Christopher Meis has uploaded this change for review. ( https://review.coreboot.org/c/coreboot/+/55516 )
Change subject: security/intel/txt - ACM handling for BootGuard ......................................................................
security/intel/txt - ACM handling for BootGuard
THIS IS WIP
Change-Id: I9cdd1aba1d7a32de3d48d1a2cd1a79d497dcbb23 Signed-off-by: Christopher Meis christopher.meis@9elements.com --- M Documentation/security/intel/txt.md M configs/config.asrock_b85m_pro4.tpm2_txt_placeholder_acms M configs/config.purism_librem15_v4.txt_build_test M src/security/intel/Makefile.inc A src/security/intel/acm/Kconfig M src/security/intel/bg/Kconfig M src/security/intel/bg/Makefile.inc M src/security/intel/cbnt/Kconfig M src/security/intel/cbnt/Makefile.inc M src/security/intel/txt/Kconfig M src/security/intel/txt/Makefile.inc 11 files changed, 142 insertions(+), 28 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/16/55516/1
diff --git a/Documentation/security/intel/txt.md b/Documentation/security/intel/txt.md index f80a731..e62d782 100644 --- a/Documentation/security/intel/txt.md +++ b/Documentation/security/intel/txt.md @@ -92,9 +92,9 @@ ### Configuring Intel TXT in Kconfig Enable ``INTEL_TXT`` and set the following:
-``INTEL_TXT_BIOSACM_FILE`` to the path of the BIOS ACM provided by Intel +``INTEL_BIOS_ACM_FILE`` to the path of the BIOS ACM provided by Intel
-``INTEL_TXT_SINITACM_FILE`` to the path of the SINIT ACM provided by Intel +``INTEL_SINIT_ACM_FILE`` to the path of the SINIT ACM provided by Intel ### Print TXT status as early as possible Add platform code to print the TXT status as early as possible, as the register is cleared on cold reset. diff --git a/configs/config.asrock_b85m_pro4.tpm2_txt_placeholder_acms b/configs/config.asrock_b85m_pro4.tpm2_txt_placeholder_acms index 4edeb0c..87d8a9a 100644 --- a/configs/config.asrock_b85m_pro4.tpm2_txt_placeholder_acms +++ b/configs/config.asrock_b85m_pro4.tpm2_txt_placeholder_acms @@ -5,6 +5,6 @@ CONFIG_BOARD_ASROCK_B85M_PRO4=y CONFIG_TPM2=y CONFIG_INTEL_TXT=y -CONFIG_INTEL_TXT_BIOSACM_FILE="3rdparty/blobs/cpu/intel/stm/stm.bin" -CONFIG_INTEL_TXT_SINITACM_FILE="3rdparty/blobs/cpu/intel/stm/stm.bin" +CONFIG_INTEL_BIOS_ACM_FILE="3rdparty/blobs/cpu/intel/stm/stm.bin" +CONFIG_INTEL_SINIT_ACM_FILE="3rdparty/blobs/cpu/intel/stm/stm.bin" CONFIG_INTEL_TXT_LOGGING=y diff --git a/configs/config.purism_librem15_v4.txt_build_test b/configs/config.purism_librem15_v4.txt_build_test index f2de8bc..24fde94 100644 --- a/configs/config.purism_librem15_v4.txt_build_test +++ b/configs/config.purism_librem15_v4.txt_build_test @@ -3,6 +3,6 @@ CONFIG_VENDOR_PURISM=y CONFIG_BOARD_PURISM_LIBREM15_V4=y CONFIG_INTEL_TXT=y -CONFIG_INTEL_TXT_BIOSACM_FILE="3rdparty/blobs/cpu/intel/stm/stm.bin" -CONFIG_INTEL_TXT_SINITACM_FILE="3rdparty/blobs/cpu/intel/stm/stm.bin" +CONFIG_INTEL_BIOS_ACM_FILE="3rdparty/blobs/cpu/intel/stm/stm.bin" +CONFIG_INTEL_SINIT_ACM_FILE="3rdparty/blobs/cpu/intel/stm/stm.bin" CONFIG_INTEL_TXT_LOGGING=y diff --git a/src/security/intel/Makefile.inc b/src/security/intel/Makefile.inc index 6878a5f..1637f73 100644 --- a/src/security/intel/Makefile.inc +++ b/src/security/intel/Makefile.inc @@ -2,3 +2,4 @@ subdirs-y += stm subdirs-y += cbnt subdirs-y += bg +subdurs-y += acm 
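Review bot: `+subdurs-y += acm` misspells `subdirs-y`, so the new acm directory is never descended by the build; this change only adds a Kconfig there, which masks the typo today, but the first Makefile.inc dropped into src/security/intel/acm would be silently ignored. Change the line to `subdirs-y += acm`. Nothing else references `subdurs-y`, so no build warning will ever point at it.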
diff --git a/src/security/intel/acm/Kconfig b/src/security/intel/acm/Kconfig
new file mode 100644
index 0000000..c3849ae
--- /dev/null
+++ b/src/security/intel/acm/Kconfig
@@ -0,0 +1,61 @@
+# SPDX-License-Identifier: GPL-2.0-only
+
+config INTEL_BIOS_ACM_REQUIRED
+ bool
+ default n
+ depends on INTEL_TXT_SUPPORT || INTEL_BG_SUPPORT
+ help
+ Enables selection of Authenticated Code Module required by Intel
+ TXT and Intel BootGuard.
+
+if INTEL_BIOS_ACM_REQUIRED
+
+config INTEL_BIOS_ACM_FILE
+ string "BIOS ACM file"
+ default "3rdparty/blobs/soc/intel/skylake/biosacm.bin" if SOC_INTEL_COMMON_SKYLAKE_BASE
+ help
+ Intel TXT or Intel BootGuard BIOS ACM file. This file can be obtained through privileged
+ access to Intel resources. Or for some platforms found inside the
+ blob repository.
+
+endif
+
+config INTEL_S_ACM_REQUIRED
+ bool
+ default n
+ depends on INTEL_CBNT_SUPPORT
+ help
+ Intel CBnT S-ACM file. This file can be btained through privileged
+ access to Intel resources only.
+
+if INTEL_S_ACM_REQUIRED
+
+config INTEL_S_ACM_FILE
+ string "S-ACM file"
+ default ""
+ help
+ Intel CBnT S-ACM file. This file can be obtained through privileged
+ access to Intel resources.
+
+endif
+
+config INTEL_SINIT_ACM_REQUIRED
+ bool
+ default n
+ depends on INTEL_TXT || INTEL_BG_SUPPORT || INTEL_CBNT_SUPPORT
+ help
+ Enables selection if Authenticated Code Module required by Intel
+
+if INTEL_SINIT_ACM_REQUIRED
+
+config INTEL_SINIT_ACM_FILE
+ string "SINIT ACM file"
+ default "3rdparty/blobs/soc/intel/skylake/sinitacm.bin" if SOC_INTEL_COMMON_SKYLAKE_BASE
+ help
+ Intel TXT, BG or CBnT SINIT ACM file. This file can be obtained through privileged
+ access to Intel resources. Or for some platforms found inside the
+ blob repository.
+
+endif
+
+
diff --git a/src/security/intel/bg/Kconfig b/src/security/intel/bg/Kconfig
index d817883..dc56815 100644
--- a/src/security/intel/bg/Kconfig
+++ b/src/security/intel/bg/Kconfig
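Review bot: `depends on INTEL_TXT_SUPPORT || INTEL_BG_SUPPORT` under INTEL_BIOS_ACM_REQUIRED names a symbol that does not exist in this change — the TXT option is `INTEL_TXT` (txt/Kconfig selects INTEL_BIOS_ACM_REQUIRED from it, and INTEL_SINIT_ACM_REQUIRED further down already spells it `INTEL_TXT`). Because the symbol is only ever reached through `select`, Kconfig will force it on for a TXT-only build with an unmet-dependency warning instead of failing, which hides the mistake; it should read `depends on INTEL_TXT || INTEL_BG_SUPPORT`. The help texts also need attention: INTEL_S_ACM_REQUIRED's help describes the file rather than the bool (and has `btained`), and INTEL_SINIT_ACM_REQUIRED's help stops mid-sentence at `required by Intel`. Nothing defaults or validates INTEL_BIOS_ACM_FILE on non-Skylake platforms, so a Boot Guard build without it set hands an empty path to the cbfs-files rule; a build-time `$(error INTEL_BIOS_ACM_FILE must be set)` in the consuming Makefile would make the missing ACM fail loudly rather than yield an image the ACM cannot verify.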
@@ -3,10 +3,11 @@ config INTEL_BG_SUPPORT bool "Intel Boot Guard support" default n - select INTEL_TXT depends on CPU_INTEL_FIRMWARE_INTERFACE_TABLE # With Boot Guard the bootblock is set up as a Boot Guard IBB and needs a fixed size select FIXED_BOOTBLOCK_SIZE + select INTEL_BIOS_ACM_REQUIRED + select INTEL_SINIT_ACM_REQUIRED help Enables Intel Boot Guard Support. This will enable one to add a Key Manifest (KM) and a Boot Policy Manifest (BPM) to the @@ -15,6 +16,8 @@
if INTEL_BG_SUPPORT
+source "src/security/intel/acm/Kconfig" + config INTEL_CBNT_LOGGING bool "Enable verbose BG logging" help @@ -141,6 +144,14 @@ help Location of the boot policy manifest (BPM) private key file in .pem format.
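Review bot: `source "src/security/intel/acm/Kconfig"` here is one of three places this change sources the same file (txt/Kconfig and cbnt/Kconfig do the same inside their own `if` blocks), so every ACM symbol ends up defined three times under different visibility conditions. Kconfig merges duplicate definitions, but the repeated prompts and help plus the `depends on` lines inside acm/Kconfig make it hard to tell from any single file when INTEL_BIOS_ACM_FILE or INTEL_SINIT_ACM_FILE is actually visible. Sourcing it once from the parent security/intel Kconfig (presumably the file that sources txt, bg and cbnt; it is not part of this diff) and relying on the `depends on` inside acm/Kconfig would leave a single definition to review. The enclosing `if INTEL_BG_SUPPORT` block begins before this hunk.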
+config INTEL_BG_CBFS_BIOS_ACM
+ string
+ default "bg_s_acm.bin"
+
+config INTEL_BG_CBFS_SINIT_ACM
+ string
+ default "bg_sinit_acm.bin"
+
if !INTEL_BG_BG_PROV_KM_USE_CFG_FILE && INTEL_BG_GENERATE_KM
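Review bot: `default "bg_s_acm.bin"` names the Boot Guard BIOS ACM's CBFS file after the S-ACM, which in this same change is the CBnT startup ACM (`cbnt_s_acm.bin` in cbnt/Kconfig), while bg/Makefile.inc stores INTEL_BIOS_ACM_FILE under this name; anyone inspecting the image with cbfstool will be misled about what the entry holds. Use `default "bg_bios_acm.bin"` so the CBFS name matches the content. Neither symbol has help, so a one-line comment above them such as `# CBFS file names for the Boot Guard BIOS ACM and SINIT ACM` would document them at no cost.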
diff --git a/src/security/intel/bg/Makefile.inc b/src/security/intel/bg/Makefile.inc index 5a23e83..e56e3c5 100644 --- a/src/security/intel/bg/Makefile.inc +++ b/src/security/intel/bg/Makefile.inc @@ -1,6 +1,27 @@ ifeq ($(CONFIG_INTEL_BG_SUPPORT),y)
-all-y += ../cbnt/logging.c
+cbfs-files-y += $(CONFIG_INTEL_BG_CBFS_BIOS_ACM)
+$(CONFIG_INTEL_BG_CBFS_BIOS_ACM)-file := $(CONFIG_INTEL_BIOS_ACM_FILE)
+$(CONFIG_INTEL_BG_CBFS_BIOS_ACM)-type := raw
+$(CONFIG_INTEL_BG_CBFS_BIOS_ACM)-position := 0xfff00000
+
+ifneq ($(CONFIG_INTEL_SINIT_ACM_FILE),"")
+cbfs-files-y += $(INTEL_CBNT_CBFS_SINIT_ACM)
+$(CONFIG_INTEL_BG_CBFS_SINIT_ACM)-file := $(CONFIG_INTEL_SINIT_ACM_FILE)
+$(CONFIG_INTEL_BG_CBFS_SINIT_ACM)-type := raw
+$(CONFIG_INTEL_BG_CBFS_SINIT_ACM)-align := 0x10
+$(CONFIG_INTEL_BG_CBFS_SINIT_ACM)-compression := lzma
+endif
+
+ifeq ($(CONFIG_CPU_INTEL_FIRMWARE_INTERFACE_TABLE),y)
+
+$(call add_intermediate, add_acm_fit, $(IFITTOOL) set_fit_ptr)
+ $(IFITTOOL) -r COREBOOT -a -n $(CONFIG_INTEL_BG_CBFS_BIOS_ACM) -t 2 \
+ -s $(CONFIG_CPU_INTEL_NUM_FIT_ENTRIES) -f $<
+
+endif
+
+
 ramstage-y += cmos.c
# As specified in Intel Boot Guard BIOS diff --git a/src/security/intel/cbnt/Kconfig b/src/security/intel/cbnt/Kconfig index 9d48490..f3b4763 100644 --- a/src/security/intel/cbnt/Kconfig +++ b/src/security/intel/cbnt/Kconfig @@ -5,10 +5,11 @@ default n depends on CPU_INTEL_FIRMWARE_INTERFACE_TABLE #depends on PLATFORM_HAS_DRAM_CLEAR - select INTEL_TXT # With CBnT the bootblock is set up as a CBnT IBB and needs a fixed size select FIXED_BOOTBLOCK_SIZE select TPM_MEASURED_BOOT_INIT_BOOTBLOCK if TPM_MEASURED_BOOT + select INTEL_S_ACM_REQUIRED + select INTEL_SINIT_ACM_REQUIRED help Enables Intel Converged Bootguard and Trusted Execution Technology Support. This will enable one to add a Key Manifest (KM) and a Boot @@ -17,6 +18,8 @@
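Review bot: `cbfs-files-y += $(INTEL_CBNT_CBFS_SINIT_ACM)` expands to nothing — the name lacks the `CONFIG_` prefix and refers to the CBnT symbol instead of the INTEL_BG_CBFS_SINIT_ACM one whose attributes the next four lines set — so the SINIT ACM is silently never added to CBFS even when INTEL_SINIT_ACM_FILE is set; it should be `cbfs-files-y += $(CONFIG_INTEL_BG_CBFS_SINIT_ACM)`. The BIOS ACM is pinned with `-position := 0xfff00000` where the TXT Makefile uses `-align := $(CONFIG_INTEL_TXT_BIOSACM_ALIGNMENT)`; a fixed address bakes in an assumption about the bootblock and FIT layout that only cbfstool's overlap check enforces, so either derive it from a Kconfig value or add a comment stating why this address and which alignment the ACM requires. The intermediate name `add_acm_fit` appears to be the same one txt/Makefile.inc uses for its ACM FIT entry (the `-s ... -f $<` context in that file's hunk); since TXT and Boot Guard can now be enabled together, both Makefiles would presumably define the same target and make would keep only one recipe, so give this one a distinct name such as `add_bg_acm_fit`. The `ifeq ($(CONFIG_CPU_INTEL_FIRMWARE_INTERFACE_TABLE),y)` guard is redundant, as INTEL_BG_SUPPORT already depends on that symbol. With `all-y += ../cbnt/logging.c` gone, the INTEL_CBNT_LOGGING option still present in bg/Kconfig no longer builds anything, which is worth either wiring back up or removing.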
if INTEL_CBNT_SUPPORT
+source "src/security/intel/acm/Kconfig" + config INTEL_CBNT_GENERATE_KM bool "Generate Key Manifest (KM)" default y @@ -137,6 +140,14 @@ help Location of the boot policy manifest (BPM) private key file in .pem format.
+config INTEL_CBNT_CBFS_S_ACM
+ string
+ default "cbnt_s_acm.bin"
+
+config INTEL_CBNT_CBFS_SINIT_ACM
+ string
+ default "cbnt_sinit_acm.bin"
+
 if !INTEL_CBNT_CBNT_PROV_KM_USE_CFG_FILE && INTEL_CBNT_GENERATE_KM
menu "KM options" diff --git a/src/security/intel/cbnt/Makefile.inc b/src/security/intel/cbnt/Makefile.inc index 7215a63..73ba0e0 100644 --- a/src/security/intel/cbnt/Makefile.inc +++ b/src/security/intel/cbnt/Makefile.inc @@ -2,6 +2,27 @@
ramstage-y += cmos.c
+cbfs-files-y += $(CONFIG_INTEL_CBNT_CBFS_S_ACM) +$(CONFIG_INTEL_CBNT_CBFS_S_ACM)-file := $(CONFIG_INTEL_S_ACM_FILE) +$(CONFIG_INTEL_CBNT_CBFS_S_ACM)-type := raw +$(CONFIG_INTEL_CBNT_CBFS_S_ACM)-position := 0xfff00000 + +ifneq ($(CONFIG_INTEL_SINIT_ACM_FILE),"") +cbfs-files-y += $(INTEL_CBNT_CBFS_SINIT_ACM) +$(CONFIG_INTEL_TXT_CBFS_SINIT_ACM)-file := $(CONFIG_INTEL_SINIT_ACM_FILE) +$(CONFIG_INTEL_TXT_CBFS_SINIT_ACM)-type := raw +$(CONFIG_INTEL_TXT_CBFS_SINIT_ACM)-align := 0x10 +$(CONFIG_INTEL_TXT_CBFS_SINIT_ACM)-compression := lzma +endif + +ifeq ($(CONFIG_CPU_INTEL_FIRMWARE_INTERFACE_TABLE),y) + +$(call add_intermediate, add_acm_fit, $(IFITTOOL) set_fit_ptr) + $(IFITTOOL) -r COREBOOT -a -n $(CONFIG_INTEL_CBNT_CBFS_S_ACM) -t 2 \ + -s $(CONFIG_CPU_INTEL_NUM_FIT_ENTRIES) -f $< + +endif + # As specified in Intel Trusted Execution Technology and Boot Guard Server BIOS # Specification, document number # 558294 PK_HASH_ALG_SHA1:=4 diff --git a/src/security/intel/txt/Kconfig b/src/security/intel/txt/Kconfig index 3648925..b566209 100644 --- a/src/security/intel/txt/Kconfig +++ b/src/security/intel/txt/Kconfig @@ -7,6 +7,8 @@ select ENABLE_VMX if CPU_INTEL_COMMON select AP_IN_SIPI_WAIT select TPM_MEASURED_BOOT_INIT_BOOTBLOCK if TPM_MEASURED_BOOT + select INTEL_BIOS_ACM_REQUIRED + select INTEL_SINIT_ACM_REQUIRED depends on TPM depends on CPU_INTEL_FIRMWARE_INTERFACE_TABLE depends on PLATFORM_HAS_DRAM_CLEAR @@ -14,21 +16,7 @@
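Review bot: The SINIT block in this hunk is wired to the wrong variables: `cbfs-files-y += $(INTEL_CBNT_CBFS_SINIT_ACM)` is missing the `CONFIG_` prefix and so adds nothing, while the four attribute lines use `$(CONFIG_INTEL_TXT_CBFS_SINIT_ACM)` — a TXT symbol that is empty on a CBnT-only build now that INTEL_TXT is no longer selected, and that on a TXT+CBnT build overwrites the TXT SINIT entry's attributes. The net effect is that CBnT builds never get a SINIT ACM in CBFS and nothing in the build reports it. All five lines should refer to CONFIG_INTEL_CBNT_CBFS_SINIT_ACM, as below. As in the Boot Guard Makefile, `-position := 0xfff00000` for the S-ACM deserves a comment explaining the address and alignment requirement, and the intermediate should get a CBnT-specific name rather than reusing `add_acm_fit`.
```make
ifneq ($(CONFIG_INTEL_SINIT_ACM_FILE),"")
cbfs-files-y += $(CONFIG_INTEL_CBNT_CBFS_SINIT_ACM)
$(CONFIG_INTEL_CBNT_CBFS_SINIT_ACM)-file := $(CONFIG_INTEL_SINIT_ACM_FILE)
$(CONFIG_INTEL_CBNT_CBFS_SINIT_ACM)-type := raw
$(CONFIG_INTEL_CBNT_CBFS_SINIT_ACM)-align := 0x10
$(CONFIG_INTEL_CBNT_CBFS_SINIT_ACM)-compression := lzma
endif
```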
if INTEL_TXT
-config INTEL_TXT_BIOSACM_FILE
- string "BIOS ACM file"
- default "3rdparty/blobs/soc/intel/skylake/biosacm.bin" if SOC_INTEL_COMMON_SKYLAKE_BASE
- help
- Intel TXT BIOS ACM file. This file can be obtained through privileged
- access to Intel resources. Or for some platforms found inside the
- blob repository.
-
-config INTEL_TXT_SINITACM_FILE
- string "SINIT ACM file"
- default "3rdparty/blobs/soc/intel/skylake/sinitacm.bin" if SOC_INTEL_COMMON_SKYLAKE_BASE
- help
- Intel TXT SINIT ACM file. This file can be obtained through privileged
- access to Intel resources. Or for some platforms found inside the
- blob repository.
+source "src/security/intel/acm/Kconfig"
config INTEL_TXT_DPR_SIZE int diff --git a/src/security/intel/txt/Makefile.inc b/src/security/intel/txt/Makefile.inc index d332341..4ac7f4f 100644 --- a/src/security/intel/txt/Makefile.inc +++ b/src/security/intel/txt/Makefile.inc @@ -14,13 +14,13 @@ ramstage-$(CONFIG_INTEL_TXT_LOGGING) += logging.c
cbfs-files-y += $(CONFIG_INTEL_TXT_CBFS_BIOS_ACM) -$(CONFIG_INTEL_TXT_CBFS_BIOS_ACM)-file := $(CONFIG_INTEL_TXT_BIOSACM_FILE) +$(CONFIG_INTEL_TXT_CBFS_BIOS_ACM)-file := $(CONFIG_INTEL_BIOS_ACM_FILE) $(CONFIG_INTEL_TXT_CBFS_BIOS_ACM)-type := raw $(CONFIG_INTEL_TXT_CBFS_BIOS_ACM)-align := $(CONFIG_INTEL_TXT_BIOSACM_ALIGNMENT)
ifneq ($(CONFIG_INTEL_TXT_SINITACM_FILE),"") cbfs-files-y += $(CONFIG_INTEL_TXT_CBFS_SINIT_ACM) -$(CONFIG_INTEL_TXT_CBFS_SINIT_ACM)-file := $(CONFIG_INTEL_TXT_SINITACM_FILE) +$(CONFIG_INTEL_TXT_CBFS_SINIT_ACM)-file := $(CONFIG_INTEL_SINIT_ACM_FILE) $(CONFIG_INTEL_TXT_CBFS_SINIT_ACM)-type := raw $(CONFIG_INTEL_TXT_CBFS_SINIT_ACM)-align := 0x10 $(CONFIG_INTEL_TXT_CBFS_SINIT_ACM)-compression := lzma @@ -33,7 +33,7 @@ -s $(CONFIG_CPU_INTEL_NUM_FIT_ENTRIES) -f $<
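Review bot: `ifneq ($(CONFIG_INTEL_TXT_SINITACM_FILE),"")` still tests the Kconfig symbol this change deletes from txt/Kconfig, so its left side is now always empty, the comparison against the literal `""` is always true, and the SINIT block runs even when no SINIT ACM is configured — the renamed `-file := $(CONFIG_INTEL_SINIT_ACM_FILE)` line then presumably receives an empty path and the image build fails at the cbfstool step. The guard must follow the rename: `ifneq ($(CONFIG_INTEL_SINIT_ACM_FILE),"")`. A tree-wide grep for INTEL_TXT_SINITACM_FILE and INTEL_TXT_BIOSACM_FILE would catch any other leftover reference.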
# CBnT does not use FIT for IBB -ifneq ($(CONFIG_INTEL_CBNT_SUPPORT),y) +ifneq ($(CONFIG_INTEL_BG_SUPPORT),y) # Initial BootBlock files ibb-files := $(foreach file,$(cbfs-files), \ $(if $(shell echo '$(call extract_nth,7,$(file))'|grep -- --ibb), \ @@ -45,7 +45,7 @@ $(foreach file, $(ibb-files), $(shell $(IFITTOOL) -f $< -a -n $(file) -t 7 \ -s $(CONFIG_CPU_INTEL_NUM_FIT_ENTRIES) -r COREBOOT)) true
-endif # INTEL_CBNT_SUPPORT +endif # INTEL_BG_SUPPORT
endif # CPU_INTEL_FIRMWARE_INTERFACE_TABLE
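Review bot: The comment `# CBnT does not use FIT for IBB` no longer describes the condition beneath it, which now reads `ifneq ($(CONFIG_INTEL_BG_SUPPORT),y)`: with this change a TXT+CBnT build adds the IBB (type 7) FIT entries that the comment says CBnT does not want, while a TXT+Boot Guard build skips them. If, as the comment implies, these FIT entries are how the ACM locates the IBB to verify, getting the guard wrong either leaves the bootblock outside the verified region or emits entries that conflict with what the BG/CBnT provisioning tools produce — so if both BG and CBnT manage the IBB themselves, guard on both: `# Boot Guard and CBnT do not use FIT for IBB` followed by `ifeq ($(CONFIG_INTEL_BG_SUPPORT)$(CONFIG_INTEL_CBNT_SUPPORT),)`, with the `endif` comment updated to match. If instead CBnT is now meant to consume these entries, say so in the comment. The enclosing `ifeq` on CPU_INTEL_FIRMWARE_INTERFACE_TABLE begins before this hunk.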