security/intel/cbnt: Rename bg-prov to cbnt-prov

This prepares for updating the intel-sec-tools submodule pointer. In
that submodule bg-prov got renamed to cbnt-prov as Intel Bootguard
uses different structures and will require a different tool.

Change-Id: I54a9f458e124d355d50b5edd8694dee39657bc0d
Signed-off-by: Arthur Heymans <arthur@aheymans.xyz>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/52970
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Angel Pons <th3fanbus@gmail.com>
Arthur Heymans
2021-05-06 11:15:32 +02:00
parent 91b2024bae
commit 53164ba286
2 changed files with 34 additions and 34 deletions


@@ -22,7 +22,7 @@ config INTEL_CBNT_GENERATE_KM
default y default y
select INTEL_CBNT_NEED_KM_PUB_KEY select INTEL_CBNT_NEED_KM_PUB_KEY
select INTEL_CBNT_NEED_KM_PRIV_KEY if !INTEL_CBNT_KM_ONLY_UNSIGNED select INTEL_CBNT_NEED_KM_PRIV_KEY if !INTEL_CBNT_KM_ONLY_UNSIGNED
select INTEL_CBNT_NEED_BPM_PUB_KEY if !INTEL_CBNT_BG_PROV_KM_USE_CFG_FILE select INTEL_CBNT_NEED_BPM_PUB_KEY if !INTEL_CBNT_CBNT_PROV_KM_USE_CFG_FILE
help help
Select y to generate the Key Manifest (KM). Select y to generate the Key Manifest (KM).
Select n to include a KM binary. Select n to include a KM binary.
@@ -40,7 +40,7 @@ config INTEL_CBNT_KM_ONLY_UNSIGNED
"$ ifittool -r COREBOOT -a -n key_manifest.bin -t 11 -s 12 -f build/coreboot.rom" "$ ifittool -r COREBOOT -a -n key_manifest.bin -t 11 -s 12 -f build/coreboot.rom"
'-s 12' where 12 is CONFIG_CPU_INTEL_NUM_FIT_ENTRIES. '-s 12' where 12 is CONFIG_CPU_INTEL_NUM_FIT_ENTRIES.
config INTEL_CBNT_BG_PROV_KM_USE_CFG_FILE config INTEL_CBNT_CBNT_PROV_KM_USE_CFG_FILE
bool "KM: use a CBnT json config file" bool "KM: use a CBnT json config file"
depends on INTEL_CBNT_GENERATE_KM depends on INTEL_CBNT_GENERATE_KM
default y default y
@@ -69,7 +69,7 @@ config INTEL_CBNT_BPM_ONLY_UNSIGNED
"$ ifittool -r COREBOOT -a -n boot_policy_manifest.bin -t 12 -s 12 -f build/coreboot.rom" "$ ifittool -r COREBOOT -a -n boot_policy_manifest.bin -t 12 -s 12 -f build/coreboot.rom"
'-s 12' where 12 is CONFIG_CPU_INTEL_NUM_FIT_ENTRIES. '-s 12' where 12 is CONFIG_CPU_INTEL_NUM_FIT_ENTRIES.
config INTEL_CBNT_BG_PROV_BPM_USE_CFG_FILE config INTEL_CBNT_CBNT_PROV_BPM_USE_CFG_FILE
bool "BPM: use a CBnT json config file" bool "BPM: use a CBnT json config file"
depends on INTEL_CBNT_GENERATE_BPM depends on INTEL_CBNT_GENERATE_BPM
default y default y
@@ -77,9 +77,9 @@ config INTEL_CBNT_BG_PROV_BPM_USE_CFG_FILE
Select y to generate BPM from a json config file. Select y to generate BPM from a json config file.
Select n to generate BPM from Kconfig options Select n to generate BPM from Kconfig options
config INTEL_CBNT_BG_PROV_CFG_FILE config INTEL_CBNT_CBNT_PROV_CFG_FILE
string "CBnT json config file" string "CBnT json config file"
depends on INTEL_CBNT_BG_PROV_KM_USE_CFG_FILE || INTEL_CBNT_BG_PROV_BPM_USE_CFG_FILE depends on INTEL_CBNT_CBNT_PROV_KM_USE_CFG_FILE || INTEL_CBNT_CBNT_PROV_BPM_USE_CFG_FILE
help help
Location of the bg-prov json config file. Location of the bg-prov json config file.
Either get a sample JSON config file: Either get a sample JSON config file:
@@ -123,7 +123,7 @@ config INTEL_CBNT_BPM_PRIV_KEY_FILE
help help
Location of the boot policy manifest (BPM) private key file in .pem format. Location of the boot policy manifest (BPM) private key file in .pem format.
if !INTEL_CBNT_BG_PROV_KM_USE_CFG_FILE && INTEL_CBNT_GENERATE_KM if !INTEL_CBNT_CBNT_PROV_KM_USE_CFG_FILE && INTEL_CBNT_GENERATE_KM
menu "KM options" menu "KM options"
@@ -160,9 +160,9 @@ config INTEL_CBNT_KM_ID
endmenu endmenu
endif # !INTEL_CBNT_BG_PROV_KM_USE_CFG_FILE endif # !INTEL_CBNT_CBNT_PROV_KM_USE_CFG_FILE
if !INTEL_CBNT_BG_PROV_BPM_USE_CFG_FILE && INTEL_CBNT_GENERATE_BPM if !INTEL_CBNT_CBNT_PROV_BPM_USE_CFG_FILE && INTEL_CBNT_GENERATE_BPM
menu "BPM options" menu "BPM options"
config INTEL_CBNT_BPM_REVISION config INTEL_CBNT_BPM_REVISION
@@ -221,7 +221,7 @@ config INTEL_CBNT_PD_INTERVAL
endmenu endmenu
endif # !INTEL_CBNT_BG_PROV_BPM_USE_CFG_FILE endif # !INTEL_CBNT_CBNT_PROV_BPM_USE_CFG_FILE
config INTEL_CBNT_KEY_MANIFEST_BINARY config INTEL_CBNT_KEY_MANIFEST_BINARY
string "KM (Key Manifest) binary location" string "KM (Key Manifest) binary location"
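Review bot: Renaming the `INTEL_CBNT_BG_PROV_*` symbols means a saved .config that still uses the old names loses those settings, and both `INTEL_CBNT_CBNT_PROV_KM_USE_CFG_FILE` and `INTEL_CBNT_CBNT_PROV_BPM_USE_CFG_FILE` are `default y`. A configuration that had them disabled would therefore presumably switch to generating the KM/BPM from the json file without any notice, which changes what goes into the signed manifests. A short migration note for users who carry their own configs would make that visible. Separately, in the `@@ -77,9 +77,9` hunk the help text of `INTEL_CBNT_CBNT_PROV_CFG_FILE` still reads `Location of the bg-prov json config file.` and should name `cbnt-prov`.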


@@ -20,29 +20,29 @@ $(obj)/bpm_pub.pem: $(call strip_quotes, $(CONFIG_INTEL_CBNT_BPM_PUB_KEY_FILE))
cp $< $@ cp $< $@
endif endif
BG_PROV:=$(obj)/bg-prov CBNT_PROV:=$(obj)/cbnt-prov
CBNT_CFG:=$(obj)/cbnt.json CBNT_CFG:=$(obj)/cbnt.json
$(BG_PROV): $(CBNT_PROV):
printf " BG_PROV building tool\n" printf " CBNT_PROV building tool\n"
cd 3rdparty/intel-sec-tools; \ cd 3rdparty/intel-sec-tools; \
GO111MODULE=on go mod download; \ GO111MODULE=on go mod download; \
GO111MODULE=on go mod verify; \ GO111MODULE=on go mod verify; \
GO111MODULE=on go build -o $(top)/$@ cmd/bg-prov/*.go GO111MODULE=on go build -o $(top)/$@ cmd/bg-prov/*.go
$(CBNT_CFG): $(call strip_quotes, $(CONFIG_INTEL_CBNT_BG_PROV_CFG_FILE)) $(CBNT_CFG): $(call strip_quotes, $(CONFIG_INTEL_CBNT_CBNT_PROV_CFG_FILE))
cp $(CONFIG_INTEL_CBNT_BG_PROV_CFG_FILE) $@ cp $(CONFIG_INTEL_CBNT_CBNT_PROV_CFG_FILE) $@
ifeq ($(CONFIG_INTEL_CBNT_GENERATE_BPM),y) ifeq ($(CONFIG_INTEL_CBNT_GENERATE_BPM),y)
ifeq ($(CONFIG_INTEL_CBNT_BG_PROV_BPM_USE_CFG_FILE),y) ifeq ($(CONFIG_INTEL_CBNT_CBNT_PROV_BPM_USE_CFG_FILE),y)
$(obj)/bpm_unsigned.bin: $(obj)/coreboot.rom $(BG_PROV) $(CBNT_CFG) $(obj)/bpm_unsigned.bin: $(obj)/coreboot.rom $(CBNT_PROV) $(CBNT_CFG)
printf " BG_PROV creating unsigned BPM using config file\n" printf " CBNT_PROV creating unsigned BPM using config file\n"
$(BG_PROV) bpm-gen $@ $< --config=$(CBNT_CFG) --cut $(CBNT_PROV) bpm-gen $@ $< --config=$(CBNT_CFG) --cut
else else
$(obj)/bpm_unsigned.bin: $(obj)/coreboot.rom $(BG_PROV) $(obj)/bpm_unsigned.bin: $(obj)/coreboot.rom $(CBNT_PROV)
printf " BG_PROV creating unsigned BPM\n" printf " CBNT_PROV creating unsigned BPM\n"
# SHA256, SHA1, SHA384 for digest # SHA256, SHA1, SHA384 for digest
$(BG_PROV) bpm-gen $@ $< --revision=$(CONFIG_INTEL_CBNT_BPM_REVISION) \ $(CBNT_PROV) bpm-gen $@ $< --revision=$(CONFIG_INTEL_CBNT_BPM_REVISION) \
--svn=$(CONFIG_INTEL_CBNT_BPM_SVN) \ --svn=$(CONFIG_INTEL_CBNT_BPM_SVN) \
--acmsvn=$(CONFIG_INTEL_CBNT_ACM_SVN) \ --acmsvn=$(CONFIG_INTEL_CBNT_ACM_SVN) \
--nems=$(CONFIG_INTEL_CBNT_NUM_NEM_PAGES) \ --nems=$(CONFIG_INTEL_CBNT_NUM_NEM_PAGES) \
@@ -73,9 +73,9 @@ build_complete:: $(obj)/bpm_unsigned.bin
@printf "$$ cbfstool build/coreboot.rom add -f bpm.bin -n boot_policy_manifest.bin -t raw -a 16\n" @printf "$$ cbfstool build/coreboot.rom add -f bpm.bin -n boot_policy_manifest.bin -t raw -a 16\n"
@printf "$$ ifittool -r COREBOOT -a -n boot_policy_manifest.bin -t 12 -s 12 -f build/coreboot.rom\n" @printf "$$ ifittool -r COREBOOT -a -n boot_policy_manifest.bin -t 12 -s 12 -f build/coreboot.rom\n"
else else
$(obj)/bpm.bin: $(obj)/bpm_unsigned.bin $(BG_PROV) $(call strip_quotes, $(CONFIG_INTEL_CBNT_BPM_PRIV_KEY_FILE)) $(obj)/bpm.bin: $(obj)/bpm_unsigned.bin $(CBNT_PROV) $(call strip_quotes, $(CONFIG_INTEL_CBNT_BPM_PRIV_KEY_FILE))
printf " BG_PROV signing real BPM\n" printf " CBNT_PROV signing real BPM\n"
$(BG_PROV) bpm-sign $< $@ $(CONFIG_INTEL_CBNT_BPM_PRIV_KEY_FILE) "" $(CBNT_PROV) bpm-sign $< $@ $(CONFIG_INTEL_CBNT_BPM_PRIV_KEY_FILE) ""
# Add BPM at the end of the build when all files have been added # Add BPM at the end of the build when all files have been added
files_added:: $(obj)/bpm.bin files_added:: $(obj)/bpm.bin
@@ -100,15 +100,15 @@ endif
endif # CONFIG_INTEL_CBNT_GENERATE_BPM endif # CONFIG_INTEL_CBNT_GENERATE_BPM
ifeq ($(CONFIG_INTEL_CBNT_GENERATE_KM),y) ifeq ($(CONFIG_INTEL_CBNT_GENERATE_KM),y)
ifeq ($(CONFIG_INTEL_CBNT_BG_PROV_KM_USE_CFG_FILE),y) ifeq ($(CONFIG_INTEL_CBNT_CBNT_PROV_KM_USE_CFG_FILE),y)
$(obj)/km_unsigned.bin: $(obj)/km_pub.pem $(BG_PROV) $(CBNT_CFG) $(obj)/km_unsigned.bin: $(obj)/km_pub.pem $(CBNT_PROV) $(CBNT_CFG)
printf " BG_PROV creating unsigned KM using config file\n" printf " CBNT_PROV creating unsigned KM using config file\n"
$(BG_PROV) km-gen $@ $< --config=$(CBNT_CFG) $(CBNT_PROV) km-gen $@ $< --config=$(CBNT_CFG)
else else
PK_HASH_ALG_SHA256:=11 # Hardcode as no other options are available for CBnT PK_HASH_ALG_SHA256:=11 # Hardcode as no other options are available for CBnT
$(obj)/km_unsigned.bin: $(obj)/km_pub.pem $(obj)/bpm_pub.pem $(BG_PROV) $(obj)/km_unsigned.bin: $(obj)/km_pub.pem $(obj)/bpm_pub.pem $(CBNT_PROV)
printf " BG_PROV creating unsigned KM\n" printf " CBNT_PROV creating unsigned KM\n"
$(BG_PROV) km-gen $@ $< --revision=$(CONFIG_INTEL_CBNT_KM_REVISION) \ $(CBNT_PROV) km-gen $@ $< --revision=$(CONFIG_INTEL_CBNT_KM_REVISION) \
--svn=$(CONFIG_INTEL_CBNT_KM_SVN) \ --svn=$(CONFIG_INTEL_CBNT_KM_SVN) \
--id=$(CONFIG_INTEL_CBNT_KM_ID) \ --id=$(CONFIG_INTEL_CBNT_KM_ID) \
--pkhashalg=$(PK_HASH_ALG_SHA256) \ --pkhashalg=$(PK_HASH_ALG_SHA256) \
@@ -117,9 +117,9 @@ $(obj)/km_unsigned.bin: $(obj)/km_pub.pem $(obj)/bpm_pub.pem $(BG_PROV)
--out=$(obj)/km_cfg.json --out=$(obj)/km_cfg.json
endif endif
$(obj)/km.bin: $(obj)/km_unsigned.bin $(BG_PROV) $(call strip_quotes, $(CONFIG_INTEL_CBNT_KM_PRIV_KEY_FILE)) $(obj)/km.bin: $(obj)/km_unsigned.bin $(CBNT_PROV) $(call strip_quotes, $(CONFIG_INTEL_CBNT_KM_PRIV_KEY_FILE))
printf " BG_PROV signing KM\n" printf " CBNT_PROV signing KM\n"
$(BG_PROV) km-sign $< $@ $(CONFIG_INTEL_CBNT_KM_PRIV_KEY_FILE) "" $(CBNT_PROV) km-sign $< $@ $(CONFIG_INTEL_CBNT_KM_PRIV_KEY_FILE) ""
KM_FILE=$(obj)/km.bin KM_FILE=$(obj)/km.bin
else else
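Review bot: In the `$(CBNT_PROV):` recipe of the first hunk the commands are joined with `; \`, so unless recipes are run with `sh -e` elsewhere in the build, a failing `go mod verify` (or a failed `cd` or `go mod download`) does not stop the recipe. The tool that later signs the KM and BPM would then still be built from unverified modules. Replacing each `; \` with `&& \`, for example `GO111MODULE=on go mod verify && \`, makes a checksum mismatch fatal. The same recipe still builds from `cmd/bg-prov/*.go`; that looks deliberate until the submodule pointer moves, but a one-line comment saying the path must follow the submodule update would keep the rename from reading as incomplete.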