security/intel/cbnt: Add an option to generate an unsigned KM
This is useful if you have external infrastructure to sign KM. Change-Id: If5e9306366230b75d97e4e1fb271bcd7615abd5f Signed-off-by: Arthur Heymans <arthur@aheymans.xyz> Reviewed-on: https://review.coreboot.org/c/coreboot/+/51572 Reviewed-by: Christian Walter <christian.walter@9elements.com> Reviewed-by: Angel Pons <th3fanbus@gmail.com> Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
This commit is contained in:
parent
f1d196c489
commit
5e0119eaf6
|
@ -20,12 +20,25 @@ config INTEL_CBNT_GENERATE_KM
|
||||||
bool "Generate Key Manifest (KM)"
|
bool "Generate Key Manifest (KM)"
|
||||||
default y
|
default y
|
||||||
select INTEL_CBNT_NEED_KM_PUB_KEY
|
select INTEL_CBNT_NEED_KM_PUB_KEY
|
||||||
select INTEL_CBNT_NEED_KM_PRIV_KEY
|
select INTEL_CBNT_NEED_KM_PRIV_KEY if !INTEL_CBNT_KM_ONLY_UNSIGNED
|
||||||
select INTEL_CBNT_NEED_BPM_PUB_KEY if !INTEL_CBNT_BG_PROV_KM_USE_CFG_FILE
|
select INTEL_CBNT_NEED_BPM_PUB_KEY if !INTEL_CBNT_BG_PROV_KM_USE_CFG_FILE
|
||||||
help
|
help
|
||||||
Select y to generate the Key Manifest (KM).
|
Select y to generate the Key Manifest (KM).
|
||||||
Select n to include a KM binary.
|
Select n to include a KM binary.
|
||||||
|
|
||||||
|
config INTEL_CBNT_KM_ONLY_UNSIGNED
|
||||||
|
bool "Only unsigned key manifest (KM)"
|
||||||
|
depends on INTEL_CBNT_GENERATE_KM
|
||||||
|
help
|
||||||
|
Skip signing the KM.
|
||||||
|
The resulting unsigned KM will be placed at build/km_unsigned.bin.
|
||||||
|
The resulting coreboot image will not be functional with CBnT.
|
||||||
|
After the unsigned KM is signed externally you can either rebuild
|
||||||
|
coreboot using that binary or add it to cbfs and fit:
|
||||||
|
"$ cbfstool build/coreboot.rom add -f km.bin -n key_manifest.bin -t raw -a 16"
|
||||||
|
"$ ifittool -r COREBOOT -a -n key_manifest.bin -t 11 -s 12 -f build/coreboot.rom"
|
||||||
|
'-s 12' where 12 is CONFIG_CPU_INTEL_NUM_FIT_ENTRIES.
|
||||||
|
|
||||||
config INTEL_CBNT_BG_PROV_KM_USE_CFG_FILE
|
config INTEL_CBNT_BG_PROV_KM_USE_CFG_FILE
|
||||||
bool "KM: use a CBnT json config file"
|
bool "KM: use a CBnT json config file"
|
||||||
depends on INTEL_CBNT_GENERATE_KM
|
depends on INTEL_CBNT_GENERATE_KM
|
||||||
|
|
|
@ -71,6 +71,19 @@ KM_FILE=$(CONFIG_INTEL_CBNT_KEY_MANIFEST_BINARY)
|
||||||
endif
|
endif
|
||||||
|
|
||||||
ifneq ($(KM_FILE),"")
|
ifneq ($(KM_FILE),"")
|
||||||
|
ifeq ($(CONFIG_INTEL_CBNT_KM_ONLY_UNSIGNED),y)
|
||||||
|
$(call add_intermediate, gen_unsigned_km, $(obj)/km_unsigned.bin)
|
||||||
|
@printf "Generating unsgined KM\n"
|
||||||
|
|
||||||
|
build_complete::
|
||||||
|
@printf "\n** WARNING **\n"
|
||||||
|
@printf "Build generated an unsigned KM image: build/km_unsiged.bin.\n"
|
||||||
|
@printf "The resulting image will not work with CBnT.\n"
|
||||||
|
@printf "After you have externally signed the image you can add it to the coreboot image:\n"
|
||||||
|
@printf "$$ cbfstool build/coreboot.rom add -f km.bin -n key_manifest.bin -t raw -a 16\n"
|
||||||
|
@printf "$$ ifittool -r COREBOOT -a -n key_manifest.bin -t 11 -s 12 -f build/coreboot.rom\n"
|
||||||
|
|
||||||
|
else
|
||||||
cbfs-files-y += key_manifest.bin
|
cbfs-files-y += key_manifest.bin
|
||||||
key_manifest.bin-file := $(KM_FILE)
|
key_manifest.bin-file := $(KM_FILE)
|
||||||
key_manifest.bin-type := raw
|
key_manifest.bin-type := raw
|
||||||
|
@ -80,4 +93,5 @@ $(call add_intermediate, add_km_fit, $(IFITTOOL) set_fit_ptr)
|
||||||
$(IFITTOOL) -r COREBOOT -a -n key_manifest.bin -t 11 -s $(CONFIG_CPU_INTEL_NUM_FIT_ENTRIES) -f $<
|
$(IFITTOOL) -r COREBOOT -a -n key_manifest.bin -t 11 -s $(CONFIG_CPU_INTEL_NUM_FIT_ENTRIES) -f $<
|
||||||
endif
|
endif
|
||||||
|
|
||||||
|
endif # CONFIG_INTEL_CBNT_KM_ONLY_UNSIGNED
|
||||||
endif # CONFIG_INTEL_CBNT_SUPPORT
|
endif # CONFIG_INTEL_CBNT_SUPPORT
|
||||||
|
|
Loading…
Reference in New Issue