Blame - src/security/tpm/Kconfig - coreboot

blob: ea13fa43c120d315226a3acfe71909bbf2b2c4d3 [file] [log] [blame]

Elyes HAOUAS	f7b2fe6	2020-05-07 12:38:15 +0200	[diff] [blame]	1	# SPDX-License-Identifier: GPL-2.0-only
Philipp Deppenwiese	64e2d19	2017-10-18 17:13:07 +0200	[diff] [blame]	2
Philipp Deppenwiese	c07f8fb	2018-02-27 19:40:52 +0100	[diff] [blame]	3	source "src/security/tpm/tss/vendor/cr50/Kconfig"
				4
Philipp Deppenwiese	64e2d19	2017-10-18 17:13:07 +0200	[diff] [blame]	5	menu "Trusted Platform Module"
				6
Julius Werner	8ad9379	2021-05-18 17:15:50 -0700	[diff] [blame]	7	config NO_TPM
Sergii Dmytruk	3e5cefc	2022-11-01 00:48:43 +0200	[diff] [blame^]	8	bool
				9	default y if !TPM1 && !TPM2
Julius Werner	8ad9379	2021-05-18 17:15:50 -0700	[diff] [blame]	10	help
				11	No TPM support. Select this option if your system doesn't have a TPM,
				12	or if you don't want coreboot to communicate with your TPM in any way.
				13	(If your board doesn't offer a TPM interface, this will be the only
				14	possible option.)
				15
Philipp Deppenwiese	c07f8fb	2018-02-27 19:40:52 +0100	[diff] [blame]	16	config TPM1
Julius Werner	8ad9379	2021-05-18 17:15:50 -0700	[diff] [blame]	17	bool "TPM 1.2"
Jes B. Klinke	c6b041a1	2022-04-19 14:00:33 -0700	[diff] [blame]	18	depends on I2C_TPM \|\| MEMORY_MAPPED_TPM \|\| SPI_TPM \|\| CRB_TPM
Sergii Dmytruk	3e5cefc	2022-11-01 00:48:43 +0200	[diff] [blame^]	19	default y if MAINBOARD_HAS_TPM1
Julius Werner	8ad9379	2021-05-18 17:15:50 -0700	[diff] [blame]	20	help
				21	Select this option if your TPM uses the older TPM 1.2 protocol.
Philipp Deppenwiese	64e2d19	2017-10-18 17:13:07 +0200	[diff] [blame]	22
				23	config TPM2
Julius Werner	8ad9379	2021-05-18 17:15:50 -0700	[diff] [blame]	24	bool "TPM 2.0"
Jes B. Klinke	c6b041a1	2022-04-19 14:00:33 -0700	[diff] [blame]	25	depends on I2C_TPM \|\| MEMORY_MAPPED_TPM \|\| SPI_TPM \|\| CRB_TPM
Sergii Dmytruk	3e5cefc	2022-11-01 00:48:43 +0200	[diff] [blame^]	26	default y if MAINBOARD_HAS_TPM2
Julius Werner	8ad9379	2021-05-18 17:15:50 -0700	[diff] [blame]	27	help
				28	Select this option if your TPM uses the newer TPM 2.0 protocol.
				29
Kyösti Mälkki	d2b2a18	2021-04-29 15:33:07 +0300	[diff] [blame]	30	config TPM
				31	bool
				32	default y
				33	depends on TPM1 \|\| TPM2
				34
Philipp Deppenwiese	c07f8fb	2018-02-27 19:40:52 +0100	[diff] [blame]	35	config MAINBOARD_HAS_TPM1
				36	bool
Julius Werner	8ad9379	2021-05-18 17:15:50 -0700	[diff] [blame]	37	help
				38	This option can be selected by a mainboard to represent that its TPM
				39	always uses the 1.2 protocol, and that it should be on by default.
Philipp Deppenwiese	c07f8fb	2018-02-27 19:40:52 +0100	[diff] [blame]	40
				41	config MAINBOARD_HAS_TPM2
				42	bool
Philipp Deppenwiese	c07f8fb	2018-02-27 19:40:52 +0100	[diff] [blame]	43	help
Julius Werner	8ad9379	2021-05-18 17:15:50 -0700	[diff] [blame]	44	This option can be selected by a mainboard to represent that its TPM
				45	always uses the 2.0 protocol, and that it should be on by default.
Philipp Deppenwiese	c07f8fb	2018-02-27 19:40:52 +0100	[diff] [blame]	46
				47	config TPM_DEACTIVATE
Sergii Dmytruk	3e5cefc	2022-11-01 00:48:43 +0200	[diff] [blame^]	48	bool "Deactivate TPM (for TPM1)"
Philipp Deppenwiese	c07f8fb	2018-02-27 19:40:52 +0100	[diff] [blame]	49	default n
				50	depends on !VBOOT
				51	depends on TPM1
				52	help
				53	Deactivate TPM by issuing deactivate command.
Philipp Deppenwiese	64e2d19	2017-10-18 17:13:07 +0200	[diff] [blame]	54
				55	config DEBUG_TPM
				56	bool "Output verbose TPM debug messages"
				57	default n
Philipp Deppenwiese	c07f8fb	2018-02-27 19:40:52 +0100	[diff] [blame]	58	select DRIVER_TPM_DISPLAY_TIS_BYTES if I2C_TPM
Kyösti Mälkki	f303b4f	2021-05-27 19:33:57 +0300	[diff] [blame]	59	depends on TPM
Philipp Deppenwiese	64e2d19	2017-10-18 17:13:07 +0200	[diff] [blame]	60	help
				61	This option enables additional TPM related debug messages.
				62
Philipp Deppenwiese	c07f8fb	2018-02-27 19:40:52 +0100	[diff] [blame]	63	config TPM_RDRESP_NEED_DELAY
				64	bool "Enable Delay Workaround for TPM"
Philipp Deppenwiese	64e2d19	2017-10-18 17:13:07 +0200	[diff] [blame]	65	default n
Jes B. Klinke	c6b041a1	2022-04-19 14:00:33 -0700	[diff] [blame]	66	depends on MEMORY_MAPPED_TPM
Philipp Deppenwiese	64e2d19	2017-10-18 17:13:07 +0200	[diff] [blame]	67	help
Philipp Deppenwiese	c07f8fb	2018-02-27 19:40:52 +0100	[diff] [blame]	68	Certain TPMs seem to need some delay when reading response
				69	to work around a race-condition-related issue, possibly
				70	caused by ill-programmed TPM firmware.
Philipp Deppenwiese	64e2d19	2017-10-18 17:13:07 +0200	[diff] [blame]	71
Arthur Heymans	6d5fcf4	2019-10-14 17:06:27 +0200	[diff] [blame]	72	config TPM_STARTUP_IGNORE_POSTINIT
				73	bool
				74	help
				75	Select this to ignore POSTINIT INVALID return codes on TPM
				76	startup. This is useful on platforms where a previous stage
				77	issued a TPM startup. Examples of use cases are Intel TXT
Angel Pons	31b7ee4	2020-02-17 14:04:28 +0100	[diff] [blame]	78	or VBOOT on the Intel Arrandale processor, which issues a
Arthur Heymans	6d5fcf4	2019-10-14 17:06:27 +0200	[diff] [blame]	79	CPU-only reset during the romstage.
				80
Bill XIE	c79e96b	2019-08-22 20:28:36 +0800	[diff] [blame]	81	config TPM_MEASURED_BOOT
				82	bool "Enable Measured Boot"
				83	default n
				84	select VBOOT_LIB
Kyösti Mälkki	f303b4f	2021-05-27 19:33:57 +0300	[diff] [blame]	85	depends on TPM
Bill XIE	c79e96b	2019-08-22 20:28:36 +0800	[diff] [blame]	86	depends on !VBOOT_RETURN_FROM_VERSTAGE
				87	help
				88	Enables measured boot (experimental)
				89
Sergii Dmytruk	97fe17f	2022-10-23 00:24:37 +0300	[diff] [blame]	90	choice
				91	prompt "TPM event log format"
				92	depends on TPM_MEASURED_BOOT
Sergii Dmytruk	4191dbf	2022-10-23 00:34:32 +0300	[diff] [blame]	93	default TPM_LOG_TPM1 if TPM1
Sergii Dmytruk	53db677	2022-10-23 00:47:55 +0300	[diff] [blame]	94	default TPM_LOG_TPM2 if TPM2
Sergii Dmytruk	97fe17f	2022-10-23 00:24:37 +0300	[diff] [blame]	95
				96	config TPM_LOG_CB
				97	bool "coreboot's custom format"
				98	help
				99	Custom coreboot-specific format of the log derived from TPM1 log format.
Sergii Dmytruk	4191dbf	2022-10-23 00:34:32 +0300	[diff] [blame]	100	config TPM_LOG_TPM1
				101	bool "TPM 1.2 format"
Sergii Dmytruk	3e5cefc	2022-11-01 00:48:43 +0200	[diff] [blame^]	102	depends on TPM1 && !TPM2
Sergii Dmytruk	4191dbf	2022-10-23 00:34:32 +0300	[diff] [blame]	103	help
				104	Log per TPM 1.2 specification.
				105	See "TCG PC Client Specific Implementation Specification for Conventional BIOS".
Sergii Dmytruk	53db677	2022-10-23 00:47:55 +0300	[diff] [blame]	106	config TPM_LOG_TPM2
				107	bool "TPM 2.0 format"
Sergii Dmytruk	3e5cefc	2022-11-01 00:48:43 +0200	[diff] [blame^]	108	depends on TPM1 \|\| TPM2
Sergii Dmytruk	53db677	2022-10-23 00:47:55 +0300	[diff] [blame]	109	help
				110	Log per TPM 2.0 specification.
				111	See "TCG PC Client Platform Firmware Profile Specification".
				112
				113	endchoice
				114
				115	choice
				116	prompt "TPM2 hashing algorithm"
				117	depends on TPM_MEASURED_BOOT && TPM_LOG_TPM2
				118	default TPM_HASH_SHA1 if TPM1
				119	default TPM_HASH_SHA256 if TPM2
				120
				121	config TPM_HASH_SHA1
				122	bool "SHA1"
				123	config TPM_HASH_SHA256
				124	bool "SHA256"
				125	config TPM_HASH_SHA384
				126	bool "SHA384"
				127	config TPM_HASH_SHA512
				128	bool "SHA512"
Sergii Dmytruk	97fe17f	2022-10-23 00:24:37 +0300	[diff] [blame]	129
				130	endchoice
				131
Arthur Heymans	6f8e944	2021-03-29 14:23:53 +0200	[diff] [blame]	132	config TPM_MEASURED_BOOT_INIT_BOOTBLOCK
				133	bool
				134	depends on TPM_MEASURED_BOOT && !VBOOT
				135	help
				136	Initialize TPM inside the bootblock instead of ramstage. This is
				137	useful with some form of hardware assisted root of trust
				138	measurement like Intel TXT/CBnT.
				139
Bill XIE	c79e96b	2019-08-22 20:28:36 +0800	[diff] [blame]	140	config TPM_MEASURED_BOOT_RUNTIME_DATA
				141	string "Runtime data whitelist"
				142	default ""
				143	depends on TPM_MEASURED_BOOT
				144	help
				145	Runtime data whitelist of cbfs filenames. Needs to be a
harshit	aae1633	2020-05-12 12:55:39 +0530	[diff] [blame]	146	space delimited list
Bill XIE	c79e96b	2019-08-22 20:28:36 +0800	[diff] [blame]	147
Sergii Dmytruk	4129c26	2022-10-24 01:17:41 +0300	[diff] [blame]	148	config PCR_BOOT_MODE
				149	int
				150	default 0 if CHROMEOS
				151	default 1
				152
				153	config PCR_HWID
				154	int
				155	default 1
				156
				157	config PCR_SRTM
				158	int
				159	default 2
				160
Yi Chou	0f910e7	2023-08-11 14:40:37 +0800	[diff] [blame]	161	config PCR_FW_VER
				162	int
				163	default 10
				164
Sergii Dmytruk	4129c26	2022-10-24 01:17:41 +0300	[diff] [blame]	165	# PCR for measuring data which changes during runtime
				166	# e.g. CMOS, NVRAM...
				167	config PCR_RUNTIME_DATA
				168	int
				169	default 3
				170
Philipp Deppenwiese	64e2d19	2017-10-18 17:13:07 +0200	[diff] [blame]	171	endmenu # Trusted Platform Module (tpm)
Jon Murphy	a2f08aa	2023-09-05 11:43:14 -0600	[diff] [blame]	172
				173	config TPM_SETUP_HIBERNATE_ON_ERR
				174	bool
				175	depends on EC_GOOGLE_CHROMEEC
Jon Murphy	3aa7bb0	2023-09-22 15:29:20 -0600	[diff] [blame]	176	default y
Jon Murphy	a2f08aa	2023-09-05 11:43:14 -0600	[diff] [blame]	177	help
				178	Select this to force a device to hibernate on the next AP shutdown when a TPM
				179	setup error occurs. This will cause a cold boot of the system and offer an
				180	opportunity to recover the TPM should it be hung. This is only effective if
				181	the Z-State brings the power rail down.