cpu/intel/fit: Add the FIT table as a separate CBFS file

With CBnT a digest needs to be made of the IBB, Initial BootBlock, in
this case the bootblock. After that a pointer to the BPM, Boot Policy
Manifest, containing the IBB digest needs to be added to the FIT
table.

If the fit table is inside the IBB, updating it with a pointer to the
BPM, would make the digest invalid.
The proper solution is to move the FIT table out of the bootblock.

The FIT table itself does not need to be covered by the digest as it
just contains pointers to structures that can be verified by the
hardware itself, such as microcode and ACMs (Authenticated Code
Modules).

Change-Id: I352e11d5f7717147a877be16a87e9ae35ae14856
Signed-off-by: Arthur Heymans <arthur@aheymans.xyz>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/50926
Reviewed-by: Patrick Rudolph <patrick.rudolph@9elements.com>
Reviewed-by: Christian Walter <christian.walter@9elements.com>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Arthur Heymans
2021-02-19 17:14:23 +01:00
committed by Patrick Georgi
parent e9e4e54e27
commit eeacd8349c
6 changed files with 55 additions and 28 deletions


@@ -6,7 +6,7 @@ boot_policy_manifest.bin-file := $(CONFIG_INTEL_CBNT_BOOT_POLICY_MANIFEST_BINARY
boot_policy_manifest.bin-type := raw
boot_policy_manifest.bin-align := 0x10
$(call add_intermediate, add_bpm_fit, $(IFITTOOL))
$(call add_intermediate, add_bpm_fit, $(IFITTOOL) set_fit_ptr)
$(IFITTOOL) -r COREBOOT -a -n boot_policy_manifest.bin -t 12 -s $(CONFIG_CPU_INTEL_NUM_FIT_ENTRIES) -f $<
endif
@@ -16,7 +16,7 @@ key_manifest.bin-file := $(CONFIG_INTEL_CBNT_KEY_MANIFEST_BINARY)
key_manifest.bin-type := raw
key_manifest.bin-align := 0x10
$(call add_intermediate, add_km_fit, $(IFITTOOL))
$(call add_intermediate, add_km_fit, $(IFITTOOL) set_fit_ptr)
$(IFITTOOL) -r COREBOOT -a -n key_manifest.bin -t 11 -s $(CONFIG_CPU_INTEL_NUM_FIT_ENTRIES) -f $<
endif
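Review bot: The `set_fit_ptr` prerequisite added to `add_bpm_fit` is an ordering constraint that nothing in the file explains, and the rule that produces `set_fit_ptr` is not in these hunks. Going by the commit message, the FIT is now a separate CBFS file, so it presumably must exist and be pointed to before ifittool can add the type 12 (BPM) and type 11 (KM) entries. I would put a comment above the first rule, for example `# set_fit_ptr first: the FIT is its own CBFS file and must be in place before entries are added to it`. The same prerequisite is added without explanation to `add_km_fit` here and to `add_acm_fit` and `add_ibb_fit` in the next file, so those rules could refer back to that comment.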


@@ -28,7 +28,7 @@ endif
ifeq ($(CONFIG_CPU_INTEL_FIRMWARE_INTERFACE_TABLE),y)
$(call add_intermediate, add_acm_fit, $(IFITTOOL))
$(call add_intermediate, add_acm_fit, $(IFITTOOL) set_fit_ptr)
$(IFITTOOL) -r COREBOOT -a -n $(CONFIG_INTEL_TXT_CBFS_BIOS_ACM) -t 2 \
-s $(CONFIG_CPU_INTEL_NUM_FIT_ENTRIES) -f $<
@@ -41,7 +41,7 @@ ibb-files := $(foreach file,$(cbfs-files), \
ibb-files += bootblock
$(call add_intermediate, add_ibb_fit, $(IFITTOOL))
$(call add_intermediate, add_ibb_fit, $(IFITTOOL) set_fit_ptr)
$(foreach file, $(ibb-files), $(shell $(IFITTOOL) -f $< -a -n $(file) -t 7 \
-s $(CONFIG_CPU_INTEL_NUM_FIT_ENTRIES) -r COREBOOT)) true
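Review bot: The `add_ibb_fit` recipe still runs ifittool through `$(shell ...)` and ends in `true`, so make never sees a failing exit status and the step always succeeds. If adding a type 7 entry fails, for instance because the table sized by `CONFIG_CPU_INTEL_NUM_FIT_ENTRIES` is full, the build would still finish and the image would be missing that IBB entry, with only whatever ifittool printed as a hint. Anything ifittool writes to stdout is also pasted into the recipe line as shell text. Since the line is being touched anyway, run the tool as ordinary recipe commands: `$(foreach file, $(ibb-files), $(IFITTOOL) -f $< -a -n $(file) -t 7 -s $(CONFIG_CPU_INTEL_NUM_FIT_ENTRIES) -r COREBOOT &&) true`. The enclosing `ifeq` block closes outside this hunk.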