From 6362df3f5ef6ebe4e1228962bcd09273cd57ce57 Mon Sep 17 00:00:00 2001 From: Arthur Heymans Date: Wed, 17 Mar 2021 12:23:20 +0100 Subject: security/intel/cbnt: Add option to generate an unsigned BPM Change-Id: Ic1b941f06b44bd3067e5b071af8f7a02499d7827 Signed-off-by: Arthur Heymans Reviewed-on: https://review.coreboot.org/c/coreboot/+/51573 Reviewed-by: Christian Walter Reviewed-by: Angel Pons Tested-by: build bot (Jenkins) --- src/security/intel/cbnt/Kconfig | 15 ++++++++++++++- src/security/intel/cbnt/Makefile.inc | 12 ++++++++++++ 2 files changed, 26 insertions(+), 1 deletion(-) (limited to 'src/security') diff --git a/src/security/intel/cbnt/Kconfig b/src/security/intel/cbnt/Kconfig index 7df09b4b1ba3..c01821231179 100644 --- a/src/security/intel/cbnt/Kconfig +++ b/src/security/intel/cbnt/Kconfig @@ -50,11 +50,24 @@ config INTEL_CBNT_BG_PROV_KM_USE_CFG_FILE config INTEL_CBNT_GENERATE_BPM bool "Generate Boot Policy Manifest (BPM)" default y - select INTEL_CBNT_NEED_BPM_PRIV_KEY + select INTEL_CBNT_NEED_BPM_PRIV_KEY if !INTEL_CBNT_BPM_ONLY_UNSIGNED help Select y to generate the Boot Policy Manifest (BPM). Select n to include a BPM binary. +config INTEL_CBNT_BPM_ONLY_UNSIGNED + bool "Only unsigned boot policy manifest (BPM)" + depends on INTEL_CBNT_GENERATE_BPM + help + Skip signing the BPM. + The resulting unsigned BPM will be placed at build/bpm_unsigned.bin. + The resulting coreboot image will not be functional with CBnT. + After the unsigned BPM is signed externally you can add it to cbfs + and fit: + "$ cbfstool build/coreboot.rom add -f bpm.bin -n boot_policy_manifest.bin -t raw -a 16" + "$ ifittool -r COREBOOT -a -n boot_policy_manifest.bin -t 12 -s 12 -f build/coreboot.rom" + '-s 12' where 12 is CONFIG_CPU_INTEL_NUM_FIT_ENTRIES. + config INTEL_CBNT_BG_PROV_CFG_FILE string "CBnT json config file" depends on INTEL_CBNT_BG_PROV_KM_USE_CFG_FILE || INTEL_CBNT_GENERATE_BPM diff --git a/src/security/intel/cbnt/Makefile.inc b/src/security/intel/cbnt/Makefile.inc index b73a7eac3543..0ea9ed0b0b88 100644 --- a/src/security/intel/cbnt/Makefile.inc +++ b/src/security/intel/cbnt/Makefile.inc @@ -38,6 +38,15 @@ $(obj)/bpm_unsigned.bin: $(obj)/coreboot.rom $(BG_PROV) $(CBNT_CFG) printf " BG_PROV creating unsigned BPM using config file\n" $(BG_PROV) bpm-gen $@ $< --config=$(CBNT_CFG) --cut +ifeq ($(CONFIG_INTEL_CBNT_BPM_ONLY_UNSIGNED),y) +build_complete:: $(obj)/bpm_unsigned.bin + @printf "\n** WARNING **\n" + @printf "Build generated an unsigned BPM image: build/bpm_unsigned.bin.\n" + @printf "The resulting image will not work with CBnT.\n" + @printf "After you have externally signed the image you can add it to the coreboot image:\n" + @printf "$$ cbfstool build/coreboot.rom add -f bpm.bin -n boot_policy_manifest.bin -t raw -a 16\n" + @printf "$$ ifittool -r COREBOOT -a -n boot_policy_manifest.bin -t 12 -s 12 -f build/coreboot.rom\n" +else $(obj)/bpm.bin: $(obj)/bpm_unsigned.bin $(BG_PROV) $(call strip_quotes, $(CONFIG_INTEL_CBNT_BPM_PRIV_KEY_FILE)) printf " BG_PROV signing real BPM\n" $(BG_PROV) bpm-sign $< $@ $(CONFIG_INTEL_CBNT_BPM_PRIV_KEY_FILE) "" @@ -49,7 +58,10 @@ files_added:: $(obj)/bpm.bin printf " IFITTOOL Adding BPM\n" $(IFITTOOL) -r COREBOOT -a -n boot_policy_manifest.bin -t 12 -s $(CONFIG_CPU_INTEL_NUM_FIT_ENTRIES) -f $(obj)/coreboot.rom +endif # CONFIG_INTEL_CBNT_BPM_ONLY_UNSIGNED + else # CONFIG_INTEL_CBNT_GENERATE_BPM + ifneq ($(CONFIG_INTEL_CBNT_BOOT_POLICY_MANIFEST_BINARY),"") cbfs-files-y += boot_policy_manifest.bin boot_policy_manifest.bin-file := $(CONFIG_INTEL_CBNT_BOOT_POLICY_MANIFEST_BINARY) -- cgit v1.2.3