src/security/intel/cbnt/Kconfig - coreboot - Gitiles

 # SPDX-License-Identifier: GPL-2.0-only

 config INTEL_CBNT_SUPPORT
 	bool "Intel CBnT support"
 	default n
 	depends on CPU_INTEL_FIRMWARE_INTERFACE_TABLE
 	#depends on PLATFORM_HAS_DRAM_CLEAR
 	select INTEL_TXT
 	# With CBnT the bootblock is set up as a CBnT IBB and needs a fixed size
 	select FIXED_BOOTBLOCK_SIZE
 	help
 	  Enables Intel Converged Bootguard and Trusted Execution Technology
 	  Support. This will enable one to add a Key Manifest (KM) and a Boot
 	  Policy Manifest (BPM) to the filesystem. It will also wrap a FIT around
 	  the firmware and update appropriate entries.

 if INTEL_CBNT_SUPPORT

 config INTEL_CBNT_GENERATE_KM
 	bool "Generate Key Manifest (KM)"
 	default y
 	select INTEL_CBNT_NEED_KM_PUB_KEY
 	select INTEL_CBNT_NEED_KM_PRIV_KEY
 	select INTEL_CBNT_NEED_BPM_PUB_KEY if !INTEL_CBNT_BG_PROV_KM_USE_CFG_FILE
 	help
 	  Select y to generate the Key Manifest (KM).
 	  Select n to include a KM binary.

 config INTEL_CBNT_BG_PROV_KM_USE_CFG_FILE
 	bool "KM: use a CBnT json config file"
 	depends on INTEL_CBNT_GENERATE_KM
 	default y
 	help
 	  Select y to generate KM from a json config file.
 	  Select n to generate KM from Kconfig options

 config INTEL_CBNT_BG_PROV_CFG_FILE
 	string "CBnT json config file"
 	depends on INTEL_CBNT_BG_PROV_KM_USE_CFG_FILE
 	help
 	  Location of the bg-prov json config file.
 	  Either get a sample JSON config file:
 	  $ bg-prov template
 	  Or extract it from a working configuration:
 	  $ bg-prov read-config

 config INTEL_CBNT_NEED_KM_PUB_KEY
 	bool

 config INTEL_CBNT_NEED_KM_PRIV_KEY
 	bool

 config INTEL_CBNT_KM_PUB_KEY_FILE
 	string "Key manifest (KM) public key"
 	depends on INTEL_CBNT_NEED_KM_PUB_KEY && !INTEL_CBNT_NEED_KM_PRIV_KEY
 	help
 	  Location of the key manifest (KM) public key file in .pem format.

 config INTEL_CBNT_KM_PRIV_KEY_FILE
 	string "Key manifest (KM) private key"
 	depends on INTEL_CBNT_NEED_KM_PRIV_KEY
 	help
 	  Location of the key manifest (KM) private key file in .pem format.

 config INTEL_CBNT_NEED_BPM_PUB_KEY
 	bool

 config INTEL_CBNT_NEED_BPM_PRIV_KEY
 	bool

 config INTEL_CBNT_BPM_PUB_KEY_FILE
 	string "Boot policy manifest (BPM) public key"
 	depends on INTEL_CBNT_NEED_BPM_PUB_KEY && !INTEL_CBNT_NEED_BPM_PRIV_KEY
 	help
 	  Location of the boot policy manifest (BPM) public key file in .pem format.

 config INTEL_CBNT_BPM_PRIV_KEY_FILE
 	string "Boot policy manifest (BPM) private key"
 	depends on INTEL_CBNT_NEED_BPM_PRIV_KEY
 	help
 	  Location of the boot policy manifest (BPM) private key file in .pem format.

 if !INTEL_CBNT_BG_PROV_KM_USE_CFG_FILE && INTEL_CBNT_GENERATE_KM

 menu "KM options"

 config INTEL_CBNT_KM_REVISION
 	int "KM revision"
 	default 1
 	help
 	  Version of the Key Manifest defined by the Platform Manufacturer.
 	  The actual value is transparent to Boot Guard and is not processed by Boot Guard.

 config INTEL_CBNT_KM_SVN
 	int "KM security Version Number"
 	range 0 15
 	default 0
 	help
 	  This value is determined by the Platform Manufacturer.
 	  Boot Guard uses this to compare it to the Key Manifest
 	  Revocation Value (Revocation.KMSVN) in FPF.

 	  If KMSVN < Revocation.KMSVN, the KM will be revoked. It will trigger ENF (the
 	  enforcement policy).
 	  IF KMSVN > Revocation.KMSVN, the Revocation.KMSVN will be set to the KMSVN.

 	  Note: Once the value reaches 0Fh, revocation saturates and one can no longer
 	  revoke newer KMs.

 config INTEL_CBNT_KM_ID
 	int "KM ID"
 	default 1
 	help
 	  This identifies the Key Manifest to be used for a platform.
 	  This must match the Key Manifest Identifier programmed in
 	  the field programmable fuses.

 endmenu

 endif # !INTEL_CBNT_BG_PROV_KM_USE_CFG_FILE

 config INTEL_CBNT_KEY_MANIFEST_BINARY
 	string "KM (Key Manifest) binary location"
 	depends on !INTEL_CBNT_GENERATE_KM
 	help
 	  Location of the Key Manifest (KM)

 config INTEL_CBNT_BOOT_POLICY_MANIFEST_BINARY
 	string "BPM (Boot Policy Manifest) binary location"
 	help
 	  Location of the Boot Policy Manifest (BPM)

 config INTEL_CBNT_CMOS_OFFSET
 	hex
 	default 0x7e
 	help
 	  Address in RTC CMOS used by CBNT. Uses 2 bytes. If using an option table
 	  adapt the cmos.layout accordingly. The bytes should not be checksummed.

 endif # INTEL_CBNT_SUPPORT
	# SPDX-License-Identifier: GPL-2.0-only

	config INTEL_CBNT_SUPPORT
	bool "Intel CBnT support"
	default n
	depends on CPU_INTEL_FIRMWARE_INTERFACE_TABLE
	#depends on PLATFORM_HAS_DRAM_CLEAR
	select INTEL_TXT
	# With CBnT the bootblock is set up as a CBnT IBB and needs a fixed size
	select FIXED_BOOTBLOCK_SIZE
	help
	Enables Intel Converged Bootguard and Trusted Execution Technology
	Support. This will enable one to add a Key Manifest (KM) and a Boot
	Policy Manifest (BPM) to the filesystem. It will also wrap a FIT around
	the firmware and update appropriate entries.

	if INTEL_CBNT_SUPPORT

	config INTEL_CBNT_GENERATE_KM
	bool "Generate Key Manifest (KM)"
	default y
	select INTEL_CBNT_NEED_KM_PUB_KEY
	select INTEL_CBNT_NEED_KM_PRIV_KEY
	select INTEL_CBNT_NEED_BPM_PUB_KEY if !INTEL_CBNT_BG_PROV_KM_USE_CFG_FILE
	help
	Select y to generate the Key Manifest (KM).
	Select n to include a KM binary.

	config INTEL_CBNT_BG_PROV_KM_USE_CFG_FILE
	bool "KM: use a CBnT json config file"
	depends on INTEL_CBNT_GENERATE_KM
	default y
	help
	Select y to generate KM from a json config file.
	Select n to generate KM from Kconfig options

	config INTEL_CBNT_BG_PROV_CFG_FILE
	string "CBnT json config file"
	depends on INTEL_CBNT_BG_PROV_KM_USE_CFG_FILE
	help
	Location of the bg-prov json config file.
	Either get a sample JSON config file:
	$ bg-prov template
	Or extract it from a working configuration:
	$ bg-prov read-config

	config INTEL_CBNT_NEED_KM_PUB_KEY
	bool

	config INTEL_CBNT_NEED_KM_PRIV_KEY
	bool

	config INTEL_CBNT_KM_PUB_KEY_FILE
	string "Key manifest (KM) public key"
	depends on INTEL_CBNT_NEED_KM_PUB_KEY && !INTEL_CBNT_NEED_KM_PRIV_KEY
	help
	Location of the key manifest (KM) public key file in .pem format.

	config INTEL_CBNT_KM_PRIV_KEY_FILE
	string "Key manifest (KM) private key"
	depends on INTEL_CBNT_NEED_KM_PRIV_KEY
	help
	Location of the key manifest (KM) private key file in .pem format.

	config INTEL_CBNT_NEED_BPM_PUB_KEY
	bool

	config INTEL_CBNT_NEED_BPM_PRIV_KEY
	bool

	config INTEL_CBNT_BPM_PUB_KEY_FILE
	string "Boot policy manifest (BPM) public key"
	depends on INTEL_CBNT_NEED_BPM_PUB_KEY && !INTEL_CBNT_NEED_BPM_PRIV_KEY
	help
	Location of the boot policy manifest (BPM) public key file in .pem format.

	config INTEL_CBNT_BPM_PRIV_KEY_FILE
	string "Boot policy manifest (BPM) private key"
	depends on INTEL_CBNT_NEED_BPM_PRIV_KEY
	help
	Location of the boot policy manifest (BPM) private key file in .pem format.

	if !INTEL_CBNT_BG_PROV_KM_USE_CFG_FILE && INTEL_CBNT_GENERATE_KM

	menu "KM options"

	config INTEL_CBNT_KM_REVISION
	int "KM revision"
	default 1
	help
	Version of the Key Manifest defined by the Platform Manufacturer.
	The actual value is transparent to Boot Guard and is not processed by Boot Guard.

	config INTEL_CBNT_KM_SVN
	int "KM security Version Number"
	range 0 15
	default 0
	help
	This value is determined by the Platform Manufacturer.
	Boot Guard uses this to compare it to the Key Manifest
	Revocation Value (Revocation.KMSVN) in FPF.

	If KMSVN < Revocation.KMSVN, the KM will be revoked. It will trigger ENF (the
	enforcement policy).
	IF KMSVN > Revocation.KMSVN, the Revocation.KMSVN will be set to the KMSVN.

	Note: Once the value reaches 0Fh, revocation saturates and one can no longer
	revoke newer KMs.

	config INTEL_CBNT_KM_ID
	int "KM ID"
	default 1
	help
	This identifies the Key Manifest to be used for a platform.
	This must match the Key Manifest Identifier programmed in
	the field programmable fuses.

	endmenu

	endif # !INTEL_CBNT_BG_PROV_KM_USE_CFG_FILE

	config INTEL_CBNT_KEY_MANIFEST_BINARY
	string "KM (Key Manifest) binary location"
	depends on !INTEL_CBNT_GENERATE_KM
	help
	Location of the Key Manifest (KM)

	config INTEL_CBNT_BOOT_POLICY_MANIFEST_BINARY
	string "BPM (Boot Policy Manifest) binary location"
	help
	Location of the Boot Policy Manifest (BPM)

	config INTEL_CBNT_CMOS_OFFSET
	hex
	default 0x7e
	help
	Address in RTC CMOS used by CBNT. Uses 2 bytes. If using an option table
	adapt the cmos.layout accordingly. The bytes should not be checksummed.

	endif # INTEL_CBNT_SUPPORT