search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
soc/mediatek/mt8196: Add PMIC MT6373 driver
[coreboot2.git] / src / security / intel / cbnt / Makefile.mk
blobe912bf0726d36312d7bdfc0ccd6d4babeadbdb20
1 ## SPDX-License-Identifier: GPL-2.0-only
2
3 ifeq ($(CONFIG_INTEL_CBNT_SUPPORT),y)
4
5 all-y += logging.c
6 ramstage-y += cmos.c
7
8 # As specified in Intel Trusted Execution Technology and Boot Guard Server BIOS
9 # Specification, document number # 558294
10 PK_HASH_ALG_SHA1:=4
11 PK_HASH_ALG_SHA256:=11
12 PK_HASH_ALG_SHA384:=12
13
14 # The private key also contains the public key, so use that if a private key is provided.
15 ifeq ($(CONFIG_INTEL_CBNT_NEED_KM_PRIV_KEY),y)
16 $(obj)/km_pub.pem: $(call strip_quotes, $(CONFIG_INTEL_CBNT_KM_PRIV_KEY_FILE))
17 openssl pkey -in $< -pubout > $@
18 else ifeq ($(CONFIG_INTEL_CBNT_NEED_KM_PUB_KEY),y)
19 $(obj)/km_pub.pem: $(call strip_quotes, $(CONFIG_INTEL_CBNT_KM_PUB_KEY_FILE))
20 cp $< $@
21 endif
22
23 # The private key also contains the public key, so use that if a private key is provided.
24 ifeq ($(CONFIG_INTEL_CBNT_NEED_BPM_PRIV_KEY),y)
25 $(obj)/bpm_pub.pem: $(call strip_quotes, $(CONFIG_INTEL_CBNT_BPM_PRIV_KEY_FILE))
26 openssl pkey -in $< -pubout > $@
27 else ifeq ($(CONFIG_INTEL_CBNT_NEED_BPM_PUB_KEY),y)
28 $(obj)/bpm_pub.pem: $(call strip_quotes, $(CONFIG_INTEL_CBNT_BPM_PUB_KEY_FILE))
29 cp $< $@
30 endif
31
32 CBNT_PROV:=$(obj)/cbnt-prov
33 CBNT_CFG:=$(obj)/cbnt.json
34
35 ifneq ($(CONFIG_INTEL_CBNT_PROV_EXTERNAL_BIN),y)
36 $(CBNT_PROV):
37 printf " CBNT_PROV building tool\n"
38 cd 3rdparty/intel-sec-tools; \
39 GO111MODULE=on go build -o $(abspath $@) cmd/cbnt-prov/main.go cmd/cbnt-prov/cmd.go
40 else
41 $(CBNT_PROV): $(call strip_quotes, $(CONFIG_INTEL_CBNT_PROV_EXTERNAL_BIN_PATH))
42 cp $< $@
43 endif
44
45 $(CBNT_CFG): $(call strip_quotes, $(CONFIG_INTEL_CBNT_CBNT_PROV_CFG_FILE))
46 cp $(CONFIG_INTEL_CBNT_CBNT_PROV_CFG_FILE) $@
47
48 ifeq ($(CONFIG_INTEL_CBNT_GENERATE_BPM),y)
49 ifeq ($(CONFIG_INTEL_CBNT_CBNT_PROV_BPM_USE_CFG_FILE),y)
50 $(obj)/bpm_unsigned.bin: $(obj)/coreboot.pre $(CBNT_PROV) $(CBNT_CFG)
51 printf " CBNT_PROV creating unsigned BPM using config file\n"
52 $(CBNT_PROV) bpm-gen $@ $< --config=$(CBNT_CFG) --cut
53 else
54 $(obj)/bpm_unsigned.bin: $(obj)/coreboot.pre $(CBNT_PROV) set_fit_ptr
55 printf " CBNT_PROV creating unsigned BPM\n"
56 $(CBNT_PROV) bpm-gen $@ $< --revision=$(CONFIG_INTEL_CBNT_BPM_REVISION) \
57 --svn=$(CONFIG_INTEL_CBNT_BPM_SVN) \
58 --acmsvn=$(CONFIG_INTEL_CBNT_ACM_SVN) \
59 --nems=$(CONFIG_INTEL_CBNT_NUM_NEM_PAGES) \
60 --pbet=$(CONFIG_INTEL_CBNT_PBET) \
61 --ibbflags=$(CONFIG_INTEL_CBNT_IBB_FLAGS) \
62 --entrypoint=$(shell printf "%d" 0xfffffff0) \
63 --ibbhash=$(PK_HASH_ALG_SHA256),$(PK_HASH_ALG_SHA1),$(PK_HASH_ALG_SHA384) \
64 --sinitmin=$(CONFIG_INTEL_CBNT_SINIT_SVN) \
65 --txtflags=0 \
66 --powerdowninterval=$(CONFIG_INTEL_CBNT_PD_INTERVAL) \
67 --acpibaseoffset=$(shell printf "%d" $(CONFIG_INTEL_ACPI_BASE_ADDRESS)) \
68 --powermbaseoffset=$(shell printf "%d" $(CONFIG_INTEL_PCH_PWRM_BASE_ADDRESS)) \
69 --cmosoff0=$(shell printf "%d" $(CONFIG_INTEL_CBNT_CMOS_OFFSET)) \
70 --cmosoff1=$(call int-add, $(CONFIG_INTEL_CBNT_CMOS_OFFSET) 1) \
71 --cut \
72 --out=$(obj)/bpm_cfg.json
73 endif
74
75 ifeq ($(CONFIG_INTEL_CBNT_BPM_ONLY_UNSIGNED),y)
76 build_complete:: $(obj)/bpm_unsigned.bin
77
78 show_notices::
79 @printf "\n** WARNING **\n"
80 @printf "Build generated an unsigned BPM image: build/bpm_unsigned.bin.\n"
81 @printf "The resulting image will not work with CBnT.\n"
82 @printf "After you have externally signed the image you can add it to the coreboot image:\n"
83 @printf "$$ cbfstool build/coreboot.rom add -f bpm.bin -n boot_policy_manifest.bin -t raw -a 16\n"
84 @printf "$$ ifittool -r COREBOOT -a -n boot_policy_manifest.bin -t 12 -s 12 -f build/coreboot.rom\n"
85 else
86 $(obj)/bpm.bin: $(obj)/bpm_unsigned.bin $(CBNT_PROV) $(call strip_quotes, $(CONFIG_INTEL_CBNT_BPM_PRIV_KEY_FILE))
87 printf " CBNT_PROV signing real BPM\n"
88 $(CBNT_PROV) bpm-sign $< $@ $(CONFIG_INTEL_CBNT_BPM_PRIV_KEY_FILE) ""
89
90 # Add BPM at the end of the build when all files have been added
91 $(call add_intermediate, add_bpm, $(obj)/bpm.bin)
92 printf " CBNT Adding BPM\n"
93 -$(CBFSTOOL) $< remove -n boot_policy_manifest.bin 2>/dev/null
94 $(CBFSTOOL) $< add -f $(obj)/bpm.bin -n boot_policy_manifest.bin -a 0x10 -t raw
95
96 $(call add_intermediate, fit_bpm, set_fit_ptr add_bpm $(IFITTOOL))
97 printf " IFITTOOL Adding BPM\n"
98 $(IFITTOOL) -r COREBOOT -a -n boot_policy_manifest.bin -t 12 -s $(CONFIG_CPU_INTEL_NUM_FIT_ENTRIES) -f $<
99
100 endif # CONFIG_INTEL_CBNT_BPM_ONLY_UNSIGNED
101
102 else # CONFIG_INTEL_CBNT_GENERATE_BPM
103
104 ifneq ($(CONFIG_INTEL_CBNT_BOOT_POLICY_MANIFEST_BINARY),"")
105 cbfs-files-y += boot_policy_manifest.bin
106 boot_policy_manifest.bin-file := $(CONFIG_INTEL_CBNT_BOOT_POLICY_MANIFEST_BINARY)
107 boot_policy_manifest.bin-type := raw
108 boot_policy_manifest.bin-align := 0x10
109
110 $(call add_intermediate, add_bpm_fit, $(IFITTOOL) set_fit_ptr)
111 $(IFITTOOL) -r COREBOOT -a -n boot_policy_manifest.bin -t 12 -s $(CONFIG_CPU_INTEL_NUM_FIT_ENTRIES) -f $<
112 endif
113 endif # CONFIG_INTEL_CBNT_GENERATE_BPM
114
115 ifeq ($(CONFIG_INTEL_CBNT_GENERATE_KM),y)
116 ifeq ($(CONFIG_INTEL_CBNT_CBNT_PROV_KM_USE_CFG_FILE),y)
117 $(obj)/km_unsigned.bin: $(obj)/km_pub.pem $(CBNT_PROV) $(CBNT_CFG)
118 printf " CBNT_PROV creating unsigned KM using config file\n"
119 $(CBNT_PROV) km-gen $@ $< --config=$(CBNT_CFG)
120 else
121 $(obj)/km_unsigned.bin: $(obj)/km_pub.pem $(obj)/bpm_pub.pem $(CBNT_PROV)
122 printf " CBNT_PROV creating unsigned KM\n"
123 $(CBNT_PROV) km-gen $@ $< --revision=$(CONFIG_INTEL_CBNT_KM_REVISION) \
124 --svn=$(CONFIG_INTEL_CBNT_KM_SVN) \
125 --id=$(CONFIG_INTEL_CBNT_KM_ID) \
126 --pkhashalg=$(PK_HASH_ALG_SHA256) \
127 --bpmpubkey=$(obj)/bpm_pub.pem \
128 --bpmhashalgo=$(PK_HASH_ALG_SHA256) \
129 --out=$(obj)/km_cfg.json
130 endif
131
132 $(obj)/km.bin: $(obj)/km_unsigned.bin $(CBNT_PROV) $(call strip_quotes, $(CONFIG_INTEL_CBNT_KM_PRIV_KEY_FILE))
133 printf " CBNT_PROV signing KM\n"
134 $(CBNT_PROV) km-sign $< $@ $(CONFIG_INTEL_CBNT_KM_PRIV_KEY_FILE) ""
135
136 KM_FILE=$(obj)/km.bin
137 else
138 KM_FILE=$(CONFIG_INTEL_CBNT_KEY_MANIFEST_BINARY)
139 endif
140
141 ifneq ($(KM_FILE),"")
142 ifeq ($(CONFIG_INTEL_CBNT_KM_ONLY_UNSIGNED),y)
143 $(call add_intermediate, gen_unsigned_km, $(obj)/km_unsigned.bin)
144 @printf "Generating unsgined KM\n"
145
146 show_notices::
147 @printf "\n** WARNING **\n"
148 @printf "Build generated an unsigned KM image: build/km_unsiged.bin.\n"
149 @printf "The resulting image will not work with CBnT.\n"
150 @printf "After you have externally signed the image you can add it to the coreboot image:\n"
151 @printf "$$ cbfstool build/coreboot.rom add -f km.bin -n key_manifest.bin -t raw -a 16\n"
152 @printf "$$ ifittool -r COREBOOT -a -n key_manifest.bin -t 11 -s 12 -f build/coreboot.rom\n"
153
154 else
155 cbfs-files-y += key_manifest.bin
156 key_manifest.bin-file := $(KM_FILE)
157 key_manifest.bin-type := raw
158 key_manifest.bin-align := 0x10
159
160 $(call add_intermediate, add_km_fit, $(IFITTOOL) set_fit_ptr)
161 $(IFITTOOL) -r COREBOOT -a -n key_manifest.bin -t 11 -s $(CONFIG_CPU_INTEL_NUM_FIT_ENTRIES) -f $<
162 endif
163
164 endif # CONFIG_INTEL_CBNT_KM_ONLY_UNSIGNED
165 endif # CONFIG_INTEL_CBNT_SUPPORT
coreboot repo mirror