| # SPDX-License-Identifier: GPL-2.0-only |
| |
| config INTEL_CBNT_SUPPORT |
| bool "Intel CBnT support" |
| default n |
| depends on CPU_INTEL_FIRMWARE_INTERFACE_TABLE |
| #depends on PLATFORM_HAS_DRAM_CLEAR |
| select INTEL_TXT |
| # With CBnT the bootblock is set up as a CBnT IBB and needs a fixed size |
| select FIXED_BOOTBLOCK_SIZE |
| help |
| Enables Intel Converged Bootguard and Trusted Execution Technology |
| Support. This will enable one to add a Key Manifest (KM) and a Boot |
| Policy Manifest (BPM) to the filesystem. It will also wrap a FIT around |
| the firmware and update appropriate entries. |
| |
| if INTEL_CBNT_SUPPORT |
| |
| config INTEL_CBNT_GENERATE_KM |
| bool "Generate Key Manifest (KM)" |
| default y |
| select INTEL_CBNT_NEED_KM_PUB_KEY |
| select INTEL_CBNT_NEED_KM_PRIV_KEY |
| select INTEL_CBNT_NEED_BPM_PUB_KEY if !INTEL_CBNT_BG_PROV_KM_USE_CFG_FILE |
| help |
| Select y to generate the Key Manifest (KM). |
| Select n to include a KM binary. |
| |
| config INTEL_CBNT_BG_PROV_KM_USE_CFG_FILE |
| bool "KM: use a CBnT json config file" |
| depends on INTEL_CBNT_GENERATE_KM |
| default y |
| help |
| Select y to generate KM from a json config file. |
| Select n to generate KM from Kconfig options |
| |
| config INTEL_CBNT_BG_PROV_CFG_FILE |
| string "CBnT json config file" |
| depends on INTEL_CBNT_BG_PROV_KM_USE_CFG_FILE |
| help |
| Location of the bg-prov json config file. |
| Either get a sample JSON config file: |
| $ bg-prov template |
| Or extract it from a working configuration: |
| $ bg-prov read-config |
| |
| config INTEL_CBNT_NEED_KM_PUB_KEY |
| bool |
| |
| config INTEL_CBNT_NEED_KM_PRIV_KEY |
| bool |
| |
| config INTEL_CBNT_KM_PUB_KEY_FILE |
| string "Key manifest (KM) public key" |
| depends on INTEL_CBNT_NEED_KM_PUB_KEY && !INTEL_CBNT_NEED_KM_PRIV_KEY |
| help |
| Location of the key manifest (KM) public key file in .pem format. |
| |
| config INTEL_CBNT_KM_PRIV_KEY_FILE |
| string "Key manifest (KM) private key" |
| depends on INTEL_CBNT_NEED_KM_PRIV_KEY |
| help |
| Location of the key manifest (KM) private key file in .pem format. |
| |
| config INTEL_CBNT_NEED_BPM_PUB_KEY |
| bool |
| |
| config INTEL_CBNT_NEED_BPM_PRIV_KEY |
| bool |
| |
| config INTEL_CBNT_BPM_PUB_KEY_FILE |
| string "Boot policy manifest (BPM) public key" |
| depends on INTEL_CBNT_NEED_BPM_PUB_KEY && !INTEL_CBNT_NEED_BPM_PRIV_KEY |
| help |
| Location of the boot policy manifest (BPM) public key file in .pem format. |
| |
| config INTEL_CBNT_BPM_PRIV_KEY_FILE |
| string "Boot policy manifest (BPM) private key" |
| depends on INTEL_CBNT_NEED_BPM_PRIV_KEY |
| help |
| Location of the boot policy manifest (BPM) private key file in .pem format. |
| |
| if !INTEL_CBNT_BG_PROV_KM_USE_CFG_FILE && INTEL_CBNT_GENERATE_KM |
| |
| menu "KM options" |
| |
| config INTEL_CBNT_KM_REVISION |
| int "KM revision" |
| default 1 |
| help |
| Version of the Key Manifest defined by the Platform Manufacturer. |
| The actual value is transparent to Boot Guard and is not processed by Boot Guard. |
| |
| config INTEL_CBNT_KM_SVN |
| int "KM security Version Number" |
| range 0 15 |
| default 0 |
| help |
| This value is determined by the Platform Manufacturer. |
| Boot Guard uses this to compare it to the Key Manifest |
| Revocation Value (Revocation.KMSVN) in FPF. |
| |
| If KMSVN < Revocation.KMSVN, the KM will be revoked. It will trigger ENF (the |
| enforcement policy). |
| IF KMSVN > Revocation.KMSVN, the Revocation.KMSVN will be set to the KMSVN. |
| |
| Note: Once the value reaches 0Fh, revocation saturates and one can no longer |
| revoke newer KMs. |
| |
| config INTEL_CBNT_KM_ID |
| int "KM ID" |
| default 1 |
| help |
| This identifies the Key Manifest to be used for a platform. |
| This must match the Key Manifest Identifier programmed in |
| the field programmable fuses. |
| |
| endmenu |
| |
| endif # !INTEL_CBNT_BG_PROV_KM_USE_CFG_FILE |
| |
| config INTEL_CBNT_KEY_MANIFEST_BINARY |
| string "KM (Key Manifest) binary location" |
| depends on !INTEL_CBNT_GENERATE_KM |
| help |
| Location of the Key Manifest (KM) |
| |
| config INTEL_CBNT_BOOT_POLICY_MANIFEST_BINARY |
| string "BPM (Boot Policy Manifest) binary location" |
| help |
| Location of the Boot Policy Manifest (BPM) |
| |
| config INTEL_CBNT_CMOS_OFFSET |
| hex |
| default 0x7e |
| help |
| Address in RTC CMOS used by CBNT. Uses 2 bytes. If using an option table |
| adapt the cmos.layout accordingly. The bytes should not be checksummed. |
| |
| endif # INTEL_CBNT_SUPPORT |