Nico Huber has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/36682 )
Change subject: [WIP]soc/intel/car: Add support for bootguard CAR ......................................................................
Patch Set 1:
> > @Subrata I tried to test this but miserably failed :D I have an unfused/uncommitted SoC here. The main problem seems to be that I don't know how to create a valid Manifest.
> >
> > My understanding of the process is:
> > - Build coreboot bios region image
> > - Create a manifest and import it to the image using the Manifest Extension Utility
> > - Sign the manifest with the MEU
> > - Set the bootguard policy in FIT and add the pubkey hash
> > - Add the signed bios image
> > - Build the final image with FIT
> >
> > Can you confirm/correct this, please?
>
> In summary, BtGuard's role is to verify the IBB (the code which initializes memory), load it into NEM and pass control to the coreboot entry point.
>
> 1) Coreboot needs to define which CBFS files constitute the IBB: bootblock, fsp-m, verstage, romstage, etc.?
> 2) We need to create a FIT table with a Type 7 entry and include those CBFS files. The FIT spec is here (https://www.intel.com/content/dam/www/public/us/en/documents/guides/fit-bios...).
> 3) We need to invoke the Intel BpmGen tool to create the BtGuard Policy Manifest (BPM) and BtGuard Key Manifest (KM).
> The BpmGen tool will use the above FIT table to create the BPM, which will contain the cumulative hash of the IBB. The KM will contain the hash of the key which is used for signing the BPM.
> 4) Build the final image using FIT and set the appropriate BtGuard policy and the hash of the public key which was used for signing the KM.
Thanks to 9elements, 1) and 2) are already done if you enable Intel TXT. 3) should be easy to implement in coreboot if there were some public spec.
Unfortunately, I am not aware of any public specs which provide BPM/KM details. However, the Slimboot code does contain the definitions of those data structures. https://github.com/slimbootloader/slimbootloader/blob/5e10bd1e0761c7581d9233...
Got it, but then why isn't the document disclosed publicly? I mean, most of the stuff is already disclosed by slimbootloader, right?
Also, can Intel test our CAR changes and give us feedback on whether Boot Guard works with it?
Well, for APL there is some document out there which describes how to enable BG with the MEU and the FIT tool. For Skylake the MEU does not provide signing, so there must be some other tool... but I couldn't find anything :/
@Michael: For SKL BtG enablement, you need access to the BpmGen tool. Please request it from your Intel rep.
So Intel wants us to a) have a proprietary blob in coreboot, b) implement an open-source alternative, but doesn't provide a way for testing? Well, then let's choose option c): drop FSP-T and do not implement BootGuard due to missing testing abilities.
I guess what Michael wants to tell us is that he just wanted to help but can't, because he has no Intel representative. So somebody @Intel will have to test this.
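The quoted summary above says that the FIT Type 7 entries define which parts of the image make up the IBB, and that the BPM carries a cumulative hash over exactly those segments. The following is an added example written for this thread; it is not coreboot, ifittool, or Intel BpmGen code. It builds a constructed 64 KiB "BIOS region" with two stand-in IBB segments, writes a FIT (16-byte entries, "_FIT_   " header entry, Type 7 sizes in 16-byte units, checksum byte making the whole table sum to zero, FIT pointer at physical 0xFFFFFFC0), then walks the FIT back and hashes the Type 7 segments. The definition of the "cumulative hash of IBB" as SHA-256 over the Type 7 segments concatenated in FIT order is an assumption standing in for BpmGen's undocumented computation, which the thread says has no public spec; the function names `build_image`, `parse_fit`, `ibb_digest`, `rejected` and `demo` and the sample data are mine. It also shows the two rejection paths a tool in the BpmGen role needs: a FIT whose checksum no longer matches, and an image with no Type 7 entries at all.

```python
"""Walk a FIT table and hash its Type 7 (IBB) segments. Added example, not coreboot or Intel code.
ASSUMPTION: the BPM's "cumulative hash of IBB" is modelled as SHA-256 over the Type 7 segments
concatenated in FIT order; BpmGen's real computation is not public and may differ."""
import hashlib
import struct

FIT_HEADER_SIG = b"_FIT_   "         # 8 bytes, carried in the header entry's address field
FIT_POINTER_FROM_TOP = 0x40          # FIT pointer lives at physical 0xFFFFFFC0
FIT_TYPE_HEADER = 0x00
FIT_TYPE_BIOS_STARTUP_MODULE = 0x07  # "Type 7": an IBB segment
FIT_VERSION = 0x0100
ENTRY_FMT = "<Q3sBHBB"               # address, size[3] (16-byte units), reserved, version, type|C_V, checksum
ENTRY_SIZE = struct.calcsize(ENTRY_FMT)  # 16

def offset_to_phys(image_len, offset):
    return (1 << 32) - image_len + offset      # image is mapped with its last byte at 0xFFFFFFFF

def phys_to_offset(image_len, phys):
    base = (1 << 32) - image_len
    if not base <= phys < (1 << 32):
        raise ValueError(f"physical address {phys:#x} is outside the image")
    return phys - base

def parse_fit(image):
    """Follow the FIT pointer, check header and checksum, return (type, phys, size_bytes) per entry."""
    fit_ptr = struct.unpack_from("<Q", image, len(image) - FIT_POINTER_FROM_TOP)[0]
    fit_off = phys_to_offset(len(image), fit_ptr)
    sig, size3, _, _, type_cv, _ = struct.unpack_from(ENTRY_FMT, image, fit_off)
    if struct.pack("<Q", sig) != FIT_HEADER_SIG or type_cv & 0x7F != FIT_TYPE_HEADER:
        raise ValueError("no valid FIT header at the FIT pointer target")
    num_entries = int.from_bytes(size3, "little")       # header size field = entry count
    table = image[fit_off:fit_off + num_entries * ENTRY_SIZE]
    if type_cv & 0x80 and sum(table) % 256 != 0:         # C_V set: table bytes must sum to zero
        raise ValueError("FIT checksum mismatch")
    entries = []
    for i in range(1, num_entries):
        phys, size3, _, _, type_cv, _ = struct.unpack_from(ENTRY_FMT, table, i * ENTRY_SIZE)
        entries.append((type_cv & 0x7F, phys, int.from_bytes(size3, "little") * 16))
    return entries

def ibb_digest(image, entries):
    """Assumed model of the BPM IBB hash: SHA-256 over Type 7 segments in FIT order."""
    h, measured = hashlib.sha256(), 0
    for typ, phys, size in entries:
        if typ != FIT_TYPE_BIOS_STARTUP_MODULE:
            continue
        off = phys_to_offset(len(image), phys)
        if off + size > len(image):
            raise ValueError("IBB segment runs past the end of the image")
        h.update(image[off:off + size])
        measured += 1
    if measured == 0:
        raise ValueError("no Type 7 entries: nothing for Boot Guard to measure")
    return h.hexdigest()

def build_image(image_len, ibb_segments, fit_offset):
    """Constructed flash image: 0xFF fill, the (offset, bytes) IBB segments, a FIT and its pointer."""
    img = bytearray(b"\xff" * image_len)
    for off, data in ibb_segments:
        img[off:off + len(data)] = data
    num_entries = 1 + len(ibb_segments)
    table = bytearray(struct.pack(ENTRY_FMT, struct.unpack("<Q", FIT_HEADER_SIG)[0],
                                  num_entries.to_bytes(3, "little"), 0, FIT_VERSION,
                                  0x80 | FIT_TYPE_HEADER, 0))
    for off, data in ibb_segments:
        if len(data) % 16:
            raise ValueError("Type 7 sizes are encoded in 16-byte units")
        table += struct.pack(ENTRY_FMT, offset_to_phys(image_len, off),
                             (len(data) // 16).to_bytes(3, "little"), 0, FIT_VERSION,
                             FIT_TYPE_BIOS_STARTUP_MODULE, 0)
    table[15] = (-sum(table)) & 0xFF          # header checksum byte: whole table sums to zero
    img[fit_offset:fit_offset + len(table)] = table
    struct.pack_into("<Q", img, image_len - FIT_POINTER_FROM_TOP, offset_to_phys(image_len, fit_offset))
    return bytes(img)

# Constructed sample: a 64 KiB "BIOS region" with two IBB pieces standing in for fsp-m and bootblock.
IMAGE_LEN, FIT_OFFSET = 0x10000, 0xE000
FSPM = b"\x5a" * 0x800
BOOTBLOCK = bytes(range(256)) * 4
SEGMENTS = [(0x8000, FSPM), (0xF000, BOOTBLOCK)]

def rejected(image):
    """True if the image fails FIT validation or has no IBB to measure."""
    try:
        ibb_digest(image, parse_fit(image))
        return False
    except ValueError:
        return True

def demo():
    image = build_image(IMAGE_LEN, SEGMENTS, FIT_OFFSET)
    entries = parse_fit(image)
    tampered = bytearray(image)
    tampered[0xF010] ^= 0x01                  # flip one bit inside the bootblock segment
    bad_fit = bytearray(image)
    bad_fit[FIT_OFFSET + ENTRY_SIZE] ^= 0x01  # corrupt the first Type 7 entry without fixing the checksum
    return {
        "entry_types": [typ for typ, _, _ in entries],
        "digest": ibb_digest(image, entries),
        "reference": hashlib.sha256(FSPM + BOOTBLOCK).hexdigest(),
        "tampered_digest": ibb_digest(bytes(tampered), parse_fit(bytes(tampered))),
        "bad_fit_rejected": rejected(bytes(bad_fit)),
        "empty_ibb_rejected": rejected(build_image(IMAGE_LEN, [], FIT_OFFSET)),
    }
```

Running `demo()` shows the FIT-driven walk reproducing the hash of the two segments in table order, a different digest after a single-bit change inside the bootblock (the case Boot Guard exists to catch), and rejection of both a FIT with a stale checksum and an image that declares no IBB. Against a real image, the physical-to-offset mapping assumes the region ends at 0xFFFFFFFF, and the real BPM layout and hash construction must be taken from BpmGen or the slimbootloader structure definitions mentioned above rather than from this model.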