Hi Michal,

mind pointing me to the tooling you make for *creating* these manifests?

On Tue, 9 Feb 2021 at 11:46, Michal Zygowski <michal.zygowski@3mdeb.com> wrote:
Hi,

On 09.02.2021 11:02, Arthur Heymans wrote:
> Hi
>
> To make Intel CBnT (Converged Bootguard and TXT) useful in coreboot some
> tooling is required to generate both a Key Manifest (A signed binary,
> that is checked against a key fused into the ME, holding keys that OEM
> can use to sign the BPM) and a Boot Policy Manifest (signed binary, has
> a digest of IBBs, Initial Boot Blocks).
> At the moment these are included as binaries by the build system.
>
> Obviously this only works if the IBB hasn't changed. If it changed, you'd
> need to regenerate the BPM. 9elements has written some open source tooling
> (BSD-3 clause) to generate both KM and BPM. The code for this tool is not yet
> public as it was written using NDA documentation. Intel is currently reviewing
> this to allow us to make it public, but this takes time. It will be part of
> the 3rdparty/intel-sec-tools submodule.

What is the diff between the BtG and CBnT manifest formats? Is the work that
we (3mdeb) did not usable?

Best regards,

--
Michał Żygowski
Firmware Engineer
https://3mdeb.com | @3mdeb_com