[coreboot-gerrit] Change in coreboot[master]: intel/security - Add BootGuard support/Documentation

Christopher Meis has uploaded this change for review. ( https://review.coreboot.org/c/coreboot/+/55512 )

Change subject: intel/security - Add BootGuard support/Documentation ......................................................................

intel/security - Add BootGuard support/Documentation

src/intel/security - Add Kconfig and Makefile for Intel Bootguard Documentation - Add Documentation about Intel BootGuard

Change-Id: I1521bb1893d5a7a2fb5b8676cd37baab29051a2f Signed-off-by: Christopher Meis christopher.meis@9elements.com --- M Documentation/security/intel/acm.md A Documentation/security/intel/bootguard.md M src/security/intel/Kconfig M src/security/intel/Makefile.inc A src/security/intel/bg/Kconfig A src/security/intel/bg/Makefile.inc A src/security/intel/bg/cmos.c 7 files changed, 494 insertions(+), 1 deletion(-)

git pull ssh://review.coreboot.org:29418/coreboot refs/changes/12/55512/1

diff --git a/Documentation/security/intel/acm.md b/Documentation/security/intel/acm.md index b7dfacd..f1f9e33 100644 --- a/Documentation/security/intel/acm.md +++ b/Documentation/security/intel/acm.md @@ -15,12 +15,14 @@

## Retrieving ACMs

-The ACMs can be downloaded on Intel's website: +The ACMs for TXT can be downloaded on Intel's website: [Intel Trusted Execution Technology](https://software.intel.com/en-us/articles/intel-trusted-execution-technology)

If you want to extract the BLOB from vendor firmware you can search for the string ``LCP_POLICY_DATA`` or ``TXT``.

+BootGuard ACMs are not publicly distributed and need a signed Non-Disclosure-Agreement(NDA) with Intel Corp. + ## Header

Every ACM has a fixed size header: diff --git a/Documentation/security/intel/bootguard.md b/Documentation/security/intel/bootguard.md new file mode 100644 index 0000000..94983f2 --- /dev/null +++ b/Documentation/security/intel/bootguard.md @@ -0,0 +1,66 @@ +# Intel BootGuard + +Intel BootGuard introduces a hardware based anchor of trust. + +It consists of five different parts: + +1. Hash of Key Manifest(KM) public signing key fused into Field Programming Fuse(FPF). + (Trust-Anchor/Root-of-Trust) in the chipset. +2. KM signed with the KM private signing key. KM contains the hash of Bootpolicy + Manifest(BPM) public signing key. +3. BPM signed with BPM private signing key. BPM contains platform specific configuration + information. (IBB information, hashes of IBB, etc.) +4. BootGuard Authenticated Code Module [ACM] +5. Firmware Interface Table[FIT] entries of KM, BPM and ACM. + +Intel BootGuard requirements: + +1. Intel Flash Image Tool (requires NDA with Intel Corp.) +2. Intel BootGuard requires signed **Authenticated Code Module** ([ACM]s), provided + by Intel. (requires NDA with Intel Corp.) +3. Intel BootGuard requres **CPU and Chipset** support (supported since Intel Haswell) + +## Authenticated Code Modules + +The ACMs are Intel digitally signed modules that contain code to be run +before the traditional x86 CPU reset vector. + +ACMs for Intel BootGuard are not distributed publicly, so a signed NDA with Intel Corp. is required. + +More details can be found here: [ACM] + +## For developers +### Configuring Intel BootGuard in Kconfig +Enable ``INTEL_BG_SUPPORT`` for general usage. + +### Generate KM and BPM +Enable ``INTEL_BG_GENERATE_BPM`` and ``INTEL_BG_GENERATE_KM`` if a new Key Manifest and +Bootpolicy Manifest should be generated. + +If the options stay disabled you need to provide paths for ``INTEL_BG_KEY_MANIFEST_BINARY`` +and ``INTEL_BG_BOOT_POLICY_MANIFEST_BINARY``. + + + +#### Generate KM and BPM with json config +Set ``INTEL_BG_BG_PROV_CFG_FILE`` with path of the json configuration file. For further information about +how to generate a configuration json file and its content see: [Intel-Sec-Tools](../../../3rdparty/intel-sec-tools/cmd/bg/README.md) + +#### Generate KM and BPM with args +Key Manifest options: +- INTEL_BG_KM_VERSION +- INTEL_BG_KM_SVN +- INTEL_BG_KM_ID + +Bootpolicy Manifest options: +- INTEL_BG_BPM_VERSION +- INTEL_BG_BPM_SVN +- INTEL_BG_ACM_SVN +- INTEL_BG_NUM_NEM_PAGES +- INTEL_BG_PBET +- INTEL_BG_IBB_FLAGS + +For further information on these options see Intel document #557867. + +### Key paths for KM and BPM private key +Set ``INTEL_BG_KM_PRIV_KEY_FILE`` and ``INTEL_BG_BPM_PRIV_KEY_FILE`` paths. \ No newline at end of file diff --git a/src/security/intel/Kconfig b/src/security/intel/Kconfig index 0609a45..4e60a5a 100644 --- a/src/security/intel/Kconfig +++ b/src/security/intel/Kconfig @@ -3,3 +3,4 @@ source "src/security/intel/txt/Kconfig" source "src/security/intel/stm/Kconfig" source "src/security/intel/cbnt/Kconfig" +source "src/security/intel/bg/Kconfig" diff --git a/src/security/intel/Makefile.inc b/src/security/intel/Makefile.inc index 20aea27..6878a5f 100644 --- a/src/security/intel/Makefile.inc +++ b/src/security/intel/Makefile.inc @@ -1,3 +1,4 @@ subdirs-y += txt subdirs-y += stm subdirs-y += cbnt +subdirs-y += bg diff --git a/src/security/intel/bg/Kconfig b/src/security/intel/bg/Kconfig new file mode 100644 index 0000000..d817883 --- /dev/null +++ b/src/security/intel/bg/Kconfig @@ -0,0 +1,257 @@ +# SPDX-License-Identifier: GPL-2.0-only + +config INTEL_BG_SUPPORT + bool "Intel Boot Guard support" + default n + select INTEL_TXT + depends on CPU_INTEL_FIRMWARE_INTERFACE_TABLE + # With Boot Guard the bootblock is set up as a Boot Guard IBB and needs a fixed size + select FIXED_BOOTBLOCK_SIZE + help + Enables Intel Boot Guard Support. This will enable one to add a + Key Manifest (KM) and a Boot Policy Manifest (BPM) to the + filesystem. It will also wrap a FIT around the firmware and + update appropriate entries. + +if INTEL_BG_SUPPORT + +config INTEL_CBNT_LOGGING + bool "Enable verbose BG logging" + help + Print more BG related debug output. + Use in pre-production environments only! + +config INTEL_BG_GENERATE_KM + bool "Generate Key Manifest (KM)" + default y + select INTEL_BG_NEED_KM_PUB_KEY + select INTEL_BG_NEED_KM_PRIV_KEY if !INTEL_BG_KM_ONLY_UNSIGNED + select INTEL_BG_NEED_BPM_PUB_KEY if !INTEL_BG_BG_PROV_KM_USE_CFG_FILE + help + Select y to generate the Key Manifest (KM). + Select n to include a KM binary. + +config INTEL_BG_KM_ONLY_UNSIGNED + bool "Only unsigned key manifest (KM)" + depends on INTEL_BG_GENERATE_KM + help + Skip signing the KM. + The resulting unsigned KM will be placed at build/km_unsigned.bin. + The resulting coreboot image will not be functional with BG. + After the unsigned KM is signed externally you can either rebuild + coreboot using that binary or add it to cbfs and fit: + "$ cbfstool build/coreboot.rom add -f km.bin -n key_manifest.bin -t raw -a 16" + "$ ifittool -r COREBOOT -a -n key_manifest.bin -t 11 -s 12 -f build/coreboot.rom" + '-s 12' where 12 is CONFIG_CPU_INTEL_NUM_FIT_ENTRIES. + +config INTEL_BG_BG_PROV_KM_USE_CFG_FILE + bool "KM: use a BG json config file" + depends on INTEL_BG_GENERATE_KM + default y + help + Select y to generate KM from a json config file. + Select n to generate KM from Kconfig options + +config INTEL_BG_GENERATE_BPM + bool "Generate Boot Policy Manifest (BPM)" + default y + select INTEL_BG_NEED_BPM_PRIV_KEY if !INTEL_BG_BPM_ONLY_UNSIGNED + help + Select y to generate the Boot Policy Manifest (BPM). + Select n to include a BPM binary. + +config INTEL_BG_BPM_ONLY_UNSIGNED + bool "Only unsigned boot policy manifest (BPM)" + depends on INTEL_BG_GENERATE_BPM + help + Skip signing the BPM. + The resulting unsigned BPM will be placed at build/bpm_unsigned.bin. + The resulting coreboot image will not be functional with BG. + After the unsigned BPM is signed externally you can add it to cbfs + and fit: + "$ cbfstool build/coreboot.rom add -f bpm.bin -n boot_policy_manifest.bin -t raw -a 16" + "$ ifittool -r COREBOOT -a -n boot_policy_manifest.bin -t 12 -s 12 -f build/coreboot.rom" + '-s 12' where 12 is CONFIG_CPU_INTEL_NUM_FIT_ENTRIES. + +config INTEL_BG_BG_PROV_BPM_USE_CFG_FILE + bool "BPM: use a BG json config file" + depends on INTEL_BG_GENERATE_BPM + default y + help + Select y to generate BPM from a json config file. + Select n to generate BPM from Kconfig options + +config INTEL_BG_BG_PROV_CFG_FILE + string "BG json config file" + depends on INTEL_BG_BG_PROV_KM_USE_CFG_FILE || INTEL_BG_BG_PROV_BPM_USE_CFG_FILE + help + Location of the bg-prov json config file. + Either get a sample JSON config file: + $ bg-prov template + Or extract it from a working configuration: + $ bg-prov read-config + +config INTEL_BG_PROV_EXTERNAL_BIN + bool "Use an external bg-prov binary" + default n + depends on INTEL_BG_GENERATE_BPM || INTEL_BG_GENERATE_KM + help + Building bg-prov requires godeps which makes it impossible to build + it in an offline environment. A solution is to use an external binary. + +config INTEL_BG_PROV_EXTERNAL_BIN_PATH + string "bg-prov path" + depends on INTEL_BG_PROV_EXTERNAL_BIN + help + Path to the bg-prov binary. + +config INTEL_BG_NEED_KM_PUB_KEY + bool + +config INTEL_BG_NEED_KM_PRIV_KEY + bool + +config INTEL_BG_KM_PUB_KEY_FILE + string "Key manifest (KM) public key" + depends on INTEL_BG_NEED_KM_PUB_KEY && !INTEL_BG_NEED_KM_PRIV_KEY + help + Location of the key manifest (KM) public key file in .pem format. + +config INTEL_BG_KM_PRIV_KEY_FILE + string "Key manifest (KM) private key" + depends on INTEL_BG_NEED_KM_PRIV_KEY + help + Location of the key manifest (KM) private key file in .pem format. + +config INTEL_BG_NEED_BPM_PUB_KEY + bool + +config INTEL_BG_NEED_BPM_PRIV_KEY + bool + +config INTEL_BG_BPM_PUB_KEY_FILE + string "Boot policy manifest (BPM) public key" + depends on INTEL_BG_NEED_BPM_PUB_KEY && !INTEL_BG_NEED_BPM_PRIV_KEY + help + Location of the boot policy manifest (BPM) public key file in .pem format. + +config INTEL_BG_BPM_PRIV_KEY_FILE + string "Boot policy manifest (BPM) private key" + depends on INTEL_BG_NEED_BPM_PRIV_KEY + help + Location of the boot policy manifest (BPM) private key file in .pem format. + + +if !INTEL_BG_BG_PROV_KM_USE_CFG_FILE && INTEL_BG_GENERATE_KM + +menu "KM options" + +config INTEL_BG_KM_VERSION + int "KM version" + default 1 + help + Version of the Key Manifest defined by the Platform Manufacturer. + The actual value is transparent to Boot Guard and is not processed by Boot Guard. + +config INTEL_BG_KM_SVN + int "KM security Version Number" + range 0 15 + default 0 + help + This value is determined by the Platform Manufacturer. + Boot Guard uses this to compare it to the Key Manifest + Revocation Value (Revocation.KMSVN) in FPF. + + If KMSVN < Revocation.KMSVN, the KM will be revoked. It will trigger ENF (the + enforcement policy). + IF KMSVN > Revocation.KMSVN, the Revocation.KMSVN will be set to the KMSVN. + + Note: Once the value reaches 0Fh, revocation saturates and one can no longer + revoke newer KMs. + +config INTEL_BG_KM_ID + int "KM ID" + default 1 + help + This identifies the Key Manifest to be used for a platform. + This must match the Key Manifest Identifier programmed in + the field programmable fuses. + +endmenu + +endif # !INTEL_BG_BG_PROV_KM_USE_CFG_FILE + +if !INTEL_BG_BG_PROV_BPM_USE_CFG_FILE && INTEL_BG_GENERATE_BPM +menu "BPM options" + +config INTEL_BG_BPM_VERSION + int "BPM version" + default 1 + help + Version of the Key Manifest defined by the Platform Manufacturer. + The actual value is transparent to Boot Guard and is not processed by Boot Guard. + +config INTEL_BG_BPM_SVN + int "BPM Security Version Number" + default 0 + help + This value is determined by the Platform Manufacturer. + +config INTEL_BG_ACM_SVN + int "S-ACM Security Version Number" + default 2 + help + This defines the minimum version the S-ACM must have. + +config INTEL_BG_NUM_NEM_PAGES + int "NEM Stack Size" + default 64 + help + Set the amount of 4K pages of CAR required. + +config INTEL_BG_PBET + int "PBET value in s" + default 15 + help + Protect BIOS Environment Timer (PBET) value. + Factor used by CSE to compute PBE timer value. + Actual PBE timer value is set by CSE using formula: + PBE timer value = 5 sec + PBETValue. + +config INTEL_BG_IBB_FLAGS + int "IBB flags" + default 7 + help + IBB Control flags. + 3: Don't extend PCR 0 + 7: extend PCR 7 + +config INTEL_BG_SINIT_SVN + int "SINIT ACM security version number" + default 0 + help + Minimum required version for the SINIT ACM. + +config INTEL_BG_PD_INTERVAL + int + default 60 + help + Duration of Power Down in 5 sec increments. + +endmenu + +endif # !INTEL_BG_BG_PROV_BPM_USE_CFG_FILE + +config INTEL_BG_KEY_MANIFEST_BINARY + string "KM (Key Manifest) binary location" + depends on !INTEL_BG_GENERATE_KM + help + Location of the Key Manifest (KM) + +config INTEL_BG_BOOT_POLICY_MANIFEST_BINARY + string "BPM (Boot Policy Manifest) binary location" + depends on !INTEL_BG_GENERATE_BPM + help + Location of the Boot Policy Manifest (BPM) + +endif # INTEL_BG_SUPPORT diff --git a/src/security/intel/bg/Makefile.inc b/src/security/intel/bg/Makefile.inc new file mode 100644 index 0000000..5a23e83 --- /dev/null +++ b/src/security/intel/bg/Makefile.inc @@ -0,0 +1,150 @@ +ifeq ($(CONFIG_INTEL_BG_SUPPORT),y) + +all-y += ../cbnt/logging.c +ramstage-y += cmos.c + +# As specified in Intel Boot Guard BIOS +# Specification, document number # 558294 +PK_HASH_ALG_SHA256:=11 + +# The private key also contains the public key, so use that if a private key is provided. +ifeq ($(CONFIG_INTEL_BG_NEED_KM_PRIV_KEY),y) +$(obj)/km_pub.pem: $(call strip_quotes, $(CONFIG_INTEL_BG_KM_PRIV_KEY_FILE)) + openssl pkey -in $< -pubout > $@ +else ifeq ($(CONFIG_INTEL_BG_NEED_KM_PUB_KEY),y) +$(obj)/km_pub.pem: $(call strip_quotes, $(CONFIG_INTEL_BG_KM_PUB_KEY_FILE)) + cp $< $@ +endif + +# The private key also contains the public key, so use that if a private key is provided. +ifeq ($(CONFIG_INTEL_BG_NEED_BPM_PRIV_KEY),y) +$(obj)/bpm_pub.pem: $(call strip_quotes, $(CONFIG_INTEL_BG_BPM_PRIV_KEY_FILE)) + openssl pkey -in $< -pubout > $@ +else ifeq ($(CONFIG_INTEL_BG_NEED_BPM_PUB_KEY),y) +$(obj)/bpm_pub.pem: $(call strip_quotes, $(CONFIG_INTEL_BG_BPM_PUB_KEY_FILE)) + cp $< $@ +endif + +BG_PROV:=$(obj)/bg-prov +BG_CFG:=$(obj)/bg.json + +ifneq ($(CONFIG_INTEL_BG_PROV_EXTERNAL_BIN),y) +$(BG_PROV): + printf " BG_PROV building tool\n" + cd 3rdparty/intel-sec-tools; \ + GO111MODULE=on go mod download; \ + GO111MODULE=on go mod verify; \ + GO111MODULE=on go build -o $(top)/$@ cmd/bg-prov/*.go +else +$(BG_PROV): $(call strip_quotes, $(CONFIG_INTEL_BG_PROV_EXTERNAL_BIN_PATH)) + cp $< $@ +endif + +$(BG_CFG): $(call strip_quotes, $(CONFIG_INTEL_BG_BG_PROV_CFG_FILE)) + cp $(CONFIG_INTEL_BG_BG_PROV_CFG_FILE) $@ + +ifeq ($(CONFIG_INTEL_BG_GENERATE_BPM),y) +ifeq ($(CONFIG_INTEL_BG_BG_PROV_BPM_USE_CFG_FILE),y) +$(obj)/bpm_unsigned.bin: $(obj)/coreboot.rom $(BG_PROV) $(BG_CFG) + printf " BG_PROV creating unsigned BPM using config file\n" + $(BG_PROV) bpm-gen $@ $< --config=$(BG_CFG) --cut +else +$(obj)/bpm_unsigned.bin: $(obj)/coreboot.rom $(BG_PROV) + printf " BG_PROV creating unsigned BPM\n" + $(BG_PROV) bpm-gen $@ $< --pmbpmversion=$(CONFIG_INTEL_BG_BPM_VERSION) \ + --svn=$(CONFIG_INTEL_BG_BPM_SVN) \ + --acmsvn=$(CONFIG_INTEL_BG_ACM_SVN) \ + --nems=$(CONFIG_INTEL_BG_NUM_NEM_PAGES) \ + --pbet=$(CONFIG_INTEL_BG_PBET) \ + --ibbflags=$(CONFIG_INTEL_BG_IBB_FLAGS) \ + --entrypoint=$(shell printf "%d" 0xfffffff0) \ + --out=$(obj)/bpm_cfg.json +endif + +ifeq ($(CONFIG_INTEL_BG_BPM_ONLY_UNSIGNED),y) +build_complete:: $(obj)/bpm_unsigned.bin + @printf "\n** WARNING **\n" + @printf "Build generated an unsigned BPM image: build/bpm_unsigned.bin.\n" + @printf "The resulting image will not work with BG.\n" + @printf "After you have externally signed the image you can add it to the coreboot image:\n" + @printf "$$ cbfstool build/coreboot.rom add -f bpm.bin -n boot_policy_manifest.bin -t raw -a 16\n" + @printf "$$ ifittool -r COREBOOT -a -n boot_policy_manifest.bin -t 12 -s 12 -f build/coreboot.rom\n" +else +$(obj)/bpm.bin: $(obj)/bpm_unsigned.bin $(BG_PROV) $(call strip_quotes, $(CONFIG_INTEL_BG_BPM_PRIV_KEY_FILE)) + printf " BG_PROV signing real BPM\n" + $(BG_PROV) bpm-sign $< $@ $(CONFIG_INTEL_BG_BPM_PRIV_KEY_FILE) "" + +# Add BPM at the end of the build when all files have been added +files_added:: $(obj)/bpm.bin + printf " BG Adding BPM\n" + $(CBFSTOOL) $(obj)/coreboot.rom add -f $< -n boot_policy_manifest.bin -b 0xffff1000 -t raw + printf " IFITTOOL Adding BPM\n" + $(IFITTOOL) -r COREBOOT -a -n boot_policy_manifest.bin -t 12 -s $(CONFIG_CPU_INTEL_NUM_FIT_ENTRIES) -f $(obj)/coreboot.rom + +endif # CONFIG_INTEL_BG_BPM_ONLY_UNSIGNED + +else # CONFIG_INTEL_BG_GENERATE_BPM + +ifneq ($(CONFIG_INTEL_BG_BOOT_POLICY_MANIFEST_BINARY),"") +cbfs-files-y += boot_policy_manifest.bin +boot_policy_manifest.bin-file := $(CONFIG_INTEL_BG_BOOT_POLICY_MANIFEST_BINARY) +boot_policy_manifest.bin-type := raw +#boot_policy_manifest.bin-align := 0x10 +boot_policy_manifest.bin-position := 0xffff1000 + +$(call add_intermediate, add_bpm_fit, $(IFITTOOL) set_fit_ptr) + $(IFITTOOL) -r COREBOOT -a -n boot_policy_manifest.bin -t 12 -s $(CONFIG_CPU_INTEL_NUM_FIT_ENTRIES) -f $< +endif +endif # CONFIG_INTEL_BG_GENERATE_BPM + +ifeq ($(CONFIG_INTEL_BG_GENERATE_KM),y) +ifeq ($(CONFIG_INTEL_BG_BG_PROV_KM_USE_CFG_FILE),y) +$(obj)/km_unsigned.bin: $(obj)/km_pub.pem $(BG_PROV) $(BG_CFG) + printf " BG_PROV creating unsigned KM using config file\n" + $(BG_PROV) km-gen $@ $< --config=$(BG_CFG) +else +$(obj)/km_unsigned.bin: $(obj)/km_pub.pem $(obj)/bpm_pub.pem $(BG_PROV) + printf " BG_PROV creating unsigned KM\n" + $(BG_PROV) km-gen $@ $< --kmversion=$(CONFIG_INTEL_BG_KM_VERSION) \ + --svn=$(CONFIG_INTEL_BG_KM_SVN) \ + --id=$(CONFIG_INTEL_BG_KM_ID) \ + --bpmpubkey=$(obj)/bpm_pub.pem \ + --bpmhashalgo=$(PK_HASH_ALG_SHA256) \ + --out=$(obj)/km_cfg.json +endif + +$(obj)/km.bin: $(obj)/km_unsigned.bin $(BG_PROV) $(call strip_quotes, $(CONFIG_INTEL_BG_KM_PRIV_KEY_FILE)) + printf " BG_PROV signing KM\n" + $(BG_PROV) km-sign $< $@ $(CONFIG_INTEL_BG_KM_PRIV_KEY_FILE) "" + +KM_FILE=$(obj)/km.bin +else +KM_FILE=$(CONFIG_INTEL_BG_KEY_MANIFEST_BINARY) +endif + +ifneq ($(KM_FILE),"") +ifeq ($(CONFIG_INTEL_BG_KM_ONLY_UNSIGNED),y) +$(call add_intermediate, gen_unsigned_km, $(obj)/km_unsigned.bin) + @printf "Generating unsgined KM\n" + +build_complete:: + @printf "\n** WARNING **\n" + @printf "Build generated an unsigned KM image: build/km_unsiged.bin.\n" + @printf "The resulting image will not work with BG.\n" + @printf "After you have externally signed the image you can add it to the coreboot image:\n" + @printf "$$ cbfstool build/coreboot.rom add -f km.bin -n key_manifest.bin -t raw -a 16\n" + @printf "$$ ifittool -r COREBOOT -a -n key_manifest.bin -t 11 -s 12 -f build/coreboot.rom\n" + +else +cbfs-files-y += key_manifest.bin +key_manifest.bin-file := $(KM_FILE) +key_manifest.bin-type := raw +#key_manifest.bin-align := 0x10 +key_manifest.bin-position := 0xffff2000 + +$(call add_intermediate, add_km_fit, $(IFITTOOL) set_fit_ptr) + $(IFITTOOL) -r COREBOOT -a -n key_manifest.bin -t 11 -s $(CONFIG_CPU_INTEL_NUM_FIT_ENTRIES) -f $< +endif + +endif # CONFIG_INTEL_BG_KM_ONLY_UNSIGNED +endif # CONFIG_INTEL_BG_SUPPORT diff --git a/src/security/intel/bg/cmos.c b/src/security/intel/bg/cmos.c new file mode 100644 index 0000000..318828b --- /dev/null +++ b/src/security/intel/bg/cmos.c @@ -0,0 +1,16 @@ +/* SPDX-License-Identifier: GPL-2.0-only */ + +/* + * Address of the MRC status byte in CMOS. Should be reserved + * in mainboards' cmos.layout and not covered by checksum. + */ + +#if CONFIG(USE_OPTION_TABLE) +#include "option_table.h" +#if CMOS_VSTART_cbnt_cmos != CONFIG_INTEL_CBNT_CMOS_OFFSET * 8 +#error "CMOS start for CBNT CMOS is not correct, check your cmos.layout" +#endif +#if CMOS_VLEN_cbnt_cmos != 16 +#error "CMOS length for CBNT CMOS bytes are not correct, check your cmos.layout" +#endif +#endif