bg-prov

command

v2.7.0 Latest Latest Go to latest Published: Feb 15, 2023 License: BSD-3-Clause Imports: 18 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/9elements/converged-security-suite

Links

Open Source Insights

README ¶

Intel BtG/CBnT Provisioning

This Golang utility supports the artifact generation to support Intel BootGuard and Trustes Execution Technology (CBnT)

Prerequisites for Usage

Supported OS: Any Linux distribution

How to compile

Get Golang >= 1.11 and export:

export GO111MODULE=on

or set it in front of every command. This environment variable actives moduled for GO 1.11

To download all dependencies run:

<GO111MODULE=on> go mod download

Verify all downloaded dependencies run:

<GO111MODULE=on> go mod verify

To build the test suite run:

<GO111MODULE=on> go build -o bg-prov cmd/bg-prov/*.go

Commandline subcommands:

Usage: bg-prov <command>

Intel BtG/CBnT provisioning tooling

Flags:
  -h, --help                           Show context-sensitive help.
      --debug                          Enable debug mode.
      --manifest-strict-order-check    Enable checking of manifest elements order

Commands:
  km-show         Prints Key Manifest binary in human-readable format
  km-gen-v-1      Generate v1 KM file based von json configuration
  km-gen-v-2      Generate v2 KM file based von json configuration
  km-sign         Sign key manifest with given key
  km-verify       Verify the signature of a given KM
  km-stitch       Stitches KM Signatue into unsigned KM
  km-export       Exports KM structures from BIOS image into file
  bpm-show        Prints Boot Policy Manifest binary in human-readable format
  bpm-gen-v-1     Generate v1 BPM file based von json configuration
  bpm-gen-v-2     Generate v2 BPM file based von json configuration
  bpm-sign        Sign Boot Policy Manifest with given key
  bpm-verify      Verify the signature of a given KM
  bpm-stitch      Stitches BPM Signatue into unsigned BPM
  bpm-export      Exports BPM structures from BIOS image into file
  acm-gen-v-0     Generate an ACM v0 module (usable only for unit-tests)
  acm-gen-v-3     Generate an ACM v3 module (usable only for unit-tests)
  acm-export      Exports ACM structures from BIOS image into file
  acm-show        Prints ACM binary in human-readable format
  fit-show        Prints the FIT Table of given BIOS image file
  show-all        Prints BPM, KM, FIT and ACM from BIOS binary in human-readable format
  stitch          Stitches BPM, KM and ACM into given BIOS image file
  key-gen         Generates key for KM and BPM signing
  template-v-1    Writes template v1 JSON configuration into file
  template-v-2    Writes template v2 JSON configuration into file
  read-config     Reads config from existing BIOS file and translates it to a JSON configuration
  version         Prints the version of the program

Run "bg-prov <command> --help" for more information on a command.

bg-prov: error: expected one of "km-show",  "km-gen-v-1",  "km-gen-v-2",  "km-sign",  "km-verify",  ...

Workflows

I. Boot Policy / Key Manifest Generation/Signing/Stitching

Create a template config file

./bg-prov template ./config.json

Create keys for signing of Key Manifest (KM) and Boot Policy Manifest (BPM) Algorithm: RSA, BitSize: 2048, no password for enryption of private key files

./bg-prov key-gen RSA2048 "" --path=./Keys/mykey

Generate Key Manifest (KM)

./bg-prov km-gen-v-2 ./KM/km_unsigned.bin ./Keys/mykey_km_pub.pem \
        --config=./config.json \
        --pkhashalg=12 \
        --bpmpubkey=./Keys/mykey_bpmpub.pem \
        --bpmhashalgo=12

Generation of Boot Policy Manifest (BPM)

./bg-prov bpm-gen-v-2 ./BPM/bpm_unsigned.bin ./firmware.rom --config=./config.json

Sign Key Manifest (KM)

./bg-prov km-sign ./KM/km_unsigned.bin ./KM/km_signed.bin ./Keys/myKey_km_priv.pem ""

Sign Boot Policy Manifest (BPM)

./bg-prov bpm-sign ./BPM/bpm_unsigned.bin ./BPM/bpm_signed.bin ./Keys/myKey_bpm_priv.pem ""

Export ACM for stitching (Firmware image must contain an ACM) Skip this if you already have an ACM for stitching

./bg-prov export-acm ./firmware.rom ./ACM/acm_export.bin

Stitch BPM, KM and ACM into firmware image

./bg-prov stitch ./firmware.rom ./ACM/acm.bin ./KM/km_signed.bin ./BPM/bpm_signed.bin

II. Read config from a CBnT enabled firmware image

./bg-prov read-config ./config.json ./firmware.rom

III Export KM, BPM and ACM from CBnT enabled firmware image

Export of KM

./bg-prov export-km ./firmware.rom ./KM/km_export.bin

Export BPM

./bg-prov export-km ./firmware.rom ./BPM/bpm_export.bin

Export ACM

./bg-prov export-acm ./firmware.rom ./ACM/acm_export.bin

IV. Show details of exported KM, BPM, ACM

Show details of KM

./bg-prov show-km ./KM/km_signed.bin

Show details of BPM

./bg-prov show-bpm ./BPM/bpm_signed.bin

Show details of ACM

./bg-prov show-acm ./ACM/acm_signed.bin

Show all

./bg-prov show-all ./firmware.rom

Documentation ¶

There is no documentation for this package.

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL