path: root/src/security/tpm/Kconfig
# SPDX-License-Identifier: GPL-2.0-only

source "src/security/tpm/tss/vendor/cr50/Kconfig"

menu "Trusted Platform Module"

# Hidden symbol (no prompt): TPM 1.x support. Defaults to y when the mainboard
# sets MAINBOARD_HAS_TPM1 or the user picks USER_TPM1, and can only be enabled
# when one of the LPC, generic I2C or Atmel I2C TPM symbols below is set.
config TPM1
	bool
	default y if MAINBOARD_HAS_TPM1 || USER_TPM1
	depends on MAINBOARD_HAS_LPC_TPM || \
		   MAINBOARD_HAS_I2C_TPM_GENERIC || \
		   MAINBOARD_HAS_I2C_TPM_ATMEL

# Hidden symbol (no prompt): TPM 2.0 support. Defaults to y when the mainboard
# sets MAINBOARD_HAS_TPM2 or the user picks USER_TPM2. Compared with TPM1 the
# dependency list additionally accepts the cr50 I2C, SPI and CRB TPM symbols.
config TPM2
	bool
	default y if MAINBOARD_HAS_TPM2 || USER_TPM2
	depends on MAINBOARD_HAS_I2C_TPM_GENERIC || \
		   MAINBOARD_HAS_LPC_TPM || \
		   MAINBOARD_HAS_I2C_TPM_ATMEL || \
		   MAINBOARD_HAS_I2C_TPM_CR50 || \
		   MAINBOARD_HAS_SPI_TPM || \
		   MAINBOARD_HAS_CRB_TPM

config MAINBOARD_HAS_TPM1
	bool

config MAINBOARD_HAS_TPM2
	bool

if !MAINBOARD_HAS_TPM1 && !MAINBOARD_HAS_TPM2

choice
	prompt "Trusted Platform Module"
	default USER_NO_TPM

config USER_NO_TPM
	bool "disabled"

config USER_TPM1
	bool "1.2"
	depends on MAINBOARD_HAS_LPC_TPM || \
		   MAINBOARD_HAS_I2C_TPM_GENERIC || \
		   MAINBOARD_HAS_I2C_TPM_ATMEL
	help
		Select this option to enable TPM 1.0 - 1.2 support in coreboot.

		If unsure, say N.

config USER_TPM2
	bool "2.0"
	depends on MAINBOARD_HAS_I2C_TPM_GENERIC || \
		   MAINBOARD_HAS_LPC_TPM || \
		   MAINBOARD_HAS_I2C_TPM_ATMEL || \
		   MAINBOARD_HAS_I2C_TPM_CR50 || \
		   MAINBOARD_HAS_SPI_TPM || \
		   MAINBOARD_HAS_CRB_TPM
	help
		Select this option to enable TPM 2.0 support in coreboot.

		If unsure, say N.

endchoice

endif

config TPM_DEACTIVATE
	bool "Deactivate TPM"
	default n
	depends on !VBOOT
	depends on TPM1
	help
	  Deactivate the TPM by issuing the deactivate command. Only
	  available with TPM 1.x support (TPM1) and when VBOOT is not
	  enabled.

# User-visible debug switch, off by default; needs TPM1 or TPM2.
# NOTE(review): when I2C_TPM is set this also selects
# DRIVER_TPM_DISPLAY_TIS_BYTES, which by its name presumably dumps the raw
# TIS bytes exchanged with the TPM to the console. Confirm against the driver,
# and keep this option off in production images, since logged TPM traffic may
# contain data that should not reach a console log.
config DEBUG_TPM
	bool "Output verbose TPM debug messages"
	default n
	select DRIVER_TPM_DISPLAY_TIS_BYTES if I2C_TPM
	depends on TPM1 || TPM2
	help
	  This option enables additional TPM related debug messages.

config TPM_RDRESP_NEED_DELAY
	bool "Enable Delay Workaround for TPM"
	default n
	depends on MAINBOARD_HAS_LPC_TPM
	help
	  Certain TPMs seem to need a delay when reading the response
	  to work around a race-condition-related issue, possibly
	  caused by ill-programmed TPM firmware.

# Hidden symbol (no prompt), so it can only be turned on by a `select` from
# other Kconfig code, not from the menu.
# NOTE(review): with this set, a TPM startup issued by an earlier stage is
# accepted rather than treated as an error. Presumably only platforms where
# that earlier stage is part of the trusted boot path should select it.
# Confirm against the boards and SoCs that select this symbol.
config TPM_STARTUP_IGNORE_POSTINIT
	bool
	help
	  Select this to ignore POSTINIT INVALID return codes on TPM
	  startup. This is useful on platforms where a previous stage
	  issued a TPM startup. Examples of use cases are Intel TXT
	  or VBOOT on the Intel Arrandale processor, which issues a
	  CPU-only reset during the romstage.

config TPM_MEASURED_BOOT
	bool "Enable Measured Boot"
	default n
	select VBOOT_LIB
	depends on TPM1 || TPM2
	depends on !VBOOT_RETURN_FROM_VERSTAGE
	help
	  Enable measured boot (experimental). Requires TPM 1.x or
	  TPM 2.0 support (TPM1 or TPM2) to be enabled.

# Hidden symbol (no prompt): only selectable from other Kconfig code, and only
# when measured boot is enabled and VBOOT is not.
# NOTE(review): moving TPM initialization into the bootblock presumably lets
# stages before ramstage be measured as they are loaded. Confirm against the
# measured-boot code which stages are covered when this is not selected.
config TPM_MEASURED_BOOT_INIT_BOOTBLOCK
	bool
	depends on TPM_MEASURED_BOOT && !VBOOT
	help
	  Initialize TPM inside the bootblock instead of ramstage. This is
	  useful with some form of hardware assisted root of trust
	  measurement like Intel TXT/CBnT.

config TPM_MEASURED_BOOT_RUNTIME_DATA
	string "Runtime data whitelist"
	default ""
	depends on TPM_MEASURED_BOOT
	help
	  Runtime data whitelist: the CBFS filenames to be handled as
	  runtime data. Must be a space-delimited list.

endmenu # Trusted Platform Module (tpm)