security/intel/cbnt: Add options to generate BPM from Kconfig

Use Kconfig options to set BPM fields. Change-Id: I9f5ffa0f692b06265f992b07a44763ff1aa8dfa7 Signed-off-by: Arthur Heymans <arthur@aheymans.xyz> Reviewed-on: https://review.coreboot.org/c/coreboot/+/50928 Tested-by: build bot (Jenkins) <no-reply@coreboot.org> Reviewed-by: Angel Pons <th3fanbus@gmail.com>
2021-02-19 19:39:56 +01:00 · 2021-02-19 19:39:56 +01:00 · 3d5319eb5a
parent 83a55930dd
commit 3d5319eb5a
2 changed files with 96 additions and 1 deletions
--- a/src/security/intel/cbnt/Kconfig
+++ b/src/security/intel/cbnt/Kconfig
@ -68,9 +68,17 @@ config INTEL_CBNT_BPM_ONLY_UNSIGNED
 	  "$ ifittool -r COREBOOT -a -n boot_policy_manifest.bin -t 12 -s 12 -f build/coreboot.rom"
 	  '-s 12' where 12 is CONFIG_CPU_INTEL_NUM_FIT_ENTRIES.

+config INTEL_CBNT_BG_PROV_BPM_USE_CFG_FILE
+	bool "BPM: use a CBnT json config file"
+	depends on INTEL_CBNT_GENERATE_BPM
+	default y
+	help
+	  Select y to generate BPM from a json config file.
+	  Select n to generate BPM from Kconfig options
+
 config INTEL_CBNT_BG_PROV_CFG_FILE
 	string "CBnT json config file"
-	depends on INTEL_CBNT_BG_PROV_KM_USE_CFG_FILE || INTEL_CBNT_GENERATE_BPM
+	depends on INTEL_CBNT_BG_PROV_KM_USE_CFG_FILE || INTEL_CBNT_BG_PROV_BPM_USE_CFG_FILE
 	help
 	  Location of the bg-prov json config file.
 	  Either get a sample JSON config file:
@ -153,6 +161,67 @@ endmenu

 endif # !INTEL_CBNT_BG_PROV_KM_USE_CFG_FILE

+if !INTEL_CBNT_BG_PROV_BPM_USE_CFG_FILE && INTEL_CBNT_GENERATE_BPM
+menu "BPM options"
+
+config INTEL_CBNT_BPM_REVISION
+	int "BPM revision"
+	default 1
+	help
+	  Version of the Key Manifest defined by the Platform Manufacturer.
+	  The actual value is transparent to Boot Guard and is not processed by Boot Guard.
+
+config INTEL_CBNT_BPM_SVN
+	int "BPM Security Version Number"
+	default 0
+	help
+	  This value is determined by the Platform Manufacturer.
+
+config INTEL_CBNT_ACM_SVN
+	int "S-ACM Security Version Number"
+	default 2
+	help
+	  This defines the minimum version the S-ACM must have.
+
+config INTEL_CBNT_NUM_NEM_PAGES
+	int
+	default 32
+	help
+	  Set the amount of 4K pages of CAR required.
+
+config INTEL_CBNT_PBET
+	int "PBET value in s"
+	default 15
+	help
+	  Protect BIOS Environment Timer (PBET) value.
+	  Factor used by CSE to compute PBE timer value.
+	  Actual PBE timer value is set by CSE using formula:
+	  PBE timer value = 5 sec + PBETValue.
+
+config INTEL_CBNT_IBB_FLAGS
+	int "IBB flags"
+	default 7
+	help
+	  IBB Control flags.
+	  3: Don't extend PCR 0
+	  7: extend PCR 7
+
+config INTEL_CBNT_SINIT_SVN
+	int "SINIT ACM security version number"
+	default 0
+	help
+	  Minimum required version for the SINIT ACM.
+
+config INTEL_CBNT_PD_INTERVAL
+	int
+	default 60
+	help
+	  Duration of Power Down in 5 sec increments.
+
+endmenu
+
+endif # !INTEL_CBNT_BG_PROV_BPM_USE_CFG_FILE
+
 config INTEL_CBNT_KEY_MANIFEST_BINARY
 	string "KM (Key Manifest) binary location"
 	depends on !INTEL_CBNT_GENERATE_KM
--- a/src/security/intel/cbnt/Makefile.inc
+++ b/src/security/intel/cbnt/Makefile.inc
@ -34,9 +34,35 @@ $(CBNT_CFG): $(call strip_quotes, $(CONFIG_INTEL_CBNT_BG_PROV_CFG_FILE))
 	cp $(CONFIG_INTEL_CBNT_BG_PROV_CFG_FILE) $@

 ifeq ($(CONFIG_INTEL_CBNT_GENERATE_BPM),y)
+ifeq ($(CONFIG_INTEL_CBNT_BG_PROV_BPM_USE_CFG_FILE),y)
 $(obj)/bpm_unsigned.bin: $(obj)/coreboot.rom $(BG_PROV) $(CBNT_CFG)
 	printf "    BG_PROV    creating unsigned BPM using config file\n"
 	$(BG_PROV) bpm-gen $@ $< --config=$(CBNT_CFG) --cut
+else
+$(obj)/bpm_unsigned.bin: $(obj)/coreboot.rom $(BG_PROV)
+	printf "    BG_PROV    creating unsigned BPM\n"
+	# SHA256, SHA1, SHA384 for digest
+	$(BG_PROV) bpm-gen $@ $< --revision=$(CONFIG_INTEL_CBNT_BPM_REVISION) \
+				 --svn=$(CONFIG_INTEL_CBNT_BPM_SVN) \
+				 --acmsvn=$(CONFIG_INTEL_CBNT_ACM_SVN) \
+				 --nems=$(CONFIG_INTEL_CBNT_NUM_NEM_PAGES) \
+				 --pbet=$(CONFIG_INTEL_CBNT_PBET) \
+				 --ibbflags=$(CONFIG_INTEL_CBNT_IBB_FLAGS) \
+				 --entrypoint=$(shell printf "%d" 0xfffffff0) \
+				 --ibbhash={11,4,12} \
+				 --ibbsegbase=$(call int-add, $(call int-subtract, 0xffffffff $(CONFIG_C_ENV_BOOTBLOCK_SIZE)) 1) \
+				 --ibbsegsize=$(shell printf "%d" $(CONFIG_C_ENV_BOOTBLOCK_SIZE)) \
+				 --ibbsegflag=0 \
+				 --sintmin=$(CONFIG_INTEL_CBNT_SINIT_SVN) \
+				 --txtflags=0 \
+				 --powerdowninterval=$(CONFIG_INTEL_CBNT_PD_INTERVAL) \
+				 --acpibaseoffset=$(shell printf "%d" $(CONFIG_INTEL_ACPI_BASE_ADDRESS)) \
+				 --powermbaseoffset=$(shell printf "%d" $(CONFIG_INTEL_PCH_PWRM_BASE_ADDRESS)) \
+				 --cmosoff0=$(shell printf "%d" $(CONFIG_INTEL_CBNT_CMOS_OFFSET)) \
+				 --cmosoff1=$(call int-add, $(CONFIG_INTEL_CBNT_CMOS_OFFSET) 1) \
+				 --cut \
+				 --out=$(obj)/bpm_cfg.json
+endif

 ifeq ($(CONFIG_INTEL_CBNT_BPM_ONLY_UNSIGNED),y)
 build_complete:: $(obj)/bpm_unsigned.bin