blob: 7df09b4b1ba35e1ed35af032e08f989dabbd69b6 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
|
# SPDX-License-Identifier: GPL-2.0-only
config INTEL_CBNT_SUPPORT
bool "Intel CBnT support"
default n
depends on CPU_INTEL_FIRMWARE_INTERFACE_TABLE
#depends on PLATFORM_HAS_DRAM_CLEAR
select INTEL_TXT
# With CBnT the bootblock is set up as a CBnT IBB and needs a fixed size
select FIXED_BOOTBLOCK_SIZE
help
Enables Intel Converged Bootguard and Trusted Execution Technology
Support. This will enable one to add a Key Manifest (KM) and a Boot
Policy Manifest (BPM) to the filesystem. It will also wrap a FIT around
the firmware and update appropriate entries.
if INTEL_CBNT_SUPPORT
config INTEL_CBNT_GENERATE_KM
bool "Generate Key Manifest (KM)"
default y
select INTEL_CBNT_NEED_KM_PUB_KEY
select INTEL_CBNT_NEED_KM_PRIV_KEY if !INTEL_CBNT_KM_ONLY_UNSIGNED
select INTEL_CBNT_NEED_BPM_PUB_KEY if !INTEL_CBNT_BG_PROV_KM_USE_CFG_FILE
help
Select y to generate the Key Manifest (KM).
Select n to include a KM binary.
config INTEL_CBNT_KM_ONLY_UNSIGNED
bool "Only unsigned key manifest (KM)"
depends on INTEL_CBNT_GENERATE_KM
help
Skip signing the KM.
The resulting unsigned KM will be placed at build/km_unsigned.bin.
The resulting coreboot image will not be functional with CBnT.
After the unsigned KM is signed externally you can either rebuild
coreboot using that binary or add it to cbfs and fit:
"$ cbfstool build/coreboot.rom add -f km.bin -n key_manifest.bin -t raw -a 16"
"$ ifittool -r COREBOOT -a -n key_manifest.bin -t 11 -s 12 -f build/coreboot.rom"
'-s 12' where 12 is CONFIG_CPU_INTEL_NUM_FIT_ENTRIES.
config INTEL_CBNT_BG_PROV_KM_USE_CFG_FILE
bool "KM: use a CBnT json config file"
depends on INTEL_CBNT_GENERATE_KM
default y
help
Select y to generate KM from a json config file.
Select n to generate KM from Kconfig options
config INTEL_CBNT_GENERATE_BPM
bool "Generate Boot Policy Manifest (BPM)"
default y
select INTEL_CBNT_NEED_BPM_PRIV_KEY
help
Select y to generate the Boot Policy Manifest (BPM).
Select n to include a BPM binary.
config INTEL_CBNT_BG_PROV_CFG_FILE
string "CBnT json config file"
depends on INTEL_CBNT_BG_PROV_KM_USE_CFG_FILE || INTEL_CBNT_GENERATE_BPM
help
Location of the bg-prov json config file.
Either get a sample JSON config file:
$ bg-prov template
Or extract it from a working configuration:
$ bg-prov read-config
config INTEL_CBNT_NEED_KM_PUB_KEY
bool
config INTEL_CBNT_NEED_KM_PRIV_KEY
bool
config INTEL_CBNT_KM_PUB_KEY_FILE
string "Key manifest (KM) public key"
depends on INTEL_CBNT_NEED_KM_PUB_KEY && !INTEL_CBNT_NEED_KM_PRIV_KEY
help
Location of the key manifest (KM) public key file in .pem format.
config INTEL_CBNT_KM_PRIV_KEY_FILE
string "Key manifest (KM) private key"
depends on INTEL_CBNT_NEED_KM_PRIV_KEY
help
Location of the key manifest (KM) private key file in .pem format.
config INTEL_CBNT_NEED_BPM_PUB_KEY
bool
config INTEL_CBNT_NEED_BPM_PRIV_KEY
bool
config INTEL_CBNT_BPM_PUB_KEY_FILE
string "Boot policy manifest (BPM) public key"
depends on INTEL_CBNT_NEED_BPM_PUB_KEY && !INTEL_CBNT_NEED_BPM_PRIV_KEY
help
Location of the boot policy manifest (BPM) public key file in .pem format.
config INTEL_CBNT_BPM_PRIV_KEY_FILE
string "Boot policy manifest (BPM) private key"
depends on INTEL_CBNT_NEED_BPM_PRIV_KEY
help
Location of the boot policy manifest (BPM) private key file in .pem format.
if !INTEL_CBNT_BG_PROV_KM_USE_CFG_FILE && INTEL_CBNT_GENERATE_KM
menu "KM options"
config INTEL_CBNT_KM_REVISION
int "KM revision"
default 1
help
Version of the Key Manifest defined by the Platform Manufacturer.
The actual value is transparent to Boot Guard and is not processed by Boot Guard.
config INTEL_CBNT_KM_SVN
int "KM security Version Number"
range 0 15
default 0
help
This value is determined by the Platform Manufacturer.
Boot Guard uses this to compare it to the Key Manifest
Revocation Value (Revocation.KMSVN) in FPF.
If KMSVN < Revocation.KMSVN, the KM will be revoked. It will trigger ENF (the
enforcement policy).
IF KMSVN > Revocation.KMSVN, the Revocation.KMSVN will be set to the KMSVN.
Note: Once the value reaches 0Fh, revocation saturates and one can no longer
revoke newer KMs.
config INTEL_CBNT_KM_ID
int "KM ID"
default 1
help
This identifies the Key Manifest to be used for a platform.
This must match the Key Manifest Identifier programmed in
the field programmable fuses.
endmenu
endif # !INTEL_CBNT_BG_PROV_KM_USE_CFG_FILE
config INTEL_CBNT_KEY_MANIFEST_BINARY
string "KM (Key Manifest) binary location"
depends on !INTEL_CBNT_GENERATE_KM
help
Location of the Key Manifest (KM)
config INTEL_CBNT_BOOT_POLICY_MANIFEST_BINARY
string "BPM (Boot Policy Manifest) binary location"
depends on !INTEL_CBNT_GENERATE_BPM
help
Location of the Boot Policy Manifest (BPM)
config INTEL_CBNT_CMOS_OFFSET
hex
default 0x7e
help
Address in RTC CMOS used by CBNT. Uses 2 bytes. If using an option table
adapt the cmos.layout accordingly. The bytes should not be checksummed.
endif # INTEL_CBNT_SUPPORT
|