security/intel: Add TXT infrastructure
* Add Kconfig to enable TXT
* Add the ability to add BIOS and SINIT ACMs
* Set default BIOS ACM alignment
* Increase FIT space if TXT is enabled

The following commits depend on this basic Kconfig infrastructure. Intel TXT isn't supported until all of the following commits are merged.

Change-Id: I5f0f956d2b7ba43d4e7e0062803c6d8ba569a052 Signed-off-by: Patrick Rudolph <patrick.rudolph@9elements.com> Reviewed-on: https://review.coreboot.org/c/coreboot/+/34585 Tested-by: build bot (Jenkins) <no-reply@coreboot.org> Reviewed-by: David Hendricks <david.hendricks@gmail.com>
parent
d947c691bc
commit
5fffb5e30d
@ -90,11 +90,11 @@ correct state. If it's not the SINIT ACM will reset the platform.
|
||||||
|
|
||||||
## For developers
|
## For developers
|
||||||
### Configuring Intel TXT in Kconfig
|
### Configuring Intel TXT in Kconfig
|
||||||
Enable ``TEE_INTEL_TXT`` and set the following:
|
Enable ``INTEL_TXT`` and set the following:
|
||||||
|
|
||||||
``TEE_INTEL_TXT_BIOSACM_FILE`` to the path of the BIOS ACM provided by Intel
|
``INTEL_TXT_BIOSACM_FILE`` to the path of the BIOS ACM provided by Intel
|
||||||
|
|
||||||
``TEE_INTEL_TXT_SINITACM_FILE`` to the path of the SINIT ACM provided by Intel
|
``INTEL_TXT_SINITACM_FILE`` to the path of the SINIT ACM provided by Intel
|
||||||
### Print TXT status as early as possible
|
### Print TXT status as early as possible
|
||||||
Add platform code to print the TXT status as early as possible, as the register
|
Add platform code to print the TXT status as early as possible, as the register
|
||||||
is cleared on cold reset.
|
is cleared on cold reset.
|
||||||
|
|
|
@ -5,6 +5,7 @@ config CPU_INTEL_FIRMWARE_INTERFACE_TABLE
|
||||||
|
|
||||||
config CPU_INTEL_NUM_FIT_ENTRIES
|
config CPU_INTEL_NUM_FIT_ENTRIES
|
||||||
int
|
int
|
||||||
|
default 16 if INTEL_TXT
|
||||||
default 4
|
default 4
|
||||||
depends on CPU_INTEL_FIRMWARE_INTERFACE_TABLE
|
depends on CPU_INTEL_FIRMWARE_INTERFACE_TABLE
|
||||||
help
|
help
|
||||||
|
|
|
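Review bot: The new `default 16 if INTEL_TXT` quadruples the FIT entry count, but nothing in the hunk says why 16 is needed when the accompanying Makefile only registers one type-2 (BIOS ACM) entry via ifittool; the help text begins at the end of the hunk and continues outside it, so the reason may be there. If it is not, a one-line comment above the default, `# TXT adds the BIOS ACM FIT entry (type 2); keep headroom for the other entries the platform registers`, would stop the next reader from lowering it back. The value itself (16 vs. 4) is not something I can check from the hunk; stating the rationale is the point.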
@ -15,3 +15,4 @@
|
||||||
source "src/security/vboot/Kconfig"
|
source "src/security/vboot/Kconfig"
|
||||||
source "src/security/tpm/Kconfig"
|
source "src/security/tpm/Kconfig"
|
||||||
source "src/security/memory/Kconfig"
|
source "src/security/memory/Kconfig"
|
||||||
|
source "src/security/intel/Kconfig"
|
||||||
|
|
|
@ -1,3 +1,4 @@
|
||||||
subdirs-y += vboot
|
subdirs-y += vboot
|
||||||
subdirs-y += tpm
|
subdirs-y += tpm
|
||||||
subdirs-y += memory
|
subdirs-y += memory
|
||||||
|
subdirs-y += intel
|
||||||
|
|
|
@ -0,0 +1,20 @@
|
||||||
|
## This file is part of the coreboot project.
|
||||||
|
##
|
||||||
|
## Copyright (C) 2019 9elements Agency GmbH
|
||||||
|
## Copyright (C) 2019 Facebook Inc.
|
||||||
|
##
|
||||||
|
## This program is free software; you can redistribute it and/or modify
|
||||||
|
## it under the terms of the GNU General Public License as published by
|
||||||
|
## the Free Software Foundation; version 2 of the License.
|
||||||
|
##
|
||||||
|
## This program is distributed in the hope that it will be useful,
|
||||||
|
## but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||||
|
## GNU General Public License for more details.
|
||||||
|
##
|
||||||
|
|
||||||
|
menu "Intel"
|
||||||
|
|
||||||
|
source "src/security/intel/txt/Kconfig"
|
||||||
|
|
||||||
|
endmenu # Intel
|
|
@ -0,0 +1 @@
|
||||||
|
subdirs-y += txt
|
|
@ -0,0 +1,54 @@
|
||||||
|
## This file is part of the coreboot project.
|
||||||
|
##
|
||||||
|
## Copyright (C) 2019 9elements Agency GmbH
|
||||||
|
## Copyright (C) 2019 Facebook Inc.
|
||||||
|
##
|
||||||
|
## This program is free software; you can redistribute it and/or modify
|
||||||
|
## it under the terms of the GNU General Public License as published by
|
||||||
|
## the Free Software Foundation; version 2 of the License.
|
||||||
|
##
|
||||||
|
## This program is distributed in the hope that it will be useful,
|
||||||
|
## but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||||
|
## GNU General Public License for more details.
|
||||||
|
##
|
||||||
|
|
||||||
|
config INTEL_TXT
|
||||||
|
bool "Intel TXT support"
|
||||||
|
default n
|
||||||
|
select MRC_SETTINGS_PROTECT if CACHE_MRC_SETTINGS
|
||||||
|
select ENABLE_VMX if CPU_INTEL_COMMON
|
||||||
|
select AP_IN_SIPI_WAIT
|
||||||
|
depends on (TPM1 || TPM2)
|
||||||
|
depends on CPU_INTEL_FIRMWARE_INTERFACE_TABLE
|
||||||
|
depends on PLATFORM_HAS_DRAM_CLEAR
|
||||||
|
depends on SOC_INTEL_FSP_BROADWELL_DE || SOC_INTEL_COMMON_BLOCK_SA
|
||||||
|
|
||||||
|
if INTEL_TXT
|
||||||
|
|
||||||
|
config INTEL_TXT_BIOSACM_FILE
|
||||||
|
string "BIOS ACM file"
|
||||||
|
default "3rdparty/blobs/soc/intel/fsp_broadwell_de/biosacm.bin" if SOC_INTEL_FSP_BROADWELL_DE
|
||||||
|
default "3rdparty/blobs/soc/intel/skylake/biosacm.bin" if SOC_INTEL_COMMON_SKYLAKE_BASE
|
||||||
|
help
|
||||||
|
Intel TXT BIOS ACM file. This file can be obtained by privileged
|
||||||
|
access to Intel resources. Or for some platforms found inside the
|
||||||
|
blob repository.
|
||||||
|
|
||||||
|
config INTEL_TXT_SINITACM_FILE
|
||||||
|
string "SINIT ACM file"
|
||||||
|
default "3rdparty/blobs/soc/intel/fsp_broadwell_de/sinitacm.bin" if SOC_INTEL_FSP_BROADWELL_DE
|
||||||
|
default "3rdparty/blobs/soc/intel/skylake/sinitacm.bin" if SOC_INTEL_COMMON_SKYLAKE_BASE
|
||||||
|
help
|
||||||
|
Intel TXT SINIT ACM file. This file can be obtained by privileged
|
||||||
|
access to Intel resources. Or for some platforms found inside the
|
||||||
|
blob repository.
|
||||||
|
|
||||||
|
config INTEL_TXT_BIOSACM_ALIGNMENT
|
||||||
|
hex
|
||||||
|
default 0x20000 # 128KB
|
||||||
|
help
|
||||||
|
Exceptions are Ivy- and Sandy Bridge with 64KB and Purely with 256KB
|
||||||
|
alignment size. Please overwrite it SoC specific.
|
||||||
|
|
||||||
|
endif
|
|
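Review bot: `INTEL_TXT_BIOSACM_ALIGNMENT` is given `default 0x20000` here and then redefined with `default 0x40000` in the two SoC Kconfig hunks at the end of this commit (the `PRERAM_CBMEM_CONSOLE_SIZE` and `IFD_CHIPSET` contexts); Kconfig merges the defaults of a multiply-defined symbol in parse order and uses the first whose condition holds, so the SoC value only wins if the SoC Kconfig is parsed before this file, and that ordering assumption is not written down. Suggest a comment on the symbol, `# SoC Kconfigs override this by redefining the symbol; the first default Kconfig parses wins, so they must be sourced before this file.` The help text also reads awkwardly: "Purely" looks like a typo for the Purley platform (please confirm), and `Please overwrite it SoC specific.` would read better as `SoCs whose ACM alignment differs should override this symbol.` Minor: `default n` is redundant for a bool.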
@ -0,0 +1,20 @@
|
||||||
|
ifeq ($(CONFIG_INTEL_TXT),y)
|
||||||
|
|
||||||
|
cbfs-files-y += txt_bios_acm.bin
|
||||||
|
txt_bios_acm.bin-file := $(CONFIG_INTEL_TXT_BIOSACM_FILE)
|
||||||
|
txt_bios_acm.bin-type := raw
|
||||||
|
txt_bios_acm.bin-align := $(CONFIG_INTEL_TXT_BIOSACM_ALIGNMENT)
|
||||||
|
|
||||||
|
ifneq ($(CONFIG_INTEL_TXT_SINITACM_FILE),"")
|
||||||
|
cbfs-files-y += txt_sinit_acm.bin
|
||||||
|
txt_sinit_acm.bin-file := $(CONFIG_INTEL_TXT_SINITACM_FILE)
|
||||||
|
txt_sinit_acm.bin-type := raw
|
||||||
|
txt_sinit_acm.bin-align := 0x10
|
||||||
|
txt_sinit_acm.bin-compression := lzma
|
||||||
|
endif
|
||||||
|
|
||||||
|
INTERMEDIATE+=add_acm_fit
|
||||||
|
add_acm_fit: $(obj)/coreboot.pre $(IFITTOOL)
|
||||||
|
$(IFITTOOL) -r COREBOOT -a -n txt_bios_acm.bin -t 2 -s $(CONFIG_CPU_INTEL_NUM_FIT_ENTRIES) -f $<
|
||||||
|
|
||||||
|
endif
|
|
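Review bot: `txt_bios_acm.bin-file := $(CONFIG_INTEL_TXT_BIOSACM_FILE)` has no empty-value guard, unlike the SINIT block below it; the Kconfig only provides a default for two SoCs, so on any other platform permitted by `INTEL_TXT`'s `depends on` the CBFS add runs with an empty path and fails with an unhelpful cbfstool error deep in the build. A parse-time check right after the outer `ifeq` makes the misconfiguration explicit: `ifeq ($(CONFIG_INTEL_TXT_BIOSACM_FILE),"")`, `$(error CONFIG_INTEL_TXT is enabled but CONFIG_INTEL_TXT_BIOSACM_FILE is empty)`, `endif`. Note the comparison against `""` (quoted), matching the form already used for the SINIT check, since Kconfig string values carry their quotes. Style nit: `INTERMEDIATE+=add_acm_fit` should be spaced like the other assignments, `INTERMEDIATE += add_acm_fit`.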
@ -318,4 +318,8 @@ config PRERAM_CBMEM_CONSOLE_SIZE
|
||||||
hex
|
hex
|
||||||
default 0xe00
|
default 0xe00
|
||||||
|
|
||||||
|
config INTEL_TXT_BIOSACM_ALIGNMENT
|
||||||
|
hex
|
||||||
|
default 0x40000 # 256KB
|
||||||
|
|
||||||
endif
|
endif
|
||||||
|
|
|
@ -302,4 +302,8 @@ config IFD_CHIPSET
|
||||||
string
|
string
|
||||||
default "sklkbl"
|
default "sklkbl"
|
||||||
|
|
||||||
|
config INTEL_TXT_BIOSACM_ALIGNMENT
|
||||||
|
hex
|
||||||
|
default 0x40000 # 256KB
|
||||||
|
|
||||||
endif
|
endif
|
||||||
|
|