drivers/wifi: Remove unnecessary data structure copy

[coreboot2.git] / src / security / intel / cbnt / Kconfig

# SPDX-License-Identifier: GPL-2.0-only

config INTEL_CBNT_SUPPORT
        bool "Intel CBnT support"
        default n
        depends on CPU_INTEL_FIRMWARE_INTERFACE_TABLE
        #depends on PLATFORM_HAS_DRAM_CLEAR
        select INTEL_TXT
        # With CBnT the bootblock is set up as a CBnT IBB and needs a fixed size
        select TPM_MEASURED_BOOT_INIT_BOOTBLOCK if TPM_MEASURED_BOOT
        help
          Enables Intel Converged Bootguard and Trusted Execution Technology
          Support. This will enable one to add a Key Manifest (KM) and a Boot
          Policy Manifest (BPM) to the filesystem. It will also wrap a FIT around
          the firmware and update appropriate entries.

if INTEL_CBNT_SUPPORT

config INTEL_CBNT_LOGGING
        bool "Enable verbose CBnT logging"
        help
          Print more CBnT related debug output.
          Use in pre-production environments only!

config INTEL_CBNT_GENERATE_KM
        bool "Generate Key Manifest (KM)"
        default y
        select INTEL_CBNT_NEED_KM_PUB_KEY
        select INTEL_CBNT_NEED_KM_PRIV_KEY if !INTEL_CBNT_KM_ONLY_UNSIGNED
        select INTEL_CBNT_NEED_BPM_PUB_KEY if !INTEL_CBNT_CBNT_PROV_KM_USE_CFG_FILE
        help
          Select y to generate the Key Manifest (KM).
          Select n to include a KM binary.

config INTEL_CBNT_KM_ONLY_UNSIGNED
        bool "Only unsigned key manifest (KM)"
        depends on INTEL_CBNT_GENERATE_KM
        help
          Skip signing the KM.
          The resulting unsigned KM will be placed at build/km_unsigned.bin.
          The resulting coreboot image will not be functional with CBnT.
          After the unsigned KM is signed externally you can either rebuild
          coreboot using that binary or add it to cbfs and fit:
          "$ cbfstool build/coreboot.rom add -f km.bin -n key_manifest.bin -t raw -a 16"
          "$ ifittool -r COREBOOT -a -n key_manifest.bin -t 11 -s 12 -f build/coreboot.rom"
          '-s 12' where 12 is CONFIG_CPU_INTEL_NUM_FIT_ENTRIES.

config INTEL_CBNT_CBNT_PROV_KM_USE_CFG_FILE
        bool "KM: use a CBnT json config file"
        depends on INTEL_CBNT_GENERATE_KM
        default y
        help
          Select y to generate KM from a json config file.
          Select n to generate KM from Kconfig options

config INTEL_CBNT_GENERATE_BPM
        bool "Generate Boot Policy Manifest (BPM)"
        default y
        select INTEL_CBNT_NEED_BPM_PRIV_KEY if !INTEL_CBNT_BPM_ONLY_UNSIGNED
        help
          Select y to generate the Boot Policy Manifest (BPM).
          Select n to include a BPM binary.

config INTEL_CBNT_BPM_ONLY_UNSIGNED
        bool "Only unsigned boot policy manifest (BPM)"
        depends on INTEL_CBNT_GENERATE_BPM
        help
          Skip signing the BPM.
          The resulting unsigned BPM will be placed at build/bpm_unsigned.bin.
          The resulting coreboot image will not be functional with CBnT.
          After the unsigned BPM is signed externally you can add it to cbfs
          and fit:
          "$ cbfstool build/coreboot.rom add -f bpm.bin -n boot_policy_manifest.bin -t raw -a 16"
          "$ ifittool -r COREBOOT -a -n boot_policy_manifest.bin -t 12 -s 12 -f build/coreboot.rom"
          '-s 12' where 12 is CONFIG_CPU_INTEL_NUM_FIT_ENTRIES.

config INTEL_CBNT_CBNT_PROV_BPM_USE_CFG_FILE
        bool "BPM: use a CBnT json config file"
        depends on INTEL_CBNT_GENERATE_BPM
        default y
        help
          Select y to generate BPM from a json config file.
          Select n to generate BPM from Kconfig options

config INTEL_CBNT_CBNT_PROV_CFG_FILE
        string "CBnT json config file"
        depends on INTEL_CBNT_CBNT_PROV_KM_USE_CFG_FILE || INTEL_CBNT_CBNT_PROV_BPM_USE_CFG_FILE
        help
          Location of the bg-prov json config file.
          Either get a sample JSON config file:
          $ bg-prov template
          Or extract it from a working configuration:
          $ bg-prov read-config

config INTEL_CBNT_PROV_EXTERNAL_BIN
        bool "Use an external cbnt-prov binary"
        default n
        depends on INTEL_CBNT_GENERATE_BPM || INTEL_CBNT_GENERATE_KM
        help
          Building cbnt-prov requires godeps which makes it impossible to build
          it in an offline environment. A solution is to use an external binary.

config INTEL_CBNT_PROV_EXTERNAL_BIN_PATH
        string "cbnt-prov path"
        depends on INTEL_CBNT_PROV_EXTERNAL_BIN
        help
          Path to the cbnt-prov binary.

config INTEL_CBNT_NEED_KM_PUB_KEY
        bool

config INTEL_CBNT_NEED_KM_PRIV_KEY
        bool

config INTEL_CBNT_KM_PUB_KEY_FILE
        string "Key manifest (KM) public key"
        depends on INTEL_CBNT_NEED_KM_PUB_KEY && !INTEL_CBNT_NEED_KM_PRIV_KEY
        help
          Location of the key manifest (KM) public key file in .pem format.

config INTEL_CBNT_KM_PRIV_KEY_FILE
        string "Key manifest (KM) private key"
        depends on INTEL_CBNT_NEED_KM_PRIV_KEY
        help
          Location of the key manifest (KM) private key file in .pem format.

config INTEL_CBNT_NEED_BPM_PUB_KEY
        bool

config INTEL_CBNT_NEED_BPM_PRIV_KEY
        bool

config INTEL_CBNT_BPM_PUB_KEY_FILE
        string "Boot policy manifest (BPM) public key"
        depends on INTEL_CBNT_NEED_BPM_PUB_KEY && !INTEL_CBNT_NEED_BPM_PRIV_KEY
        help
          Location of the boot policy manifest (BPM) public key file in .pem format.

config INTEL_CBNT_BPM_PRIV_KEY_FILE
        string "Boot policy manifest (BPM) private key"
        depends on INTEL_CBNT_NEED_BPM_PRIV_KEY
        help
          Location of the boot policy manifest (BPM) private key file in .pem format.

if !INTEL_CBNT_CBNT_PROV_KM_USE_CFG_FILE && INTEL_CBNT_GENERATE_KM

menu "KM options"

config INTEL_CBNT_KM_REVISION
        int "KM revision"
        default 1
        help
          Version of the Key Manifest defined by the Platform Manufacturer.
          The actual value is transparent to Boot Guard and is not processed by Boot Guard.

config INTEL_CBNT_KM_SVN
        int "KM security Version Number"
        range 0 15
        default 0
        help
          This value is determined by the Platform Manufacturer.
          Boot Guard uses this to compare it to the Key Manifest
          Revocation Value (Revocation.KMSVN) in FPF.

          If KMSVN < Revocation.KMSVN, the KM will be revoked. It will trigger ENF (the
          enforcement policy).
          IF KMSVN > Revocation.KMSVN, the Revocation.KMSVN will be set to the KMSVN.

          Note: Once the value reaches 0Fh, revocation saturates and one can no longer
          revoke newer KMs.

config INTEL_CBNT_KM_ID
        int "KM ID"
        default 1
        help
          This identifies the Key Manifest to be used for a platform.
          This must match the Key Manifest Identifier programmed in
          the field programmable fuses.

endmenu

endif # !INTEL_CBNT_CBNT_PROV_KM_USE_CFG_FILE

if !INTEL_CBNT_CBNT_PROV_BPM_USE_CFG_FILE && INTEL_CBNT_GENERATE_BPM
menu "BPM options"

config INTEL_CBNT_BPM_REVISION
        int "BPM revision"
        default 1
        help
          Version of the Key Manifest defined by the Platform Manufacturer.
          The actual value is transparent to Boot Guard and is not processed by Boot Guard.

config INTEL_CBNT_BPM_SVN
        int "BPM Security Version Number"
        default 0
        help
          This value is determined by the Platform Manufacturer.

config INTEL_CBNT_ACM_SVN
        int "S-ACM Security Version Number"
        default 2
        help
          This defines the minimum version the S-ACM must have.

config INTEL_CBNT_NUM_NEM_PAGES
        int
        default 32
        help
          Set the amount of 4K pages of CAR required.

config INTEL_CBNT_PBET
        int "PBET value in s"
        default 15
        help
          Protect BIOS Environment Timer (PBET) value.
          Factor used by CSE to compute PBE timer value.
          Actual PBE timer value is set by CSE using formula:
          PBE timer value = 5 sec + PBETValue.

config INTEL_CBNT_IBB_FLAGS
        int "IBB flags"
        default 7
        help
          IBB Control flags.
          3: Don't extend PCR 0
          7: extend PCR 7

config INTEL_CBNT_SINIT_SVN
        int "SINIT ACM security version number"
        default 0
        help
          Minimum required version for the SINIT ACM.

config INTEL_CBNT_PD_INTERVAL
        int
        default 60
        help
          Duration of Power Down in 5 sec increments.

endmenu

endif # !INTEL_CBNT_CBNT_PROV_BPM_USE_CFG_FILE

config INTEL_CBNT_KEY_MANIFEST_BINARY
        string "KM (Key Manifest) binary location"
        depends on !INTEL_CBNT_GENERATE_KM
        help
          Location of the Key Manifest (KM)

config INTEL_CBNT_BOOT_POLICY_MANIFEST_BINARY
        string "BPM (Boot Policy Manifest) binary location"
        depends on !INTEL_CBNT_GENERATE_BPM
        help
          Location of the Boot Policy Manifest (BPM)

config INTEL_CBNT_CMOS_OFFSET
        hex
        default 0x7e
        help
          Address in RTC CMOS used by CBNT. Uses 2 bytes. If using an option table
          adapt the cmos.layout accordingly. The bytes should not be checksummed.

endif # INTEL_CBNT_SUPPORT