I recently start develop BIOS for the new Tiger Lake CPU. I want to enable Intel Boot Guard technology to make platform much more secure, but I encounter one concept that baffle me in Boot Guard: Key Manifest.
I reference Intel® Converged Boot Guard and Intel® Trusted ExecutionTechnology (Intel® TXT) (doc no 575623) document and it mentions a concept called Key Manifest, which stores hashed public key to verify Boot Policy Manifest components. Then I reference Tiger Lake and Rocket Lake Signing and Manifesting Guide for a clue about how signature work and how to make one. I encountered concept Key Manifest again in Tiger Lake and Rocket Lake Signing and Manifesting Guide (interestingly, this Key Manifest is called OEM Key Manifest), which contains hashed public key for firmware component (ISH, OS BootLoader, iUnit, Audio, ME...). Moreover, I compared structure of Key Manifest between two mentioned documents and they are different!
I want to know if there are actually two different Key Manifests for two different purposes:
- One for Intel Boot Guard (Key Manifest -> Boot Policy Manifest -> Initial Boot Block)
- One for verify firmware components (Key Manifest -> Firmware components). This Key Manifest is also called OEM Key Manifest
Beside, I'd like to know if it happens that there are two different Key Manifest, are their signature's public key come from same Field Programmable Fuses (FPF)?