summaryrefslogtreecommitdiff
path: root/src/security/intel
diff options
context:
space:
mode:
authorArthur Heymans <arthur@aheymans.xyz>2021-02-19 17:14:23 +0100
committerPatrick Georgi <pgeorgi@google.com>2021-03-19 11:23:21 +0000
commiteeacd8349c1bf208acf393e10e72a6da413a67ef (patch)
tree163bb72d760965393c421865f5b174ca843cb459 /src/security/intel
parente9e4e54e27d7d6ff987f694d183534a7f1713c04 (diff)
downloadcoreboot-eeacd8349c1bf208acf393e10e72a6da413a67ef.tar.xz
cpu/intel/fit: Add the FIT table as a separate CBFS file
With CBnT a digest needs to be made of the IBB, Initial BootBlock, in this case the bootblock. After that a pointer to the BPM, Boot Policy Manifest, containing the IBB digest needs to be added to the FIT table. If the fit table is inside the IBB, updating it with a pointer to the BPM, would make the digest invalid. The proper solution is to move the FIT table out of the bootblock. The FIT table itself does not need to be covered by the digest as it just contains pointers to structures that can by verified by the hardware itself, such as microcode and ACMs (Authenticated Code Modules). Change-Id: I352e11d5f7717147a877be16a87e9ae35ae14856 Signed-off-by: Arthur Heymans <arthur@aheymans.xyz> Reviewed-on: https://review.coreboot.org/c/coreboot/+/50926 Reviewed-by: Patrick Rudolph <patrick.rudolph@9elements.com> Reviewed-by: Christian Walter <christian.walter@9elements.com> Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Diffstat (limited to 'src/security/intel')
-rw-r--r--src/security/intel/cbnt/Makefile.inc4
-rw-r--r--src/security/intel/txt/Makefile.inc4
2 files changed, 4 insertions, 4 deletions
diff --git a/src/security/intel/cbnt/Makefile.inc b/src/security/intel/cbnt/Makefile.inc
index b612a81655..b8ea702df2 100644
--- a/src/security/intel/cbnt/Makefile.inc
+++ b/src/security/intel/cbnt/Makefile.inc
@@ -6,7 +6,7 @@ boot_policy_manifest.bin-file := $(CONFIG_INTEL_CBNT_BOOT_POLICY_MANIFEST_BINARY
boot_policy_manifest.bin-type := raw
boot_policy_manifest.bin-align := 0x10
-$(call add_intermediate, add_bpm_fit, $(IFITTOOL))
+$(call add_intermediate, add_bpm_fit, $(IFITTOOL) set_fit_ptr)
$(IFITTOOL) -r COREBOOT -a -n boot_policy_manifest.bin -t 12 -s $(CONFIG_CPU_INTEL_NUM_FIT_ENTRIES) -f $<
endif
@@ -16,7 +16,7 @@ key_manifest.bin-file := $(CONFIG_INTEL_CBNT_KEY_MANIFEST_BINARY)
key_manifest.bin-type := raw
key_manifest.bin-align := 0x10
-$(call add_intermediate, add_km_fit, $(IFITTOOL))
+$(call add_intermediate, add_km_fit, $(IFITTOOL) set_fit_ptr)
$(IFITTOOL) -r COREBOOT -a -n key_manifest.bin -t 11 -s $(CONFIG_CPU_INTEL_NUM_FIT_ENTRIES) -f $<
endif
diff --git a/src/security/intel/txt/Makefile.inc b/src/security/intel/txt/Makefile.inc
index cdcbd40660..d3323417c0 100644
--- a/src/security/intel/txt/Makefile.inc
+++ b/src/security/intel/txt/Makefile.inc
@@ -28,7 +28,7 @@ endif
ifeq ($(CONFIG_CPU_INTEL_FIRMWARE_INTERFACE_TABLE),y)
-$(call add_intermediate, add_acm_fit, $(IFITTOOL))
+$(call add_intermediate, add_acm_fit, $(IFITTOOL) set_fit_ptr)
$(IFITTOOL) -r COREBOOT -a -n $(CONFIG_INTEL_TXT_CBFS_BIOS_ACM) -t 2 \
-s $(CONFIG_CPU_INTEL_NUM_FIT_ENTRIES) -f $<
@@ -41,7 +41,7 @@ ibb-files := $(foreach file,$(cbfs-files), \
ibb-files += bootblock
-$(call add_intermediate, add_ibb_fit, $(IFITTOOL))
+$(call add_intermediate, add_ibb_fit, $(IFITTOOL) set_fit_ptr)
$(foreach file, $(ibb-files), $(shell $(IFITTOOL) -f $< -a -n $(file) -t 7 \
-s $(CONFIG_CPU_INTEL_NUM_FIT_ENTRIES) -r COREBOOT)) true