| # SPDX-License-Identifier: GPL-2.0-only |
| |
| source "src/security/tpm/tss/vendor/cr50/Kconfig" |
| |
| menu "Trusted Platform Module" |
| |
| choice |
| prompt "Trusted Platform Module" |
| default TPM2 if MAINBOARD_HAS_TPM2 |
| default TPM1 if MAINBOARD_HAS_TPM1 |
| default NO_TPM |
| |
| config NO_TPM |
| bool "No TPM" |
| help |
| No TPM support. Select this option if your system doesn't have a TPM, |
| or if you don't want coreboot to communicate with your TPM in any way. |
| (If your board doesn't offer a TPM interface, this will be the only |
| possible option.) |
| |
| config TPM1 |
| bool "TPM 1.2" |
| depends on MAINBOARD_HAS_LPC_TPM || \ |
| MAINBOARD_HAS_I2C_TPM_GENERIC || \ |
| MAINBOARD_HAS_I2C_TPM_ATMEL |
| depends on !MAINBOARD_HAS_TPM2 |
| help |
| Select this option if your TPM uses the older TPM 1.2 protocol. |
| |
| config TPM2 |
| bool "TPM 2.0" |
| depends on MAINBOARD_HAS_I2C_TPM_GENERIC || \ |
| MAINBOARD_HAS_LPC_TPM || \ |
| MAINBOARD_HAS_I2C_TPM_ATMEL || \ |
| MAINBOARD_HAS_I2C_TPM_CR50 || \ |
| MAINBOARD_HAS_SPI_TPM || \ |
| MAINBOARD_HAS_CRB_TPM |
| depends on !MAINBOARD_HAS_TPM1 |
| help |
| Select this option if your TPM uses the newer TPM 2.0 protocol. |
| |
| endchoice |
| |
| config TPM |
| bool |
| default y |
| depends on TPM1 || TPM2 |
| |
| config MAINBOARD_HAS_TPM1 |
| bool |
| help |
| This option can be selected by a mainboard to represent that its TPM |
| always uses the 1.2 protocol, and that it should be on by default. |
| |
| config MAINBOARD_HAS_TPM2 |
| bool |
| help |
| This option can be selected by a mainboard to represent that its TPM |
| always uses the 2.0 protocol, and that it should be on by default. |
| |
| config TPM_DEACTIVATE |
| bool "Deactivate TPM" |
| default n |
| depends on !VBOOT |
| depends on TPM1 |
| help |
| Deactivate TPM by issuing deactivate command. |
| |
| config DEBUG_TPM |
| bool "Output verbose TPM debug messages" |
| default n |
| select DRIVER_TPM_DISPLAY_TIS_BYTES if I2C_TPM |
| depends on TPM |
| help |
| This option enables additional TPM related debug messages. |
| |
| config TPM_RDRESP_NEED_DELAY |
| bool "Enable Delay Workaround for TPM" |
| default n |
| depends on MAINBOARD_HAS_LPC_TPM |
| help |
| Certain TPMs seem to need some delay when reading response |
| to work around a race-condition-related issue, possibly |
| caused by ill-programmed TPM firmware. |
| |
| config TPM_STARTUP_IGNORE_POSTINIT |
| bool |
| help |
| Select this to ignore POSTINIT INVALID return codes on TPM |
| startup. This is useful on platforms where a previous stage |
| issued a TPM startup. Examples of use cases are Intel TXT |
| or VBOOT on the Intel Arrandale processor, which issues a |
| CPU-only reset during the romstage. |
| |
| config TPM_MEASURED_BOOT |
| bool "Enable Measured Boot" |
| default n |
| select VBOOT_LIB |
| depends on TPM |
| depends on !VBOOT_RETURN_FROM_VERSTAGE |
| help |
| Enables measured boot (experimental) |
| |
| config TPM_MEASURED_BOOT_INIT_BOOTBLOCK |
| bool |
| depends on TPM_MEASURED_BOOT && !VBOOT |
| help |
| Initialize TPM inside the bootblock instead of ramstage. This is |
| useful with some form of hardware assisted root of trust |
| measurement like Intel TXT/CBnT. |
| |
| config TPM_MEASURED_BOOT_RUNTIME_DATA |
| string "Runtime data whitelist" |
| default "" |
| depends on TPM_MEASURED_BOOT |
| help |
| Runtime data whitelist of cbfs filenames. Needs to be a |
| space delimited list |
| |
| endmenu # Trusted Platform Module (tpm) |
