path: root/src/security/intel/cbnt/Kconfig
# SPDX-License-Identifier: GPL-2.0-only

# Top-level switch for Intel CBnT. Off by default; depends on
# CPU_INTEL_FIRMWARE_INTERFACE_TABLE and forces INTEL_TXT and
# FIXED_BOOTBLOCK_SIZE on when enabled.
config INTEL_CBNT_SUPPORT
	bool "Intel CBnT support"
	default n
	depends on CPU_INTEL_FIRMWARE_INTERFACE_TABLE
	# NOTE(review): the DRAM-clear dependency below is disabled, so this option
	# can be enabled on platforms that do not declare PLATFORM_HAS_DRAM_CLEAR.
	# Confirm how memory clearing is handled on such platforms before relying
	# on it.
	#depends on PLATFORM_HAS_DRAM_CLEAR
	select INTEL_TXT
	# With CBnT the bootblock is set up as a CBnT IBB and needs a fixed size
	select FIXED_BOOTBLOCK_SIZE
	help
	  Enables Intel Converged Bootguard and Trusted Execution Technology
	  Support. This will enable one to add a Key Manifest (KM) and a Boot
	  Policy Manifest (BPM) to the filesystem. It will also wrap a FIT around
	  the firmware and update appropriate entries.

if INTEL_CBNT_SUPPORT

# Chooses between generating the KM (y, the default) and including a prebuilt
# KM binary (n). Choosing y selects both INTEL_CBNT_NEED_KM_* symbols, which
# shows the KM private-key prompt and hides the KM public-key prompt (that
# prompt requires !INTEL_CBNT_NEED_KM_PRIV_KEY).
config INTEL_CBNT_GENERATE_KM
	bool "Generate Key Manifest (KM)"
	default y
	select INTEL_CBNT_NEED_KM_PUB_KEY
	select INTEL_CBNT_NEED_KM_PRIV_KEY
	help
	  Select y to generate the Key Manifest (KM).
	  Select n to include a KM binary.

# Path to the bg-prov JSON configuration; only asked for when the KM is
# generated. No default is given, so the value is empty until configured.
# NOTE(review): presumably this file determines the contents of the generated
# manifest, so changes to it deserve the same review as a policy change.
# Confirm against the build rules that consume it.
config INTEL_CBNT_BG_PROV_CFG_FILE
	string "CBnT json config file"
	depends on INTEL_CBNT_GENERATE_KM
	help
	  Location of the bg-prov json config file.
	  Either get a sample JSON config file:
	  $ bg-prov template
	  Or extract it from a working configuration:
	  $ bg-prov read-config

# Promptless helper symbols: they have no menu entry and can only be set
# through `select` (INTEL_CBNT_GENERATE_KM selects both). They gate the
# visibility of the KM key-file prompts.
config INTEL_CBNT_NEED_KM_PUB_KEY
	bool

config INTEL_CBNT_NEED_KM_PRIV_KEY
	bool

# Asked for only when a KM public key is needed and the KM private key is not.
# NOTE(review): presumably the public key is taken from the private key file
# when both are needed; confirm in the build rules.
config INTEL_CBNT_KM_PUB_KEY_FILE
	string "Key manifest (KM) public key"
	depends on INTEL_CBNT_NEED_KM_PUB_KEY && !INTEL_CBNT_NEED_KM_PRIV_KEY
	help
	  Location of the key manifest (KM) public key file in .pem format.

# Path to the KM private key (presumably the key that signs the generated KM).
# The file is secret key material: keep it outside the source tree and out of
# version control, readable only by the build user. Only the path is stored in
# the configuration, but that path is written to the saved .config.
config INTEL_CBNT_KM_PRIV_KEY_FILE
	string "Key manifest (KM) private key"
	depends on INTEL_CBNT_NEED_KM_PRIV_KEY
	help
	  Location of the key manifest (KM) private key file in .pem format.

# Promptless helper symbols for the BPM keys. Nothing in this file selects
# them, so the BPM key-file prompts stay hidden unless another Kconfig file
# selects these symbols.
config INTEL_CBNT_NEED_BPM_PUB_KEY
	bool

config INTEL_CBNT_NEED_BPM_PRIV_KEY
	bool

# Asked for only when a BPM public key is needed and the BPM private key is
# not; mirrors the KM public-key option.
config INTEL_CBNT_BPM_PUB_KEY_FILE
	string "Boot policy manifest (BPM) public key"
	depends on INTEL_CBNT_NEED_BPM_PUB_KEY && !INTEL_CBNT_NEED_BPM_PRIV_KEY
	help
	  Location of the boot policy manifest (BPM) public key file in .pem format.

# Path to the BPM private key. The file is secret key material: keep it
# outside the source tree and out of version control, readable only by the
# build user. The path itself is written to the saved .config.
config INTEL_CBNT_BPM_PRIV_KEY_FILE
	string "Boot policy manifest (BPM) private key"
	depends on INTEL_CBNT_NEED_BPM_PRIV_KEY
	help
	  Location of the boot policy manifest (BPM) private key file in .pem format.

# Path to a prebuilt KM; asked for only when the KM is not generated.
# NOTE(review): nothing in this file checks the binary, so whoever supplies it
# is responsible for confirming it was signed with the intended key.
config INTEL_CBNT_KEY_MANIFEST_BINARY
	string "KM (Key Manifest) binary location"
	depends on !INTEL_CBNT_GENERATE_KM
	help
	  Location of the Key Manifest (KM)

# Path to a prebuilt BPM. Unlike the KM binary option this prompt has no
# `depends on`, so it is always shown while INTEL_CBNT_SUPPORT is enabled.
# No default is given, so the value is empty until configured.
config INTEL_CBNT_BOOT_POLICY_MANIFEST_BINARY
	string "BPM (Boot Policy Manifest) binary location"
	help
	  Location of the Boot Policy Manifest (BPM)

# Promptless hex value: it is not editable from the menu and can only be
# changed by another Kconfig definition of this symbol. With the default, the
# two bytes used are 0x7e and 0x7f.
# NOTE(review): what CBnT stores in these bytes is not shown here. Check that
# no other cmos.layout entry overlaps them and that they are outside any
# checksummed range, as the help text requires.
config INTEL_CBNT_CMOS_OFFSET
	hex
	default 0x7e
	help
	  Address in RTC CMOS used by CBNT. Uses 2 bytes. If using an option table
	  adapt the cmos.layout accordingly. The bytes should not be checksummed.

endif # INTEL_CBNT_SUPPORT