src/security/intel/cbnt/Kconfig

# SPDX-License-Identifier: GPL-2.0-only

config INTEL_CBNT_SUPPORT
	bool "Intel CBnT support"
	default n
	depends on CPU_INTEL_FIRMWARE_INTERFACE_TABLE
	#depends on PLATFORM_HAS_DRAM_CLEAR
	select INTEL_TXT
	# With CBnT the bootblock is set up as a CBnT IBB and needs a fixed size
	select TPM_MEASURED_BOOT_INIT_BOOTBLOCK if TPM_MEASURED_BOOT
	help
	  Enables Intel Converged Bootguard and Trusted Execution Technology
	  Support. This will enable one to add a Key Manifest (KM) and a Boot
	  Policy Manifest (BPM) to the filesystem. It will also wrap a FIT around
	  the firmware and update appropriate entries.

if INTEL_CBNT_SUPPORT

config INTEL_CBNT_LOGGING
	bool "Enable verbose CBnT logging"
	help
	  Print more CBnT related debug output.
	  Use in pre-production environments only!

config INTEL_CBNT_GENERATE_KM
	bool "Generate Key Manifest (KM)"
	default y
	select INTEL_CBNT_NEED_KM_PUB_KEY
	select INTEL_CBNT_NEED_KM_PRIV_KEY if !INTEL_CBNT_KM_ONLY_UNSIGNED
	select INTEL_CBNT_NEED_BPM_PUB_KEY if !INTEL_CBNT_CBNT_PROV_KM_USE_CFG_FILE
	help
	  Select y to generate the Key Manifest (KM).
	  Select n to include a KM binary.

config INTEL_CBNT_KM_ONLY_UNSIGNED
	bool "Only unsigned key manifest (KM)"
	depends on INTEL_CBNT_GENERATE_KM
	help
	  Skip signing the KM.
	  The resulting unsigned KM will be placed at build/km_unsigned.bin.
	  The resulting coreboot image will not be functional with CBnT.
	  After the unsigned KM is signed externally you can either rebuild
	  coreboot using that binary or add it to cbfs and fit:
	  "$ cbfstool build/coreboot.rom add -f km.bin -n key_manifest.bin -t raw -a 16"
	  "$ ifittool -r COREBOOT -a -n key_manifest.bin -t 11 -s 12 -f build/coreboot.rom"
	  '-s 12' where 12 is CONFIG_CPU_INTEL_NUM_FIT_ENTRIES.

config INTEL_CBNT_CBNT_PROV_KM_USE_CFG_FILE
	bool "KM: use a CBnT json config file"
	depends on INTEL_CBNT_GENERATE_KM
	default y
	help
	  Select y to generate KM from a json config file.
	  Select n to generate KM from Kconfig options

config INTEL_CBNT_GENERATE_BPM
	bool "Generate Boot Policy Manifest (BPM)"
	default y
	select INTEL_CBNT_NEED_BPM_PRIV_KEY if !INTEL_CBNT_BPM_ONLY_UNSIGNED
	help
	  Select y to generate the Boot Policy Manifest (BPM).
	  Select n to include a BPM binary.

config INTEL_CBNT_BPM_ONLY_UNSIGNED
	bool "Only unsigned boot policy manifest (BPM)"
	depends on INTEL_CBNT_GENERATE_BPM
	help
	  Skip signing the BPM.
	  The resulting unsigned BPM will be placed at build/bpm_unsigned.bin.
	  The resulting coreboot image will not be functional with CBnT.
	  After the unsigned BPM is signed externally you can add it to cbfs
	  and fit:
	  "$ cbfstool build/coreboot.rom add -f bpm.bin -n boot_policy_manifest.bin -t raw -a 16"
	  "$ ifittool -r COREBOOT -a -n boot_policy_manifest.bin -t 12 -s 12 -f build/coreboot.rom"
	  '-s 12' where 12 is CONFIG_CPU_INTEL_NUM_FIT_ENTRIES.

config INTEL_CBNT_CBNT_PROV_BPM_USE_CFG_FILE
	bool "BPM: use a CBnT json config file"
	depends on INTEL_CBNT_GENERATE_BPM
	default y
	help
	  Select y to generate BPM from a json config file.
	  Select n to generate BPM from Kconfig options

config INTEL_CBNT_CBNT_PROV_CFG_FILE
	string "CBnT json config file"
	depends on INTEL_CBNT_CBNT_PROV_KM_USE_CFG_FILE || INTEL_CBNT_CBNT_PROV_BPM_USE_CFG_FILE
	help
	  Location of the bg-prov json config file.
	  Either get a sample JSON config file:
	  $ bg-prov template
	  Or extract it from a working configuration:
	  $ bg-prov read-config

config INTEL_CBNT_PROV_EXTERNAL_BIN
	bool "Use an external cbnt-prov binary"
	default n
	depends on INTEL_CBNT_GENERATE_BPM || INTEL_CBNT_GENERATE_KM
	help
	  Building cbnt-prov requires godeps which makes it impossible to build
	  it in an offline environment. A solution is to use an external binary.

config INTEL_CBNT_PROV_EXTERNAL_BIN_PATH
	string "cbnt-prov path"
	depends on INTEL_CBNT_PROV_EXTERNAL_BIN
	help
	  Path to the cbnt-prov binary.

config INTEL_CBNT_NEED_KM_PUB_KEY
	bool

config INTEL_CBNT_NEED_KM_PRIV_KEY
	bool

config INTEL_CBNT_KM_PUB_KEY_FILE
	string "Key manifest (KM) public key"
	depends on INTEL_CBNT_NEED_KM_PUB_KEY && !INTEL_CBNT_NEED_KM_PRIV_KEY
	help
	  Location of the key manifest (KM) public key file in .pem format.

config INTEL_CBNT_KM_PRIV_KEY_FILE
	string "Key manifest (KM) private key"
	depends on INTEL_CBNT_NEED_KM_PRIV_KEY
	help
	  Location of the key manifest (KM) private key file in .pem format.

config INTEL_CBNT_NEED_BPM_PUB_KEY
	bool

config INTEL_CBNT_NEED_BPM_PRIV_KEY
	bool

config INTEL_CBNT_BPM_PUB_KEY_FILE
	string "Boot policy manifest (BPM) public key"
	depends on INTEL_CBNT_NEED_BPM_PUB_KEY && !INTEL_CBNT_NEED_BPM_PRIV_KEY
	help
	  Location of the boot policy manifest (BPM) public key file in .pem format.

config INTEL_CBNT_BPM_PRIV_KEY_FILE
	string "Boot policy manifest (BPM) private key"
	depends on INTEL_CBNT_NEED_BPM_PRIV_KEY
	help
	  Location of the boot policy manifest (BPM) private key file in .pem format.

if !INTEL_CBNT_CBNT_PROV_KM_USE_CFG_FILE && INTEL_CBNT_GENERATE_KM

menu "KM options"

config INTEL_CBNT_KM_REVISION
	int "KM revision"
	default 1
	help
	  Version of the Key Manifest defined by the Platform Manufacturer.
	  The actual value is transparent to Boot Guard and is not processed by Boot Guard.

config INTEL_CBNT_KM_SVN
	int "KM security Version Number"
	range 0 15
	default 0
	help
	  This value is determined by the Platform Manufacturer.
	  Boot Guard uses this to compare it to the Key Manifest
	  Revocation Value (Revocation.KMSVN) in FPF.

	  If KMSVN < Revocation.KMSVN, the KM will be revoked. It will trigger ENF (the
	  enforcement policy).
	  IF KMSVN > Revocation.KMSVN, the Revocation.KMSVN will be set to the KMSVN.

	  Note: Once the value reaches 0Fh, revocation saturates and one can no longer
	  revoke newer KMs.

config INTEL_CBNT_KM_ID
	int "KM ID"
	default 1
	help
	  This identifies the Key Manifest to be used for a platform.
	  This must match the Key Manifest Identifier programmed in
	  the field programmable fuses.

endmenu

endif # !INTEL_CBNT_CBNT_PROV_KM_USE_CFG_FILE

if !INTEL_CBNT_CBNT_PROV_BPM_USE_CFG_FILE && INTEL_CBNT_GENERATE_BPM
menu "BPM options"

config INTEL_CBNT_BPM_REVISION
	int "BPM revision"
	default 1
	help
	  Version of the Key Manifest defined by the Platform Manufacturer.
	  The actual value is transparent to Boot Guard and is not processed by Boot Guard.

config INTEL_CBNT_BPM_SVN
	int "BPM Security Version Number"
	default 0
	help
	  This value is determined by the Platform Manufacturer.

config INTEL_CBNT_ACM_SVN
	int "S-ACM Security Version Number"
	default 2
	help
	  This defines the minimum version the S-ACM must have.

config INTEL_CBNT_NUM_NEM_PAGES
	int
	default 32
	help
	  Set the amount of 4K pages of CAR required.

config INTEL_CBNT_PBET
	int "PBET value in s"
	default 15
	help
	  Protect BIOS Environment Timer (PBET) value.
	  Factor used by CSE to compute PBE timer value.
	  Actual PBE timer value is set by CSE using formula:
	  PBE timer value = 5 sec + PBETValue.

config INTEL_CBNT_IBB_FLAGS
	int "IBB flags"
	default 7
	help
	  IBB Control flags.
	  3: Don't extend PCR 0
	  7: extend PCR 7

config INTEL_CBNT_SINIT_SVN
	int "SINIT ACM security version number"
	default 0
	help
	  Minimum required version for the SINIT ACM.

config INTEL_CBNT_PD_INTERVAL
	int
	default 60
	help
	  Duration of Power Down in 5 sec increments.

endmenu

endif # !INTEL_CBNT_CBNT_PROV_BPM_USE_CFG_FILE

config INTEL_CBNT_KEY_MANIFEST_BINARY
	string "KM (Key Manifest) binary location"
	depends on !INTEL_CBNT_GENERATE_KM
	help
	  Location of the Key Manifest (KM)

config INTEL_CBNT_BOOT_POLICY_MANIFEST_BINARY
	string "BPM (Boot Policy Manifest) binary location"
	depends on !INTEL_CBNT_GENERATE_BPM
	help
	  Location of the Boot Policy Manifest (BPM)

config INTEL_CBNT_CMOS_OFFSET
	hex
	default 0x7e
	help
	  Address in RTC CMOS used by CBNT. Uses 2 bytes. If using an option table
	  adapt the cmos.layout accordingly. The bytes should not be checksummed.

endif # INTEL_CBNT_SUPPORT