From 2390754982ce6fa458484871c7fc1407f7c92c92 Mon Sep 17 00:00:00 2001 From: Arthur Heymans Date: Tue, 16 Mar 2021 19:28:50 +0100 Subject: [PATCH] security/intel/cbnt: Make CBNT compatible with CMOS option table Make sure the bytes in RTC cmos used by CBNT don't collide with the option table. This depends on what is set up in the BPM, Boot Policy Manifest. When the BPM is provided as a binary the Kconfig needs to be adapted accordingly. A later patch will use this when generating the BPM. Change-Id: I246ada8a64ad5f831705a4293d87ab7adc5ef3aa Signed-off-by: Arthur Heymans Reviewed-on: https://review.coreboot.org/c/coreboot/+/51538 Tested-by: build bot (Jenkins) Reviewed-by: Patrick Georgi --- src/security/intel/cbnt/Kconfig | 7 +++++++ src/security/intel/cbnt/Makefile.inc | 2 ++ src/security/intel/cbnt/cmos.c | 16 ++++++++++++++++ 3 files changed, 25 insertions(+) create mode 100644 src/security/intel/cbnt/cmos.c diff --git a/src/security/intel/cbnt/Kconfig b/src/security/intel/cbnt/Kconfig index e5830b7b40..7289f7c514 100644 --- a/src/security/intel/cbnt/Kconfig +++ b/src/security/intel/cbnt/Kconfig @@ -26,4 +26,11 @@ config INTEL_CBNT_BOOT_POLICY_MANIFEST_BINARY help Location of the Boot Policy Manifest (BPM) +config INTEL_CBNT_CMOS_OFFSET + hex + default 0x7e + help + Address in RTC CMOS used by CBNT. Uses 2 bytes. If using an option table + adapt the cmos.layout accordingly. The bytes should not be checksummed. + endif # INTEL_CBNT_SUPPORT diff --git a/src/security/intel/cbnt/Makefile.inc b/src/security/intel/cbnt/Makefile.inc index b8ea702df2..4565a272b7 100644 --- a/src/security/intel/cbnt/Makefile.inc +++ b/src/security/intel/cbnt/Makefile.inc @@ -1,5 +1,7 @@ ifeq ($(CONFIG_INTEL_CBNT_SUPPORT),y) +ramstage-y += cmos.c + ifneq ($(CONFIG_INTEL_CBNT_BOOT_POLICY_MANIFEST_BINARY),"") cbfs-files-y += boot_policy_manifest.bin boot_policy_manifest.bin-file := $(CONFIG_INTEL_CBNT_BOOT_POLICY_MANIFEST_BINARY) 
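Review bot: The help text for `INTEL_CBNT_CMOS_OFFSET` does not say that the value has to match the CMOS location configured in the Boot Policy Manifest, which the commit message gives as the reason the option exists. With a BPM supplied as a binary, nothing visible here ties the two together, so a mismatch would build cleanly and leave cmos.layout reserving the wrong bytes. I would add a sentence such as `Must match the CMOS index set in the BPM; adjust this when providing the BPM as a binary.` to the help. The option also accepts any hex value; if only the standard bank is valid, a `range` line would catch an offset whose second byte falls outside it, though what CBNT allows should be confirmed first. The enclosing `if INTEL_CBNT_SUPPORT` block starts outside the hunk.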
diff --git a/src/security/intel/cbnt/cmos.c b/src/security/intel/cbnt/cmos.c
new file mode 100644
index 0000000000..318828ba3b
--- /dev/null
+++ b/src/security/intel/cbnt/cmos.c
@@ -0,0 +1,16 @@
+/* SPDX-License-Identifier: GPL-2.0-only */
+
+/*
+ * Address of the MRC status byte in CMOS. Should be reserved
+ * in mainboards' cmos.layout and not covered by checksum.
+ */
+
+#if CONFIG(USE_OPTION_TABLE)
+#include "option_table.h"
+#if CMOS_VSTART_cbnt_cmos != CONFIG_INTEL_CBNT_CMOS_OFFSET * 8
+#error "CMOS start for CBNT CMOS is not correct, check your cmos.layout"
+#endif
+#if CMOS_VLEN_cbnt_cmos != 16
+#error "CMOS length for CBNT CMOS bytes are not correct, check your cmos.layout"
+#endif
+#endif
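Review bot: Nothing in the two `#if` checks enforces the requirement, stated in the file comment and in the Kconfig help, that the CBNT bytes stay outside the CMOS checksum; they only pin the start bit and the 16-bit length of the `cbnt_cmos` entry. A layout that places those bytes inside the checksummed range would still build, and any later change to them would presumably invalidate the option checksum. Consider a third check against the checksum range from the generated header, e.g. `#if CONFIG_INTEL_CBNT_CMOS_OFFSET + 1 >= LB_CKS_RANGE_START && CONFIG_INTEL_CBNT_CMOS_OFFSET <= LB_CKS_RANGE_END` followed by an `#error` (macro names and byte units to be confirmed against `option_table.h`). The header comment also still reads `Address of the MRC status byte in CMOS`, which looks copied from another file; `Build-time check that the two CBNT bytes in RTC CMOS match the cbnt_cmos entry in cmos.layout` would describe this one.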