sravan/system76-coreboot
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
3e5cefcc45d7ef7da9fd9b6ecc499a05f8134039
system76-coreboot/src/security/tpm/Kconfig
Sergii Dmytruk 3e5cefcc45 security/tpm: support compiling in multiple TPM drivers 
Starting from here CONFIG_TPM1 and CONFIG_TPM2 are no longer mutually
exclusive.

Change-Id: I44c5a1d825afe414c2f5c2c90f4cfe41ba9bef5f
Ticket: https://ticket.coreboot.org/issues/433
Signed-off-by: Sergii Dmytruk <sergii.dmytruk@3mdeb.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/69162
Reviewed-by: Julius Werner <jwerner@chromium.org>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
2024-04-16 13:52:14 +00:00

182 lines
4.4 KiB
Plaintext
Raw Blame History

# SPDX-License-Identifier: GPL-2.0-only
source "src/security/tpm/tss/vendor/cr50/Kconfig"
menu "Trusted Platform Module"
config NO_TPM
bool
default y if !TPM1 && !TPM2
help
No TPM support. Select this option if your system doesn't have a TPM,
or if you don't want coreboot to communicate with your TPM in any way.
(If your board doesn't offer a TPM interface, this will be the only
possible option.)
config TPM1
bool "TPM 1.2"
depends on I2C_TPM || MEMORY_MAPPED_TPM || SPI_TPM || CRB_TPM
default y if MAINBOARD_HAS_TPM1
help
Select this option if your TPM uses the older TPM 1.2 protocol.
config TPM2
bool "TPM 2.0"
depends on I2C_TPM || MEMORY_MAPPED_TPM || SPI_TPM || CRB_TPM
default y if MAINBOARD_HAS_TPM2
help
Select this option if your TPM uses the newer TPM 2.0 protocol.
config TPM
bool
default y
depends on TPM1 || TPM2
config MAINBOARD_HAS_TPM1
bool
help
This option can be selected by a mainboard to represent that its TPM
always uses the 1.2 protocol, and that it should be on by default.
config MAINBOARD_HAS_TPM2
bool
help
This option can be selected by a mainboard to represent that its TPM
always uses the 2.0 protocol, and that it should be on by default.
config TPM_DEACTIVATE
bool "Deactivate TPM (for TPM1)"
default n
depends on !VBOOT
depends on TPM1
help
Deactivate TPM by issuing deactivate command.
config DEBUG_TPM
bool "Output verbose TPM debug messages"
default n
select DRIVER_TPM_DISPLAY_TIS_BYTES if I2C_TPM
depends on TPM
help
This option enables additional TPM related debug messages.
config TPM_RDRESP_NEED_DELAY
bool "Enable Delay Workaround for TPM"
default n
depends on MEMORY_MAPPED_TPM
help
Certain TPMs seem to need some delay when reading response
to work around a race-condition-related issue, possibly
caused by ill-programmed TPM firmware.
config TPM_STARTUP_IGNORE_POSTINIT
bool
help
Select this to ignore POSTINIT INVALID return codes on TPM
startup. This is useful on platforms where a previous stage
issued a TPM startup. Examples of use cases are Intel TXT
or VBOOT on the Intel Arrandale processor, which issues a
CPU-only reset during the romstage.
config TPM_MEASURED_BOOT
bool "Enable Measured Boot"
default n
select VBOOT_LIB
depends on TPM
depends on !VBOOT_RETURN_FROM_VERSTAGE
help
Enables measured boot (experimental)
choice
prompt "TPM event log format"
depends on TPM_MEASURED_BOOT
default TPM_LOG_TPM1 if TPM1
default TPM_LOG_TPM2 if TPM2
config TPM_LOG_CB
bool "coreboot's custom format"
help
Custom coreboot-specific format of the log derived from TPM1 log format.
config TPM_LOG_TPM1
bool "TPM 1.2 format"
depends on TPM1 && !TPM2
help
Log per TPM 1.2 specification.
See "TCG PC Client Specific Implementation Specification for Conventional BIOS".
config TPM_LOG_TPM2
bool "TPM 2.0 format"
depends on TPM1 || TPM2
help
Log per TPM 2.0 specification.
See "TCG PC Client Platform Firmware Profile Specification".
endchoice
choice
prompt "TPM2 hashing algorithm"
depends on TPM_MEASURED_BOOT && TPM_LOG_TPM2
default TPM_HASH_SHA1 if TPM1
default TPM_HASH_SHA256 if TPM2
config TPM_HASH_SHA1
bool "SHA1"
config TPM_HASH_SHA256
bool "SHA256"
config TPM_HASH_SHA384
bool "SHA384"
config TPM_HASH_SHA512
bool "SHA512"
endchoice
config TPM_MEASURED_BOOT_INIT_BOOTBLOCK
bool
depends on TPM_MEASURED_BOOT && !VBOOT
help
Initialize TPM inside the bootblock instead of ramstage. This is
useful with some form of hardware assisted root of trust
measurement like Intel TXT/CBnT.
config TPM_MEASURED_BOOT_RUNTIME_DATA
string "Runtime data whitelist"
default ""
depends on TPM_MEASURED_BOOT
help
Runtime data whitelist of cbfs filenames. Needs to be a
space delimited list
config PCR_BOOT_MODE
int
default 0 if CHROMEOS
default 1
config PCR_HWID
int
default 1
config PCR_SRTM
int
default 2
config PCR_FW_VER
int
default 10
# PCR for measuring data which changes during runtime
# e.g. CMOS, NVRAM...
config PCR_RUNTIME_DATA
int
default 3
endmenu # Trusted Platform Module (tpm)
config TPM_SETUP_HIBERNATE_ON_ERR
bool
depends on EC_GOOGLE_CHROMEEC
default y
help
Select this to force a device to hibernate on the next AP shutdown when a TPM
setup error occurs. This will cause a cold boot of the system and offer an
opportunity to recover the TPM should it be hung. This is only effective if
the Z-State brings the power rail down.
Reference in New Issue View Git Blame Copy Permalink