| # SPDX-License-Identifier: GPL-2.0-only |
| |
| config INTEL_CBNT_SUPPORT |
| bool "Intel CBnT support" |
| default n |
| depends on CPU_INTEL_FIRMWARE_INTERFACE_TABLE |
| #depends on PLATFORM_HAS_DRAM_CLEAR |
| select INTEL_TXT |
| # With CBnT the bootblock is set up as a CBnT IBB and needs a fixed size |
| select TPM_MEASURED_BOOT_INIT_BOOTBLOCK if TPM_MEASURED_BOOT |
| help |
| Enables Intel Converged Bootguard and Trusted Execution Technology |
| Support. This will enable one to add a Key Manifest (KM) and a Boot |
| Policy Manifest (BPM) to the filesystem. It will also wrap a FIT around |
| the firmware and update appropriate entries. |
| |
| if INTEL_CBNT_SUPPORT |
| |
| config INTEL_CBNT_LOGGING |
| bool "Enable verbose CBnT logging" |
| help |
| Print more CBnT related debug output. |
| Use in pre-production environments only! |
| |
| config INTEL_CBNT_GENERATE_KM |
| bool "Generate Key Manifest (KM)" |
| default y |
| select INTEL_CBNT_NEED_KM_PUB_KEY |
| select INTEL_CBNT_NEED_KM_PRIV_KEY if !INTEL_CBNT_KM_ONLY_UNSIGNED |
| select INTEL_CBNT_NEED_BPM_PUB_KEY if !INTEL_CBNT_CBNT_PROV_KM_USE_CFG_FILE |
| help |
| Select y to generate the Key Manifest (KM). |
| Select n to include a KM binary. |
| |
| config INTEL_CBNT_KM_ONLY_UNSIGNED |
| bool "Only unsigned key manifest (KM)" |
| depends on INTEL_CBNT_GENERATE_KM |
| help |
| Skip signing the KM. |
| The resulting unsigned KM will be placed at build/km_unsigned.bin. |
| The resulting coreboot image will not be functional with CBnT. |
| After the unsigned KM is signed externally you can either rebuild |
| coreboot using that binary or add it to cbfs and fit: |
| "$ cbfstool build/coreboot.rom add -f km.bin -n key_manifest.bin -t raw -a 16" |
| "$ ifittool -r COREBOOT -a -n key_manifest.bin -t 11 -s 12 -f build/coreboot.rom" |
| '-s 12' where 12 is CONFIG_CPU_INTEL_NUM_FIT_ENTRIES. |
| |
| config INTEL_CBNT_CBNT_PROV_KM_USE_CFG_FILE |
| bool "KM: use a CBnT json config file" |
| depends on INTEL_CBNT_GENERATE_KM |
| default y |
| help |
| Select y to generate KM from a json config file. |
| Select n to generate KM from Kconfig options |
| |
| config INTEL_CBNT_GENERATE_BPM |
| bool "Generate Boot Policy Manifest (BPM)" |
| default y |
| select INTEL_CBNT_NEED_BPM_PRIV_KEY if !INTEL_CBNT_BPM_ONLY_UNSIGNED |
| help |
| Select y to generate the Boot Policy Manifest (BPM). |
| Select n to include a BPM binary. |
| |
| config INTEL_CBNT_BPM_ONLY_UNSIGNED |
| bool "Only unsigned boot policy manifest (BPM)" |
| depends on INTEL_CBNT_GENERATE_BPM |
| help |
| Skip signing the BPM. |
| The resulting unsigned BPM will be placed at build/bpm_unsigned.bin. |
| The resulting coreboot image will not be functional with CBnT. |
| After the unsigned BPM is signed externally you can add it to cbfs |
| and fit: |
| "$ cbfstool build/coreboot.rom add -f bpm.bin -n boot_policy_manifest.bin -t raw -a 16" |
| "$ ifittool -r COREBOOT -a -n boot_policy_manifest.bin -t 12 -s 12 -f build/coreboot.rom" |
| '-s 12' where 12 is CONFIG_CPU_INTEL_NUM_FIT_ENTRIES. |
| |
| config INTEL_CBNT_CBNT_PROV_BPM_USE_CFG_FILE |
| bool "BPM: use a CBnT json config file" |
| depends on INTEL_CBNT_GENERATE_BPM |
| default y |
| help |
| Select y to generate BPM from a json config file. |
| Select n to generate BPM from Kconfig options |
| |
| config INTEL_CBNT_CBNT_PROV_CFG_FILE |
| string "CBnT json config file" |
| depends on INTEL_CBNT_CBNT_PROV_KM_USE_CFG_FILE || INTEL_CBNT_CBNT_PROV_BPM_USE_CFG_FILE |
| help |
| Location of the bg-prov json config file. |
| Either get a sample JSON config file: |
| $ bg-prov template |
| Or extract it from a working configuration: |
| $ bg-prov read-config |
| |
| config INTEL_CBNT_PROV_EXTERNAL_BIN |
| bool "Use an external cbnt-prov binary" |
| default n |
| depends on INTEL_CBNT_GENERATE_BPM || INTEL_CBNT_GENERATE_KM |
| help |
| Building cbnt-prov requires godeps which makes it impossible to build |
| it in an offline environment. A solution is to use an external binary. |
| |
| config INTEL_CBNT_PROV_EXTERNAL_BIN_PATH |
| string "cbnt-prov path" |
| depends on INTEL_CBNT_PROV_EXTERNAL_BIN |
| help |
| Path to the cbnt-prov binary. |
| |
| config INTEL_CBNT_NEED_KM_PUB_KEY |
| bool |
| |
| config INTEL_CBNT_NEED_KM_PRIV_KEY |
| bool |
| |
| config INTEL_CBNT_KM_PUB_KEY_FILE |
| string "Key manifest (KM) public key" |
| depends on INTEL_CBNT_NEED_KM_PUB_KEY && !INTEL_CBNT_NEED_KM_PRIV_KEY |
| help |
| Location of the key manifest (KM) public key file in .pem format. |
| |
| config INTEL_CBNT_KM_PRIV_KEY_FILE |
| string "Key manifest (KM) private key" |
| depends on INTEL_CBNT_NEED_KM_PRIV_KEY |
| help |
| Location of the key manifest (KM) private key file in .pem format. |
| |
| config INTEL_CBNT_NEED_BPM_PUB_KEY |
| bool |
| |
| config INTEL_CBNT_NEED_BPM_PRIV_KEY |
| bool |
| |
| config INTEL_CBNT_BPM_PUB_KEY_FILE |
| string "Boot policy manifest (BPM) public key" |
| depends on INTEL_CBNT_NEED_BPM_PUB_KEY && !INTEL_CBNT_NEED_BPM_PRIV_KEY |
| help |
| Location of the boot policy manifest (BPM) public key file in .pem format. |
| |
| config INTEL_CBNT_BPM_PRIV_KEY_FILE |
| string "Boot policy manifest (BPM) private key" |
| depends on INTEL_CBNT_NEED_BPM_PRIV_KEY |
| help |
| Location of the boot policy manifest (BPM) private key file in .pem format. |
| |
| if !INTEL_CBNT_CBNT_PROV_KM_USE_CFG_FILE && INTEL_CBNT_GENERATE_KM |
| |
| menu "KM options" |
| |
| config INTEL_CBNT_KM_REVISION |
| int "KM revision" |
| default 1 |
| help |
| Version of the Key Manifest defined by the Platform Manufacturer. |
| The actual value is transparent to Boot Guard and is not processed by Boot Guard. |
| |
| config INTEL_CBNT_KM_SVN |
| int "KM security Version Number" |
| range 0 15 |
| default 0 |
| help |
| This value is determined by the Platform Manufacturer. |
| Boot Guard uses this to compare it to the Key Manifest |
| Revocation Value (Revocation.KMSVN) in FPF. |
| |
| If KMSVN < Revocation.KMSVN, the KM will be revoked. It will trigger ENF (the |
| enforcement policy). |
| IF KMSVN > Revocation.KMSVN, the Revocation.KMSVN will be set to the KMSVN. |
| |
| Note: Once the value reaches 0Fh, revocation saturates and one can no longer |
| revoke newer KMs. |
| |
| config INTEL_CBNT_KM_ID |
| int "KM ID" |
| default 1 |
| help |
| This identifies the Key Manifest to be used for a platform. |
| This must match the Key Manifest Identifier programmed in |
| the field programmable fuses. |
| |
| endmenu |
| |
| endif # !INTEL_CBNT_CBNT_PROV_KM_USE_CFG_FILE |
| |
| if !INTEL_CBNT_CBNT_PROV_BPM_USE_CFG_FILE && INTEL_CBNT_GENERATE_BPM |
| menu "BPM options" |
| |
| config INTEL_CBNT_BPM_REVISION |
| int "BPM revision" |
| default 1 |
| help |
| Version of the Key Manifest defined by the Platform Manufacturer. |
| The actual value is transparent to Boot Guard and is not processed by Boot Guard. |
| |
| config INTEL_CBNT_BPM_SVN |
| int "BPM Security Version Number" |
| default 0 |
| help |
| This value is determined by the Platform Manufacturer. |
| |
| config INTEL_CBNT_ACM_SVN |
| int "S-ACM Security Version Number" |
| default 2 |
| help |
| This defines the minimum version the S-ACM must have. |
| |
| config INTEL_CBNT_NUM_NEM_PAGES |
| int |
| default 32 |
| help |
| Set the amount of 4K pages of CAR required. |
| |
| config INTEL_CBNT_PBET |
| int "PBET value in s" |
| default 15 |
| help |
| Protect BIOS Environment Timer (PBET) value. |
| Factor used by CSE to compute PBE timer value. |
| Actual PBE timer value is set by CSE using formula: |
| PBE timer value = 5 sec + PBETValue. |
| |
| config INTEL_CBNT_IBB_FLAGS |
| int "IBB flags" |
| default 7 |
| help |
| IBB Control flags. |
| 3: Don't extend PCR 0 |
| 7: extend PCR 7 |
| |
| config INTEL_CBNT_SINIT_SVN |
| int "SINIT ACM security version number" |
| default 0 |
| help |
| Minimum required version for the SINIT ACM. |
| |
| config INTEL_CBNT_PD_INTERVAL |
| int |
| default 60 |
| help |
| Duration of Power Down in 5 sec increments. |
| |
| endmenu |
| |
| endif # !INTEL_CBNT_CBNT_PROV_BPM_USE_CFG_FILE |
| |
| config INTEL_CBNT_KEY_MANIFEST_BINARY |
| string "KM (Key Manifest) binary location" |
| depends on !INTEL_CBNT_GENERATE_KM |
| help |
| Location of the Key Manifest (KM) |
| |
| config INTEL_CBNT_BOOT_POLICY_MANIFEST_BINARY |
| string "BPM (Boot Policy Manifest) binary location" |
| depends on !INTEL_CBNT_GENERATE_BPM |
| help |
| Location of the Boot Policy Manifest (BPM) |
| |
| config INTEL_CBNT_CMOS_OFFSET |
| hex |
| default 0x7e |
| help |
| Address in RTC CMOS used by CBNT. Uses 2 bytes. If using an option table |
| adapt the cmos.layout accordingly. The bytes should not be checksummed. |
| |
| endif # INTEL_CBNT_SUPPORT |