# SPDX-License-Identifier: GPL-2.0-only

config INTEL_CBNT_SUPPORT
	bool "Intel CBnT support"
	default n
	depends on CPU_INTEL_FIRMWARE_INTERFACE_TABLE
	#depends on PLATFORM_HAS_DRAM_CLEAR
	select INTEL_TXT
	# With CBnT the bootblock is set up as a CBnT IBB and needs a fixed size
	select FIXED_BOOTBLOCK_SIZE
	help
	  Enables Intel Converged Bootguard and Trusted Execution Technology
	  Support. This will enable one to add a Key Manifest (KM) and a Boot
	  Policy Manifest (BPM) to the filesystem. It will also wrap a FIT around
	  the firmware and update appropriate entries.

if INTEL_CBNT_SUPPORT

config INTEL_CBNT_GENERATE_KM
	bool "Generate Key Manifest (KM)"
	default y
	select INTEL_CBNT_NEED_KM_PUB_KEY
	select INTEL_CBNT_NEED_KM_PRIV_KEY if !INTEL_CBNT_KM_ONLY_UNSIGNED
	select INTEL_CBNT_NEED_BPM_PUB_KEY if !INTEL_CBNT_BG_PROV_KM_USE_CFG_FILE
	help
	  Select y to generate the Key Manifest (KM).
	  Select n to include a KM binary.

config INTEL_CBNT_KM_ONLY_UNSIGNED
	bool "Only unsigned key manifest (KM)"
	depends on INTEL_CBNT_GENERATE_KM
	help
	  Skip signing the KM.
	  The resulting unsigned KM will be placed at build/km_unsigned.bin.
	  The resulting coreboot image will not be functional with CBnT.
	  After the unsigned KM is signed externally you can either rebuild
	  coreboot using that binary or add it to cbfs and fit:
	  "$ cbfstool build/coreboot.rom add -f km.bin -n key_manifest.bin -t raw -a 16"
	  "$ ifittool -r COREBOOT -a -n key_manifest.bin -t 11 -s 12 -f build/coreboot.rom"
	  '-s 12' where 12 is CONFIG_CPU_INTEL_NUM_FIT_ENTRIES.

config INTEL_CBNT_BG_PROV_KM_USE_CFG_FILE
	bool "KM: use a CBnT json config file"
	depends on INTEL_CBNT_GENERATE_KM
	default y
	help
	  Select y to generate KM from a json config file.
	  Select n to generate KM from Kconfig options

config INTEL_CBNT_GENERATE_BPM
	bool "Generate Boot Policy Manifest (BPM)"
	default y
	select INTEL_CBNT_NEED_BPM_PRIV_KEY if !INTEL_CBNT_BPM_ONLY_UNSIGNED
	help
	  Select y to generate the Boot Policy Manifest (BPM).
	  Select n to include a BPM binary.

config INTEL_CBNT_BPM_ONLY_UNSIGNED
	bool "Only unsigned boot policy manifest (BPM)"
	depends on INTEL_CBNT_GENERATE_BPM
	help
	  Skip signing the BPM.
	  The resulting unsigned BPM will be placed at build/bpm_unsigned.bin.
	  The resulting coreboot image will not be functional with CBnT.
	  After the unsigned BPM is signed externally you can add it to cbfs
	  and fit:
	  "$ cbfstool build/coreboot.rom add -f bpm.bin -n boot_policy_manifest.bin -t raw -a 16"
	  "$ ifittool -r COREBOOT -a -n boot_policy_manifest.bin -t 12 -s 12 -f build/coreboot.rom"
	  '-s 12' where 12 is CONFIG_CPU_INTEL_NUM_FIT_ENTRIES.

config INTEL_CBNT_BG_PROV_CFG_FILE
	string "CBnT json config file"
	depends on INTEL_CBNT_BG_PROV_KM_USE_CFG_FILE || INTEL_CBNT_GENERATE_BPM
	help
	  Location of the bg-prov json config file.
	  Either get a sample JSON config file:
	  $ bg-prov template
	  Or extract it from a working configuration:
	  $ bg-prov read-config

config INTEL_CBNT_NEED_KM_PUB_KEY
	bool

config INTEL_CBNT_NEED_KM_PRIV_KEY
	bool

config INTEL_CBNT_KM_PUB_KEY_FILE
	string "Key manifest (KM) public key"
	depends on INTEL_CBNT_NEED_KM_PUB_KEY && !INTEL_CBNT_NEED_KM_PRIV_KEY
	help
	  Location of the key manifest (KM) public key file in .pem format.

config INTEL_CBNT_KM_PRIV_KEY_FILE
	string "Key manifest (KM) private key"
	depends on INTEL_CBNT_NEED_KM_PRIV_KEY
	help
	  Location of the key manifest (KM) private key file in .pem format.

config INTEL_CBNT_NEED_BPM_PUB_KEY
	bool

config INTEL_CBNT_NEED_BPM_PRIV_KEY
	bool

config INTEL_CBNT_BPM_PUB_KEY_FILE
	string "Boot policy manifest (BPM) public key"
	depends on INTEL_CBNT_NEED_BPM_PUB_KEY && !INTEL_CBNT_NEED_BPM_PRIV_KEY
	help
	  Location of the boot policy manifest (BPM) public key file in .pem format.

config INTEL_CBNT_BPM_PRIV_KEY_FILE
	string "Boot policy manifest (BPM) private key"
	depends on INTEL_CBNT_NEED_BPM_PRIV_KEY
	help
	  Location of the boot policy manifest (BPM) private key file in .pem format.

if !INTEL_CBNT_BG_PROV_KM_USE_CFG_FILE && INTEL_CBNT_GENERATE_KM

menu "KM options"

config INTEL_CBNT_KM_REVISION
	int "KM revision"
	default 1
	help
	  Version of the Key Manifest defined by the Platform Manufacturer.
	  The actual value is transparent to Boot Guard and is not processed by Boot Guard.

config INTEL_CBNT_KM_SVN
	int "KM security Version Number"
	range 0 15
	default 0
	help
	  This value is determined by the Platform Manufacturer.
	  Boot Guard uses this to compare it to the Key Manifest
	  Revocation Value (Revocation.KMSVN) in FPF.

	  If KMSVN < Revocation.KMSVN, the KM will be revoked. It will trigger ENF (the
	  enforcement policy).
	  IF KMSVN > Revocation.KMSVN, the Revocation.KMSVN will be set to the KMSVN.

	  Note: Once the value reaches 0Fh, revocation saturates and one can no longer
	  revoke newer KMs.

config INTEL_CBNT_KM_ID
	int "KM ID"
	default 1
	help
	  This identifies the Key Manifest to be used for a platform.
	  This must match the Key Manifest Identifier programmed in
	  the field programmable fuses.

endmenu

endif # !INTEL_CBNT_BG_PROV_KM_USE_CFG_FILE

config INTEL_CBNT_KEY_MANIFEST_BINARY
	string "KM (Key Manifest) binary location"
	depends on !INTEL_CBNT_GENERATE_KM
	help
	  Location of the Key Manifest (KM)

config INTEL_CBNT_BOOT_POLICY_MANIFEST_BINARY
	string "BPM (Boot Policy Manifest) binary location"
	depends on !INTEL_CBNT_GENERATE_BPM
	help
	  Location of the Boot Policy Manifest (BPM)

config INTEL_CBNT_CMOS_OFFSET
	hex
	default 0x7e
	help
	  Address in RTC CMOS used by CBNT. Uses 2 bytes. If using an option table
	  adapt the cmos.layout accordingly. The bytes should not be checksummed.

endif # INTEL_CBNT_SUPPORT