Arthur Heymans has uploaded this change for review. ( https://review.coreboot.org/c/coreboot/+/46456 )
Change subject: soc/intel/cbnt: Stitch in ACMs in the coreboot image ......................................................................
soc/intel/cbnt: Stitch in ACMs in the coreboot image
Actual support CbNT will be added later on.
Change-Id: Icc35c5e6c74d002efee43cc05ecc8023e00631e0 Signed-off-by: Arthur Heymans arthur@aheymans.xyz --- M Makefile.inc M src/cpu/intel/fit/Kconfig M src/security/intel/Kconfig M src/security/intel/Makefile.inc A src/security/intel/cbnt/Kconfig A src/security/intel/cbnt/Makefile.inc M src/security/intel/txt/Kconfig M src/security/intel/txt/Makefile.inc 8 files changed, 72 insertions(+), 1 deletion(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/56/46456/1
diff --git a/Makefile.inc b/Makefile.inc index b5b81f0..29721b4 100644 --- a/Makefile.inc +++ b/Makefile.inc @@ -726,6 +726,16 @@
endif
+ifeq ($(CONFIG_INTEL_CBNT_SUPPORT),y) + +CBNTIBB := --cbnt + +else + +CBNTIBB := + +endif # CONFIG_INTEL_CBNT_SUPPORT + ifeq ($(CONFIG_COMPRESS_BOOTBLOCK),y)
$(objcbfs)/bootblock.lz4: $(objcbfs)/bootblock.elf $(objutil)/cbfstool/cbfs-compression-tool @@ -1057,6 +1067,7 @@ ifeq ($(CONFIG_INTEL_ADD_TOP_SWAP_BOOTBLOCK),y) TS_OPTIONS := -j $(CONFIG_INTEL_TOP_SWAP_BOOTBLOCK_SIZE) endif + ifneq ($(CONFIG_UPDATE_IMAGE),y) $(obj)/coreboot.pre: $(objcbfs)/bootblock.bin $$(prebuilt-files) $(CBFSTOOL) $(IFITTOOL) $$(cpu_ucode_cbfs_file) $(obj)/fmap.fmap $(obj)/fmap.desc $(CBFSTOOL) $@.tmp create -M $(obj)/fmap.fmap -r $(shell cat $(obj)/fmap.desc) @@ -1066,6 +1077,7 @@ -n bootblock \ -t bootblock \ $(TXTIBB) \ + $(CBNTIBB) \ -b -$(call file-size,$(objcbfs)/bootblock.bin) $(cbfs-autogen-attributes) \ $(TS_OPTIONS) else # ifeq ($(CONFIG_ARCH_X86),y) diff --git a/src/cpu/intel/fit/Kconfig b/src/cpu/intel/fit/Kconfig index fa10802..9ea867e 100644 --- a/src/cpu/intel/fit/Kconfig +++ b/src/cpu/intel/fit/Kconfig @@ -5,7 +5,7 @@
config CPU_INTEL_NUM_FIT_ENTRIES int - default 16 if INTEL_TXT + default 16 if INTEL_TXT || INTEL_CBNT_SUPPORT default 4 depends on CPU_INTEL_FIRMWARE_INTERFACE_TABLE help diff --git a/src/security/intel/Kconfig b/src/security/intel/Kconfig index 9cdd8a6..0609a45 100644 --- a/src/security/intel/Kconfig +++ b/src/security/intel/Kconfig @@ -2,3 +2,4 @@
source "src/security/intel/txt/Kconfig" source "src/security/intel/stm/Kconfig" +source "src/security/intel/cbnt/Kconfig" diff --git a/src/security/intel/Makefile.inc b/src/security/intel/Makefile.inc index e00802a..20aea27 100644 --- a/src/security/intel/Makefile.inc +++ b/src/security/intel/Makefile.inc @@ -1,2 +1,3 @@ subdirs-y += txt subdirs-y += stm +subdirs-y += cbnt diff --git a/src/security/intel/cbnt/Kconfig b/src/security/intel/cbnt/Kconfig new file mode 100644 index 0000000..568b7e5 --- /dev/null +++ b/src/security/intel/cbnt/Kconfig @@ -0,0 +1,27 @@ +# SPDX-License-Identifier: GPL-2.0-only + +config INTEL_CBNT_SUPPORT + bool "Intel CBnT support" + default n + depends on CPU_INTEL_FIRMWARE_INTERFACE_TABLE + #depends on PLATFORM_HAS_DRAM_CLEAR + select INTEL_TXT_SUPPORT + help + Enables Intel Converged Bootguard and Trusted Execution Technology + Support. This will enable one to add a Key Manifest (KM) and a Boot + Policy Manifest (BPM) to the filesystem. It will also wrap a FIT around + the firmware and update appropriate entries. + +if INTEL_CBNT_SUPPORT + +config INTEL_CBNT_KEY_MANIFEST_BINARY + string "KM (Key Manifest) binary location" + help + Location of the Key Manifest (KM) + +config INTEL_CBNT_BOOT_POLICY_MANIFEST_BINARY + string "BPM (Boot Policy Manifest) binary location" + help + Location of the Boot Policy Manifest (BPM) + +endif # INTEL_CBNT_SUPPORT diff --git a/src/security/intel/cbnt/Makefile.inc b/src/security/intel/cbnt/Makefile.inc new file mode 100644 index 0000000..70c2353 --- /dev/null +++ b/src/security/intel/cbnt/Makefile.inc @@ -0,0 +1,25 @@ +ifeq ($(CONFIG_INTEL_CBNT_SUPPORT),y) + +ifneq ($(CONFIG_INTEL_CBNT_BOOT_POLICY_MANIFEST_BINARY),"") +cbfs-files-y += boot_policy_manifest.bin +boot_policy_manifest.bin-file := $(CONFIG_INTEL_CBNT_BOOT_POLICY_MANIFEST_BINARY) +boot_policy_manifest.bin-type := raw +boot_policy_manifest.bin-alignment := 0x10 + +INTERMEDIATE+=add_bpm_fit +add_bpm_fit: $(obj)/coreboot.pre $(IFITTOOL) + $(IFITTOOL) -r COREBOOT -a -n boot_policy_manifest.bin -t 12 -s $(CONFIG_CPU_INTEL_NUM_FIT_ENTRIES) -f $< +endif + +ifneq ($(CONFIG_INTEL_CBNT_KEY_MANIFEST_BINARY),"") +cbfs-files-y += key_manifest.bin +key_manifest.bin-file := $(CONFIG_INTEL_CBNT_KEY_MANIFEST_BINARY) +key_manifest.bin-type := raw +key_manifest.bin-alignment := 0x10 + +INTERMEDIATE+=add_km_fit +add_km_fit: $(obj)/coreboot.pre $(IFITTOOL) + $(IFITTOOL) -r COREBOOT -a -n key_manifest.bin -t 11 -s $(CONFIG_CPU_INTEL_NUM_FIT_ENTRIES) -f $< +endif + +endif # CONFIG_INTEL_CBNT_SUPPORT \ No newline at end of file diff --git a/src/security/intel/txt/Kconfig b/src/security/intel/txt/Kconfig index 70aa695..6ee8960 100644 --- a/src/security/intel/txt/Kconfig +++ b/src/security/intel/txt/Kconfig @@ -37,6 +37,7 @@
config INTEL_TXT_BIOSACM_ALIGNMENT hex + default 0x40000 if INTEL_CBNT_SUPPORT default 0x20000 # 128 KiB help Exceptions are Ivy and Sandy Bridge with 64 KiB and Purley with 256 KiB diff --git a/src/security/intel/txt/Makefile.inc b/src/security/intel/txt/Makefile.inc index 712ab58..ff0dcdf 100644 --- a/src/security/intel/txt/Makefile.inc +++ b/src/security/intel/txt/Makefile.inc @@ -29,6 +29,8 @@ $(IFITTOOL) -r COREBOOT -a -n $(CONFIG_INTEL_TXT_CBFS_BIOS_ACM) -t 2 \ -s $(CONFIG_CPU_INTEL_NUM_FIT_ENTRIES) -f $<
+# CbNT does not use FIT for IBB +ifneq ($(CONFIG_INTEL_CBNT_SUPPORT),y) # Initial BootBlock files ibb-files := $(foreach file,$(cbfs-files), \ $(if $(shell echo '$(call extract_nth,7,$(file))'|grep -- --ibb), \ @@ -41,6 +43,8 @@ $(foreach file, $(ibb-files), $(shell $(IFITTOOL) -f $< -a -n $(file) -t 7 \ -s $(CONFIG_CPU_INTEL_NUM_FIT_ENTRIES) -r COREBOOT)) true
+endif # INTEL_CBNT_SUPPORT + endif # CPU_INTEL_FIRMWARE_INTERFACE_TABLE
endif # INTEL_TXT
Hello Philipp Deppenwiese, build bot (Jenkins), Patrick Georgi, Martin Roth, Christian Walter, Angel Pons, Patrick Rudolph,
I'd like you to reexamine a change. Please visit
https://review.coreboot.org/c/coreboot/+/46456
to look at the new patch set (#3).
Change subject: soc/intel/cbnt: Stitch in ACMs in the coreboot image ......................................................................
soc/intel/cbnt: Stitch in ACMs in the coreboot image
Actual support CbNT will be added later on.
Change-Id: Icc35c5e6c74d002efee43cc05ecc8023e00631e0 Signed-off-by: Arthur Heymans arthur@aheymans.xyz --- M Makefile.inc M src/cpu/intel/fit/Kconfig M src/security/intel/Kconfig M src/security/intel/Makefile.inc A src/security/intel/cbnt/Kconfig A src/security/intel/cbnt/Makefile.inc M src/security/intel/txt/Kconfig M src/security/intel/txt/Makefile.inc 8 files changed, 72 insertions(+), 1 deletion(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/56/46456/3
Hello Philipp Deppenwiese, build bot (Jenkins), Patrick Georgi, Martin Roth, Christian Walter, Angel Pons, Patrick Rudolph,
I'd like you to reexamine a change. Please visit
https://review.coreboot.org/c/coreboot/+/46456
to look at the new patch set (#4).
Change subject: soc/intel/cbnt: Stitch in ACMs in the coreboot image ......................................................................
soc/intel/cbnt: Stitch in ACMs in the coreboot image
Actual support CbNT will be added later on.
Change-Id: Icc35c5e6c74d002efee43cc05ecc8023e00631e0 Signed-off-by: Arthur Heymans arthur@aheymans.xyz --- M Makefile.inc M src/cpu/intel/fit/Kconfig M src/security/intel/Kconfig M src/security/intel/Makefile.inc A src/security/intel/cbnt/Kconfig A src/security/intel/cbnt/Makefile.inc M src/security/intel/txt/Kconfig M src/security/intel/txt/Makefile.inc 8 files changed, 72 insertions(+), 1 deletion(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/56/46456/4
Hello Philipp Deppenwiese, build bot (Jenkins), Patrick Georgi, Martin Roth, Christian Walter, Angel Pons, Patrick Rudolph,
I'd like you to reexamine a change. Please visit
https://review.coreboot.org/c/coreboot/+/46456
to look at the new patch set (#5).
Change subject: soc/intel/cbnt: Stitch in ACMs in the coreboot image ......................................................................
soc/intel/cbnt: Stitch in ACMs in the coreboot image
Actual support CbNT will be added later on.
Change-Id: Icc35c5e6c74d002efee43cc05ecc8023e00631e0 Signed-off-by: Arthur Heymans arthur@aheymans.xyz --- M Makefile.inc M src/cpu/intel/fit/Kconfig M src/security/intel/Kconfig M src/security/intel/Makefile.inc A src/security/intel/cbnt/Kconfig A src/security/intel/cbnt/Makefile.inc M src/security/intel/txt/Kconfig M src/security/intel/txt/Makefile.inc 8 files changed, 72 insertions(+), 1 deletion(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/56/46456/5
Angel Pons has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/46456 )
Change subject: soc/intel/cbnt: Stitch in ACMs in the coreboot image ......................................................................
Patch Set 11: Code-Review+1
(3 comments)
https://review.coreboot.org/c/coreboot/+/46456/11//COMMIT_MSG Commit Message:
https://review.coreboot.org/c/coreboot/+/46456/11//COMMIT_MSG@7 PS11, Line 7: soc nit: sec
https://review.coreboot.org/c/coreboot/+/46456/11/src/security/intel/txt/Kco... File src/security/intel/txt/Kconfig:
https://review.coreboot.org/c/coreboot/+/46456/11/src/security/intel/txt/Kco... PS11, Line 55: default 0x40000 if INTEL_CBNT_SUPPORT Is this a CBnT-specific constraint, or is this needed because it is Xeon-SP?
https://review.coreboot.org/c/coreboot/+/46456/11/src/security/intel/txt/Mak... File src/security/intel/txt/Makefile.inc:
https://review.coreboot.org/c/coreboot/+/46456/11/src/security/intel/txt/Mak... PS11, Line 32: CbNT nit: CBnT
Christian Walter has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/46456 )
Change subject: soc/intel/cbnt: Stitch in ACMs in the coreboot image ......................................................................
Patch Set 11: Code-Review+2
(1 comment)
https://review.coreboot.org/c/coreboot/+/46456/11/src/security/intel/txt/Kco... File src/security/intel/txt/Kconfig:
https://review.coreboot.org/c/coreboot/+/46456/11/src/security/intel/txt/Kco... PS11, Line 55: default 0x40000 if INTEL_CBNT_SUPPORT
Is this a CBnT-specific constraint, or is this needed because it is Xeon-SP?
CBnT specific.
Angel Pons has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/46456 )
Change subject: soc/intel/cbnt: Stitch in ACMs in the coreboot image ......................................................................
Patch Set 11: Code-Review+2
(1 comment)
https://review.coreboot.org/c/coreboot/+/46456/11/src/security/intel/txt/Kco... File src/security/intel/txt/Kconfig:
https://review.coreboot.org/c/coreboot/+/46456/11/src/security/intel/txt/Kco... PS11, Line 55: default 0x40000 if INTEL_CBNT_SUPPORT
CBnT specific.
Ack
Angel Pons has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/46456 )
Change subject: soc/intel/cbnt: Stitch in ACMs in the coreboot image ......................................................................
Patch Set 11:
(1 comment)
https://review.coreboot.org/c/coreboot/+/46456/11//COMMIT_MSG Commit Message:
https://review.coreboot.org/c/coreboot/+/46456/11//COMMIT_MSG@9 PS11, Line 9: CbNT nit: CBnT (Converged Bootguard 'n' TXT)
Patrick Georgi has uploaded a new patch set (#14) to the change originally created by Arthur Heymans. ( https://review.coreboot.org/c/coreboot/+/46456 )
Change subject: sec/intel/cbnt: Stitch in ACMs in the coreboot image ......................................................................
sec/intel/cbnt: Stitch in ACMs in the coreboot image
Actual support CBnT will be added later on.
Change-Id: Icc35c5e6c74d002efee43cc05ecc8023e00631e0 Signed-off-by: Arthur Heymans arthur@aheymans.xyz --- M Makefile.inc M src/cpu/intel/fit/Kconfig M src/security/intel/Kconfig M src/security/intel/Makefile.inc A src/security/intel/cbnt/Kconfig A src/security/intel/cbnt/Makefile.inc M src/security/intel/txt/Kconfig M src/security/intel/txt/Makefile.inc 8 files changed, 72 insertions(+), 1 deletion(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/56/46456/14
Patrick Georgi has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/46456 )
Change subject: sec/intel/cbnt: Stitch in ACMs in the coreboot image ......................................................................
Patch Set 14:
(3 comments)
https://review.coreboot.org/c/coreboot/+/46456/11//COMMIT_MSG Commit Message:
https://review.coreboot.org/c/coreboot/+/46456/11//COMMIT_MSG@7 PS11, Line 7: soc
nit: sec
Done
https://review.coreboot.org/c/coreboot/+/46456/11//COMMIT_MSG@9 PS11, Line 9: CbNT
nit: CBnT (Converged Bootguard 'n' TXT)
Done
https://review.coreboot.org/c/coreboot/+/46456/11/src/security/intel/txt/Mak... File src/security/intel/txt/Makefile.inc:
https://review.coreboot.org/c/coreboot/+/46456/11/src/security/intel/txt/Mak... PS11, Line 32: CbNT
nit: CBnT
Done
Angel Pons has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/46456 )
Change subject: sec/intel/cbnt: Stitch in ACMs in the coreboot image ......................................................................
Patch Set 14: Code-Review+2
Patrick Georgi has submitted this change. ( https://review.coreboot.org/c/coreboot/+/46456 )
Change subject: sec/intel/cbnt: Stitch in ACMs in the coreboot image ......................................................................
sec/intel/cbnt: Stitch in ACMs in the coreboot image
Actual support CBnT will be added later on.
Change-Id: Icc35c5e6c74d002efee43cc05ecc8023e00631e0 Signed-off-by: Arthur Heymans arthur@aheymans.xyz Reviewed-on: https://review.coreboot.org/c/coreboot/+/46456 Reviewed-by: Angel Pons th3fanbus@gmail.com Tested-by: build bot (Jenkins) no-reply@coreboot.org --- M Makefile.inc M src/cpu/intel/fit/Kconfig M src/security/intel/Kconfig M src/security/intel/Makefile.inc A src/security/intel/cbnt/Kconfig A src/security/intel/cbnt/Makefile.inc M src/security/intel/txt/Kconfig M src/security/intel/txt/Makefile.inc 8 files changed, 72 insertions(+), 1 deletion(-)
Approvals: build bot (Jenkins): Verified Angel Pons: Looks good to me, approved
diff --git a/Makefile.inc b/Makefile.inc index b3868a5..69ac747 100644 --- a/Makefile.inc +++ b/Makefile.inc @@ -732,6 +732,16 @@
endif
+ifeq ($(CONFIG_INTEL_CBNT_SUPPORT),y) + +CBNTIBB := --cbnt + +else + +CBNTIBB := + +endif # CONFIG_INTEL_CBNT_SUPPORT + ifeq ($(CONFIG_COMPRESS_BOOTBLOCK),y)
$(objcbfs)/bootblock.lz4: $(objcbfs)/bootblock.elf $(objutil)/cbfstool/cbfs-compression-tool @@ -1063,6 +1073,7 @@ ifeq ($(CONFIG_INTEL_ADD_TOP_SWAP_BOOTBLOCK),y) TS_OPTIONS := -j $(CONFIG_INTEL_TOP_SWAP_BOOTBLOCK_SIZE) endif + ifneq ($(CONFIG_UPDATE_IMAGE),y) $(obj)/coreboot.pre: $(objcbfs)/bootblock.bin $$(prebuilt-files) $(CBFSTOOL) $(IFITTOOL) $$(cpu_ucode_cbfs_file) $(obj)/fmap.fmap $(obj)/fmap.desc $(CBFSTOOL) $@.tmp create -M $(obj)/fmap.fmap -r $(shell cat $(obj)/fmap.desc) @@ -1072,6 +1083,7 @@ -n bootblock \ -t bootblock \ $(TXTIBB) \ + $(CBNTIBB) \ -b -$(call file-size,$(objcbfs)/bootblock.bin) $(cbfs-autogen-attributes) \ $(TS_OPTIONS) else # ifeq ($(CONFIG_ARCH_X86),y) diff --git a/src/cpu/intel/fit/Kconfig b/src/cpu/intel/fit/Kconfig index fa10802..9ea867e 100644 --- a/src/cpu/intel/fit/Kconfig +++ b/src/cpu/intel/fit/Kconfig @@ -5,7 +5,7 @@
config CPU_INTEL_NUM_FIT_ENTRIES int - default 16 if INTEL_TXT + default 16 if INTEL_TXT || INTEL_CBNT_SUPPORT default 4 depends on CPU_INTEL_FIRMWARE_INTERFACE_TABLE help diff --git a/src/security/intel/Kconfig b/src/security/intel/Kconfig index 9cdd8a6..0609a45 100644 --- a/src/security/intel/Kconfig +++ b/src/security/intel/Kconfig @@ -2,3 +2,4 @@
source "src/security/intel/txt/Kconfig" source "src/security/intel/stm/Kconfig" +source "src/security/intel/cbnt/Kconfig" diff --git a/src/security/intel/Makefile.inc b/src/security/intel/Makefile.inc index e00802a..20aea27 100644 --- a/src/security/intel/Makefile.inc +++ b/src/security/intel/Makefile.inc @@ -1,2 +1,3 @@ subdirs-y += txt subdirs-y += stm +subdirs-y += cbnt diff --git a/src/security/intel/cbnt/Kconfig b/src/security/intel/cbnt/Kconfig new file mode 100644 index 0000000..f13f6ec --- /dev/null +++ b/src/security/intel/cbnt/Kconfig @@ -0,0 +1,27 @@ +# SPDX-License-Identifier: GPL-2.0-only + +config INTEL_CBNT_SUPPORT + bool "Intel CBnT support" + default n + depends on CPU_INTEL_FIRMWARE_INTERFACE_TABLE + #depends on PLATFORM_HAS_DRAM_CLEAR + select INTEL_TXT + help + Enables Intel Converged Bootguard and Trusted Execution Technology + Support. This will enable one to add a Key Manifest (KM) and a Boot + Policy Manifest (BPM) to the filesystem. It will also wrap a FIT around + the firmware and update appropriate entries. + +if INTEL_CBNT_SUPPORT + +config INTEL_CBNT_KEY_MANIFEST_BINARY + string "KM (Key Manifest) binary location" + help + Location of the Key Manifest (KM) + +config INTEL_CBNT_BOOT_POLICY_MANIFEST_BINARY + string "BPM (Boot Policy Manifest) binary location" + help + Location of the Boot Policy Manifest (BPM) + +endif # INTEL_CBNT_SUPPORT diff --git a/src/security/intel/cbnt/Makefile.inc b/src/security/intel/cbnt/Makefile.inc new file mode 100644 index 0000000..f2e5c76 --- /dev/null +++ b/src/security/intel/cbnt/Makefile.inc @@ -0,0 +1,25 @@ +ifeq ($(CONFIG_INTEL_CBNT_SUPPORT),y) + +ifneq ($(CONFIG_INTEL_CBNT_BOOT_POLICY_MANIFEST_BINARY),"") +cbfs-files-y += boot_policy_manifest.bin +boot_policy_manifest.bin-file := $(CONFIG_INTEL_CBNT_BOOT_POLICY_MANIFEST_BINARY) +boot_policy_manifest.bin-type := raw +boot_policy_manifest.bin-align := 0x10 + +INTERMEDIATE+=add_bpm_fit +add_bpm_fit: $(obj)/coreboot.pre $(IFITTOOL) + $(IFITTOOL) -r COREBOOT -a -n boot_policy_manifest.bin -t 12 -s $(CONFIG_CPU_INTEL_NUM_FIT_ENTRIES) -f $< +endif + +ifneq ($(CONFIG_INTEL_CBNT_KEY_MANIFEST_BINARY),"") +cbfs-files-y += key_manifest.bin +key_manifest.bin-file := $(CONFIG_INTEL_CBNT_KEY_MANIFEST_BINARY) +key_manifest.bin-type := raw +key_manifest.bin-align := 0x10 + +INTERMEDIATE+=add_km_fit +add_km_fit: $(obj)/coreboot.pre $(IFITTOOL) + $(IFITTOOL) -r COREBOOT -a -n key_manifest.bin -t 11 -s $(CONFIG_CPU_INTEL_NUM_FIT_ENTRIES) -f $< +endif + +endif # CONFIG_INTEL_CBNT_SUPPORT diff --git a/src/security/intel/txt/Kconfig b/src/security/intel/txt/Kconfig index 80be7c2..f9e4bc4 100644 --- a/src/security/intel/txt/Kconfig +++ b/src/security/intel/txt/Kconfig @@ -52,6 +52,7 @@
config INTEL_TXT_BIOSACM_ALIGNMENT hex + default 0x40000 if INTEL_CBNT_SUPPORT default 0x20000 # 128 KiB help Exceptions are Ivy and Sandy Bridge with 64 KiB and Purley with 256 KiB diff --git a/src/security/intel/txt/Makefile.inc b/src/security/intel/txt/Makefile.inc index eab47b9..77a5f69 100644 --- a/src/security/intel/txt/Makefile.inc +++ b/src/security/intel/txt/Makefile.inc @@ -33,6 +33,8 @@ $(IFITTOOL) -r COREBOOT -a -n $(CONFIG_INTEL_TXT_CBFS_BIOS_ACM) -t 2 \ -s $(CONFIG_CPU_INTEL_NUM_FIT_ENTRIES) -f $<
+# CBnT does not use FIT for IBB +ifneq ($(CONFIG_INTEL_CBNT_SUPPORT),y) # Initial BootBlock files ibb-files := $(foreach file,$(cbfs-files), \ $(if $(shell echo '$(call extract_nth,7,$(file))'|grep -- --ibb), \ @@ -45,6 +47,8 @@ $(foreach file, $(ibb-files), $(shell $(IFITTOOL) -f $< -a -n $(file) -t 7 \ -s $(CONFIG_CPU_INTEL_NUM_FIT_ENTRIES) -r COREBOOT)) true
+endif # INTEL_CBNT_SUPPORT + endif # CPU_INTEL_FIRMWARE_INTERFACE_TABLE
endif # INTEL_TXT