Sachin Agrawal has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/36682 )
Change subject: [WIP]soc/intel/car: Add support for bootguard CAR
Patch Set 1:
@Subrata I tried to test this but miserably failed :D I have an unfused/uncommitted SoC here. The main problem seems to be that I don't know how to create a valid Manifest.
My understanding of the process is:
- Build coreboot bios region image
- Create a manifest and import it to the image using the Manifest Extension Utility
- Sign the manifest with the MEU
- Set the bootguard policy in FIT and add the pubkey hash
- Add the signed bios image
- Build the final image with FIT
Can you confirm/correct this, please?
In summary, BtGuard's role is to verify IBB (code which initializes memory), load it into NEM and pass control to Coreboot entry point.
1) Coreboot needs to define which CBFS's constitute IBB. bootblock, fsp-m, verstage, romstage, etc.?
2) We need to create FIT table with Type 7 entry and include those CBFS's. FIT spec is here (https://www.intel.com/content/dam/www/public/us/en/documents/guides/fit-bios...).
3) We need to invoke Intel BpmGen tool to create BtGuard Policy Manifest (BPM) and BtGuard Key Manifests (KM). BpmGen tool will use above FIT table to create BPM which will contain the cumulative hash of IBB. KM will contain the hash of the key which is used for signing BPM.
4) Build the final image using FIT and set appropriate BtGuard policy and the hash of the public key which was used for signing KM.
Thanks to 9elements, 1) and 2) are already done if you enable Intel TXT. 3) should be easy to implement in coreboot if there were some public spec.
Unfortunately, I am not aware of any public specs which provide BPM/KM details, although Slimboot code does contain the definitions of those data structures. https://github.com/slimbootloader/slimbootloader/blob/5e10bd1e0761c7581d9233...
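As an added illustration of steps 2) and 3) above (not code from this thread, coreboot, or Intel's tools), the sketch below walks the FIT of a flash image, using the 16-byte entry layout and the pointer at 4 GiB - 0x40 from the FIT specification, and hashes every Type 7 region so you can check which components would be covered as IBB. Plain SHA-256 over the concatenated regions is an assumption, since the thread notes the BPM format has no public spec; the sample image is constructed.

```python
import hashlib
import struct

FOUR_GIB = 1 << 32
FIT_TYPE_BIOS_STARTUP = 0x07   # the "Type 7" entry mentioned in the thread

def to_offset(image, addr, length=1):
    """Flash is mapped so that it ends at 4 GiB; convert an address to a file offset."""
    off = addr - (FOUR_GIB - len(image))
    if off < 0 or off + length > len(image):
        raise ValueError(f"range at {addr:#x} lies outside the image")
    return off

def parse_fit(image):
    """Return [(type, address, size_in_bytes)] for every entry after the header."""
    (fit_addr,) = struct.unpack_from("<Q", image, len(image) - 0x40)  # FIT pointer
    base = to_offset(image, fit_addr, 16)
    if image[base:base + 8] != b"_FIT_   ":
        raise ValueError("FIT signature not found")
    count = int.from_bytes(image[base + 8:base + 11], "little")  # includes header
    to_offset(image, fit_addr, 16 * count)                       # whole table in bounds
    entries = []
    for i in range(1, count):
        addr, size, _rsvd, _ver, type_cv, _sum = struct.unpack_from(
            "<Q3sBHBB", image, base + 16 * i)
        # Low 7 bits are the type; size is stored in 16-byte multiples.
        entries.append((type_cv & 0x7F, addr, int.from_bytes(size, "little") * 16))
    return entries

def ibb_digest(image):
    """Hash all Type 7 regions in table order (SHA-256 is an assumption here)."""
    h = hashlib.sha256()
    for ftype, addr, size in parse_fit(image):
        if ftype == FIT_TYPE_BIOS_STARTUP:
            off = to_offset(image, addr, size)
            h.update(image[off:off + size])
    return h.hexdigest()

def build_sample_image(size=0x1000):
    """Constructed 4 KiB image: FIT at offset 0x100, two Type 7 regions."""
    image, base = bytearray(size), FOUR_GIB - size
    def entry(addr, sz, ftype):
        return struct.pack("<Q3sBHBB", addr, sz.to_bytes(3, "little"), 0, 0x100, ftype, 0)
    image[0x200:0x240] = b"B" * 0x40     # stand-in for bootblock
    image[0x400:0x420] = b"R" * 0x20     # stand-in for romstage
    fit = (b"_FIT_   " + (3).to_bytes(3, "little") + bytes(5)
           + entry(base + 0x200, 4, 7) + entry(base + 0x400, 2, 7))
    image[0x100:0x100 + len(fit)] = fit
    struct.pack_into("<Q", image, size - 0x40, base + 0x100)
    return bytes(image)
```

Comparing `parse_fit()` output against the CBFS layout shows whether a stage that runs before memory init was left out of the Type 7 entries and would therefore go unverified.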