Upstream tboot and ACM recipes to OE meta-intel

Description

Intel TXT requires tboot (the Intel-maintained open-source pre-launch loader) and ACMs (Authenticated Code Modules: platform-specific binaries, matched to a chipset/CPU generation and signed by Intel; tboot loads the SINIT ACM as its last boot module). OE support for building and packaging these hardware-specific components belongs in the meta-intel layer. Existing OpenXT recipes:

tboot: https://github.com/OpenXT/xenclient-oe/tree/master/recipes-security/tboot
acms: https://github.com/OpenXT/xenclient-oe/blob/master/recipes-security/acms/

Proposed approach:

  • Generalize the ACM and tboot recipes from OpenXT and upstream them into recipes-core of the meta-intel layer

  • Enable the syslinux and grub OE recipes to optionally generate TXT-configuration stanzas (tboot as the multiboot kernel, then Xen, the dom0 kernel, the initrd, and the SINIT ACM, which tboot requires to be the last module) and install the ACM binaries into the appropriate image directory, e.g. /boot or /isolinux. See the Xen meta-virt recipe for an example of how a bootloader stanza is generated.

  • Constrain the ACM recipe by target machine type, based on the machine definitions in the meta-intel layer. Allow optional installation of a single ACM, a subset, or all ACMs.

  • Commit the Intel ACM binaries in a files directory for the recipe in meta-intel (binary redistribution is permitted by the Intel click-through EULA; keep the EULA text alongside the binaries). This removes the need for the ACM mirror currently maintained by OpenXT.

  • Work with the Intel TXT team to obtain a commitment for upstream review and future maintenance of the OE tboot and ACM recipes, e.g. uprevs for tboot releases, CVE backports to Yocto LTS branches, and addition of ACM binaries when new Intel platforms are released.
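The shell fragment below is an added illustration of what the bootloader-stanza and ACM-selection steps above would produce; it is not code from the OpenXT or meta-intel recipes. It emits a GRUB2 menuentry and a syslinux/isolinux mboot.c32 entry for tboot + Xen + dom0 kernel + initrd + SINIT ACM, refusing to emit a stanza in which the ACM is not the last module (a misordered list is otherwise only discovered as a TXT launch failure), and it resolves a "single / subset / all" ACM selection against the ACMs available to the recipe. File paths, command lines, ACM file names and the "*.BIN means ACM" naming rule are assumptions for the example.

```shell
#!/bin/sh
# Added example, not from the OpenXT or meta-intel recipes. Generates the
# bootloader stanzas a TXT-aware grub/syslinux recipe would emit and picks
# which ACMs to install. Paths, command lines and ACM names are placeholders.
#
# Invariant from the tboot documentation: the SINIT ACM must be the LAST
# module. Both generators check this before printing anything.
set -u

# Assumed naming convention for this example: SINIT ACMs ship as *.BIN files.
is_acm() {
    case "$1" in
        *.BIN|*.bin) return 0 ;;
        *) return 1 ;;
    esac
}

# check_module_order MODULE... : exactly one ACM, and it is the last module.
check_module_order() {
    acms=0
    last=""
    for m in "$@"; do
        if is_acm "$m"; then acms=$((acms + 1)); fi
        last="$m"
    done
    if [ "$acms" -ne 1 ]; then
        echo "expected exactly one SINIT ACM module, got $acms" >&2
        return 1
    fi
    if ! is_acm "$last"; then
        echo "SINIT ACM must be the last module (got '$last')" >&2
        return 1
    fi
    return 0
}

# Placeholder command lines; a real recipe would take these from the image config.
XEN_CMDLINE=${XEN_CMDLINE:-dom0_mem=2048M console=com1,vga}
DOM0_CMDLINE=${DOM0_CMDLINE:-root=/dev/sda2 ro console=hvc0}
TBOOT_OPTS=${TBOOT_OPTS:-logging=serial,memory}

# txt_grub_stanza TBOOT XEN KERNEL INITRD ACM
# GRUB2 menuentry in the multiboot/module form the tboot README documents.
txt_grub_stanza() {
    check_module_order "$2" "$3" "$4" "$5" || return 1
    cat <<EOF
menuentry 'Xen (Intel TXT via tboot)' {
    multiboot $1 $TBOOT_OPTS
    module $2 $XEN_CMDLINE
    module $3 $DOM0_CMDLINE
    module $4
    module $5
}
EOF
}

# txt_syslinux_stanza TBOOT XEN KERNEL INITRD ACM
# syslinux/isolinux entry via mboot.c32; modules are separated by '---'.
txt_syslinux_stanza() {
    check_module_order "$2" "$3" "$4" "$5" || return 1
    cat <<EOF
LABEL xen-txt
  MENU LABEL Xen (Intel TXT via tboot)
  KERNEL mboot.c32
  APPEND $1 $TBOOT_OPTS --- $2 $XEN_CMDLINE --- $3 $DOM0_CMDLINE --- $4 --- $5
EOF
}

# select_acms SELECTION AVAILABLE... : prints the ACM files to install.
# SELECTION is "all" or a space-separated subset of AVAILABLE. A name not in
# AVAILABLE is an error, so a typo cannot silently install nothing.
select_acms() {
    sel=$1; shift
    if [ "$sel" = "all" ]; then
        printf '%s\n' "$@"
        return 0
    fi
    for want in $sel; do
        found=0
        for have in "$@"; do
            if [ "$want" = "$have" ]; then found=1; fi
        done
        if [ "$found" -ne 1 ]; then
            echo "unknown ACM '$want' (available: $*)" >&2
            return 1
        fi
        printf '%s\n' "$want"
    done
}

# Usage: sh txt-stanzas.sh demo
if [ "${1:-}" = "demo" ]; then
    txt_grub_stanza /boot/tboot.gz /boot/xen.gz /boot/vmlinuz /boot/initrd.img /boot/GEN6_SINIT.BIN
    txt_syslinux_stanza tboot.gz xen.gz vmlinuz initrd.img GEN6_SINIT.BIN
    select_acms all GEN6_SINIT.BIN GEN8_SINIT.BIN
fi
```

In a recipe, a machine definition in meta-intel would supply the AVAILABLE list to select_acms and the image configuration would supply the command lines; the ordering check is the part worth keeping regardless of how the stanza is templated.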

Validation Steps

None

Assignee

Unassigned

Reporter

Rich Persaud

Labels

None

QA Assignee

None

QA Image URL

None

Components

Fix versions

Priority

Major