GNUBoot
/
coreboot-kgpe-d16
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

security/intel/cbnt: Add options to generate BPM from Kconfig 

Use Kconfig options to set BPM fields.

Change-Id: I9f5ffa0f692b06265f992b07a44763ff1aa8dfa7
Signed-off-by: Arthur Heymans <arthur@aheymans.xyz>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/50928
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Angel Pons <th3fanbus@gmail.com>
This commit is contained in:
Arthur Heymans 2021-02-19 19:39:56 +01:00
parent 83a55930dd
commit 3d5319eb5a
2 changed files with 96 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

71
src/security/intel/cbnt/Kconfig
View File

@ -68,9 +68,17 @@ config INTEL_CBNT_BPM_ONLY_UNSIGNED
"$ ifittool -r COREBOOT -a -n boot_policy_manifest.bin -t 12 -s 12 -f build/coreboot.rom" "$ ifittool -r COREBOOT -a -n boot_policy_manifest.bin -t 12 -s 12 -f build/coreboot.rom"
'-s 12' where 12 is CONFIG_CPU_INTEL_NUM_FIT_ENTRIES. '-s 12' where 12 is CONFIG_CPU_INTEL_NUM_FIT_ENTRIES.
config INTEL_CBNT_BG_PROV_BPM_USE_CFG_FILE
bool "BPM: use a CBnT json config file"
depends on INTEL_CBNT_GENERATE_BPM
default y
help
Select y to generate BPM from a json config file.
Select n to generate BPM from Kconfig options
config INTEL_CBNT_BG_PROV_CFG_FILE config INTEL_CBNT_BG_PROV_CFG_FILE
string "CBnT json config file" string "CBnT json config file"
depends on INTEL_CBNT_BG_PROV_KM_USE_CFG_FILE || INTEL_CBNT_GENERATE_BPM depends on INTEL_CBNT_BG_PROV_KM_USE_CFG_FILE || INTEL_CBNT_BG_PROV_BPM_USE_CFG_FILE
help help
Location of the bg-prov json config file. Location of the bg-prov json config file.
Either get a sample JSON config file: Either get a sample JSON config file:
@ -153,6 +161,67 @@ endmenu
endif # !INTEL_CBNT_BG_PROV_KM_USE_CFG_FILE endif # !INTEL_CBNT_BG_PROV_KM_USE_CFG_FILE
if !INTEL_CBNT_BG_PROV_BPM_USE_CFG_FILE && INTEL_CBNT_GENERATE_BPM
menu "BPM options"
config INTEL_CBNT_BPM_REVISION
int "BPM revision"
default 1
help
Version of the Key Manifest defined by the Platform Manufacturer.
The actual value is transparent to Boot Guard and is not processed by Boot Guard.
config INTEL_CBNT_BPM_SVN
int "BPM Security Version Number"
default 0
help
This value is determined by the Platform Manufacturer.
config INTEL_CBNT_ACM_SVN
int "S-ACM Security Version Number"
default 2
help
This defines the minimum version the S-ACM must have.
config INTEL_CBNT_NUM_NEM_PAGES
int
default 32
help
Set the amount of 4K pages of CAR required.
config INTEL_CBNT_PBET
int "PBET value in s"
default 15
help
Protect BIOS Environment Timer (PBET) value.
Factor used by CSE to compute PBE timer value.
Actual PBE timer value is set by CSE using formula:
PBE timer value = 5 sec + PBETValue.
config INTEL_CBNT_IBB_FLAGS
int "IBB flags"
default 7
help
IBB Control flags.
3: Don't extend PCR 0
7: extend PCR 7
config INTEL_CBNT_SINIT_SVN
int "SINIT ACM security version number"
default 0
help
Minimum required version for the SINIT ACM.
config INTEL_CBNT_PD_INTERVAL
int
default 60
help
Duration of Power Down in 5 sec increments.
endmenu
endif # !INTEL_CBNT_BG_PROV_BPM_USE_CFG_FILE
config INTEL_CBNT_KEY_MANIFEST_BINARY config INTEL_CBNT_KEY_MANIFEST_BINARY
string "KM (Key Manifest) binary location" string "KM (Key Manifest) binary location"
depends on !INTEL_CBNT_GENERATE_KM depends on !INTEL_CBNT_GENERATE_KM

26
src/security/intel/cbnt/Makefile.inc
View File

@ -34,9 +34,35 @@ $(CBNT_CFG): $(call strip_quotes, $(CONFIG_INTEL_CBNT_BG_PROV_CFG_FILE))
cp $(CONFIG_INTEL_CBNT_BG_PROV_CFG_FILE) $@ cp $(CONFIG_INTEL_CBNT_BG_PROV_CFG_FILE) $@
ifeq ($(CONFIG_INTEL_CBNT_GENERATE_BPM),y) ifeq ($(CONFIG_INTEL_CBNT_GENERATE_BPM),y)
ifeq ($(CONFIG_INTEL_CBNT_BG_PROV_BPM_USE_CFG_FILE),y)
$(obj)/bpm_unsigned.bin: $(obj)/coreboot.rom $(BG_PROV) $(CBNT_CFG) $(obj)/bpm_unsigned.bin: $(obj)/coreboot.rom $(BG_PROV) $(CBNT_CFG)
printf " BG_PROV creating unsigned BPM using config file\n" printf " BG_PROV creating unsigned BPM using config file\n"
$(BG_PROV) bpm-gen $@ $< --config=$(CBNT_CFG) --cut $(BG_PROV) bpm-gen $@ $< --config=$(CBNT_CFG) --cut
else
$(obj)/bpm_unsigned.bin: $(obj)/coreboot.rom $(BG_PROV)
printf " BG_PROV creating unsigned BPM\n"
# SHA256, SHA1, SHA384 for digest
$(BG_PROV) bpm-gen $@ $< --revision=$(CONFIG_INTEL_CBNT_BPM_REVISION) \
--svn=$(CONFIG_INTEL_CBNT_BPM_SVN) \
--acmsvn=$(CONFIG_INTEL_CBNT_ACM_SVN) \
--nems=$(CONFIG_INTEL_CBNT_NUM_NEM_PAGES) \
--pbet=$(CONFIG_INTEL_CBNT_PBET) \
--ibbflags=$(CONFIG_INTEL_CBNT_IBB_FLAGS) \
--entrypoint=$(shell printf "%d" 0xfffffff0) \
--ibbhash={11,4,12} \
--ibbsegbase=$(call int-add, $(call int-subtract, 0xffffffff $(CONFIG_C_ENV_BOOTBLOCK_SIZE)) 1) \
--ibbsegsize=$(shell printf "%d" $(CONFIG_C_ENV_BOOTBLOCK_SIZE)) \
--ibbsegflag=0 \
--sintmin=$(CONFIG_INTEL_CBNT_SINIT_SVN) \
--txtflags=0 \
--powerdowninterval=$(CONFIG_INTEL_CBNT_PD_INTERVAL) \
--acpibaseoffset=$(shell printf "%d" $(CONFIG_INTEL_ACPI_BASE_ADDRESS)) \
--powermbaseoffset=$(shell printf "%d" $(CONFIG_INTEL_PCH_PWRM_BASE_ADDRESS)) \
--cmosoff0=$(shell printf "%d" $(CONFIG_INTEL_CBNT_CMOS_OFFSET)) \
--cmosoff1=$(call int-add, $(CONFIG_INTEL_CBNT_CMOS_OFFSET) 1) \
--cut \
--out=$(obj)/bpm_cfg.json
endif
ifeq ($(CONFIG_INTEL_CBNT_BPM_ONLY_UNSIGNED),y) ifeq ($(CONFIG_INTEL_CBNT_BPM_ONLY_UNSIGNED),y)
build_complete:: $(obj)/bpm_unsigned.bin build_complete:: $(obj)/bpm_unsigned.bin