New subject: [S] Change in coreboot[master]: security/intel/bootguard: Add Boot Guard IBB and ACM logic

13 Jul 2020

Michał Żygowski has uploaded this change for review. ( https://review.coreboot.org/c/coreboot/+/43393 )
Change subject: security/intel/bootguard: Add Boot Guard IBB and ACM logic
......................................................................
security/intel/bootguard: Add Boot Guard IBB and ACM logic
Signed-off-by: Michał Żygowski michal.zygowski@3mdeb.com
Change-Id: I50eb70ccdce6584329352a0480922162c162a4c6
---
M src/security/intel/Makefile.inc
M src/security/intel/bootguard/Kconfig
A src/security/intel/bootguard/Makefile.inc
3 files changed, 35 insertions(+), 0 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/93/43393/1

diff --git a/src/security/intel/Makefile.inc b/src/security/intel/Makefile.inc
index e00802a..1590f26 100644
--- a/src/security/intel/Makefile.inc
+++ b/src/security/intel/Makefile.inc
@@ -1,2 +1,3 @@
 subdirs-y += txt
 subdirs-y += stm
+subdirs-y += bootguard
diff --git a/src/security/intel/bootguard/Kconfig b/src/security/intel/bootguard/Kconfig
index ebaf386..d1d6c3c 100644
--- a/src/security/intel/bootguard/Kconfig
+++ b/src/security/intel/bootguard/Kconfig
@@ -97,6 +97,14 @@
      Include the Boot Guard Authenticated Code Module necessary to boot
      Boot Guard enabled platform
+config BTG_ACM_LOCATION
+	hex "Boot Guard ACM location"
+	default 0xfffe0000
+	help
+	  Specifies the location of Boot Guard ACM in CBFS. It should be 64k
+	  or 128k aligned and reside in the top most 2MB under 4G for Kaby
+	  Lake and earlier or top most 8MB under 4G for Coffe Lake and newer.
+
 endmenu
endif
diff --git a/src/security/intel/bootguard/Makefile.inc b/src/security/intel/bootguard/Makefile.inc
new file mode 100644
index 0000000..d6ebbe3
--- /dev/null
+++ b/src/security/intel/bootguard/Makefile.inc
@@ -0,0 +1,26 @@
+ifeq ($(CONFIG_INTEL_BOOTGUARD),y)
+
+cbfs-files-y += boot_guard_acm.bin
+boot_guard_acm.bin-file := $(CONFIG_BTG_ACM_FILE)
+boot_guard_acm.bin-type := raw
+boot_guard_acm.bin-position := $(CONFIG_BTG_ACM_LOCATION)
+
+# Initial BootBlock files
+ibb-files := $(foreach file,$(cbfs-files), \
+        $(if $(shell echo '$(call extract_nth,7,$(file))'|grep -- --ibb), \
+                $(call extract_nth,2,$(file)),))
+
+ibb-files += bootblock
+
+INTERMEDIATE+=add_btg_acm_fit
+INTERMEDIATE+=add_ibb_fit
+
+add_btg_acm_fit: $(obj)/coreboot.pre $(IFITTOOL)
+	$(IFITTOOL) -r COREBOOT -a -n boot_guard_acm.bin -t 2 \
+		-s $(CONFIG_CPU_INTEL_NUM_FIT_ENTRIES) -f $<
+
+add_ibb_fit: $(obj)/coreboot.pre $(IFITTOOL)
+	$(foreach file, $(ibb-files), $(shell $(IFITTOOL) -f $< -a -n $(file) -t 7 -s $(CONFIG_CPU_INTEL_NUM_FIT_ENTRIES) \
+		-r COREBOOT)) true
+
+endif
-- 
To view, visit https://review.coreboot.org/c/coreboot/+/43393
To unsubscribe, or for help writing mail filters, visit https://review.coreboot.org/settings

Gerrit-Project: coreboot
Gerrit-Branch: master
Gerrit-Change-Id: I50eb70ccdce6584329352a0480922162c162a4c6
Gerrit-Change-Number: 43393
Gerrit-PatchSet: 1
Gerrit-Owner: Michał Żygowski michal.zygowski@3mdeb.com
Gerrit-Reviewer: Martin Roth martinroth@google.com
Gerrit-Reviewer: Patrick Georgi pgeorgi@google.com
Gerrit-MessageType: newchange



    