Hi Michal, mind pointing me to the tooling you make for *creating* these manifests?
On Tue, 9 Feb 2021 at 11:46, Michal Zygowski <michal.zygow...@3mdeb.com> wrote:
> Hi,
>
> On 09.02.2021 11:02, Arthur Heymans wrote:
> > Hi
> >
> > To make Intel CBnT (Converged Bootguard and TXT) useful in coreboot some
> > tooling is required to generate both a Key Manifest (A signed binary,
> > that is checked against a key fused into the ME, holding keys that OEM
> > can use to sign the BPM) and a Boot Policy Manifest (signed binary, has
> > a digest of IBBs, Initial Boot Blocks).
> > At the moment these are included as binaries by the build system.
> >
> > Obviously this only works if the IBB hasn't changed. If it changed, you'd
> > need to regenerate the BPM. 9elements has written some open source tooling
> > (BSD-3 clause) to generate both KM and BPM. The code for this tool is not yet
> > public as it was written using NDA documentation. Intel is currently reviewing
> > this to allow us to make it public, but this takes time. It will be
> > part of the 3rdparty/intel-sec-tools submodule.
>
> What is the diff between BtG and CBnT manifests format? Is the work that
> we (3mdeb) did, not usable?
>
> Best regards,
>
> --
> Michał Żygowski
> Firmware Engineer
> https://3mdeb.com | @3mdeb_com
> _______________________________________________
> coreboot mailing list -- coreboot@coreboot.org
> To unsubscribe send an email to coreboot-le...@coreboot.org