security/intel/cbnt: Add an option to generate an unsigned KM

This is useful if you have external infrastructure to sign KM.

Change-Id: If5e9306366230b75d97e4e1fb271bcd7615abd5f
Signed-off-by: Arthur Heymans <arthur@aheymans.xyz>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/51572
Reviewed-by: Christian Walter <christian.walter@9elements.com>
Reviewed-by: Angel Pons <th3fanbus@gmail.com>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
This commit is contained in:
Arthur Heymans 2021-03-17 12:03:39 +01:00
parent f1d196c489
commit 5e0119eaf6
2 changed files with 28 additions and 1 deletions

View File

@ -20,12 +20,25 @@ config INTEL_CBNT_GENERATE_KM
bool "Generate Key Manifest (KM)" bool "Generate Key Manifest (KM)"
default y default y
select INTEL_CBNT_NEED_KM_PUB_KEY select INTEL_CBNT_NEED_KM_PUB_KEY
select INTEL_CBNT_NEED_KM_PRIV_KEY select INTEL_CBNT_NEED_KM_PRIV_KEY if !INTEL_CBNT_KM_ONLY_UNSIGNED
select INTEL_CBNT_NEED_BPM_PUB_KEY if !INTEL_CBNT_BG_PROV_KM_USE_CFG_FILE select INTEL_CBNT_NEED_BPM_PUB_KEY if !INTEL_CBNT_BG_PROV_KM_USE_CFG_FILE
help help
Select y to generate the Key Manifest (KM). Select y to generate the Key Manifest (KM).
Select n to include a KM binary. Select n to include a KM binary.
config INTEL_CBNT_KM_ONLY_UNSIGNED
bool "Only unsigned key manifest (KM)"
depends on INTEL_CBNT_GENERATE_KM
help
Skip signing the KM.
The resulting unsigned KM will be placed at build/km_unsigned.bin.
The resulting coreboot image will not be functional with CBnT.
After the unsigned KM is signed externally you can either rebuild
coreboot using that binary or add it to cbfs and fit:
"$ cbfstool build/coreboot.rom add -f km.bin -n key_manifest.bin -t raw -a 16"
"$ ifittool -r COREBOOT -a -n key_manifest.bin -t 11 -s 12 -f build/coreboot.rom"
'-s 12' where 12 is CONFIG_CPU_INTEL_NUM_FIT_ENTRIES.
config INTEL_CBNT_BG_PROV_KM_USE_CFG_FILE config INTEL_CBNT_BG_PROV_KM_USE_CFG_FILE
bool "KM: use a CBnT json config file" bool "KM: use a CBnT json config file"
depends on INTEL_CBNT_GENERATE_KM depends on INTEL_CBNT_GENERATE_KM

View File

@ -71,6 +71,19 @@ KM_FILE=$(CONFIG_INTEL_CBNT_KEY_MANIFEST_BINARY)
endif endif
ifneq ($(KM_FILE),"") ifneq ($(KM_FILE),"")
ifeq ($(CONFIG_INTEL_CBNT_KM_ONLY_UNSIGNED),y)
$(call add_intermediate, gen_unsigned_km, $(obj)/km_unsigned.bin)
@printf "Generating unsgined KM\n"
build_complete::
@printf "\n** WARNING **\n"
@printf "Build generated an unsigned KM image: build/km_unsiged.bin.\n"
@printf "The resulting image will not work with CBnT.\n"
@printf "After you have externally signed the image you can add it to the coreboot image:\n"
@printf "$$ cbfstool build/coreboot.rom add -f km.bin -n key_manifest.bin -t raw -a 16\n"
@printf "$$ ifittool -r COREBOOT -a -n key_manifest.bin -t 11 -s 12 -f build/coreboot.rom\n"
else
cbfs-files-y += key_manifest.bin cbfs-files-y += key_manifest.bin
key_manifest.bin-file := $(KM_FILE) key_manifest.bin-file := $(KM_FILE)
key_manifest.bin-type := raw key_manifest.bin-type := raw
@ -80,4 +93,5 @@ $(call add_intermediate, add_km_fit, $(IFITTOOL) set_fit_ptr)
$(IFITTOOL) -r COREBOOT -a -n key_manifest.bin -t 11 -s $(CONFIG_CPU_INTEL_NUM_FIT_ENTRIES) -f $< $(IFITTOOL) -r COREBOOT -a -n key_manifest.bin -t 11 -s $(CONFIG_CPU_INTEL_NUM_FIT_ENTRIES) -f $<
endif endif
endif # CONFIG_INTEL_CBNT_KM_ONLY_UNSIGNED
endif # CONFIG_INTEL_CBNT_SUPPORT endif # CONFIG_INTEL_CBNT_SUPPORT