sravan/system76-coreboot
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

sec/intel/cbnt: Stitch in ACMs in the coreboot image

Browse Source 
Actual support CBnT will be added later on.

Change-Id: Icc35c5e6c74d002efee43cc05ecc8023e00631e0
Signed-off-by: Arthur Heymans <arthur@aheymans.xyz>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/46456
Reviewed-by: Angel Pons <th3fanbus@gmail.com>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
This commit is contained in:
Arthur Heymans
2020-10-15 13:57:52 +02:00
committed by Patrick Georgi
parent a3ac82092f
commit 94fe086a06
8 changed files with 72 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

27
src/security/intel/cbnt/Kconfig Normal file
View File

@@ -0,0 +1,27 @@
# SPDX-License-Identifier: GPL-2.0-only
config INTEL_CBNT_SUPPORT
bool "Intel CBnT support"
default n
depends on CPU_INTEL_FIRMWARE_INTERFACE_TABLE
#depends on PLATFORM_HAS_DRAM_CLEAR
select INTEL_TXT
help
Enables Intel Converged Bootguard and Trusted Execution Technology
Support. This will enable one to add a Key Manifest (KM) and a Boot
Policy Manifest (BPM) to the filesystem. It will also wrap a FIT around
the firmware and update appropriate entries.
if INTEL_CBNT_SUPPORT
config INTEL_CBNT_KEY_MANIFEST_BINARY
string "KM (Key Manifest) binary location"
help
Location of the Key Manifest (KM)
config INTEL_CBNT_BOOT_POLICY_MANIFEST_BINARY
string "BPM (Boot Policy Manifest) binary location"
help
Location of the Boot Policy Manifest (BPM)
endif # INTEL_CBNT_SUPPORT

25
src/security/intel/cbnt/Makefile.inc Normal file
View File

@@ -0,0 +1,25 @@
ifeq ($(CONFIG_INTEL_CBNT_SUPPORT),y)
ifneq ($(CONFIG_INTEL_CBNT_BOOT_POLICY_MANIFEST_BINARY),"")
cbfs-files-y += boot_policy_manifest.bin
boot_policy_manifest.bin-file := $(CONFIG_INTEL_CBNT_BOOT_POLICY_MANIFEST_BINARY)
boot_policy_manifest.bin-type := raw
boot_policy_manifest.bin-align := 0x10
INTERMEDIATE+=add_bpm_fit
add_bpm_fit: $(obj)/coreboot.pre $(IFITTOOL)
$(IFITTOOL) -r COREBOOT -a -n boot_policy_manifest.bin -t 12 -s $(CONFIG_CPU_INTEL_NUM_FIT_ENTRIES) -f $<
endif
ifneq ($(CONFIG_INTEL_CBNT_KEY_MANIFEST_BINARY),"")
cbfs-files-y += key_manifest.bin
key_manifest.bin-file := $(CONFIG_INTEL_CBNT_KEY_MANIFEST_BINARY)
key_manifest.bin-type := raw
key_manifest.bin-align := 0x10
INTERMEDIATE+=add_km_fit
add_km_fit: $(obj)/coreboot.pre $(IFITTOOL)
$(IFITTOOL) -r COREBOOT -a -n key_manifest.bin -t 11 -s $(CONFIG_CPU_INTEL_NUM_FIT_ENTRIES) -f $<
endif
endif # CONFIG_INTEL_CBNT_SUPPORT