| # SPDX-License-Identifier: GPL-2.0-only |
| |
| source "src/security/tpm/tss/vendor/cr50/Kconfig" |
| |
| menu "Trusted Platform Module" |
| |
| choice |
| prompt "Trusted Platform Module" |
| default TPM2 if MAINBOARD_HAS_TPM2 |
| default TPM1 if MAINBOARD_HAS_TPM1 |
| default NO_TPM |
| |
| config NO_TPM |
| bool "No TPM" |
| help |
| No TPM support. Select this option if your system doesn't have a TPM, |
| or if you don't want coreboot to communicate with your TPM in any way. |
| (If your board doesn't offer a TPM interface, this will be the only |
| possible option.) |
| |
| config TPM1 |
| bool "TPM 1.2" |
| depends on I2C_TPM || MEMORY_MAPPED_TPM || SPI_TPM || CRB_TPM |
| depends on !MAINBOARD_HAS_TPM2 |
| help |
| Select this option if your TPM uses the older TPM 1.2 protocol. |
| |
| config TPM2 |
| bool "TPM 2.0" |
| depends on I2C_TPM || MEMORY_MAPPED_TPM || SPI_TPM || CRB_TPM |
| depends on !MAINBOARD_HAS_TPM1 |
| help |
| Select this option if your TPM uses the newer TPM 2.0 protocol. |
| |
| endchoice |
| |
| config TPM |
| bool |
| default y |
| depends on TPM1 || TPM2 |
| |
| config MAINBOARD_HAS_TPM1 |
| bool |
| help |
| This option can be selected by a mainboard to represent that its TPM |
| always uses the 1.2 protocol, and that it should be on by default. |
| |
| config MAINBOARD_HAS_TPM2 |
| bool |
| help |
| This option can be selected by a mainboard to represent that its TPM |
| always uses the 2.0 protocol, and that it should be on by default. |
| |
| config TPM_DEACTIVATE |
| bool "Deactivate TPM" |
| default n |
| depends on !VBOOT |
| depends on TPM1 |
| help |
| Deactivate TPM by issuing deactivate command. |
| |
| config DEBUG_TPM |
| bool "Output verbose TPM debug messages" |
| default n |
| select DRIVER_TPM_DISPLAY_TIS_BYTES if I2C_TPM |
| depends on TPM |
| help |
| This option enables additional TPM related debug messages. |
| |
| config TPM_RDRESP_NEED_DELAY |
| bool "Enable Delay Workaround for TPM" |
| default n |
| depends on MEMORY_MAPPED_TPM |
| help |
| Certain TPMs seem to need some delay when reading response |
| to work around a race-condition-related issue, possibly |
| caused by ill-programmed TPM firmware. |
| |
| config TPM_STARTUP_IGNORE_POSTINIT |
| bool |
| help |
| Select this to ignore POSTINIT INVALID return codes on TPM |
| startup. This is useful on platforms where a previous stage |
| issued a TPM startup. Examples of use cases are Intel TXT |
| or VBOOT on the Intel Arrandale processor, which issues a |
| CPU-only reset during the romstage. |
| |
| config TPM_MEASURED_BOOT |
| bool "Enable Measured Boot" |
| default n |
| select VBOOT_LIB |
| depends on TPM |
| depends on !VBOOT_RETURN_FROM_VERSTAGE |
| help |
| Enables measured boot (experimental) |
| |
| choice |
| prompt "TPM event log format" |
| depends on TPM_MEASURED_BOOT |
| default TPM_LOG_TPM1 if TPM1 |
| default TPM_LOG_TPM2 if TPM2 |
| |
| config TPM_LOG_CB |
| bool "coreboot's custom format" |
| help |
| Custom coreboot-specific format of the log derived from TPM1 log format. |
| config TPM_LOG_TPM1 |
| bool "TPM 1.2 format" |
| depends on TPM1 |
| help |
| Log per TPM 1.2 specification. |
| See "TCG PC Client Specific Implementation Specification for Conventional BIOS". |
| config TPM_LOG_TPM2 |
| bool "TPM 2.0 format" |
| depends on TPM2 |
| help |
| Log per TPM 2.0 specification. |
| See "TCG PC Client Platform Firmware Profile Specification". |
| |
| endchoice |
| |
| choice |
| prompt "TPM2 hashing algorithm" |
| depends on TPM_MEASURED_BOOT && TPM_LOG_TPM2 |
| default TPM_HASH_SHA1 if TPM1 |
| default TPM_HASH_SHA256 if TPM2 |
| |
| config TPM_HASH_SHA1 |
| bool "SHA1" |
| config TPM_HASH_SHA256 |
| bool "SHA256" |
| config TPM_HASH_SHA384 |
| bool "SHA384" |
| config TPM_HASH_SHA512 |
| bool "SHA512" |
| |
| endchoice |
| |
| config TPM_MEASURED_BOOT_INIT_BOOTBLOCK |
| bool |
| depends on TPM_MEASURED_BOOT && !VBOOT |
| help |
| Initialize TPM inside the bootblock instead of ramstage. This is |
| useful with some form of hardware assisted root of trust |
| measurement like Intel TXT/CBnT. |
| |
| config TPM_MEASURED_BOOT_RUNTIME_DATA |
| string "Runtime data whitelist" |
| default "" |
| depends on TPM_MEASURED_BOOT |
| help |
| Runtime data whitelist of cbfs filenames. Needs to be a |
| space delimited list |
| |
| config PCR_BOOT_MODE |
| int |
| default 0 if CHROMEOS |
| default 1 |
| |
| config PCR_HWID |
| int |
| default 1 |
| |
| config PCR_SRTM |
| int |
| default 2 |
| |
| config PCR_FW_VER |
| int |
| default 10 |
| |
| # PCR for measuring data which changes during runtime |
| # e.g. CMOS, NVRAM... |
| config PCR_RUNTIME_DATA |
| int |
| default 3 |
| |
| endmenu # Trusted Platform Module (tpm) |
| |
| config TPM_SETUP_HIBERNATE_ON_ERR |
| bool |
| depends on EC_GOOGLE_CHROMEEC |
| default y |
| help |
| Select this to force a device to hibernate on the next AP shutdown when a TPM |
| setup error occurs. This will cause a cold boot of the system and offer an |
| opportunity to recover the TPM should it be hung. This is only effective if |
| the Z-State brings the power rail down. |