Attention is currently required from: Christopher Meis, Michał Żygowski, Patrick Rudolph. Arthur Heymans has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/55513 )

Change subject: intel/fit - Prepare for BootGuard support ......................................................................

Patch Set 1:

(1 comment)

File src/cpu/intel/fit/Makefile.inc:

https://review.coreboot.org/c/coreboot/+/55513/comment/fd89a162_c1d33a7a PS1, Line 16: intel_fit-position := 0xffff0000 # Set position for BootGuard

I can confirm KBL had the top 4MB restriction for those blobs. If any of the components was out of the range, it just didn't boot with the profile 5.

I noticed the issues too with profile 3.

BTW: why don't you reuse what I already sent for review earlier? https://review.coreboot.org/q/topic:%22intel_bootguard%22+(status:open%20OR%...) I clearly see you duplicate some of the work done there.

The worked seemed stale (close to 1y old) and some of it did not apply to coreboot master (e.g. FIT is not inside the bootblock anymore). I think the most problematic thing in that patch series was the incompatible license of code used in the tooling (https://review.coreboot.org/c/coreboot/+/43403/comment/7132a7ca_7c94f095/). The tooling also outputs the wrong hash to put inside the ME. We therefore decided to build upon our cbnt provisioning tool and with relatively little effort we got that working for bootguard too.