src/security/intel/txt/Kconfig

# SPDX-License-Identifier: GPL-2.0-only

config INTEL_TXT_LIB
	bool
	default n
	help
	  This option includes library functions related to the TXT
	  operation which SoC would still like to access without enabling
	  INTEL_TXT config.

config INTEL_TXT
	bool "Intel TXT support"
	default n
	select INTEL_TXT_LIB
	select MRC_SETTINGS_PROTECT if CACHE_MRC_SETTINGS
	select ENABLE_VMX if CPU_INTEL_COMMON
	select AP_IN_SIPI_WAIT
	select TPM_MEASURED_BOOT_INIT_BOOTBLOCK if TPM_MEASURED_BOOT
	depends on TPM
	depends on PLATFORM_HAS_DRAM_CLEAR
	depends on (SOC_INTEL_COMMON_BLOCK_SA || HAVE_CF9_RESET)

if INTEL_TXT

config INTEL_TXT_BIOSACM_FILE
	string "BIOS ACM file"
	default "3rdparty/blobs/soc/intel/skylake/biosacm.bin" if SOC_INTEL_COMMON_SKYLAKE_BASE
	help
	  Intel TXT BIOS ACM file. This file can be obtained through privileged
	  access to Intel resources. Or for some platforms found inside the
	  blob repository.

config INTEL_TXT_SINITACM_FILE
	string "SINIT ACM file"
	default "3rdparty/blobs/soc/intel/skylake/sinitacm.bin" if SOC_INTEL_COMMON_SKYLAKE_BASE
	help
	  Intel TXT SINIT ACM file. This file can be obtained through privileged
	  access to Intel resources. Or for some platforms found inside the
	  blob repository.

config INTEL_TXT_DPR_SIZE
	int
	range 0 255
	default 3
	help
	  Specify the size the DPR region needs to have. On at least Haswell,
	  the MRC does not have an input to specify the size of DPR, so this
	  field is only used to check if the programmed size is large enough.

config INTEL_TXT_BDR_VERSION
	int "BIOS Data Region version"
	range 2 6
	default 5 if TPM1
	default 6 if TPM2
	help
	  Specify the TXT heap BIOS Data Region version. Sometimes when using
	  an older Trusted Boot version, it may report unsupported BIOS Data
	  Region version and refuse to set up the measured launch environment.
	  Setting lower version may work around such issue. Allowed values
	  currently range from 2 to 6.

config INTEL_TXT_TEST_BIOS_ACM_CALLING_CODE
	bool "Test BIOS ACM calling code with NOP function"
	help
	  Run a NOP function of the BIOS ACM to check that the ACM calling code
	  is functioning properly. Use in pre-production environments only!

config INTEL_TXT_LOGGING
	bool "Enable verbose logging"
	help
	  Print more TXT related debug output.
	  Use in pre-production environments only!

config INTEL_TXT_BIOSACM_ALIGNMENT
	hex
	default 0x40000 if INTEL_CBNT_SUPPORT
	default 0x20000 # 128 KiB
	help
	  Exceptions are Ivy and Sandy Bridge with 64 KiB and Purley with 256 KiB
	  alignment size. If necessary, override from platform-specific Kconfig.

config INTEL_TXT_CBFS_BIOS_POLICY
	string
	default "txt_bios_policy.bin"

config INTEL_TXT_CBFS_BIOS_ACM
	string
	default "txt_bios_acm.bin"

config INTEL_TXT_CBFS_SINIT_ACM
	string
	default "txt_sinit_acm.bin"

config INTEL_TXT_SINIT_SIZE
	hex
	default 0x20000
	help
	  This is the size that will be programmed in TXT_SINIT_SIZE.
	  This needs to be at least the size of the SINIT ACM.
	  This is platform dependent. For instance on CPX this has
	  to be the ACM size + 64K.

config INTEL_TXT_HEAP_SIZE
	hex
	default 0xe0000
	help
	  This is the size that will be programmed in TXT_HEAP_SIZE.
	  This is platform dependent.

endif