Michał Żygowski has uploaded this change for review.


security/intel/bootguard: Add Boot Guard IBB and ACM logic

Signed-off-by: Michał Żygowski <michal.zygowski@3mdeb.com>
Change-Id: I50eb70ccdce6584329352a0480922162c162a4c6
---
M src/security/intel/Makefile.inc
M src/security/intel/bootguard/Kconfig
A src/security/intel/bootguard/Makefile.inc
3 files changed, 35 insertions(+), 0 deletions(-)

git pull ssh://review.coreboot.org:29418/coreboot refs/changes/93/43393/1
diff --git a/src/security/intel/Makefile.inc b/src/security/intel/Makefile.inc
index e00802a..1590f26 100644
--- a/src/security/intel/Makefile.inc
+++ b/src/security/intel/Makefile.inc
@@ -1,2 +1,3 @@
subdirs-y += txt
subdirs-y += stm
+subdirs-y += bootguard
diff --git a/src/security/intel/bootguard/Kconfig b/src/security/intel/bootguard/Kconfig
index ebaf386..d1d6c3c 100644
--- a/src/security/intel/bootguard/Kconfig
+++ b/src/security/intel/bootguard/Kconfig
@@ -97,6 +97,14 @@
Include the Boot Guard Authenticated Code Module necessary to boot
Boot Guard enabled platform

+config BTG_ACM_LOCATION
+ hex "Boot Guard ACM location"
+ default 0xfffe0000
+ help
+ Specifies the location of Boot Guard ACM in CBFS. It should be 64k
+ or 128k aligned and reside in the top most 2MB under 4G for Kaby
+ Lake and earlier or top most 8MB under 4G for Coffe Lake and newer.
+
endmenu

endif
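Review bot: The help text of `BTG_ACM_LOCATION` calls the value a location "in CBFS", but the default `0xfffe0000` and the "under 4G" wording read as an absolute memory-mapped address; the text should say which one is meant, since the new Makefile.inc passes the value straight to `boot_guard_acm.bin-position`. The alignment and range requirements are only described, never enforced, so Kconfig accepts a misaligned or out-of-range value and the problem would presumably surface only at boot; a build-time check is worth considering. The help text also misspells "Coffee Lake" as "Coffe Lake". Suggested first sentence: `Specifies the memory-mapped address at which the Boot Guard ACM is placed.`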
diff --git a/src/security/intel/bootguard/Makefile.inc b/src/security/intel/bootguard/Makefile.inc
new file mode 100644
index 0000000..d6ebbe3
--- /dev/null
+++ b/src/security/intel/bootguard/Makefile.inc
@@ -0,0 +1,26 @@
+ifeq ($(CONFIG_INTEL_BOOTGUARD),y)
+
+cbfs-files-y += boot_guard_acm.bin
+boot_guard_acm.bin-file := $(CONFIG_BTG_ACM_FILE)
+boot_guard_acm.bin-type := raw
+boot_guard_acm.bin-position := $(CONFIG_BTG_ACM_LOCATION)
+
+# Initial BootBlock files
+ibb-files := $(foreach file,$(cbfs-files), \
+ $(if $(shell echo '$(call extract_nth,7,$(file))'|grep -- --ibb), \
+ $(call extract_nth,2,$(file)),))
+
+ibb-files += bootblock
+
+INTERMEDIATE+=add_btg_acm_fit
+INTERMEDIATE+=add_ibb_fit
+
+add_btg_acm_fit: $(obj)/coreboot.pre $(IFITTOOL)
+ $(IFITTOOL) -r COREBOOT -a -n boot_guard_acm.bin -t 2 \
+ -s $(CONFIG_CPU_INTEL_NUM_FIT_ENTRIES) -f $<
+
+add_ibb_fit: $(obj)/coreboot.pre $(IFITTOOL)
+ $(foreach file, $(ibb-files), $(shell $(IFITTOOL) -f $< -a -n $(file) -t 7 -s $(CONFIG_CPU_INTEL_NUM_FIT_ENTRIES) \
+ -r COREBOOT)) true
+
+endif
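Review bot: In the `add_ibb_fit` recipe the ifittool calls run inside `$(shell ...)`, so their exit status is discarded and the only command the recipe itself executes is the trailing `true`. A failed type 7 FIT insertion therefore leaves the build green, with an image whose FIT does not list every IBB file. Anything ifittool prints is also pasted into the recipe line in front of `true`. Running the tool as ordinary recipe commands propagates the failure: `$(foreach file,$(ibb-files),$(IFITTOOL) -f $< -a -n $(file) -t 7 -s $(CONFIG_CPU_INTEL_NUM_FIT_ENTRIES) -r COREBOOT &&) true`. Separately, `ibb-files` is assigned with `:=`, so it only sees the `cbfs-files` entries defined before this file is parsed and may miss `--ibb` files registered later; whether that happens depends on include order, which is not visible in this change.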


Gerrit-Project: coreboot
Gerrit-Branch: master
Gerrit-Change-Id: I50eb70ccdce6584329352a0480922162c162a4c6
Gerrit-Change-Number: 43393
Gerrit-PatchSet: 1
Gerrit-Owner: Michał Żygowski <michal.zygowski@3mdeb.com>
Gerrit-Reviewer: Martin Roth <martinroth@google.com>
Gerrit-Reviewer: Patrick Georgi <pgeorgi@google.com>
Gerrit-MessageType: newchange