src/security/intel/stm/Kconfig

## SPDX-License-Identifier: GPL-2.0-only

config STM
	bool "Enable STM"
	default n
	depends on ENABLE_VMX
	depends on SMM_TSEG

	help
	  Enabling the STM will load a simple hypervisor into SMM that will
	  restrict the actions of the SMI handler, which is the part of BIOS
	  that functions in system management mode (SMM).  The kernel can
	  configure the STM to prevent the SMI handler from accessing platform
	  resources.
	  The STM closes a vulnerability in Intel TXT (D-RTM)
	  The SMI handler provides a list of platform resources that it
	  requires access to the STM during STM startup, which the kernel
	  cannot override.
	  An additional capability, called STM-PE, provides a protected
	  execution capability that allows modules to be executed without
	  observation and interference. Examples of usage include kernel
	  introspection and virtualized trusted platform module (vTPM).
	  Requirement: SMM must be enabled and there must be sufficient room
	  within the TSEG to fit the MSEG.

if STM

menu "SMI Transfer Monitor (STM)"

config MSEG_SIZE
	hex "mseg size"
	default 0x100000
	help
	  The MSEG_SIZE of 0x100000 assumes that:
	      IED_REGION_SIZE   = 0x400000
	      SMM_RESERVED_SIZE = 0x200000
	      SMM_TSEG_SIZE     = 0x800000

	  To use STM/PE, a larger MSEG_SIZE is necessary.  This can be
	  done by either increasing SMM_TSEG_SIZE or reducing the
	  IED_REGION_SIZE and/or SMM_RESERVED_SIZE or some combination
	  of the three.
	  NOTE: The authors experience is that these configuration
	  parameters have to be changed at the soc Konfig for them to
	  be applied.
	  Minimum sizes:
	        STM only - 0x100000 - Supports up to 38 processor threads
	                 - 0x200000 - Supports up to 102 processor threads
	        STM/PE   - 0x300000+ depending on the amount of memory needed
	                             for the protected execution virtual
	                             machine (VM/PE)

config STM_STMPE_ENABLED
	bool "STM/PE Enabled"
	default n
	help
	  STM/PE provides for additional virtual machines in SMRAM
	  that provides a protected execution environment for
	  applications such as introspection, which need to be
	  protected from malicious code.  More information can be
	  found on the stmpe branch of
	  https://review.coreboot.org/STM


config BIOS_RESOURCE_LIST_SIZE
	hex "bios resource list size"
	default 0x1000
	help
	  The BIOS resource list defines the resources that the
	  SMI handler needs.  This list is created during the
	  coreboot bootup.  Unless there has been a lot of elements
	  added to this list, this value should not change.

config STM_BINARY_FILE
	string "STM binary file"
	default "3rdparty/stm/Stm/build/StmPkg/Core/stm.bin"
	help
	  Location of the STM binary file.  The default location is
	  where the file will be located when coreboot builds
	  the STM.

config STM_HEAPSIZE
	hex "stm heapsize"
	default 0x46000
	help
	  The STM_HEAPSIZE defines the heap space that is available
	  to the STM.  The default size assumes a MSEG_SIZE of 0x100000.
	  For STM/PE this size should be a minimum of 0x246000.

config STM_TTYS0_BASE
	hex "stm uart"
	default TTYS0_BASE if TTYS0_BASE
	default 0x000
	help
	  Defines the serial port for STM console output.  0x000 indicates
	  no serial port.

config STM_CBMEM_CONSOLE
	bool "STM cbmem console"
	default n
	depends on CONSOLE_CBMEM
	help
	  Places the STM console output into the cbmem.

choice
	prompt "Select STM console output"

config STM_CONSOLE_DEBUG
	bool "Debug output"
	depends on STM_CBMEM_CONSOLE || STM_TTYS0_BASE
	help
	  "Produces all STM console output"

config STM_CONSOLE_RELEASE
	bool "Deactivate console output"
	help
	  "No console output is produced"
endchoice

endmenu #STM

endif