security/intel/cbnt: Make CBNT compatible with CMOS option table

Make sure the bytes in RTC cmos used by CBNT don't collide with the
option table. This depends on what is set up in the BPM, Boot Policy
Manifest. When the BPM is provided as a binary the Kconfig needs to be
adapted accordingly. A later patch will use this when generating the
BPM.

Change-Id: I246ada8a64ad5f831705a4293d87ab7adc5ef3aa
Signed-off-by: Arthur Heymans <arthur@aheymans.xyz>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/51538
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Patrick Georgi <pgeorgi@google.com>

src/security/intel/cbnt/Kconfig

@@ -26,4 +26,11 @@ config INTEL_CBNT_BOOT_POLICY_MANIFEST_BINARY
 	help
 	  Location of the Boot Policy Manifest (BPM)
 
+config INTEL_CBNT_CMOS_OFFSET
+	hex
+	default 0x7e
+	help
+	  Address in RTC CMOS used by CBNT. Uses 2 bytes. If using an option table
+	  adapt the cmos.layout accordingly. The bytes should not be checksummed.
+
 endif # INTEL_CBNT_SUPPORT

src/security/intel/cbnt/Makefile.inc

@@ -1,5 +1,7 @@
 ifeq ($(CONFIG_INTEL_CBNT_SUPPORT),y)
 
+ramstage-y += cmos.c
+
 ifneq ($(CONFIG_INTEL_CBNT_BOOT_POLICY_MANIFEST_BINARY),"")
 cbfs-files-y += boot_policy_manifest.bin
 boot_policy_manifest.bin-file := $(CONFIG_INTEL_CBNT_BOOT_POLICY_MANIFEST_BINARY)

src/security/intel/cbnt/cmos.c

@@ -0,0 +1,16 @@
+/* SPDX-License-Identifier: GPL-2.0-only */
+
+/*
+ * Address of the MRC status byte in CMOS. Should be reserved
+ * in mainboards' cmos.layout and not covered by checksum.
+ */
+
+#if CONFIG(USE_OPTION_TABLE)
+#include "option_table.h"
+#if CMOS_VSTART_cbnt_cmos != CONFIG_INTEL_CBNT_CMOS_OFFSET * 8
+#error "CMOS start for CBNT CMOS is not correct, check your cmos.layout"
+#endif
+#if CMOS_VLEN_cbnt_cmos != 16
+#error "CMOS length for CBNT CMOS bytes are not correct, check your cmos.layout"
+#endif
+#endif