Christian Walter has uploaded this change for review. ( https://review.coreboot.org/c/coreboot/+/45470 )

Change subject: security/intel/cbnt: Add basic CBnT Driver and Kconfig ......................................................................

security/intel/cbnt: Add basic CBnT Driver and Kconfig

Also modify fit.c tooling a little bit.

Change-Id: Ie1f6b0b4a8e12cc93b5cec8b9d78294b433decc9 Signed-off-by: Christian Walter christian.walter@9elements.com --- M Makefile.inc M src/security/intel/Kconfig M src/security/intel/Makefile.inc A src/security/intel/cbnt/Kconfig A src/security/intel/cbnt/Makefile.inc A src/security/intel/cbnt/cbnt.h A src/security/intel/cbnt/cbnt_logging.c A src/security/intel/cbnt/cbnt_register.h M util/cbfstool/fit.c 9 files changed, 340 insertions(+), 5 deletions(-)

git pull ssh://review.coreboot.org:29418/coreboot refs/changes/70/45470/1

diff --git a/Makefile.inc b/Makefile.inc index 9d27743..3e2fc6f 100644 --- a/Makefile.inc +++ b/Makefile.inc @@ -1135,7 +1135,6 @@ $(IFITTOOL) -f $@.tmp -a -n cpu_microcode_blob.bin -t 1 -s $(CONFIG_CPU_INTEL_NUM_FIT_ENTRIES) \ -r COREBOOT endif - $(IFITTOOL) -f $@.tmp -D -r COREBOOT

# Second FIT in TOP_SWAP bootblock ifeq ($(CONFIG_INTEL_ADD_TOP_SWAP_BOOTBLOCK),y) @@ -1155,10 +1154,34 @@ $(IFITTOOL) -f $@.tmp -a -n cpu_microcode_blob.bin -t 1 -s $(CONFIG_CPU_INTEL_NUM_FIT_ENTRIES) \ $(TS_OPTIONS) -r COREBOOT endif - $(IFITTOOL) -f $@.tmp -D $(TS_OPTIONS) -r COREBOOT

endif

+# Stich in BPM and KM +ifeq ($(CONFIG_INTEL_CBNT_SUPPORT),y) +ifneq ($(CONFIG_INTEL_CBNT_BOOT_POLICY_MANIFEST_BINARY),"") + $(CBFSTOOL) $@.tmp add -n boot_policy_manifest.bin -f $(CONFIG_INTEL_CBNT_BOOT_POLICY_MANIFEST_BINARY) -t raw -a 16 + $(IFITTOOL) -r COREBOOT -a -n boot_policy_manifest.bin -t 12 -s $(CONFIG_CPU_INTEL_NUM_FIT_ENTRIES) -f $@.tmp +endif +ifneq ($(CONFIG_INTEL_CBNT_KEY_MANIFEST_BINARY),"") + $(CBFSTOOL) $@.tmp add -n key_manifest.bin -f $(CONFIG_INTEL_CBNT_KEY_MANIFEST_BINARY) -t raw -a 16 + $(IFITTOOL) -r COREBOOT -a -n key_manifest.bin -t 11 -s $(CONFIG_CPU_INTEL_NUM_FIT_ENTRIES) -f $@.tmp +endif + +#Stich in ACMs +ifneq ($(CONFIG_INTEL_CBNT_BIOS_ACM_FILE),"") + $(CBFSTOOL) $@.tmp add -n txt_bios_acm.bin -f $(CONFIG_INTEL_CBNT_BIOS_ACM_FILE) -t raw -a $(CONFIG_INTEL_CBNT_BIOSACM_ALIGNMENT) + $(IFITTOOL) -r COREBOOT -a -n txt_bios_acm.bin -t 2 -s $(CONFIG_CPU_INTEL_NUM_FIT_ENTRIES) -f $@.tmp +endif # CONFIG_INTEL_CBNT_BIOS_ACM_FILE + +ifneq ($(CONFIG_INTEL_CBNT_SINIT_ACM_FILE),"") +# $(CBFSTOOL) $@.tmp add -n txt_sinit_acm.bin -f $(CONFIG_INTEL_CBNT_SINIT_ACM_FILE) -t raw -a 16 +endif # CONFIG_INTEL_CBNT_SINIT_ACM_FILE +endif # CONFIG_INTEL_CBNT_SUPPORT + + $(IFITTOOL) -f $@.tmp -D -r COREBOOT + + endif # !CONFIG_UPDATE_IMAGE endif # CONFIG_CPU_INTEL_FIRMWARE_INTERFACE_TABLE mv $@.tmp $@ diff --git a/src/security/intel/Kconfig b/src/security/intel/Kconfig index 9cdd8a6..0609a45 100644 --- a/src/security/intel/Kconfig +++ b/src/security/intel/Kconfig @@ -2,3 +2,4 @@

source "src/security/intel/txt/Kconfig" source "src/security/intel/stm/Kconfig" +source "src/security/intel/cbnt/Kconfig" diff --git a/src/security/intel/Makefile.inc b/src/security/intel/Makefile.inc index e00802a..20aea27 100644 --- a/src/security/intel/Makefile.inc +++ b/src/security/intel/Makefile.inc @@ -1,2 +1,3 @@ subdirs-y += txt subdirs-y += stm +subdirs-y += cbnt diff --git a/src/security/intel/cbnt/Kconfig b/src/security/intel/cbnt/Kconfig new file mode 100644 index 0000000..1b38cf6 --- /dev/null +++ b/src/security/intel/cbnt/Kconfig @@ -0,0 +1,44 @@ +# SPDX-License-Identifier: GPL-2.0-only + +config INTEL_CBNT_SUPPORT + bool "Intel CBnT support" + default n + help + Enables Intel Converged Bootguard and Trusted Execution Technology + Support. This will enable one to add a Key Manifest (KM) and a Boot + Policy Manifest (BPM) to the filesystem. It will also wrap a FIT around + the firmware and update appropriate entries. + + depends on CPU_INTEL_FIRMWARE_INTERFACE_TABLE + #depends on PLATFORM_HAS_DRAM_CLEAR + +if INTEL_CBNT_SUPPORT + +config INTEL_CBNT_BIOS_ACM_FILE + string "BIOS ACM file location" + help + Location of the BIOS ACM (Startup ACM or S-ACM) file needed for CBnT + +config INTEL_CBNT_SINIT_ACM_FILE + string "SINIT ACM file location" + help + Location of the SINIT ACM file needed for CBnT + +config INTEL_CBNT_KEY_MANIFEST_BINARY + string "KM (Key Manifest) binary location" + help + Location of the Key Manifest (KM) + +config INTEL_CBNT_BOOT_POLICY_MANIFEST_BINARY + string "BPM (Boot Policy Manifest) binary location" + help + Location of the Boot Policy Manifest (BPM) + +config INTEL_CBNT_BIOSACM_ALIGNMENT + hex + default 0x40000 # 256 KiB + help + Exceptions are Ivy and Sandy Bridge with 64 KiB and Purley with 256 KiB + alignment size. If necessary, override from platform-specific Kconfig. + +endif # INTEL_CBNT_SUPPORT diff --git a/src/security/intel/cbnt/Makefile.inc b/src/security/intel/cbnt/Makefile.inc new file mode 100644 index 0000000..fce8162 --- /dev/null +++ b/src/security/intel/cbnt/Makefile.inc @@ -0,0 +1,6 @@ +ifeq ($(CONFIG_INTEL_CBNT_SUPPORT),y) + +romstage-y += cbnt_logging.c +ramstage-y += cbnt_logging.c + +endif # CONFIG_INTEL_CBNT_SUPPORT \ No newline at end of file diff --git a/src/security/intel/cbnt/cbnt.h b/src/security/intel/cbnt/cbnt.h new file mode 100644 index 0000000..a28b210 --- /dev/null +++ b/src/security/intel/cbnt/cbnt.h @@ -0,0 +1,3 @@ +// SPDX-License-Identifier: GPL-2.0-only + +void cbnt_logging_dump_early_information(void); \ No newline at end of file diff --git a/src/security/intel/cbnt/cbnt_logging.c b/src/security/intel/cbnt/cbnt_logging.c new file mode 100644 index 0000000..398672b --- /dev/null +++ b/src/security/intel/cbnt/cbnt_logging.c @@ -0,0 +1,168 @@ +// SPDX-License-Identifier: GPL-2.0-only + +#include <console/console.h> +#include <cpu/x86/msr.h> +#include <arch/mmio.h> +#include <bootstate.h> +#include "cbnt.h" +#include "cbnt_register.h" +#include <device/pci_ops.h> + +#include <delay.h> + +void cbnt_logging_dump_early_information(void) { + printk(BIOS_INFO, "CBNT: =========== Intel CBNT ===========\n"); + + /* + msr_t pbec_msr = rdmsr(BOOT_GUARD_PBEC); + printk(BIOS_INFO, "Protect BIOS Environment Control MSR:\n"); + printk(BIOS_INFO, "StopPBET: "); + (pbec_msr.lo & 0x1) + ? printk(BIOS_INFO, "Ok\n") : printk(BIOS_INFO, "Not safe\n"); + */ + msr_t sacm_info_msr = rdmsr(MSR_BOOT_GUARD_SACM_INFO); + uint64_t sacm_info = ((uint64_t)sacm_info_msr.hi << 32) + | (sacm_info_msr.lo); + printk(BIOS_INFO, "CBNT:\tBoot Guard S-ACM Info MSR:\n"); + printk(BIOS_DEBUG, "CBNT:\tRaw SACM Info:\t\t%llx\n", sacm_info); + + // Print NEM Status + printk(BIOS_INFO, "CBNT:\tNEM Status:\t\t"); + (sacm_info & BTG_SACM_INFO_NEM_ENABLED) + ? printk(BIOS_INFO, "Enabled\n") : printk(BIOS_INFO, "Not enabled\n"); + + // Print TPM Type + switch (sacm_info & BTG_SACM_INFO_TPM_TYPE) + { + case BTG_SACM_INFO_NO_TPM: + printk(BIOS_INFO, "CBNT:\tTPM Type:\t\tNo TPM\n"); + break; + case BTG_SACM_INFO_TPM1_2: + printk(BIOS_INFO, "CBNT:\tTPM Type:\t\tTPM 1.2\n"); + break; + case BTG_SACM_INFO_TPM2_0: + printk(BIOS_INFO, "CBNT:\tTPM Type:\t\tTPM 2.0\n"); + break; + case BTG_SACM_INFO_PTT: + printk(BIOS_INFO, "CBNT:\tTPM Type:\t\tPTT\n"); + break; + default: + printk(BIOS_ERR, "CBNT:\tTPM Type:\t\tUnknown Type\n"); + break; + } + + // TPM Success + if (sacm_info & BTG_SACM_INFO_TPM_SUCCESS) + printk(BIOS_INFO, "CBNT:\tBtG ACM:\t\tTPM commands successful\n"); + else + printk(BIOS_INFO, "CBNT:\tBtG ACM:\t\tTPM commands errored\n"); + + // FACB Bit + printk(BIOS_INFO, "CBNT:\tForce Anchor Boot Bit:\t"); + (sacm_info & BTG_SACM_INFO_FACB) + ? printk(BIOS_INFO, "set\n") : printk(BIOS_INFO, "not set\n"); + + // Measured Boot + printk(BIOS_INFO, "CBNT:\tMeasured Boot:\t\t"); + (sacm_info & BTG_SACM_INFO_MEASURED_BOOT) + ? printk(BIOS_INFO, "on\n") : printk(BIOS_INFO, "off\n"); + + // Verfied Boot + printk(BIOS_INFO, "CBNT:\tVerified Boot:\t\t"); + (sacm_info & BTG_SACM_INFO_VERIFIED_BOOT) + ? printk(BIOS_INFO, "on\n") : printk(BIOS_INFO, "off\n"); + + // Revoked + (sacm_info & BTG_SACM_INFO_MODULE_REVOKED) + ? printk(BIOS_INFO, "CBNT:\tOne ore more ") : printk(BIOS_INFO, "CBNT:\tNone "); + printk(BIOS_INFO, "of the BtG components have been revoked.\n"); + + // Btg Capable + printk(BIOS_INFO, "CBNT:\tCPU Bootguard Cap.:\t"); + (sacm_info & BTG_SACM_INFO_MODULE_REVOKED) + ? printk(BIOS_INFO, "Yes\n") : printk(BIOS_INFO, "No\n"); + +} + +static void cbnt_logging_dump_acm_information(void *unused) { + mdelay(10000); + + cbnt_logging_dump_early_information(); + + uint64_t didvid = read64((void *)CBNT_DIDVID); + printk(BIOS_DEBUG, "CBNT:\tDIDVID:\t\t\t0x%llx\n", didvid); + + uint64_t bootstatus = read64((void *)CBNT_BOOTSTATUS); + printk(BIOS_DEBUG, "CBNT:\tBOOTSTATUS:\t\t0x%llx\n", bootstatus); + + uint64_t sacm_status = read64((void *)CBNT_SACM_STATUS); + printk(BIOS_DEBUG, "\n\nCBNT:\tS-ACM_STATUS Raw:\t0x%llx\n", sacm_status); + + // Check if register is valid + if (!(sacm_status & CBNT_SACM_STATUS_VALID)) { + printk(BIOS_ERR, "------------------------------------------------\n"); + printk(BIOS_ERR, "\tS-ACM Status Register is not valid!\n"); + printk(BIOS_ERR, "\tNone of the following values can be trusted.\n"); + printk(BIOS_ERR, "------------------------------------------------\n"); + } + + printk(BIOS_INFO, "CBNT:\tACM_Started:\t\t\t0x%llx\n", (sacm_status & CBNT_SACM_STATUS_SACM_STARTED)); + printk(BIOS_INFO, "CBNT:\tModule Type:\t\t\t"); + if (sacm_status & CBNT_SACM_STATUS_MODULE_TYPE) + printk(BIOS_INFO, "SINIT\n"); + else + printk(BIOS_INFO, "BIOS ACM\n"); + printk(BIOS_INFO, "CBNT:\tClass Code:\t\t\t0x%02llx\n", + (sacm_status & (CBNT_SACM_STATUS_CLASS_CODE)) >> CBNT_SACM_STATUS_CLASS_CODE_OS); + printk(BIOS_INFO, "CBNT:\tMajor Error Code:\t\t0x%02llx\n", + (sacm_status & (CBNT_SACM_STATUS_MAJOR_ERR)) >> CBNT_SACM_STATUS_MAJOR_ERR_OS); + printk(BIOS_INFO, "CBNT:\tMinor Error Code:\t\t0x%03llx\n", + (sacm_status & (CBNT_SACM_STATUS_MINOR_ERR)) >> CBNT_SACM_STATUS_MINOR_ERR_OS); + printk(BIOS_INFO, "\nCBNT:\tIntel ME HFSTS Register\n"); + + // Read ME Configuration from PCI Device + uint32_t hfsts = pci_read_config32(PCH_DEV_CSE, INTEL_ME_HFSTS6); + printk(BIOS_INFO, "CBNT:\t++ HFSTS6 ++\n", (hfsts >> 0) & 0x1); + + // Read ME Configuration from PCI Device + uint32_t hfsts1 = pci_read_config32(PCH_DEV_CSE, INTEL_ME_HFSTS1); + printk(BIOS_INFO, "CBNT:\t++ HFSTS1 ++\n"); + printk(BIOS_INFO, "CBNT:\tCurrent State:\t\t%x\n", (hfsts1 >> 0) & 0xf); + + uint32_t hfsts2 = pci_read_config32(PCH_DEV_CSE, INTEL_ME_HFSTS2); + printk(BIOS_INFO, "CBNT:\t++ HFSTS2 ++\n"); + + uint32_t hfsts3 = pci_read_config32(PCH_DEV_CSE, INTEL_ME_HFSTS3); + printk(BIOS_INFO, "CBNT:\t++ HFSTS3 ++\n"); + + uint32_t hfsts4 = pci_read_config32(PCH_DEV_CSE, INTEL_ME_HFSTS4); + printk(BIOS_INFO, "CBNT:\t++ HFSTS4 ++\n"); + + uint32_t hfsts5 = pci_read_config32(PCH_DEV_CSE, INTEL_ME_HFSTS5); + printk(BIOS_INFO, "CBNT:\t++ HFSTS5 ++\n"); + + uint32_t hfsts = pci_read_config32(PCH_DEV_CSE, INTEL_ME_HFSTS6); + printk(BIOS_INFO, "CBNT:\t++ HFSTS6 ++\n"); + printk(BIOS_INFO, "CBNT:\tForceACMBootPolicy:\t\t%x\n", (hfsts >> 0) & 0x1); + printk(BIOS_INFO, "CBNT:\tCPUDebugDisabled:\t\t%x\n", (hfsts >> 1) & 0x1); + printk(BIOS_INFO, "CBNT:\tBSPInitDisabled:\t\t%x\n", (hfsts >> 2) & 0x1); + printk(BIOS_INFO, "CBNT:\tProtectBIOSEnvironment:\t\t%x\n", (hfsts >> 3) & 0x1); + printk(BIOS_INFO, "CBNT:\tBypassBootPolicy:\t\t%x\n", (hfsts >> 4) & 0x1); + printk(BIOS_INFO, "CBNT:\tBootPolicyInvalid:\t\t%x\n", (hfsts >> 5) & 0x1); + printk(BIOS_INFO, "CBNT:\tErrorEnforcementPolicy:\t\t%x\n", (hfsts >> 6) & 0x3); + printk(BIOS_INFO, "CBNT:\tMeasuredBootPolicy:\t\t%x\n", (hfsts >> 8) & 0x1); + printk(BIOS_INFO, "CBNT:\tVerifiedBootPolicy:\t\t%x\n", (hfsts >> 9) & 0x1); + printk(BIOS_INFO, "CBNT:\tACMSVN:\t\t\t\t%x\n", (hfsts >> 10) & 0xf); + printk(BIOS_INFO, "CBNT:\tKMSVN:\t\t\t\t%x\n", (hfsts >> 14) & 0xf); + printk(BIOS_INFO, "CBNT:\tBPMSVN:\t\t\t\t%x\n", (hfsts >> 18) & 0xf); + printk(BIOS_INFO, "CBNT:\tKMID:\t\t\t\t%x\n", (hfsts >> 22) & 0xf); + printk(BIOS_INFO, "CBNT:\tBootPolicyManifestExecStatus:\t%x\n", (hfsts >> 26) & 0xf); + printk(BIOS_INFO, "CBNT:\tError:\t\t\t\t%x\n", (hfsts >> 27) & 0x1); + printk(BIOS_INFO, "CBNT:\tBootGuardDisable:\t\t%x\n", (hfsts >> 28) & 0x1); + printk(BIOS_INFO, "CBNT:\tFPFDisable:\t\t\t%x\n", (hfsts >> 29) & 0x1); + printk(BIOS_INFO, "CBNT:\tFPFLock:\t\t\t%x\n", (hfsts >> 30) & 0x1); + printk(BIOS_INFO, "CBNT:\tTXTSupported:\t\t\t%x\n", (hfsts >> 31) & 0x1); + +} + +BOOT_STATE_INIT_ENTRY(BS_DEV_INIT, BS_ON_EXIT, cbnt_logging_dump_acm_information, NULL); \ No newline at end of file diff --git a/src/security/intel/cbnt/cbnt_register.h b/src/security/intel/cbnt/cbnt_register.h new file mode 100644 index 0000000..5640e7f --- /dev/null +++ b/src/security/intel/cbnt/cbnt_register.h @@ -0,0 +1,80 @@ +// SPDX-License-Identifier: GPL-2.0-only +#include <device/pci_def.h> + +#define _PCH_DEVFN(slot, func) PCI_DEVFN(PCH_DEV_SLOT_ ## slot, func) + +#if !defined(__SIMPLE_DEVICE__) +#include <device/device.h> +#define _PCH_DEV(slot, func) pcidev_path_on_root_debug(_PCH_DEVFN(slot, func), __func__) +#else +#define _PCH_DEV(slot, func) PCI_DEV(0, PCH_DEV_SLOT_ ## slot, func) +#endif + + +#define INTEL_ME_HFSTS1 0x40 +#define INTEL_ME_HFSTS2 0x48 +#define INTEL_ME_HFSTS3 0x60 +#define INTEL_ME_HFSTS4 0x64 +#define INTEL_ME_HFSTS5 0x68 +#define INTEL_ME_HFSTS6 0x6c + +// MSRs +#define BOOT_GUARD_PBEC 0x139 +#define MSR_BOOT_GUARD_SACM_INFO 0x13A + +// MSR_BOOT_GUARD_SACM_INFO +#define BTG_SACM_INFO_BTG_CAP (1 << 32) +#define BTG_SACM_INFO_MODULE_REVOKED (1 << 7) +#define BTG_SACM_INFO_VERIFIED_BOOT (1 << 6) +#define BTG_SACM_INFO_MEASURED_BOOT (1 << 5) +#define BTG_SACM_INFO_FACB (1 << 4) +#define BTG_SACM_INFO_TPM_SUCCESS (1 << 3) +#define BTG_SACM_INFO_TPM_TYPE (3 << 1) +#define BTG_SACM_INFO_NEM_ENABLED (1 << 0) + +#define BTG_SACM_INFO_NO_TPM 0 +#define BTG_SACM_INFO_TPM1_2 1 +#define BTG_SACM_INFO_TPM2_0 2 +#define BTG_SACM_INFO_PTT 3 + +// CBnT Base Address +#define CBNT_BASE_ADDRESS 0xFED30000 + +#define CBNT_SACM_STATUS (CBNT_BASE_ADDRESS + 0x328) + +// CBNT_SACM_STATUS +#define CBNT_SACM_STATUS_VALID (1 << 31) +#define CBNT_SACM_STATUS_MINOR_ERR (0xfff << 16) +#define CBNT_SACM_STATUS_MINOR_ERR_OS 16 +#define CBNT_SACM_STATUS_SACM_STARTED (1 << 15) +#define CBNT_SACM_STATUS_MAJOR_ERR (0x1f << 10) +#define CBNT_SACM_STATUS_MAJOR_ERR_OS 10 +#define CBNT_SACM_STATUS_CLASS_CODE (0x3f << 4) +#define CBNT_SACM_STATUS_CLASS_CODE_OS 4 +#define CBNT_SACM_STATUS_MODULE_TYPE (0xf << 0) + +#define CBNT_SACM_POLICY_STATUS 0x378 + +// CBNT_SACM_POLICY_STATUS + +#define CBNT_DIDVID (CBNT_BASE_ADDRESS + 0x110) + + +#define CBNT_BOOTSTATUS (CBNT_BASE_ADDRESS + 0xA0) + +// CBNT_BOOTSTATUS +#define CBNT_BTST_SACM_SUCCESS (1 << 63) +#define CBNT_BTST_CPU_ERROR (1 << 62) +#define CBNT_BTST_TXT_POLICY_DIS (1 << 60) +#define CBNT_BTST_BIOS_TRUSTED (1 << 59) +#define CBNT_BTST_BTG_FAILED (1 << 48) +#define CBNT_BTST_MEMORY_PD_EXEC (1 << 47) +#define CBNT_BTST_PFR_STARTUP_SUCCESS (1 << 33) +#define CBNT_BTST_BLOCK_BOOT_EN (1 << 32) +#define CBNT_BTST_BTG_STARTUP_SUCCESS (1 << 31) +#define CBNT_BTST_TXT_STARTUP_SUCCESS (1 << 30) + + +#define PCH_DEV_SLOT_CSE 0x16 +#define PCH_DEV_CSE _PCH_DEV(CSE, 0) + diff --git a/util/cbfstool/fit.c b/util/cbfstool/fit.c index e7aa8d7..5b6ae5d 100644 --- a/util/cbfstool/fit.c +++ b/util/cbfstool/fit.c @@ -111,7 +111,8 @@ if(fit_entry_type(entry) == FIT_TYPE_BOOT_POLICY || fit_entry_type(entry) == FIT_TYPE_KEY_MANIFEST) return; - + printf("Entry is %x\n", fit_entry_type(entry)); + printf("Shifting %x\n", size_bytes); /* Size is multiples of 16 bytes. */ entry->size_reserved = (size_bytes >> 4) & 0xffffff; } @@ -464,11 +465,14 @@ { entry->address = boot_policy_addr; /* Boot Policy Manifest size is not multiple of 16 bytes */ - fit_entry_update_size(entry, boot_policy_size << 4); + //fit_entry_update_size(entry, boot_policy_size << 4); entry->type_checksum_valid = FIT_TYPE_BOOT_POLICY; entry->version = FIT_TXT_VERSION; entry->checksum = 0; + entry->size_reserved = boot_policy_size << 4; fit_entry_add_size(&fit->header, sizeof(struct fit_entry)); + entry->size_reserved = (entry->size_reserved & 0xff00) + ((entry->size_reserved - (entry->size_reserved & 0xff00)) >> 4); + entry->size_reserved = swab32(entry->size_reserved) >> 16; }

/* @@ -482,12 +486,17 @@ uint32_t key_manifest_size) { entry->address = key_manifest_addr; + /* Key Manifest size is not multiple of 16 bytes */ - fit_entry_update_size(entry, key_manifest_size << 4); + //fit_entry_update_size(entry, key_manifest_size << 4); + //entry->size_reserved = key_manifest_size << 4; entry->type_checksum_valid = FIT_TYPE_KEY_MANIFEST; entry->version = FIT_TXT_VERSION; entry->checksum = 0; + entry->size_reserved = key_manifest_size << 4; fit_entry_add_size(&fit->header, sizeof(struct fit_entry)); + entry->size_reserved = (entry->size_reserved & 0xff00) + ((entry->size_reserved - (entry->size_reserved & 0xff00)) >> 4); + entry->size_reserved = swab32(entry->size_reserved) >> 16; }

/* Special case for ucode CBFS file, as it might contain more than one ucode */