Gitiles
Code Review Sign In
review.coreboot.org / coreboot / f362bbd5c7ce5d96f4bed3adee9a8f3ccc2728e8 / . / src / security / intel / cbnt / Kconfig
blob: c430123fcb1d5001d84220465e17acddc1e6bf86 [file] [log] [blame]
# SPDX-License-Identifier: GPL-2.0-only
config INTEL_CBNT_SUPPORT
bool "Intel CBnT support"
default n
depends on CPU_INTEL_FIRMWARE_INTERFACE_TABLE
#depends on PLATFORM_HAS_DRAM_CLEAR
select INTEL_TXT
# With CBnT the bootblock is set up as a CBnT IBB and needs a fixed size
select TPM_MEASURED_BOOT_INIT_BOOTBLOCK if TPM_MEASURED_BOOT
help
Enables Intel Converged Bootguard and Trusted Execution Technology
Support. This will enable one to add a Key Manifest (KM) and a Boot
Policy Manifest (BPM) to the filesystem. It will also wrap a FIT around
the firmware and update appropriate entries.
if INTEL_CBNT_SUPPORT
config INTEL_CBNT_LOGGING
bool "Enable verbose CBnT logging"
help
Print more CBnT related debug output.
Use in pre-production environments only!
config INTEL_CBNT_GENERATE_KM
bool "Generate Key Manifest (KM)"
default y
select INTEL_CBNT_NEED_KM_PUB_KEY
select INTEL_CBNT_NEED_KM_PRIV_KEY if !INTEL_CBNT_KM_ONLY_UNSIGNED
select INTEL_CBNT_NEED_BPM_PUB_KEY if !INTEL_CBNT_CBNT_PROV_KM_USE_CFG_FILE
help
Select y to generate the Key Manifest (KM).
Select n to include a KM binary.
config INTEL_CBNT_KM_ONLY_UNSIGNED
bool "Only unsigned key manifest (KM)"
depends on INTEL_CBNT_GENERATE_KM
help
Skip signing the KM.
The resulting unsigned KM will be placed at build/km_unsigned.bin.
The resulting coreboot image will not be functional with CBnT.
After the unsigned KM is signed externally you can either rebuild
coreboot using that binary or add it to cbfs and fit:
"$ cbfstool build/coreboot.rom add -f km.bin -n key_manifest.bin -t raw -a 16"
"$ ifittool -r COREBOOT -a -n key_manifest.bin -t 11 -s 12 -f build/coreboot.rom"
'-s 12' where 12 is CONFIG_CPU_INTEL_NUM_FIT_ENTRIES.
config INTEL_CBNT_CBNT_PROV_KM_USE_CFG_FILE
bool "KM: use a CBnT json config file"
depends on INTEL_CBNT_GENERATE_KM
default y
help
Select y to generate KM from a json config file.
Select n to generate KM from Kconfig options
config INTEL_CBNT_GENERATE_BPM
bool "Generate Boot Policy Manifest (BPM)"
default y
select INTEL_CBNT_NEED_BPM_PRIV_KEY if !INTEL_CBNT_BPM_ONLY_UNSIGNED
help
Select y to generate the Boot Policy Manifest (BPM).
Select n to include a BPM binary.
config INTEL_CBNT_BPM_ONLY_UNSIGNED
bool "Only unsigned boot policy manifest (BPM)"
depends on INTEL_CBNT_GENERATE_BPM
help
Skip signing the BPM.
The resulting unsigned BPM will be placed at build/bpm_unsigned.bin.
The resulting coreboot image will not be functional with CBnT.
After the unsigned BPM is signed externally you can add it to cbfs
and fit:
"$ cbfstool build/coreboot.rom add -f bpm.bin -n boot_policy_manifest.bin -t raw -a 16"
"$ ifittool -r COREBOOT -a -n boot_policy_manifest.bin -t 12 -s 12 -f build/coreboot.rom"
'-s 12' where 12 is CONFIG_CPU_INTEL_NUM_FIT_ENTRIES.
config INTEL_CBNT_CBNT_PROV_BPM_USE_CFG_FILE
bool "BPM: use a CBnT json config file"
depends on INTEL_CBNT_GENERATE_BPM
default y
help
Select y to generate BPM from a json config file.
Select n to generate BPM from Kconfig options
config INTEL_CBNT_CBNT_PROV_CFG_FILE
string "CBnT json config file"
depends on INTEL_CBNT_CBNT_PROV_KM_USE_CFG_FILE || INTEL_CBNT_CBNT_PROV_BPM_USE_CFG_FILE
help
Location of the bg-prov json config file.
Either get a sample JSON config file:
$ bg-prov template
Or extract it from a working configuration:
$ bg-prov read-config
config INTEL_CBNT_PROV_EXTERNAL_BIN
bool "Use an external cbnt-prov binary"
default n
depends on INTEL_CBNT_GENERATE_BPM || INTEL_CBNT_GENERATE_KM
help
Building cbnt-prov requires godeps which makes it impossible to build
it in an offline environment. A solution is to use an external binary.
config INTEL_CBNT_PROV_EXTERNAL_BIN_PATH
string "cbnt-prov path"
depends on INTEL_CBNT_PROV_EXTERNAL_BIN
help
Path to the cbnt-prov binary.
config INTEL_CBNT_NEED_KM_PUB_KEY
bool
config INTEL_CBNT_NEED_KM_PRIV_KEY
bool
config INTEL_CBNT_KM_PUB_KEY_FILE
string "Key manifest (KM) public key"
depends on INTEL_CBNT_NEED_KM_PUB_KEY && !INTEL_CBNT_NEED_KM_PRIV_KEY
help
Location of the key manifest (KM) public key file in .pem format.
config INTEL_CBNT_KM_PRIV_KEY_FILE
string "Key manifest (KM) private key"
depends on INTEL_CBNT_NEED_KM_PRIV_KEY
help
Location of the key manifest (KM) private key file in .pem format.
config INTEL_CBNT_NEED_BPM_PUB_KEY
bool
config INTEL_CBNT_NEED_BPM_PRIV_KEY
bool
config INTEL_CBNT_BPM_PUB_KEY_FILE
string "Boot policy manifest (BPM) public key"
depends on INTEL_CBNT_NEED_BPM_PUB_KEY && !INTEL_CBNT_NEED_BPM_PRIV_KEY
help
Location of the boot policy manifest (BPM) public key file in .pem format.
config INTEL_CBNT_BPM_PRIV_KEY_FILE
string "Boot policy manifest (BPM) private key"
depends on INTEL_CBNT_NEED_BPM_PRIV_KEY
help
Location of the boot policy manifest (BPM) private key file in .pem format.
if !INTEL_CBNT_CBNT_PROV_KM_USE_CFG_FILE && INTEL_CBNT_GENERATE_KM
menu "KM options"
config INTEL_CBNT_KM_REVISION
int "KM revision"
default 1
help
Version of the Key Manifest defined by the Platform Manufacturer.
The actual value is transparent to Boot Guard and is not processed by Boot Guard.
config INTEL_CBNT_KM_SVN
int "KM security Version Number"
range 0 15
default 0
help
This value is determined by the Platform Manufacturer.
Boot Guard uses this to compare it to the Key Manifest
Revocation Value (Revocation.KMSVN) in FPF.
If KMSVN < Revocation.KMSVN, the KM will be revoked. It will trigger ENF (the
enforcement policy).
IF KMSVN > Revocation.KMSVN, the Revocation.KMSVN will be set to the KMSVN.
Note: Once the value reaches 0Fh, revocation saturates and one can no longer
revoke newer KMs.
config INTEL_CBNT_KM_ID
int "KM ID"
default 1
help
This identifies the Key Manifest to be used for a platform.
This must match the Key Manifest Identifier programmed in
the field programmable fuses.
endmenu
endif # !INTEL_CBNT_CBNT_PROV_KM_USE_CFG_FILE
if !INTEL_CBNT_CBNT_PROV_BPM_USE_CFG_FILE && INTEL_CBNT_GENERATE_BPM
menu "BPM options"
config INTEL_CBNT_BPM_REVISION
int "BPM revision"
default 1
help
Version of the Key Manifest defined by the Platform Manufacturer.
The actual value is transparent to Boot Guard and is not processed by Boot Guard.
config INTEL_CBNT_BPM_SVN
int "BPM Security Version Number"
default 0
help
This value is determined by the Platform Manufacturer.
config INTEL_CBNT_ACM_SVN
int "S-ACM Security Version Number"
default 2
help
This defines the minimum version the S-ACM must have.
config INTEL_CBNT_NUM_NEM_PAGES
int
default 32
help
Set the amount of 4K pages of CAR required.
config INTEL_CBNT_PBET
int "PBET value in s"
default 15
help
Protect BIOS Environment Timer (PBET) value.
Factor used by CSE to compute PBE timer value.
Actual PBE timer value is set by CSE using formula:
PBE timer value = 5 sec + PBETValue.
config INTEL_CBNT_IBB_FLAGS
int "IBB flags"
default 7
help
IBB Control flags.
3: Don't extend PCR 0
7: extend PCR 7
config INTEL_CBNT_SINIT_SVN
int "SINIT ACM security version number"
default 0
help
Minimum required version for the SINIT ACM.
config INTEL_CBNT_PD_INTERVAL
int
default 60
help
Duration of Power Down in 5 sec increments.
endmenu
endif # !INTEL_CBNT_CBNT_PROV_BPM_USE_CFG_FILE
config INTEL_CBNT_KEY_MANIFEST_BINARY
string "KM (Key Manifest) binary location"
depends on !INTEL_CBNT_GENERATE_KM
help
Location of the Key Manifest (KM)
config INTEL_CBNT_BOOT_POLICY_MANIFEST_BINARY
string "BPM (Boot Policy Manifest) binary location"
depends on !INTEL_CBNT_GENERATE_BPM
help
Location of the Boot Policy Manifest (BPM)
config INTEL_CBNT_CMOS_OFFSET
hex
default 0x7e
help
Address in RTC CMOS used by CBNT. Uses 2 bytes. If using an option table
adapt the cmos.layout accordingly. The bytes should not be checksummed.
endif # INTEL_CBNT_SUPPORT