Hi Michal,
mind pointing me to the tooling you make for *creating* these manifests?
Am Di., 9. Feb. 2021 um 11:46 Uhr schrieb Michal Zygowski < michal.zygowski@3mdeb.com>:
Hi,
On 09.02.2021 11:02, Arthur Heymans wrote:
Hi
To make Intel CBnT (Converged Bootguard and TXT) useful in coreboot some tooling is required to generate both a Key Manifest (A signed binary, that is checked against a key fused into the ME, holding keys that OEM can use to sign
the BPM)
and a Boot Policy Manifest (signed binary, has a digest of IBBs, Initial Boot Blocks). At the moment these are included as binaries by the build system.
Obviously this only works if the IBB hasn't changed. If it changed, you'd need to regenerate the BPM. 9elements has written some open source
tooling
(BSD-3 clause) to generate both KM and BPM. The code for this tool is
not yet
public as it was written using NDA documentation. Intel is currently
reviewing
this to allow us to make it public, but this takes time. It will be part of the 3rdparty/intel-sec-tools submodule.
What is the diff between BtG and CBnT manifests format? Is the work that we (3mdeb) did, not usable?
Best regards,
-- Michał Żygowski Firmware Engineer https://3mdeb.com | @3mdeb_com _______________________________________________ coreboot mailing list -- coreboot@coreboot.org To unsubscribe send an email to coreboot-leave@coreboot.org