security/intel: Add TXT infrastructure

* Add Kconfig to enable TXT
* Add possibility to add BIOS and SINIT ACMs
* Set default BIOS ACM alignment
* Increase FIT space if TXT is enabled

The following commits depend on the basic Kconfig infrastructure.
Intel TXT isn't supported until all following commits are merged.

Change-Id: I5f0f956d2b7ba43d4e7e0062803c6d8ba569a052
Signed-off-by: Patrick Rudolph <patrick.rudolph@9elements.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/34585
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: David Hendricks <david.hendricks@gmail.com>

Documentation/security/intel/txt.md

@@ -90,11 +90,11 @@ correct state. If it's not the SINIT ACM will reset the platform.
 
 ## For developers
 ### Configuring Intel TXT in Kconfig
-Enable ``TEE_INTEL_TXT`` and set the following:
+Enable ``INTEL_TXT`` and set the following:
 
-``TEE_INTEL_TXT_BIOSACM_FILE`` to the path of the BIOS ACM provided by Intel
+``INTEL_TXT_BIOSACM_FILE`` to the path of the BIOS ACM provided by Intel
 
-``TEE_INTEL_TXT_SINITACM_FILE`` to the path of the SINIT ACM provided by Intel
+``INTEL_TXT_SINITACM_FILE`` to the path of the SINIT ACM provided by Intel
 ### Print TXT status as early as possible
 Add platform code to print the TXT status as early as possible, as the register
 is cleared on cold reset.

src/cpu/intel/fit/Kconfig

@@ -5,6 +5,7 @@ config CPU_INTEL_FIRMWARE_INTERFACE_TABLE
 
 config CPU_INTEL_NUM_FIT_ENTRIES
 	int
+	default 16 if INTEL_TXT
 	default 4
 	depends on CPU_INTEL_FIRMWARE_INTERFACE_TABLE
 	help

src/security/Kconfig

@@ -15,3 +15,4 @@
 source "src/security/vboot/Kconfig"
 source "src/security/tpm/Kconfig"
 source "src/security/memory/Kconfig"
+source "src/security/intel/Kconfig"

src/security/Makefile.inc

@@ -1,3 +1,4 @@
 subdirs-y += vboot
 subdirs-y += tpm
 subdirs-y += memory
+subdirs-y += intel

src/security/intel/Kconfig

@@ -0,0 +1,20 @@
+## This file is part of the coreboot project.
+##
+## Copyright (C) 2019 9elements Agency GmbH
+## Copyright (C) 2019 Facebook Inc.
+##
+## This program is free software; you can redistribute it and/or modify
+## it under the terms of the GNU General Public License as published by
+## the Free Software Foundation; version 2 of the License.
+##
+## This program is distributed in the hope that it will be useful,
+## but WITHOUT ANY WARRANTY; without even the implied warranty of
+## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+## GNU General Public License for more details.
+##
+
+menu "Intel"
+
+source "src/security/intel/txt/Kconfig"
+
+endmenu # Intel

src/security/intel/Makefile.inc

@@ -0,0 +1 @@
+subdirs-y += txt

src/security/intel/txt/Kconfig

@@ -0,0 +1,54 @@
+## This file is part of the coreboot project.
+##
+## Copyright (C) 2019 9elements Agency GmbH
+## Copyright (C) 2019 Facebook Inc.
+##
+## This program is free software; you can redistribute it and/or modify
+## it under the terms of the GNU General Public License as published by
+## the Free Software Foundation; version 2 of the License.
+##
+## This program is distributed in the hope that it will be useful,
+## but WITHOUT ANY WARRANTY; without even the implied warranty of
+## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+## GNU General Public License for more details.
+##
+
+config INTEL_TXT
+	bool "Intel TXT support"
+	default n
+	select MRC_SETTINGS_PROTECT if CACHE_MRC_SETTINGS
+	select ENABLE_VMX if CPU_INTEL_COMMON
+	select AP_IN_SIPI_WAIT
+	depends on (TPM1 || TPM2)
+	depends on CPU_INTEL_FIRMWARE_INTERFACE_TABLE
+	depends on PLATFORM_HAS_DRAM_CLEAR
+	depends on SOC_INTEL_FSP_BROADWELL_DE || SOC_INTEL_COMMON_BLOCK_SA
+
+if INTEL_TXT
+
+config INTEL_TXT_BIOSACM_FILE
+	string "BIOS ACM file"
+	default "3rdparty/blobs/soc/intel/fsp_broadwell_de/biosacm.bin" if SOC_INTEL_FSP_BROADWELL_DE
+	default "3rdparty/blobs/soc/intel/skylake/biosacm.bin" if SOC_INTEL_COMMON_SKYLAKE_BASE
+	help
+	  Intel TXT BIOS ACM file. This file can be obtained by privileged
+	  access to Intel resources. Or for some platforms found inside the
+	  blob repository.
+
+config INTEL_TXT_SINITACM_FILE
+	string "SINIT ACM file"
+	default "3rdparty/blobs/soc/intel/fsp_broadwell_de/sinitacm.bin" if SOC_INTEL_FSP_BROADWELL_DE
+	default "3rdparty/blobs/soc/intel/skylake/sinitacm.bin" if SOC_INTEL_COMMON_SKYLAKE_BASE
+	help
+	  Intel TXT SINIT ACM file. This file can be obtained by privileged
+	  access to Intel resources. Or for some platforms found inside the
+	  blob repository.
+
+config INTEL_TXT_BIOSACM_ALIGNMENT
+	hex
+	default 0x20000 # 128KB
+	help
+	  Exceptions are Ivy- and Sandy Bridge with 64KB and Purely with 256KB
+	  alignment size. Please overwrite it SoC specific.
+
+endif

src/security/intel/txt/Makefile.inc

@@ -0,0 +1,20 @@
+ifeq ($(CONFIG_INTEL_TXT),y)
+
+cbfs-files-y += txt_bios_acm.bin
+txt_bios_acm.bin-file := $(CONFIG_INTEL_TXT_BIOSACM_FILE)
+txt_bios_acm.bin-type := raw
+txt_bios_acm.bin-align := $(CONFIG_INTEL_TXT_BIOSACM_ALIGNMENT)
+
+ifneq ($(CONFIG_INTEL_TXT_SINITACM_FILE),"")
+cbfs-files-y += txt_sinit_acm.bin
+txt_sinit_acm.bin-file := $(CONFIG_INTEL_TXT_SINITACM_FILE)
+txt_sinit_acm.bin-type := raw
+txt_sinit_acm.bin-align := 0x10
+txt_sinit_acm.bin-compression := lzma
+endif
+
+INTERMEDIATE+=add_acm_fit
+add_acm_fit: $(obj)/coreboot.pre $(IFITTOOL)
+	$(IFITTOOL) -r COREBOOT -a -n txt_bios_acm.bin -t 2 -s $(CONFIG_CPU_INTEL_NUM_FIT_ENTRIES) -f $<
+
+endif

src/soc/intel/cannonlake/Kconfig

@@ -318,4 +318,8 @@ config PRERAM_CBMEM_CONSOLE_SIZE
 	hex
 	default 0xe00
 
+config INTEL_TXT_BIOSACM_ALIGNMENT
+	hex
+	default 0x40000 # 256KB
+
 endif

src/soc/intel/skylake/Kconfig

@@ -302,4 +302,8 @@ config IFD_CHIPSET
 	string
 	default "sklkbl"
 
+config INTEL_TXT_BIOSACM_ALIGNMENT
+	hex
+	default 0x40000 # 256KB
+
 endif