Hi,

On 09.02.2021 11:02, Arthur Heymans wrote:
> Hi
>
> To make Intel CBnT (Converged Bootguard and TXT) useful in coreboot some
> tooling is required to generate both a Key Manifest (A signed binary,
> that is checked against a key fused into the ME, holding keys that OEM
> can use to sign the BPM) and a Boot Policy Manifest (signed binary, has
> a digest of IBBs, Initial Boot Blocks).
> At the moment these are included as binaries by the build system.
>
> Obviously this only works if the IBB hasn't changed. If it changed, you'd
> need to regenerate the BPM. 9elements has written some open source tooling
> (BSD-3 clause) to generate both KM and BPM. The code for this tool is not yet
> public as it was written using NDA documentation. Intel is currently reviewing
> this to allow us to make it public, but this takes time. It will be
> part of the 3rdparty/intel-sec-tools submodule.

What is the diff between BtG and CBnT manifests format? Is the work that we (3mdeb) did, not usable?

Best regards,
--
Michał Żygowski
Firmware Engineer
https://3mdeb.com | @3mdeb_com