Hi
To make Intel CBnT (Converged Bootguard and TXT) useful in coreboot some tooling is required to generate both a Key Manifest (A signed binary, that is checked against a key fused into the ME, holding keys that OEM can use to sign the BPM) and a Boot Policy Manifest (signed binary, has a digest of IBBs, Initial Boot Blocks). At the moment these are included as binaries by the build system.
Obviously this only works if the IBB hasn't changed. If it changed, you'd need to regenerate the BPM. 9elements has written some open source tooling (BSD-3 clause) to generate both KM and BPM. The code for this tool is not yet public as it was written using NDA documentation. Intel is currently reviewing this to allow us to make it public, but this takes time. It will be part of the 3rdparty/intel-sec-tools submodule.
My question to the community is if it would be ok to allow for the build system integration code for KM and BPM generation to be integrated into the master branch before the code to the tooling is made public. CBnT is an optional feature on Intel hardware and is implemented as an optional feature in coreboot. The tool is standalone and coreboot can still be built fine without it.
At the moment coreboot has code for xeon_sp in the master branch without a public FSP too, with the promise that it will be publicly released later on by Intel. Compared to that the situation would be a little better: we propose to add a binary tool (it's written in go so it's automatically build as a static binary) to the blobs repo under a licence similar to the one used for Intel FSP and MCU (allows redistribution). We hope to remove it ASAP from there and build it from source from 3rdparty/intel-sec-tools.
We'd like to develop as close as possible to the coreboot master branch, so we hope that this is an acceptable solution to the community.
So TL;DR: - Is (temporarily) adding a tool to the blobs repo ok? - Is integrating an (optional) not yet open tool into the build system ok?
Let me know what you think.
Kind regards.
Arthur Heymans
9elements GmbH, Kortumstraße 19-21, 44787 Bochum, Germany Email: arthur.heymans@9elements.com Phone: +49 234 68 94 188 Mobile: +32 478499445
Sitz der Gesellschaft: Bochum Handelsregister: Amtsgericht Bochum, HRB 17519 Geschäftsführung: Sebastian Deutsch, Eray Basar
Datenschutzhinweise nach Art. 13 DSGVO