security/intel/cbnt: Add options to generate BPM from Kconfig

Use Kconfig options to set BPM fields.

Change-Id: I9f5ffa0f692b06265f992b07a44763ff1aa8dfa7
Signed-off-by: Arthur Heymans <arthur@aheymans.xyz>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/50928
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Angel Pons <th3fanbus@gmail.com>
diff --git a/src/security/intel/cbnt/Kconfig b/src/security/intel/cbnt/Kconfig
index c018212..415092b 100644
--- a/src/security/intel/cbnt/Kconfig
+++ b/src/security/intel/cbnt/Kconfig
@@ -68,9 +68,17 @@
 	  "$ ifittool -r COREBOOT -a -n boot_policy_manifest.bin -t 12 -s 12 -f build/coreboot.rom"
 	  '-s 12' where 12 is CONFIG_CPU_INTEL_NUM_FIT_ENTRIES.
 
+config INTEL_CBNT_BG_PROV_BPM_USE_CFG_FILE
+	bool "BPM: use a CBnT json config file"
+	depends on INTEL_CBNT_GENERATE_BPM
+	default y
+	help
+	  Select y to generate BPM from a json config file.
+	  Select n to generate BPM from Kconfig options
+
 config INTEL_CBNT_BG_PROV_CFG_FILE
 	string "CBnT json config file"
-	depends on INTEL_CBNT_BG_PROV_KM_USE_CFG_FILE || INTEL_CBNT_GENERATE_BPM
+	depends on INTEL_CBNT_BG_PROV_KM_USE_CFG_FILE || INTEL_CBNT_BG_PROV_BPM_USE_CFG_FILE
 	help
 	  Location of the bg-prov json config file.
 	  Either get a sample JSON config file:
@@ -153,6 +161,67 @@
 
 endif # !INTEL_CBNT_BG_PROV_KM_USE_CFG_FILE
 
+if !INTEL_CBNT_BG_PROV_BPM_USE_CFG_FILE && INTEL_CBNT_GENERATE_BPM
+menu "BPM options"
+
+config INTEL_CBNT_BPM_REVISION
+	int "BPM revision"
+	default 1
+	help
+	  Version of the Key Manifest defined by the Platform Manufacturer.
+	  The actual value is transparent to Boot Guard and is not processed by Boot Guard.
+
+config INTEL_CBNT_BPM_SVN
+	int "BPM Security Version Number"
+	default 0
+	help
+	  This value is determined by the Platform Manufacturer.
+
+config INTEL_CBNT_ACM_SVN
+	int "S-ACM Security Version Number"
+	default 2
+	help
+	  This defines the minimum version the S-ACM must have.
+
+config INTEL_CBNT_NUM_NEM_PAGES
+	int
+	default 32
+	help
+	  Set the amount of 4K pages of CAR required.
+
+config INTEL_CBNT_PBET
+	int "PBET value in s"
+	default 15
+	help
+	  Protect BIOS Environment Timer (PBET) value.
+	  Factor used by CSE to compute PBE timer value.
+	  Actual PBE timer value is set by CSE using formula:
+	  PBE timer value = 5 sec + PBETValue.
+
+config INTEL_CBNT_IBB_FLAGS
+	int "IBB flags"
+	default 7
+	help
+	  IBB Control flags.
+	  3: Don't extend PCR 0
+	  7: extend PCR 7
+
+config INTEL_CBNT_SINIT_SVN
+	int "SINIT ACM security version number"
+	default 0
+	help
+	  Minimum required version for the SINIT ACM.
+
+config INTEL_CBNT_PD_INTERVAL
+	int
+	default 60
+	help
+	  Duration of Power Down in 5 sec increments.
+
+endmenu
+
+endif # !INTEL_CBNT_BG_PROV_BPM_USE_CFG_FILE
+
 config INTEL_CBNT_KEY_MANIFEST_BINARY
 	string "KM (Key Manifest) binary location"
 	depends on !INTEL_CBNT_GENERATE_KM
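Review bot: The help text of INTEL_CBNT_BPM_REVISION describes the wrong object: it says `Version of the Key Manifest`, which looks copied from the KM options, and should read `Version of the Boot Policy Manifest defined by the Platform Manufacturer.` In INTEL_CBNT_IBB_FLAGS the two listed values do not explain each other (`3: Don't extend PCR 0` versus `7: extend PCR 7`, where the second presumably means PCR 0). Judging by that text the field controls whether the IBB measurement reaches PCR 0, so the help should name each flag bit rather than give two magic sums. The SVN, PBET and power-down options are plain `int` with no `range`, so a negative or oversized value is caught, if at all, only by bg-prov at build time; a `range` line matching the width of each manifest field would reject it at configuration time.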
diff --git a/src/security/intel/cbnt/Makefile.inc b/src/security/intel/cbnt/Makefile.inc
index 0ea9ed0..788b1b7 100644
--- a/src/security/intel/cbnt/Makefile.inc
+++ b/src/security/intel/cbnt/Makefile.inc
@@ -34,9 +34,35 @@
 	cp $(CONFIG_INTEL_CBNT_BG_PROV_CFG_FILE) $@
 
 ifeq ($(CONFIG_INTEL_CBNT_GENERATE_BPM),y)
+ifeq ($(CONFIG_INTEL_CBNT_BG_PROV_BPM_USE_CFG_FILE),y)
 $(obj)/bpm_unsigned.bin: $(obj)/coreboot.rom $(BG_PROV) $(CBNT_CFG)
 	printf "    BG_PROV    creating unsigned BPM using config file\n"
 	$(BG_PROV) bpm-gen $@ $< --config=$(CBNT_CFG) --cut
+else
+$(obj)/bpm_unsigned.bin: $(obj)/coreboot.rom $(BG_PROV)
+	printf "    BG_PROV    creating unsigned BPM\n"
+	# SHA256, SHA1, SHA384 for digest
+	$(BG_PROV) bpm-gen $@ $< --revision=$(CONFIG_INTEL_CBNT_BPM_REVISION) \
+				 --svn=$(CONFIG_INTEL_CBNT_BPM_SVN) \
+				 --acmsvn=$(CONFIG_INTEL_CBNT_ACM_SVN) \
+				 --nems=$(CONFIG_INTEL_CBNT_NUM_NEM_PAGES) \
+				 --pbet=$(CONFIG_INTEL_CBNT_PBET) \
+				 --ibbflags=$(CONFIG_INTEL_CBNT_IBB_FLAGS) \
+				 --entrypoint=$(shell printf "%d" 0xfffffff0) \
+				 --ibbhash={11,4,12} \
+				 --ibbsegbase=$(call int-add, $(call int-subtract, 0xffffffff $(CONFIG_C_ENV_BOOTBLOCK_SIZE)) 1) \
+				 --ibbsegsize=$(shell printf "%d" $(CONFIG_C_ENV_BOOTBLOCK_SIZE)) \
+				 --ibbsegflag=0 \
+				 --sintmin=$(CONFIG_INTEL_CBNT_SINIT_SVN) \
+				 --txtflags=0 \
+				 --powerdowninterval=$(CONFIG_INTEL_CBNT_PD_INTERVAL) \
+				 --acpibaseoffset=$(shell printf "%d" $(CONFIG_INTEL_ACPI_BASE_ADDRESS)) \
+				 --powermbaseoffset=$(shell printf "%d" $(CONFIG_INTEL_PCH_PWRM_BASE_ADDRESS)) \
+				 --cmosoff0=$(shell printf "%d" $(CONFIG_INTEL_CBNT_CMOS_OFFSET)) \
+				 --cmosoff1=$(call int-add, $(CONFIG_INTEL_CBNT_CMOS_OFFSET) 1) \
+				 --cut \
+				 --out=$(obj)/bpm_cfg.json
+endif
 
 ifeq ($(CONFIG_INTEL_CBNT_BPM_ONLY_UNSIGNED),y)
 build_complete:: $(obj)/bpm_unsigned.bin
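Review bot: `--ibbhash={11,4,12}` in the new `else` recipe becomes a list of three algorithms only if the recipe shell performs brace expansion; a POSIX `sh` such as dash passes the braces through literally, and which shell runs this recipe is not visible in the hunk. Because this argument selects the digest algorithms recorded in the manifest, it should not depend on the shell: spell the values out in whatever list form bg-prov accepts, and extend the comment above it to `# IBB digest algorithms as TPM_ALG IDs: 11=SHA256, 4=SHA1, 12=SHA384`. The recipe also writes `$(obj)/bpm_cfg.json` through `--out`, which is not the target of any rule in this hunk, so make can neither track it nor rebuild it if it is deleted. Finally, `--ibbsegbase` and `--ibbsegsize` describe a single segment of CONFIG_C_ENV_BOOTBLOCK_SIZE bytes ending at 4 GiB; a one-line comment stating that the bootblock is assumed to be the entire IBB would help whoever changes the flash layout later.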