest Revocation Value (Revocation.KMSVN) in FPF. If KMSVN < Revocation.KMSVN, the KM will be revoked. It will trigger ENF (the enforcement policy). IF KMSVN > Revocation.KMSVN, the Revocation.KMSVN will be set to the KMSVN. Note: Once the value reaches 0Fh, revocation saturates and one can no longer revoke newer KMs. config INTEL_CBNT_KM_ID int "KM ID" default 1 help This identifies the Key Manifest to be used for a platform. This must match the Key Manifest Identifier programmed in the field programmable fuses. endmenu endif # !INTEL_CBNT_BG_PROV_KM_USE_CFG_FILE config INTEL_CBNT_KEY_MANIFEST_BINARY string "KM (Key Manifest) binary location" depends on !INTEL_CBNT_GENERATE_KM help Location of the Key Manifest (KM) config INTEL_CBNT_BOOT_POLICY_MANIFEST_BINARY string "BPM (Boot Policy Manifest) binary location" help Location of the Boot Policy Manifest (BPM) config INTEL_CBNT_CMOS_OFFSET hex default 0x7e help Address in RTC CMOS used by CBNT. Uses 2 bytes. If using an option table adapt the cmos.layout accordingly. The bytes should not be checksummed. endif # INTEL_CBNT_SUPPORT