Philipp Deppenwiese has submitted this change and it was merged. ( https://review.coreboot.org/c/coreboot/+/34585 )
Change subject: security/intel: Add TXT infrastructure ......................................................................
security/intel: Add TXT infrastructure
* Add Kconfig to enable TXT * Add possibility to add BIOS and SINIT ACMs * Set default BIOS ACM alignment * Increase FIT space if TXT is enabled
The following commits depend on the basic Kconfig infrastructure. Intel TXT isn't supported until all following commits are merged.
Change-Id: I5f0f956d2b7ba43d4e7e0062803c6d8ba569a052 Signed-off-by: Patrick Rudolph patrick.rudolph@9elements.com Reviewed-on: https://review.coreboot.org/c/coreboot/+/34585 Tested-by: build bot (Jenkins) no-reply@coreboot.org Reviewed-by: David Hendricks david.hendricks@gmail.com --- M Documentation/security/intel/txt.md M src/cpu/intel/fit/Kconfig M src/security/Kconfig M src/security/Makefile.inc A src/security/intel/Kconfig A src/security/intel/Makefile.inc A src/security/intel/txt/Kconfig A src/security/intel/txt/Makefile.inc M src/soc/intel/cannonlake/Kconfig M src/soc/intel/skylake/Kconfig 10 files changed, 109 insertions(+), 3 deletions(-)
Approvals: build bot (Jenkins): Verified David Hendricks: Looks good to me, approved
diff --git a/Documentation/security/intel/txt.md b/Documentation/security/intel/txt.md
index f67b639..f80a731 100644
--- a/Documentation/security/intel/txt.md
+++ b/Documentation/security/intel/txt.md
@@ -90,11 +90,11 @@
## For developers ### Configuring Intel TXT in Kconfig -Enable ``TEE_INTEL_TXT`` and set the following: +Enable ``INTEL_TXT`` and set the following:
-``TEE_INTEL_TXT_BIOSACM_FILE`` to the path of the BIOS ACM provided by Intel +``INTEL_TXT_BIOSACM_FILE`` to the path of the BIOS ACM provided by Intel
-``TEE_INTEL_TXT_SINITACM_FILE`` to the path of the SINIT ACM provided by Intel +``INTEL_TXT_SINITACM_FILE`` to the path of the SINIT ACM provided by Intel ### Print TXT status as early as possible Add platform code to print the TXT status as early as possible, as the register is cleared on cold reset. diff --git a/src/cpu/intel/fit/Kconfig b/src/cpu/intel/fit/Kconfig index e48dca9..fa10802 100644 --- a/src/cpu/intel/fit/Kconfig +++ b/src/cpu/intel/fit/Kconfig @@ -5,6 +5,7 @@
config CPU_INTEL_NUM_FIT_ENTRIES int + default 16 if INTEL_TXT default 4 depends on CPU_INTEL_FIRMWARE_INTERFACE_TABLE help diff --git a/src/security/Kconfig b/src/security/Kconfig index 8a1531a..4e08bbd 100644 --- a/src/security/Kconfig +++ b/src/security/Kconfig @@ -15,3 +15,4 @@ source "src/security/vboot/Kconfig" source "src/security/tpm/Kconfig" source "src/security/memory/Kconfig" +source "src/security/intel/Kconfig" diff --git a/src/security/Makefile.inc b/src/security/Makefile.inc index f62413e..fd78438 100644 --- a/src/security/Makefile.inc +++ b/src/security/Makefile.inc @@ -1,3 +1,4 @@ subdirs-y += vboot subdirs-y += tpm subdirs-y += memory +subdirs-y += intel diff --git a/src/security/intel/Kconfig b/src/security/intel/Kconfig new file mode 100644 index 0000000..333e385 --- /dev/null +++ b/src/security/intel/Kconfig @@ -0,0 +1,20 @@ +## This file is part of the coreboot project. +## +## Copyright (C) 2019 9elements Agency GmbH +## Copyright (C) 2019 Facebook Inc. +## +## This program is free software; you can redistribute it and/or modify +## it under the terms of the GNU General Public License as published by +## the Free Software Foundation; version 2 of the License. +## +## This program is distributed in the hope that it will be useful, +## but WITHOUT ANY WARRANTY; without even the implied warranty of +## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +## GNU General Public License for more details. +## + +menu "Intel" + +source "src/security/intel/txt/Kconfig" + +endmenu # Intel diff --git a/src/security/intel/Makefile.inc b/src/security/intel/Makefile.inc new file mode 100644 index 0000000..9388d3f --- /dev/null +++ b/src/security/intel/Makefile.inc @@ -0,0 +1 @@ +subdirs-y += txt diff --git a/src/security/intel/txt/Kconfig b/src/security/intel/txt/Kconfig new file mode 100644 index 0000000..011a41c --- /dev/null +++ b/src/security/intel/txt/Kconfig 
@@ -0,0 +1,54 @@
+## This file is part of the coreboot project.
+##
+## Copyright (C) 2019 9elements Agency GmbH
+## Copyright (C) 2019 Facebook Inc.
+##
+## This program is free software; you can redistribute it and/or modify
+## it under the terms of the GNU General Public License as published by
+## the Free Software Foundation; version 2 of the License.
+##
+## This program is distributed in the hope that it will be useful,
+## but WITHOUT ANY WARRANTY; without even the implied warranty of
+## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+## GNU General Public License for more details.
+##
+
+config INTEL_TXT
+ bool "Intel TXT support"
+ default n
+ select MRC_SETTINGS_PROTECT if CACHE_MRC_SETTINGS
+ select ENABLE_VMX if CPU_INTEL_COMMON
+ select AP_IN_SIPI_WAIT
+ depends on (TPM1 || TPM2)
+ depends on CPU_INTEL_FIRMWARE_INTERFACE_TABLE
+ depends on PLATFORM_HAS_DRAM_CLEAR
+ depends on SOC_INTEL_FSP_BROADWELL_DE || SOC_INTEL_COMMON_BLOCK_SA
+
+if INTEL_TXT
+
+config INTEL_TXT_BIOSACM_FILE
+ string "BIOS ACM file"
+ default "3rdparty/blobs/soc/intel/fsp_broadwell_de/biosacm.bin" if SOC_INTEL_FSP_BROADWELL_DE
+ default "3rdparty/blobs/soc/intel/skylake/biosacm.bin" if SOC_INTEL_COMMON_SKYLAKE_BASE
+ help
+ Intel TXT BIOS ACM file. This file can be obtained by privileged
+ access to Intel resources. Or for some platforms found inside the
+ blob repository.
+
+config INTEL_TXT_SINITACM_FILE
+ string "SINIT ACM file"
+ default "3rdparty/blobs/soc/intel/fsp_broadwell_de/sinitacm.bin" if SOC_INTEL_FSP_BROADWELL_DE
+ default "3rdparty/blobs/soc/intel/skylake/sinitacm.bin" if SOC_INTEL_COMMON_SKYLAKE_BASE
+ help
+ Intel TXT SINIT ACM file. This file can be obtained by privileged
+ access to Intel resources. Or for some platforms found inside the
+ blob repository.
+
+config INTEL_TXT_BIOSACM_ALIGNMENT
+ hex
+ default 0x20000 # 128KB
+ help
+ Exceptions are Ivy- and Sandy Bridge with 64KB and Purely with 256KB
+ alignment size.
Please overwrite it SoC specific.
+
+endif
diff --git a/src/security/intel/txt/Makefile.inc b/src/security/intel/txt/Makefile.inc
new file mode 100644
index 0000000..d24026a
--- /dev/null
+++ b/src/security/intel/txt/Makefile.inc
@@ -0,0 +1,20 @@
+ifeq ($(CONFIG_INTEL_TXT),y)
+
+cbfs-files-y += txt_bios_acm.bin
+txt_bios_acm.bin-file := $(CONFIG_INTEL_TXT_BIOSACM_FILE)
+txt_bios_acm.bin-type := raw
+txt_bios_acm.bin-align := $(CONFIG_INTEL_TXT_BIOSACM_ALIGNMENT)
+
+ifneq ($(CONFIG_INTEL_TXT_SINITACM_FILE),"")
+cbfs-files-y += txt_sinit_acm.bin
+txt_sinit_acm.bin-file := $(CONFIG_INTEL_TXT_SINITACM_FILE)
+txt_sinit_acm.bin-type := raw
+txt_sinit_acm.bin-align := 0x10
+txt_sinit_acm.bin-compression := lzma
+endif
+
+INTERMEDIATE+=add_acm_fit
+add_acm_fit: $(obj)/coreboot.pre $(IFITTOOL)
+ $(IFITTOOL) -r COREBOOT -a -n txt_bios_acm.bin -t 2 -s $(CONFIG_CPU_INTEL_NUM_FIT_ENTRIES) -f $<
+
+endif
diff --git a/src/soc/intel/cannonlake/Kconfig b/src/soc/intel/cannonlake/Kconfig
index a0107d5..d949fff 100644
--- a/src/soc/intel/cannonlake/Kconfig
+++ b/src/soc/intel/cannonlake/Kconfig
@@ -318,4 +318,8 @@ hex default 0xe00
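Review bot: `config INTEL_TXT` in src/security/intel/txt/Kconfig has a prompt but no `help` text, so someone enabling it in menuconfig cannot learn what the commit message states: Intel TXT is not supported until the follow-up commits are merged. As far as this change shows, the option only places the ACMs in CBFS, adds a FIT entry for the BIOS ACM and selects `MRC_SETTINGS_PROTECT`, `ENABLE_VMX` and `AP_IN_SIPI_WAIT`. I would add a help block after the last `depends on` line, for example `help` followed by `Adds the Intel TXT BIOS and SINIT ACMs to CBFS and registers the BIOS ACM in the FIT. Requires a TPM and DRAM clear support; runtime TXT setup is not part of this option yet.` The `default n` line is redundant for a bool and can be dropped.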
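Review bot: `txt_bios_acm.bin` is added to `cbfs-files-y` and to the FIT unconditionally in src/security/intel/txt/Makefile.inc, while only the SINIT ACM is guarded by `ifneq ($(CONFIG_INTEL_TXT_SINITACM_FILE),"")`. `INTEL_TXT_BIOSACM_FILE` has defaults only for Broadwell-DE and the Skylake base, so on any other platform that satisfies the `depends on` lines the path is empty. The build will then presumably fail late in the CBFS step with an error that does not mention the missing ACM. Fail early with a guard before the first `cbfs-files-y` line, for example `ifeq ($(CONFIG_INTEL_TXT_BIOSACM_FILE),"")`, `$(error INTEL_TXT requires CONFIG_INTEL_TXT_BIOSACM_FILE to be set)`, `endif`. A one-line comment above the recipe, such as `# FIT entry type 2 = startup (BIOS) ACM`, would also explain the bare `-t 2`.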
+config INTEL_TXT_BIOSACM_ALIGNMENT + hex + default 0x40000 # 256KB + endif diff --git a/src/soc/intel/skylake/Kconfig b/src/soc/intel/skylake/Kconfig index 13c1517..9cb8d45 100644 --- a/src/soc/intel/skylake/Kconfig +++ b/src/soc/intel/skylake/Kconfig @@ -302,4 +302,8 @@ string default "sklkbl"
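Review bot: This redefinition of `INTEL_TXT_BIOSACM_ALIGNMENT` in src/soc/intel/cannonlake/Kconfig only takes effect if it is parsed before the `default 0x20000` in src/security/intel/txt/Kconfig, because Kconfig uses the first matching default. That ordering is not visible in the hunk and deserves a comment above the symbol, e.g. `# Overrides the 128KB default from src/security/intel/txt/Kconfig`. The help text in txt/Kconfig names only Ivy/Sandy Bridge (64KB) and "Purely" (256KB) as exceptions, so the 256KB value here, and the identical override in src/soc/intel/skylake/Kconfig, should be listed there or justified in a comment. The enclosing `if` block starts outside the hunk, so I cannot confirm from here which condition scopes the override.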
+config INTEL_TXT_BIOSACM_ALIGNMENT + hex + default 0x40000 # 256KB + endif