sec/intel/cbnt: Stitch in ACMs in the coreboot image
Actual support CBnT will be added later on. Change-Id: Icc35c5e6c74d002efee43cc05ecc8023e00631e0 Signed-off-by: Arthur Heymans <arthur@aheymans.xyz> Reviewed-on: https://review.coreboot.org/c/coreboot/+/46456 Reviewed-by: Angel Pons <th3fanbus@gmail.com> Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
This commit is contained in:
Arthur Heymans
Patrick Georgi
parent
a3ac82092f
commit
94fe086a06
12
Makefile.inc
12
Makefile.inc
@ -732,6 +732,16 @@ TXTIBB :=
|
|||||||
|
|
||||||
endif
|
endif
|
||||||
|
|
||||||
|
ifeq ($(CONFIG_INTEL_CBNT_SUPPORT),y)
|
||||||
|
|
||||||
|
CBNTIBB := --cbnt
|
||||||
|
|
||||||
|
else
|
||||||
|
|
||||||
|
CBNTIBB :=
|
||||||
|
|
||||||
|
endif # CONFIG_INTEL_CBNT_SUPPORT
|
||||||
|
|
||||||
ifeq ($(CONFIG_COMPRESS_BOOTBLOCK),y)
|
ifeq ($(CONFIG_COMPRESS_BOOTBLOCK),y)
|
||||||
|
|
||||||
$(objcbfs)/bootblock.lz4: $(objcbfs)/bootblock.elf $(objutil)/cbfstool/cbfs-compression-tool
|
$(objcbfs)/bootblock.lz4: $(objcbfs)/bootblock.elf $(objutil)/cbfstool/cbfs-compression-tool
|
||||||
@ -1063,6 +1073,7 @@ $(obj)/fmap.fmap: $(obj)/fmap.fmd $(FMAPTOOL)
|
|||||||
ifeq ($(CONFIG_INTEL_ADD_TOP_SWAP_BOOTBLOCK),y)
|
ifeq ($(CONFIG_INTEL_ADD_TOP_SWAP_BOOTBLOCK),y)
|
||||||
TS_OPTIONS := -j $(CONFIG_INTEL_TOP_SWAP_BOOTBLOCK_SIZE)
|
TS_OPTIONS := -j $(CONFIG_INTEL_TOP_SWAP_BOOTBLOCK_SIZE)
|
||||||
endif
|
endif
|
||||||
|
|
||||||
ifneq ($(CONFIG_UPDATE_IMAGE),y)
|
ifneq ($(CONFIG_UPDATE_IMAGE),y)
|
||||||
$(obj)/coreboot.pre: $(objcbfs)/bootblock.bin $$(prebuilt-files) $(CBFSTOOL) $(IFITTOOL) $$(cpu_ucode_cbfs_file) $(obj)/fmap.fmap $(obj)/fmap.desc
|
$(obj)/coreboot.pre: $(objcbfs)/bootblock.bin $$(prebuilt-files) $(CBFSTOOL) $(IFITTOOL) $$(cpu_ucode_cbfs_file) $(obj)/fmap.fmap $(obj)/fmap.desc
|
||||||
$(CBFSTOOL) $@.tmp create -M $(obj)/fmap.fmap -r $(shell cat $(obj)/fmap.desc)
|
$(CBFSTOOL) $@.tmp create -M $(obj)/fmap.fmap -r $(shell cat $(obj)/fmap.desc)
|
||||||
@ -1072,6 +1083,7 @@ ifeq ($(CONFIG_ARCH_X86),y)
|
|||||||
-n bootblock \
|
-n bootblock \
|
||||||
-t bootblock \
|
-t bootblock \
|
||||||
$(TXTIBB) \
|
$(TXTIBB) \
|
||||||
|
$(CBNTIBB) \
|
||||||
-b -$(call file-size,$(objcbfs)/bootblock.bin) $(cbfs-autogen-attributes) \
|
-b -$(call file-size,$(objcbfs)/bootblock.bin) $(cbfs-autogen-attributes) \
|
||||||
$(TS_OPTIONS)
|
$(TS_OPTIONS)
|
||||||
else # ifeq ($(CONFIG_ARCH_X86),y)
|
else # ifeq ($(CONFIG_ARCH_X86),y)
|
||||||
|
|||||||
@ -5,7 +5,7 @@ config CPU_INTEL_FIRMWARE_INTERFACE_TABLE
|
|||||||
|
|
||||||
config CPU_INTEL_NUM_FIT_ENTRIES
|
config CPU_INTEL_NUM_FIT_ENTRIES
|
||||||
int
|
int
|
||||||
default 16 if INTEL_TXT
|
default 16 if INTEL_TXT || INTEL_CBNT_SUPPORT
|
||||||
default 4
|
default 4
|
||||||
depends on CPU_INTEL_FIRMWARE_INTERFACE_TABLE
|
depends on CPU_INTEL_FIRMWARE_INTERFACE_TABLE
|
||||||
help
|
help
|
||||||
|
|||||||
@ -2,3 +2,4 @@
|
|||||||
|
|
||||||
source "src/security/intel/txt/Kconfig"
|
source "src/security/intel/txt/Kconfig"
|
||||||
source "src/security/intel/stm/Kconfig"
|
source "src/security/intel/stm/Kconfig"
|
||||||
|
source "src/security/intel/cbnt/Kconfig"
|
||||||
|
|||||||
@ -1,2 +1,3 @@
|
|||||||
subdirs-y += txt
|
subdirs-y += txt
|
||||||
subdirs-y += stm
|
subdirs-y += stm
|
||||||
|
subdirs-y += cbnt
|
||||||
|
|||||||
27
src/security/intel/cbnt/Kconfig
Normal file
27
src/security/intel/cbnt/Kconfig
Normal file
@ -0,0 +1,27 @@
|
|||||||
|
# SPDX-License-Identifier: GPL-2.0-only
|
||||||
|
|
||||||
|
config INTEL_CBNT_SUPPORT
|
||||||
|
bool "Intel CBnT support"
|
||||||
|
default n
|
||||||
|
depends on CPU_INTEL_FIRMWARE_INTERFACE_TABLE
|
||||||
|
#depends on PLATFORM_HAS_DRAM_CLEAR
|
||||||
|
select INTEL_TXT
|
||||||
|
help
|
||||||
|
Enables Intel Converged Bootguard and Trusted Execution Technology
|
||||||
|
Support. This will enable one to add a Key Manifest (KM) and a Boot
|
||||||
|
Policy Manifest (BPM) to the filesystem. It will also wrap a FIT around
|
||||||
|
the firmware and update appropriate entries.
|
||||||
|
|
||||||
|
if INTEL_CBNT_SUPPORT
|
||||||
|
|
||||||
|
config INTEL_CBNT_KEY_MANIFEST_BINARY
|
||||||
|
string "KM (Key Manifest) binary location"
|
||||||
|
help
|
||||||
|
Location of the Key Manifest (KM)
|
||||||
|
|
||||||
|
config INTEL_CBNT_BOOT_POLICY_MANIFEST_BINARY
|
||||||
|
string "BPM (Boot Policy Manifest) binary location"
|
||||||
|
help
|
||||||
|
Location of the Boot Policy Manifest (BPM)
|
||||||
|
|
||||||
|
endif # INTEL_CBNT_SUPPORT
|
||||||
25
src/security/intel/cbnt/Makefile.inc
Normal file
25
src/security/intel/cbnt/Makefile.inc
Normal file
@ -0,0 +1,25 @@
|
|||||||
|
ifeq ($(CONFIG_INTEL_CBNT_SUPPORT),y)
|
||||||
|
|
||||||
|
ifneq ($(CONFIG_INTEL_CBNT_BOOT_POLICY_MANIFEST_BINARY),"")
|
||||||
|
cbfs-files-y += boot_policy_manifest.bin
|
||||||
|
boot_policy_manifest.bin-file := $(CONFIG_INTEL_CBNT_BOOT_POLICY_MANIFEST_BINARY)
|
||||||
|
boot_policy_manifest.bin-type := raw
|
||||||
|
boot_policy_manifest.bin-align := 0x10
|
||||||
|
|
||||||
|
INTERMEDIATE+=add_bpm_fit
|
||||||
|
add_bpm_fit: $(obj)/coreboot.pre $(IFITTOOL)
|
||||||
|
$(IFITTOOL) -r COREBOOT -a -n boot_policy_manifest.bin -t 12 -s $(CONFIG_CPU_INTEL_NUM_FIT_ENTRIES) -f $<
|
||||||
|
endif
|
||||||
|
|
||||||
|
ifneq ($(CONFIG_INTEL_CBNT_KEY_MANIFEST_BINARY),"")
|
||||||
|
cbfs-files-y += key_manifest.bin
|
||||||
|
key_manifest.bin-file := $(CONFIG_INTEL_CBNT_KEY_MANIFEST_BINARY)
|
||||||
|
key_manifest.bin-type := raw
|
||||||
|
key_manifest.bin-align := 0x10
|
||||||
|
|
||||||
|
INTERMEDIATE+=add_km_fit
|
||||||
|
add_km_fit: $(obj)/coreboot.pre $(IFITTOOL)
|
||||||
|
$(IFITTOOL) -r COREBOOT -a -n key_manifest.bin -t 11 -s $(CONFIG_CPU_INTEL_NUM_FIT_ENTRIES) -f $<
|
||||||
|
endif
|
||||||
|
|
||||||
|
endif # CONFIG_INTEL_CBNT_SUPPORT
|
||||||
@ -52,6 +52,7 @@ config INTEL_TXT_LOGGING
|
|||||||
|
|
||||||
config INTEL_TXT_BIOSACM_ALIGNMENT
|
config INTEL_TXT_BIOSACM_ALIGNMENT
|
||||||
hex
|
hex
|
||||||
|
default 0x40000 if INTEL_CBNT_SUPPORT
|
||||||
default 0x20000 # 128 KiB
|
default 0x20000 # 128 KiB
|
||||||
help
|
help
|
||||||
Exceptions are Ivy and Sandy Bridge with 64 KiB and Purley with 256 KiB
|
Exceptions are Ivy and Sandy Bridge with 64 KiB and Purley with 256 KiB
|
||||||
|
|||||||
@ -33,6 +33,8 @@ add_acm_fit: $(obj)/coreboot.pre $(IFITTOOL)
|
|||||||
$(IFITTOOL) -r COREBOOT -a -n $(CONFIG_INTEL_TXT_CBFS_BIOS_ACM) -t 2 \
|
$(IFITTOOL) -r COREBOOT -a -n $(CONFIG_INTEL_TXT_CBFS_BIOS_ACM) -t 2 \
|
||||||
-s $(CONFIG_CPU_INTEL_NUM_FIT_ENTRIES) -f $<
|
-s $(CONFIG_CPU_INTEL_NUM_FIT_ENTRIES) -f $<
|
||||||
|
|
||||||
|
# CBnT does not use FIT for IBB
|
||||||
|
ifneq ($(CONFIG_INTEL_CBNT_SUPPORT),y)
|
||||||
# Initial BootBlock files
|
# Initial BootBlock files
|
||||||
ibb-files := $(foreach file,$(cbfs-files), \
|
ibb-files := $(foreach file,$(cbfs-files), \
|
||||||
$(if $(shell echo '$(call extract_nth,7,$(file))'|grep -- --ibb), \
|
$(if $(shell echo '$(call extract_nth,7,$(file))'|grep -- --ibb), \
|
||||||
@ -45,6 +47,8 @@ add_ibb_fit: $(obj)/coreboot.pre $(IFITTOOL)
|
|||||||
$(foreach file, $(ibb-files), $(shell $(IFITTOOL) -f $< -a -n $(file) -t 7 \
|
$(foreach file, $(ibb-files), $(shell $(IFITTOOL) -f $< -a -n $(file) -t 7 \
|
||||||
-s $(CONFIG_CPU_INTEL_NUM_FIT_ENTRIES) -r COREBOOT)) true
|
-s $(CONFIG_CPU_INTEL_NUM_FIT_ENTRIES) -r COREBOOT)) true
|
||||||
|
|
||||||
|
endif # INTEL_CBNT_SUPPORT
|
||||||
|
|
||||||
endif # CPU_INTEL_FIRMWARE_INTERFACE_TABLE
|
endif # CPU_INTEL_FIRMWARE_INTERFACE_TABLE
|
||||||
|
|
||||||
endif # INTEL_TXT
|
endif # INTEL_TXT
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user