Eugene Myers | ae438be | 2020-01-21 17:01:47 -0500 | 1 | config STM |
| 2 | bool "Enable STM" |
| 3 | default n |
Eugene Myers | 9d4f94a | 2020-02-12 12:47:57 -0500 | 4 | depends on ENABLE_VMX |
| 5 | depends on SMM_TSEG |
Eugene Myers | ae438be | 2020-01-21 17:01:47 -0500 | 6 | |
| 7 | help |
| 8 | Enabling the STM will load a simple hypervisor into SMM that will |
| 9 | restrict the actions of the SMI handler, which is the part of BIOS |
| 10 | that functions in system management mode (SMM). The kernel can |
| 11 | configure the STM to prevent the SMI handler from accessing platform |
| 12 | resources. |
| 13 | The STM closes a vulnerability in Intel TXT (D-RTM). |
| 14 | During STM startup, the SMI handler provides the STM with a list |
| 15 | of the platform resources that it requires access to, which the |
| 16 | kernel cannot override. |
| 17 | An additional capability, called STM-PE, provides a protected |
| 18 | execution capability that allows modules to be executed without |
| 19 | observation and interference. Examples of usage include kernel |
| 20 | introspection and virtualized trusted platform module (vTPM). |
| 21 | Requirement: SMM must be enabled and there must be sufficient room |
| 22 | within the TSEG to fit the MSEG. |
| 23 | |
| 24 | if STM |
| 25 | |
| 26 | menu "SMI Transfer Monitor (STM)" |
| 27 | |
| 28 | config MSEG_SIZE |
| 29 | hex "mseg size" |
Eugene Myers | 7979bf5 | 2020-10-01 14:59:27 -0400 | 30 | default 0x100000 |
Eugene Myers | ae438be | 2020-01-21 17:01:47 -0500 | 31 | help |
Eugene Myers | 7979bf5 | 2020-10-01 14:59:27 -0400 | 32 | The MSEG_SIZE of 0x100000 assumes that: |
| 33 | IED_REGION_SIZE = 0x400000 |
| 34 | SMM_RESERVED_SIZE = 0x200000 |
| 35 | SMM_TSEG_SIZE = 0x800000 |
| 36 | |
| 37 | To use STM/PE, a larger MSEG_SIZE is necessary. This can be |
| 38 | done by either increasing SMM_TSEG_SIZE or reducing the |
| 39 | IED_REGION_SIZE and/or SMM_RESERVED_SIZE or some combination |
| 40 | of the three. |
| 41 | NOTE: The author's experience is that these configuration |
| 42 | parameters have to be changed at the soc Kconfig for them to |
| 43 | be applied. |
| 44 | Minimum sizes: |
| 45 | STM only - 0x100000 - Supports up to 38 processor threads |
| 46 | - 0x200000 - Supports up to 102 processor threads |
| 47 | STM/PE - 0x300000+ depending on the amount of memory needed |
| 48 | for the protected execution virtual |
| 49 | machine (VM/PE) |
| 50 | |
| 51 | config STM_STMPE_ENABLED |
| 52 | bool "STM/PE Enabled" |
| 53 | default n |
| 54 | help |
| 55 | STM/PE provides for additional virtual machines in SMRAM |
| 56 | that provide a protected execution environment for |
| 57 | applications such as introspection, which need to be |
| 58 | protected from malicious code. More information can be |
| 59 | found on the stmpe branch of |
| 60 | https://review.coreboot.org/STM |
| 61 | |
Eugene Myers | ae438be | 2020-01-21 17:01:47 -0500 | 62 | |
| 63 | config BIOS_RESOURCE_LIST_SIZE |
Eugene Myers | 7979bf5 | 2020-10-01 14:59:27 -0400 | 64 | hex "bios resource list size" |
Eugene Myers | ae438be | 2020-01-21 17:01:47 -0500 | 65 | default 0x1000 |
Eugene Myers | 7979bf5 | 2020-10-01 14:59:27 -0400 | 66 | help |
| 67 | The BIOS resource list defines the resources that the |
| 68 | SMI handler needs. This list is created during the |
| 69 | coreboot bootup. Unless a lot of elements have been |
| 70 | added to this list, this value should not change. |
Eugene Myers | ae438be | 2020-01-21 17:01:47 -0500 | 71 | |
| 72 | config STM_BINARY_FILE |
| 73 | string "STM binary file" |
Eugene Myers | 7979bf5 | 2020-10-01 14:59:27 -0400 | 74 | default "3rdparty/stm/Stm/build/StmPkg/Core/stm.bin" |
| 75 | help |
| 76 | Location of the STM binary file. The default location is |
| 77 | where the file will be located when coreboot builds |
| 78 | the STM. |
| 79 | |
| 80 | config STM_HEAPSIZE |
| 81 | hex "stm heapsize" |
| 82 | default 0x46000 |
| 83 | help |
| 84 | The STM_HEAPSIZE defines the heap space that is available |
| 85 | to the STM. The default size assumes an MSEG_SIZE of 0x100000. |
| 86 | For STM/PE this size should be a minimum of 0x246000. |
| 87 | |
| 88 | config STM_TTYS0_BASE |
| 89 | hex "stm uart" |
| 90 | default TTYS0_BASE if TTYS0_BASE |
| 91 | default 0x000 |
| 92 | help |
| 93 | Defines the serial port for STM console output. 0x000 indicates |
| 94 | no serial port. |
| 95 | |
| 96 | config STM_CBMEM_CONSOLE |
| 97 | bool "STM cbmem console" |
| 98 | default n |
| 99 | depends on CONSOLE_CBMEM |
| 100 | help |
| 101 | Places the STM console output into the cbmem. |
| 102 | |
| 103 | choice |
| 104 | prompt "Select STM console output" |
| 105 | |
| 106 | config STM_CONSOLE_DEBUG |
| 107 | bool "Debug output" |
| 108 | depends on STM_CBMEM_CONSOLE || STM_TTYS0_BASE |
| 109 | help |
| 110 | "Produces all STM console output" |
| 111 | |
| 112 | config STM_CONSOLE_RELEASE |
| 113 | bool "Deactivate console output" |
| 114 | help |
| 115 | "No console output is produced" |
| 116 | endchoice |
Eugene Myers | ae438be | 2020-01-21 17:01:47 -0500 | 117 | |
| 118 | endmenu #STM |
| 119 | |
| 120 | endif |
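
The sizing rules in the MSEG_SIZE and STM_HEAPSIZE help text above, applied to a constructed `.config` fragment. This is an added example, not part of this file or of coreboot. The function names, the `threads` parameter and the rule that the IED region, the reserved area and the MSEG all come out of SMM_TSEG_SIZE are assumptions made for illustration.

```python
import re

# Figures quoted from the help text above.
STM_MIN_MSEG, STMPE_MIN_MSEG, STMPE_MIN_HEAP = 0x100000, 0x300000, 0x246000
THREAD_LIMITS = ((0x200000, 102), (0x100000, 38))  # STM only: (MSEG_SIZE, threads)

# Constructed sample: STM/PE on, MSEG raised, other sizes as the help text assumes.
SAMPLE = """\
CONFIG_STM=y
CONFIG_STM_STMPE_ENABLED=y
CONFIG_MSEG_SIZE=0x300000
CONFIG_STM_HEAPSIZE=0x46000
CONFIG_IED_REGION_SIZE=0x400000
CONFIG_SMM_RESERVED_SIZE=0x200000
CONFIG_SMM_TSEG_SIZE=0x800000
"""

def parse_dotconfig(text):
    """Return {NAME: value} for every CONFIG_NAME=value line."""
    found = re.findall(r'^CONFIG_(\w+)=(.+)$', text, re.M)
    return {name: value.strip().strip('"') for name, value in found}

def check_stm(cfg, threads=None):
    """Return sizing problems; threads (hypothetical input) is the CPU thread count."""
    if cfg.get("STM") != "y":
        return []
    mseg, heap, tseg, ied, reserved = (int(cfg[k], 16) for k in (
        "MSEG_SIZE", "STM_HEAPSIZE", "SMM_TSEG_SIZE",
        "IED_REGION_SIZE", "SMM_RESERVED_SIZE"))
    problems = []
    if mseg < STM_MIN_MSEG:
        problems.append("MSEG_SIZE is below the 0x100000 minimum")
    # Assumption: IED region, reserved area and MSEG all come out of TSEG.
    if tseg - ied - reserved < mseg:
        problems.append("MSEG_SIZE does not fit in what is left of TSEG")
    if cfg.get("STM_STMPE_ENABLED") == "y":
        if mseg < STMPE_MIN_MSEG:
            problems.append("STM/PE needs MSEG_SIZE of at least 0x300000")
        if heap < STMPE_MIN_HEAP:
            problems.append("STM/PE needs STM_HEAPSIZE of at least 0x246000")
    elif threads is not None:
        limit = next((n for floor, n in THREAD_LIMITS if mseg >= floor), 0)
        if threads > limit:
            problems.append(f"MSEG_SIZE supports up to {limit} threads")
    return problems

if __name__ == "__main__":
    for problem in check_stm(parse_dotconfig(SAMPLE)):
        print("FAIL:", problem)
```

The sample fails twice: raising MSEG_SIZE alone overruns the TSEG budget, and the default heap is too small for STM/PE.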