Michał Żygowski has uploaded this change for review. ( https://review.coreboot.org/c/coreboot/+/43392 )
Change subject: security/intel: add Boot Guard menu ......................................................................
security/intel: add Boot Guard menu
Signed-off-by: Michał Żygowski michal.zygowski@3mdeb.com Change-Id: I8630c28643e3cb098eb6e544eb4b64bb1527582c --- M src/security/intel/Kconfig A src/security/intel/bootguard/Kconfig 2 files changed, 104 insertions(+), 0 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/92/43392/1
diff --git a/src/security/intel/Kconfig b/src/security/intel/Kconfig index 9cdd8a6..69aed6b 100644 --- a/src/security/intel/Kconfig +++ b/src/security/intel/Kconfig @@ -2,3 +2,5 @@
source "src/security/intel/txt/Kconfig" source "src/security/intel/stm/Kconfig" +source "src/security/intel/bootguard/Kconfig" + diff --git a/src/security/intel/bootguard/Kconfig b/src/security/intel/bootguard/Kconfig new file mode 100644 index 0000000..ebaf386 --- /dev/null +++ b/src/security/intel/bootguard/Kconfig @@ -0,0 +1,102 @@ +# SPDX-License-Identifier: GPL-2.0-only + +config INTEL_BOOTGUARD + bool "Intel Boot Guard" + depends on CPU_INTEL_FIRMWARE_INTERFACE_TABLE + default n + +if INTEL_BOOTGUARD + +menu "Boot Guard" + +choice + prompt "Key Manifest source" + default KM_EXISTING + +config KM_EXISTING + bool "Use existing Key Manifest" + +config KM_BUILD + bool "Build Key Manifest from OEM root key" + +endchoice + +config KM_PRIV_KEY + string "Path to private RSA key for Key Manifest" + depends on KM_BUILD + default "OEM_root_key_private.pem" + +config KM_PM_VERSION + int "Platform Manufacturer's Key Manifest Version" + depends on KM_BUILD + default 0 + help + OEM-defined version number, not used by Boot Guard. + + +config KM_KEY_ID + int "Key ID (1-15, must be the same as in ME)" + depends on KM_BUILD + default 15 + +config KM_SVN + int "Key Manifest Revocation Value (use with care)" + depends on KM_BUILD + default 0 + help + This value will be compared with value saved in FPF. If this value + is higher, the FPF will be updated. If it is lower, KM will be + revoked. Saturates at 15, no more revocations will be possible. + You have been warned. + +config KM_FILE + string + prompt "Path to pre-built Key Manifest" if KM_EXISTING + default "key_manifest.bin" + +config BPM_PRIV_KEY + string "Path to private RSA key for Boot Policy Manifest" + default "BPM_key_private.pem" + +config BPM_FILE + string + default "boot_policy_manifest.bin" + +config BPM_PM_VERSION + int "Platform Manufacturer's Boot Policy Version" + default 0 + help + OEM-defined version number, not used by Boot Guard. + +config BPM_SVN + int "Boot Policy Revocation Value (use with care)" + default 0 + help + This value will be compared with value saved in FPF. If this value + is higher, the FPF will be updated. If it is lower, BPM will be + revoked. Saturates at 15, no more revocations will be possible. + You have been warned. + +config ACM_SVN + int "ACM Revocation Value (use with care)" + default 2 + help + This value will be compared with value saved in FPF. If this value + is higher and the same as the one saved in ACM, the FPF will be + updated. If it is lower, ACM will be revoked. Values lower than 2 + are reserved for development versions of ACM. All ACMs with their + internal SVN higher than the one in FPF will be authorized, so this + value doesn't need to be bumped for newer ACMs. Saturates at 15, no + more revocations will be possible. + You have been warned. + +config BTG_ACM_FILE + string "Path and filename of the Boot Guard ACM" + default "" + help + Include the Boot Guard Authenticated Code Module necessary to boot + Boot Guard enabled platform + +endmenu + +endif