diff --git a/Documentation/security/intel/txt.md b/Documentation/security/intel/txt.md
index f67b63942e..f80a731e81 100644
--- a/Documentation/security/intel/txt.md
+++ b/Documentation/security/intel/txt.md
@@ -90,11 +90,11 @@ correct state. If it's not the SINIT ACM will reset the platform. ## For developers ### Configuring Intel TXT in Kconfig -Enable ``TEE_INTEL_TXT`` and set the following: +Enable ``INTEL_TXT`` and set the following: -``TEE_INTEL_TXT_BIOSACM_FILE`` to the path of the BIOS ACM provided by Intel +``INTEL_TXT_BIOSACM_FILE`` to the path of the BIOS ACM provided by Intel -``TEE_INTEL_TXT_SINITACM_FILE`` to the path of the SINIT ACM provided by Intel +``INTEL_TXT_SINITACM_FILE`` to the path of the SINIT ACM provided by Intel ### Print TXT status as early as possible Add platform code to print the TXT status as early as possible, as the register is cleared on cold reset.
diff --git a/src/cpu/intel/fit/Kconfig b/src/cpu/intel/fit/Kconfig
index e48dca9f70..fa10802926 100644
--- a/src/cpu/intel/fit/Kconfig
+++ b/src/cpu/intel/fit/Kconfig
@@ -5,6 +5,7 @@ config CPU_INTEL_FIRMWARE_INTERFACE_TABLE config CPU_INTEL_NUM_FIT_ENTRIES int + default 16 if INTEL_TXT default 4 depends on CPU_INTEL_FIRMWARE_INTERFACE_TABLE help
diff --git a/src/security/Kconfig b/src/security/Kconfig
index 8a1531a08d..4e08bbd883 100644
--- a/src/security/Kconfig
+++ b/src/security/Kconfig
@@ -15,3 +15,4 @@ source "src/security/vboot/Kconfig" source "src/security/tpm/Kconfig" source "src/security/memory/Kconfig" +source "src/security/intel/Kconfig"
diff --git a/src/security/Makefile.inc b/src/security/Makefile.inc
index f62413e059..fd784385e6 100644
--- a/src/security/Makefile.inc
+++ b/src/security/Makefile.inc
@@ -1,3 +1,4 @@
 subdirs-y += vboot
 subdirs-y += tpm
 subdirs-y += memory
+subdirs-y += intel
diff --git a/src/security/intel/Kconfig b/src/security/intel/Kconfig
new file mode 100644
index 0000000000..333e3857ac
--- /dev/null
+++ b/src/security/intel/Kconfig
@@ -0,0 +1,20 @@
+## This file is part of the coreboot project.
+##
+## Copyright (C) 2019 9elements Agency GmbH
+## Copyright (C) 2019 Facebook Inc.
+##
+## This program is free software; you can redistribute it and/or modify
+## it under the terms of the GNU General Public License as published by
+## the Free Software Foundation; version 2 of the License.
+##
+## This program is distributed in the hope that it will be useful,
+## but WITHOUT ANY WARRANTY; without even the implied warranty of
+## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+## GNU General Public License for more details.
+##
+
+menu "Intel"
+
+source "src/security/intel/txt/Kconfig"
+
+endmenu # Intel
diff --git a/src/security/intel/Makefile.inc b/src/security/intel/Makefile.inc
new file mode 100644
index 0000000000..9388d3f798
--- /dev/null
+++ b/src/security/intel/Makefile.inc
@@ -0,0 +1 @@
+subdirs-y += txt
diff --git a/src/security/intel/txt/Kconfig b/src/security/intel/txt/Kconfig
new file mode 100644
index 0000000000..011a41cdc3
--- /dev/null
+++ b/src/security/intel/txt/Kconfig
@@ -0,0 +1,54 @@
+## This file is part of the coreboot project.
+##
+## Copyright (C) 2019 9elements Agency GmbH
+## Copyright (C) 2019 Facebook Inc.
+##
+## This program is free software; you can redistribute it and/or modify
+## it under the terms of the GNU General Public License as published by
+## the Free Software Foundation; version 2 of the License.
+##
+## This program is distributed in the hope that it will be useful,
+## but WITHOUT ANY WARRANTY; without even the implied warranty of
+## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+## GNU General Public License for more details.
+##
+
+config INTEL_TXT
+ bool "Intel TXT support"
+ default n
+ select MRC_SETTINGS_PROTECT if CACHE_MRC_SETTINGS
+ select ENABLE_VMX if CPU_INTEL_COMMON
+ select AP_IN_SIPI_WAIT
+ depends on (TPM1 || TPM2)
+ depends on CPU_INTEL_FIRMWARE_INTERFACE_TABLE
+ depends on PLATFORM_HAS_DRAM_CLEAR
+ depends on SOC_INTEL_FSP_BROADWELL_DE || SOC_INTEL_COMMON_BLOCK_SA
+
+if INTEL_TXT
+
+config INTEL_TXT_BIOSACM_FILE
+ string "BIOS ACM file"
+ default "3rdparty/blobs/soc/intel/fsp_broadwell_de/biosacm.bin" if SOC_INTEL_FSP_BROADWELL_DE
+ default "3rdparty/blobs/soc/intel/skylake/biosacm.bin" if SOC_INTEL_COMMON_SKYLAKE_BASE
+ help
+ Intel TXT BIOS ACM file. This file can be obtained by privileged
+ access to Intel resources. Or for some platforms found inside the
+ blob repository.
+
+config INTEL_TXT_SINITACM_FILE
+ string "SINIT ACM file"
+ default "3rdparty/blobs/soc/intel/fsp_broadwell_de/sinitacm.bin" if SOC_INTEL_FSP_BROADWELL_DE
+ default "3rdparty/blobs/soc/intel/skylake/sinitacm.bin" if SOC_INTEL_COMMON_SKYLAKE_BASE
+ help
+ Intel TXT SINIT ACM file. This file can be obtained by privileged
+ access to Intel resources. Or for some platforms found inside the
+ blob repository.
+
+config INTEL_TXT_BIOSACM_ALIGNMENT
+ hex
+ default 0x20000 # 128KB
+ help
+ Exceptions are Ivy- and Sandy Bridge with 64KB and Purely with 256KB
+ alignment size.
Please overwrite it SoC specific.
+
+endif
diff --git a/src/security/intel/txt/Makefile.inc b/src/security/intel/txt/Makefile.inc
new file mode 100644
index 0000000000..d24026ae62
--- /dev/null
+++ b/src/security/intel/txt/Makefile.inc
@@ -0,0 +1,20 @@
+ifeq ($(CONFIG_INTEL_TXT),y)
+
+cbfs-files-y += txt_bios_acm.bin
+txt_bios_acm.bin-file := $(CONFIG_INTEL_TXT_BIOSACM_FILE)
+txt_bios_acm.bin-type := raw
+txt_bios_acm.bin-align := $(CONFIG_INTEL_TXT_BIOSACM_ALIGNMENT)
+
+ifneq ($(CONFIG_INTEL_TXT_SINITACM_FILE),"")
+cbfs-files-y += txt_sinit_acm.bin
+txt_sinit_acm.bin-file := $(CONFIG_INTEL_TXT_SINITACM_FILE)
+txt_sinit_acm.bin-type := raw
+txt_sinit_acm.bin-align := 0x10
+txt_sinit_acm.bin-compression := lzma
+endif
+
+INTERMEDIATE+=add_acm_fit
+add_acm_fit: $(obj)/coreboot.pre $(IFITTOOL)
+ $(IFITTOOL) -r COREBOOT -a -n txt_bios_acm.bin -t 2 -s $(CONFIG_CPU_INTEL_NUM_FIT_ENTRIES) -f $<
+
+endif
diff --git a/src/soc/intel/cannonlake/Kconfig b/src/soc/intel/cannonlake/Kconfig
index a0107d5763..d949fffc79 100644
--- a/src/soc/intel/cannonlake/Kconfig
+++ b/src/soc/intel/cannonlake/Kconfig
@@ -318,4 +318,8 @@ config PRERAM_CBMEM_CONSOLE_SIZE hex default 0xe00 +config INTEL_TXT_BIOSACM_ALIGNMENT + hex + default 0x40000 # 256KB + endif
diff --git a/src/soc/intel/skylake/Kconfig b/src/soc/intel/skylake/Kconfig
index 13c15173b5..9cb8d450a3 100644
--- a/src/soc/intel/skylake/Kconfig
+++ b/src/soc/intel/skylake/Kconfig
@@ -302,4 +302,8 @@ config IFD_CHIPSET string default "sklkbl" +config INTEL_TXT_BIOSACM_ALIGNMENT + hex + default 0x40000 # 256KB + endif
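Review bot: `config INTEL_TXT` in src/security/intel/txt/Kconfig has no `help` text, although enabling it selects `MRC_SETTINGS_PROTECT`, `ENABLE_VMX` and `AP_IN_SIPI_WAIT` and requires a TPM and `PLATFORM_HAS_DRAM_CLEAR`. A short help entry saying that the option adds the BIOS and SINIT ACMs to CBFS and registers the BIOS ACM in the FIT would tell integrators what they are turning on. The help for `INTEL_TXT_BIOSACM_ALIGNMENT` lists exceptions without saying what the value is; it could open with `Alignment of the BIOS ACM in CBFS; defaults to 128KB.` Its exception list names only Ivy Bridge, Sandy Bridge and "Purely" (probably meant as Purley), while the Skylake and Cannonlake hunks of this same commit set 256KB, so the list should mention them or point to the SoC Kconfig. `default n` is redundant for a bool and can be dropped.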
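Review bot: In src/security/intel/txt/Makefile.inc the SINIT ACM is skipped when its path is `""`, but `txt_bios_acm.bin` and the `add_acm_fit` step are emitted unconditionally, while `INTEL_TXT_BIOSACM_FILE` has defaults only for Broadwell-DE and Skylake. On other SoCs admitted through `SOC_INTEL_COMMON_BLOCK_SA` (apparently including Cannonlake, for which this commit adds an alignment override) the path stays empty unless the user sets it, and the failure will presumably surface late as a CBFS or ifittool error rather than as a configuration error. I would fail early, right after the opening `ifeq`: `ifeq ($(CONFIG_INTEL_TXT_BIOSACM_FILE),"")` / `$(error INTEL_TXT needs INTEL_TXT_BIOSACM_FILE to be set)` / `endif`. The literal `-t 2` would also read better with a comment above the rule such as `# FIT entry type 2: startup ACM (BIOS ACM)`.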