Ravindra has uploaded this change for review. ( https://review.coreboot.org/c/coreboot/+/60020 )

Change subject: soc/intel/common/cse: Update help text for CSE_OEMP_FILE ......................................................................

soc/intel/common/cse: Update help text for CSE_OEMP_FILE

The OEM may create and sign an Audio component to extend the Audio capability provided by Intel.The manifest is then signed, and the signature and public key are entered into the header of the manifest to create the final signed component binary. This creates a secure verification mechanism where firmware verifies that the OEM Key Manifest was signed with a key owned by a trusted owner. Once OEM KM is authenticated, each public key hash stored within the OEM KM is able to authenticate the corresponding FW binary.

BUG=b:207820413 TEST:none

Signed-off-by: ravindr1 ravindra@intel.com Change-Id: Id52b51ab1c910d70b7897eb31add8287b5b0166f --- M src/soc/intel/common/block/cse/Kconfig 1 file changed, 6 insertions(+), 0 deletions(-)

git pull ssh://review.coreboot.org:29418/coreboot refs/changes/20/60020/1

diff --git a/src/soc/intel/common/block/cse/Kconfig b/src/soc/intel/common/block/cse/Kconfig index 055927b..2e2ad9b 100644 --- a/src/soc/intel/common/block/cse/Kconfig +++ b/src/soc/intel/common/block/cse/Kconfig @@ -183,5 +183,11 @@ config CSE_OEMP_FILE string "Name of OEM KM file" default "oem_km.bin" + help + OEM Key Manifest plays a central part in the signing mechanism. + It lists the public key hashes used for authenticating the OEM-created + binaries to be loaded. This binary is generated by signing with the + public key owned by the trusted owner. This file is expected to be + the part of the asset_generation/signing/outputs.

endif