Patrick Rudolph has uploaded this change for review. ( https://review.coreboot.org/c/coreboot/+/34585 )

Change subject: security/intel: Add TXT infrastructure ......................................................................

security/intel: Add TXT infrastructure

* Add Kconfig to enable TXT * Add possibility to add BIOS and SINIT ACMs * Set default BIOS ACM alignment * Increase FIT space if TXT is enabled

The following commits depend on the basic Kconfig infrastructure. Intel TXT isn't supported until all following commits are merged.

Change-Id: I5f0f956d2b7ba43d4e7e0062803c6d8ba569a052 Signed-off-by: Patrick Rudolph patrick.rudolph@9elements.com --- M Documentation/security/intel/txt.md M src/cpu/intel/fit/Kconfig M src/security/Kconfig M src/security/Makefile.inc A src/security/intel/Kconfig A src/security/intel/Makefile.inc A src/security/intel/txt/Kconfig A src/security/intel/txt/Makefile.inc M src/soc/intel/cannonlake/Kconfig M src/soc/intel/skylake/Kconfig 10 files changed, 115 insertions(+), 3 deletions(-)

git pull ssh://review.coreboot.org:29418/coreboot refs/changes/85/34585/1

diff --git a/Documentation/security/intel/txt.md b/Documentation/security/intel/txt.md index f67b639..f80a731 100644 --- a/Documentation/security/intel/txt.md +++ b/Documentation/security/intel/txt.md @@ -90,11 +90,11 @@

## For developers ### Configuring Intel TXT in Kconfig -Enable ``TEE_INTEL_TXT`` and set the following: +Enable ``INTEL_TXT`` and set the following:

-``TEE_INTEL_TXT_BIOSACM_FILE`` to the path of the BIOS ACM provided by Intel +``INTEL_TXT_BIOSACM_FILE`` to the path of the BIOS ACM provided by Intel

-``TEE_INTEL_TXT_SINITACM_FILE`` to the path of the SINIT ACM provided by Intel +``INTEL_TXT_SINITACM_FILE`` to the path of the SINIT ACM provided by Intel ### Print TXT status as early as possible Add platform code to print the TXT status as early as possible, as the register is cleared on cold reset. diff --git a/src/cpu/intel/fit/Kconfig b/src/cpu/intel/fit/Kconfig index e48dca9..fa10802 100644 --- a/src/cpu/intel/fit/Kconfig +++ b/src/cpu/intel/fit/Kconfig @@ -5,6 +5,7 @@

config CPU_INTEL_NUM_FIT_ENTRIES int + default 16 if INTEL_TXT default 4 depends on CPU_INTEL_FIRMWARE_INTERFACE_TABLE help diff --git a/src/security/Kconfig b/src/security/Kconfig index 8a1531a..4e08bbd 100644 --- a/src/security/Kconfig +++ b/src/security/Kconfig @@ -15,3 +15,4 @@ source "src/security/vboot/Kconfig" source "src/security/tpm/Kconfig" source "src/security/memory/Kconfig" +source "src/security/intel/Kconfig" diff --git a/src/security/Makefile.inc b/src/security/Makefile.inc index f62413e..fd78438 100644 --- a/src/security/Makefile.inc +++ b/src/security/Makefile.inc @@ -1,3 +1,4 @@ subdirs-y += vboot subdirs-y += tpm subdirs-y += memory +subdirs-y += intel diff --git a/src/security/intel/Kconfig b/src/security/intel/Kconfig new file mode 100644 index 0000000..333e385 --- /dev/null +++ b/src/security/intel/Kconfig @@ -0,0 +1,20 @@ +## This file is part of the coreboot project. +## +## Copyright (C) 2019 9elements Agency GmbH +## Copyright (C) 2019 Facebook Inc. +## +## This program is free software; you can redistribute it and/or modify +## it under the terms of the GNU General Public License as published by +## the Free Software Foundation; version 2 of the License. +## +## This program is distributed in the hope that it will be useful, +## but WITHOUT ANY WARRANTY; without even the implied warranty of +## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +## GNU General Public License for more details. +## + +menu "Intel" + +source "src/security/intel/txt/Kconfig" + +endmenu # Intel diff --git a/src/security/intel/Makefile.inc b/src/security/intel/Makefile.inc new file mode 100644 index 0000000..9388d3f --- /dev/null +++ b/src/security/intel/Makefile.inc @@ -0,0 +1 @@ +subdirs-y += txt diff --git a/src/security/intel/txt/Kconfig b/src/security/intel/txt/Kconfig new file mode 100644 index 0000000..b6c5d19 --- /dev/null +++ b/src/security/intel/txt/Kconfig @@ -0,0 +1,55 @@ +## This file is part of the coreboot project. +## +## Copyright (C) 2019 9elements Agency GmbH +## Copyright (C) 2019 Facebook Inc. +## +## This program is free software; you can redistribute it and/or modify +## it under the terms of the GNU General Public License as published by +## the Free Software Foundation; version 2 of the License. +## +## This program is distributed in the hope that it will be useful, +## but WITHOUT ANY WARRANTY; without even the implied warranty of +## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +## GNU General Public License for more details. +## + +config INTEL_TXT + bool "Intel TXT support" + default n + select MRC_SETTINGS_PROTECT if CACHE_MRC_SETTINGS + select SOC_INTEL_COMMON_BLOCK_VMX if PLATFORM_USES_FSP2_0 + select AP_IN_SIPI_WAIT + depends on TSC_CONSTANT_RATE + depends on (TPM1 || TPM2) + depends on CPU_INTEL_FIRMWARE_INTERFACE_TABLE + depends on PLATFORM_HAS_DRAM_CLEAR + depends on SOC_INTEL_FSP_BROADWELL_DE || SOC_INTEL_COMMON_BLOCK_SA + +if INTEL_TXT + +config INTEL_TXT_BIOSACM_FILE + string "BIOS ACM file" + default "3rdparty/blobs/soc/intel/fsp_broadwell_de/biosacm.bin" if SOC_INTEL_FSP_BROADWELL_DE + default "3rdparty/blobs/soc/intel/skylake/biosacm.bin" if SOC_INTEL_COMMON_SKYLAKE_BASE + help + Intel TXT BIOS ACM file. This file can be obtained by privileged + access to intel resources. Or for some platforms found inside the + blob repository. + +config INTEL_TXT_SINITACM_FILE + string "SINIT ACM file" + default "3rdparty/blobs/soc/intel/fsp_broadwell_de/sinitacm.bin" if SOC_INTEL_FSP_BROADWELL_DE + default "3rdparty/blobs/soc/intel/skylake/sinitacm.bin" if SOC_INTEL_COMMON_SKYLAKE_BASE + help + Intel TXT SINIT ACM file. This file can be obtained by privileged + access to intel resources. Or for some platforms found inside the + blob repository. + +config INTEL_TXT_BIOSACM_ALIGNMENT + hex + default 0x20000 # 128KB + help + Exceptions are Ivy- and Sandybridge with 64KB and Purely with 256KB + alignment size. Please overwrite it SoC specific. + +endif diff --git a/src/security/intel/txt/Makefile.inc b/src/security/intel/txt/Makefile.inc new file mode 100644 index 0000000..f123510 --- /dev/null +++ b/src/security/intel/txt/Makefile.inc @@ -0,0 +1,25 @@ +ifeq ($(CONFIG_INTEL_TXT),y) + +cbfs-files-y += txt_bios_acm.bin +txt_bios_acm.bin-file := $(CONFIG_INTEL_TXT_BIOSACM_FILE) +txt_bios_acm.bin-type := raw +txt_bios_acm.bin-align := $(CONFIG_INTEL_TXT_BIOSACM_ALIGNMENT) + +cbfs-files-($(CONFIG_INTEL_FIT_BIOS_POLICY)) += txt_bios_policy.bin +txt_bios_policy.bin-file := $(objgenerated)/txt_bios_policy.bin +txt_bios_policy.bin-type := raw +txt_bios_policy.bin-align := 0x10 + +ifneq ($(CONFIG_INTEL_TXT_SINITACM_FILE),"") +cbfs-files-y += txt_sinit_acm.bin +txt_sinit_acm.bin-file := $(CONFIG_INTEL_TXT_SINITACM_FILE) +txt_sinit_acm.bin-type := raw +txt_sinit_acm.bin-align := 0x10 +txt_sinit_acm.bin-compression := lzma +endif + +INTERMEDIATE+=add_acm_fit +add_acm_fit: $(obj)/coreboot.pre $(IFITTOOL) + $(IFITTOOL) -r COREBOOT -a -n txt_bios_acm.bin -t 2 -s $(CONFIG_CPU_INTEL_NUM_FIT_ENTRIES) -f $< + +endif diff --git a/src/soc/intel/cannonlake/Kconfig b/src/soc/intel/cannonlake/Kconfig index f859cd5..a63b829 100644 --- a/src/soc/intel/cannonlake/Kconfig +++ b/src/soc/intel/cannonlake/Kconfig @@ -319,4 +319,8 @@ hex default 0xe00

+config INTEL_TXT_BIOSACM_ALIGNMENT + hex + default 0x40000 # 256KB + endif diff --git a/src/soc/intel/skylake/Kconfig b/src/soc/intel/skylake/Kconfig index f36d5ca..310619e 100644 --- a/src/soc/intel/skylake/Kconfig +++ b/src/soc/intel/skylake/Kconfig @@ -309,4 +309,8 @@ string default "sklkbl"

+config INTEL_TXT_BIOSACM_ALIGNMENT + hex + default 0x40000 # 256KB + endif