Hi,
On 09.02.2021 11:02, Arthur Heymans wrote:
Hi
To make Intel CBnT (Converged Bootguard and TXT) useful in coreboot some tooling is required to generate both a Key Manifest (A signed binary, that is checked against a key fused into the ME, holding keys that OEM can use to sign the BPM) and a Boot Policy Manifest (signed binary, has a digest of IBBs, Initial Boot Blocks). At the moment these are included as binaries by the build system.
Obviously this only works if the IBB hasn't changed. If it changed, you'd need to regenerate the BPM. 9elements has written some open source tooling (BSD-3 clause) to generate both KM and BPM. The code for this tool is not yet public as it was written using NDA documentation. Intel is currently reviewing this to allow us to make it public, but this takes time. It will be part of the 3rdparty/intel-sec-tools submodule.
What is the diff between BtG and CBnT manifests format? Is the work that we (3mdeb) did, not usable?
Best regards,