Patch Set 1:

@Subrata I tried to test this but miserably failed :D I have an unfused/uncommited SoC here. The main problem seems to be that I don't know how to create a valid Manifest.

My understanding of the process is:

• Build coreboot bios region image
• Create a manifest and import it to the image using the Manifest Extension Utility
• Sign the manifest with the MEU
• Set the bootguard policy in FIT and add the pubkey hash
• add the signed bios image
• Build the final image with FIT

Can you confirm/correct this, please?

In summary, BtGuard role is to verify IBB (code which initializes memory), load it into NEM and pass control to Coreboot entry point.

1)Coreboot needs to define which CBFS's constitutes IBB. bootblock, fsp-m, verstage, romstage, etc ?
2)We need to create FIT table with Type 7 entry and include those CBFS's. FIT spec is here (https://www.intel.com/content/dam/www/public/us/en/documents/guides/fit-bios-specification.pdf). 
3)We need to invoke Intel BpmGen tool to create BtGuard Policy Manifest(BPM) and BtGuard Key Manifests(KM). 
  BpmGen tool will use above FIT table to create BPM which will contain the cumulative hash of IBB. KM will contain the hash of key which is used for signing BPM.
4)Build the final image using FIT and set appropriate BtGuard policy and the hash of the public key which was used for signing KM.

View Change

To view, visit change 36682. To unsubscribe, or for help writing mail filters, visit settings.