sec/intel/cbnt: Stitch in ACMs in the coreboot image
Actual support CBnT will be added later on.
Change-Id: Icc35c5e6c74d002efee43cc05ecc8023e00631e0
Signed-off-by: Arthur Heymans <arthur@aheymans.xyz>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/46456
Reviewed-by: Angel Pons <th3fanbus@gmail.com>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
diff --git a/Makefile.inc b/Makefile.inc
index b3868a5..69ac747 100644
--- a/Makefile.inc
+++ b/Makefile.inc
@@ -732,6 +732,16 @@
endif
+ifeq ($(CONFIG_INTEL_CBNT_SUPPORT),y)
+
+CBNTIBB := --cbnt
+
+else
+
+CBNTIBB :=
+
+endif # CONFIG_INTEL_CBNT_SUPPORT
+
ifeq ($(CONFIG_COMPRESS_BOOTBLOCK),y)
$(objcbfs)/bootblock.lz4: $(objcbfs)/bootblock.elf $(objutil)/cbfstool/cbfs-compression-tool
@@ -1063,6 +1073,7 @@
ifeq ($(CONFIG_INTEL_ADD_TOP_SWAP_BOOTBLOCK),y)
TS_OPTIONS := -j $(CONFIG_INTEL_TOP_SWAP_BOOTBLOCK_SIZE)
endif
+
ifneq ($(CONFIG_UPDATE_IMAGE),y)
$(obj)/coreboot.pre: $(objcbfs)/bootblock.bin $$(prebuilt-files) $(CBFSTOOL) $(IFITTOOL) $$(cpu_ucode_cbfs_file) $(obj)/fmap.fmap $(obj)/fmap.desc
$(CBFSTOOL) $@.tmp create -M $(obj)/fmap.fmap -r $(shell cat $(obj)/fmap.desc)
@@ -1072,6 +1083,7 @@
-n bootblock \
-t bootblock \
$(TXTIBB) \
+ $(CBNTIBB) \
-b -$(call file-size,$(objcbfs)/bootblock.bin) $(cbfs-autogen-attributes) \
$(TS_OPTIONS)
else # ifeq ($(CONFIG_ARCH_X86),y)
diff --git a/src/cpu/intel/fit/Kconfig b/src/cpu/intel/fit/Kconfig
index fa10802..9ea867e 100644
--- a/src/cpu/intel/fit/Kconfig
+++ b/src/cpu/intel/fit/Kconfig
@@ -5,7 +5,7 @@
config CPU_INTEL_NUM_FIT_ENTRIES
int
- default 16 if INTEL_TXT
+ default 16 if INTEL_TXT || INTEL_CBNT_SUPPORT
default 4
depends on CPU_INTEL_FIRMWARE_INTERFACE_TABLE
help
diff --git a/src/security/intel/Kconfig b/src/security/intel/Kconfig
index 9cdd8a6..0609a456 100644
--- a/src/security/intel/Kconfig
+++ b/src/security/intel/Kconfig
@@ -2,3 +2,4 @@
source "src/security/intel/txt/Kconfig"
source "src/security/intel/stm/Kconfig"
+source "src/security/intel/cbnt/Kconfig"
diff --git a/src/security/intel/Makefile.inc b/src/security/intel/Makefile.inc
index e00802a..20aea27 100644
--- a/src/security/intel/Makefile.inc
+++ b/src/security/intel/Makefile.inc
@@ -1,2 +1,3 @@
subdirs-y += txt
subdirs-y += stm
+subdirs-y += cbnt
diff --git a/src/security/intel/cbnt/Kconfig b/src/security/intel/cbnt/Kconfig
new file mode 100644
index 0000000..f13f6ec
--- /dev/null
+++ b/src/security/intel/cbnt/Kconfig
@@ -0,0 +1,27 @@
+# SPDX-License-Identifier: GPL-2.0-only
+
+config INTEL_CBNT_SUPPORT
+ bool "Intel CBnT support"
+ default n
+ depends on CPU_INTEL_FIRMWARE_INTERFACE_TABLE
+ #depends on PLATFORM_HAS_DRAM_CLEAR
+ select INTEL_TXT
+ help
+ Enables Intel Converged Bootguard and Trusted Execution Technology
+ Support. This will enable one to add a Key Manifest (KM) and a Boot
+ Policy Manifest (BPM) to the filesystem. It will also wrap a FIT around
+ the firmware and update appropriate entries.
+
+if INTEL_CBNT_SUPPORT
+
+config INTEL_CBNT_KEY_MANIFEST_BINARY
+ string "KM (Key Manifest) binary location"
+ help
+ Location of the Key Manifest (KM)
+
+config INTEL_CBNT_BOOT_POLICY_MANIFEST_BINARY
+ string "BPM (Boot Policy Manifest) binary location"
+ help
+ Location of the Boot Policy Manifest (BPM)
+
+endif # INTEL_CBNT_SUPPORT
diff --git a/src/security/intel/cbnt/Makefile.inc b/src/security/intel/cbnt/Makefile.inc
new file mode 100644
index 0000000..f2e5c76
--- /dev/null
+++ b/src/security/intel/cbnt/Makefile.inc
@@ -0,0 +1,25 @@
+ifeq ($(CONFIG_INTEL_CBNT_SUPPORT),y)
+
+ifneq ($(CONFIG_INTEL_CBNT_BOOT_POLICY_MANIFEST_BINARY),"")
+cbfs-files-y += boot_policy_manifest.bin
+boot_policy_manifest.bin-file := $(CONFIG_INTEL_CBNT_BOOT_POLICY_MANIFEST_BINARY)
+boot_policy_manifest.bin-type := raw
+boot_policy_manifest.bin-align := 0x10
+
+INTERMEDIATE+=add_bpm_fit
+add_bpm_fit: $(obj)/coreboot.pre $(IFITTOOL)
+ $(IFITTOOL) -r COREBOOT -a -n boot_policy_manifest.bin -t 12 -s $(CONFIG_CPU_INTEL_NUM_FIT_ENTRIES) -f $<
+endif
+
+ifneq ($(CONFIG_INTEL_CBNT_KEY_MANIFEST_BINARY),"")
+cbfs-files-y += key_manifest.bin
+key_manifest.bin-file := $(CONFIG_INTEL_CBNT_KEY_MANIFEST_BINARY)
+key_manifest.bin-type := raw
+key_manifest.bin-align := 0x10
+
+INTERMEDIATE+=add_km_fit
+add_km_fit: $(obj)/coreboot.pre $(IFITTOOL)
+ $(IFITTOOL) -r COREBOOT -a -n key_manifest.bin -t 11 -s $(CONFIG_CPU_INTEL_NUM_FIT_ENTRIES) -f $<
+endif
+
+endif # CONFIG_INTEL_CBNT_SUPPORT
diff --git a/src/security/intel/txt/Kconfig b/src/security/intel/txt/Kconfig
index 80be7c2..f9e4bc4 100644
--- a/src/security/intel/txt/Kconfig
+++ b/src/security/intel/txt/Kconfig
@@ -52,6 +52,7 @@
config INTEL_TXT_BIOSACM_ALIGNMENT
hex
+ default 0x40000 if INTEL_CBNT_SUPPORT
default 0x20000 # 128 KiB
help
Exceptions are Ivy and Sandy Bridge with 64 KiB and Purley with 256 KiB
diff --git a/src/security/intel/txt/Makefile.inc b/src/security/intel/txt/Makefile.inc
index eab47b9..77a5f69 100644
--- a/src/security/intel/txt/Makefile.inc
+++ b/src/security/intel/txt/Makefile.inc
@@ -33,6 +33,8 @@
$(IFITTOOL) -r COREBOOT -a -n $(CONFIG_INTEL_TXT_CBFS_BIOS_ACM) -t 2 \
-s $(CONFIG_CPU_INTEL_NUM_FIT_ENTRIES) -f $<
+# CBnT does not use FIT for IBB
+ifneq ($(CONFIG_INTEL_CBNT_SUPPORT),y)
# Initial BootBlock files
ibb-files := $(foreach file,$(cbfs-files), \
$(if $(shell echo '$(call extract_nth,7,$(file))'|grep -- --ibb), \
@@ -45,6 +47,8 @@
$(foreach file, $(ibb-files), $(shell $(IFITTOOL) -f $< -a -n $(file) -t 7 \
-s $(CONFIG_CPU_INTEL_NUM_FIT_ENTRIES) -r COREBOOT)) true
+endif # INTEL_CBNT_SUPPORT
+
endif # CPU_INTEL_FIRMWARE_INTERFACE_TABLE
endif # INTEL_TXT