summaryrefslogtreecommitdiff
path: root/src/security/tpm
diff options
context:
space:
mode:
authorJulius Werner <jwerner@chromium.org>2021-05-18 17:15:50 -0700
committerJulius Werner <jwerner@chromium.org>2021-05-27 22:01:44 +0000
commit8ad93797d6e1eb2d4be4010e29152636551567fa (patch)
treea17b9d2c794b854057f169f9e7486c69885e6f7a /src/security/tpm
parent9d8a5ba128d7e5a8b6fbedf79c4c470acc918b4c (diff)
tpm: Remove USER_TPMx options, make TPM1/TPM2 menuconfig visible
We would like to have an easy way to completely disable TPM support on a board. For boards that don't pre-select a TPM protocol via the MAINBOARD_HAS_TPMx options, this is already possible with the USER_NO_TPM option. In order to make this available for all boards, this patch just removes the whole USER_TPMx option group and directly makes the TPM1 and TPM2 options visible to menuconfig. The MAINBOARD_HAS_TPMx options can still be used to select defaults and to prevent selection of a protocol that the TPM is known to not support, but the NO_TPM option always remains available. Also fix some mainboards that selected TPM2 directly, which they're not supposed to do (that's what MAINBOARD_HAS_TPM2 is for), and add a missing dependency to TPM_CR50 so it is set correctly for a NO_TPM scenario. Signed-off-by: Julius Werner <jwerner@chromium.org> Change-Id: Ib0a73da3c42fa4e8deffecb53f29ee38cbb51a93 Reviewed-on: https://review.coreboot.org/c/coreboot/+/54641 Tested-by: build bot (Jenkins) <no-reply@coreboot.org> Reviewed-by: Aaron Durbin <adurbin@chromium.org> Reviewed-by: Christian Walter <christian.walter@9elements.com>
Diffstat (limited to 'src/security/tpm')
-rw-r--r--src/security/tpm/Kconfig68
-rw-r--r--src/security/tpm/tss/vendor/cr50/Kconfig1
2 files changed, 30 insertions, 39 deletions
diff --git a/src/security/tpm/Kconfig b/src/security/tpm/Kconfig
index 96ab2e658f..e228a3d435 100644
--- a/src/security/tpm/Kconfig
+++ b/src/security/tpm/Kconfig
@@ -4,22 +4,42 @@ source "src/security/tpm/tss/vendor/cr50/Kconfig"
menu "Trusted Platform Module"
+choice
+ prompt "Trusted Platform Module"
+ default TPM2 if MAINBOARD_HAS_TPM2
+ default TPM1 if MAINBOARD_HAS_TPM1
+ default NO_TPM
+
+config NO_TPM
+ bool "No TPM"
+ help
+ No TPM support. Select this option if your system doesn't have a TPM,
+ or if you don't want coreboot to communicate with your TPM in any way.
+ (If your board doesn't offer a TPM interface, this will be the only
+ possible option.)
+
config TPM1
- bool
- default y if MAINBOARD_HAS_TPM1 || USER_TPM1
+ bool "TPM 1.2"
depends on MAINBOARD_HAS_LPC_TPM || \
MAINBOARD_HAS_I2C_TPM_GENERIC || \
MAINBOARD_HAS_I2C_TPM_ATMEL
+ depends on !MAINBOARD_HAS_TPM2
+ help
+ Select this option if your TPM uses the older TPM 1.2 protocol.
config TPM2
- bool
- default y if MAINBOARD_HAS_TPM2 || USER_TPM2
+ bool "TPM 2.0"
depends on MAINBOARD_HAS_I2C_TPM_GENERIC || \
MAINBOARD_HAS_LPC_TPM || \
MAINBOARD_HAS_I2C_TPM_ATMEL || \
MAINBOARD_HAS_I2C_TPM_CR50 || \
MAINBOARD_HAS_SPI_TPM || \
MAINBOARD_HAS_CRB_TPM
+ depends on !MAINBOARD_HAS_TPM1
+ help
+ Select this option if your TPM uses the newer TPM 2.0 protocol.
+
+endchoice
config TPM
bool
@@ -28,45 +48,15 @@ config TPM
config MAINBOARD_HAS_TPM1
bool
+ help
+ This option can be selected by a mainboard to represent that its TPM
+ always uses the 1.2 protocol, and that it should be on by default.
config MAINBOARD_HAS_TPM2
bool
-
-if !MAINBOARD_HAS_TPM1 && !MAINBOARD_HAS_TPM2
-
-choice
- prompt "Trusted Platform Module"
- default USER_NO_TPM
-
-config USER_NO_TPM
- bool "disabled"
-
-config USER_TPM1
- bool "1.2"
- depends on MAINBOARD_HAS_LPC_TPM || \
- MAINBOARD_HAS_I2C_TPM_GENERIC || \
- MAINBOARD_HAS_I2C_TPM_ATMEL
help
- Enable this option to enable TPM 1.0 - 1.2 support in coreboot.
-
- If unsure, say N.
-
-config USER_TPM2
- bool "2.0"
- depends on MAINBOARD_HAS_I2C_TPM_GENERIC || \
- MAINBOARD_HAS_LPC_TPM || \
- MAINBOARD_HAS_I2C_TPM_ATMEL || \
- MAINBOARD_HAS_I2C_TPM_CR50 || \
- MAINBOARD_HAS_SPI_TPM || \
- MAINBOARD_HAS_CRB_TPM
- help
- Enable this option to enable TPM 2.0 support in coreboot.
-
- If unsure, say N.
-
-endchoice
-
-endif
+ This option can be selected by a mainboard to represent that its TPM
+ always uses the 2.0 protocol, and that it should be on by default.
config TPM_DEACTIVATE
bool "Deactivate TPM"
diff --git a/src/security/tpm/tss/vendor/cr50/Kconfig b/src/security/tpm/tss/vendor/cr50/Kconfig
index 52c73859d8..c4ecdef2fd 100644
--- a/src/security/tpm/tss/vendor/cr50/Kconfig
+++ b/src/security/tpm/tss/vendor/cr50/Kconfig
@@ -2,6 +2,7 @@
config TPM_CR50
bool
+ depends on TPM2
default y if MAINBOARD_HAS_I2C_TPM_CR50 || MAINBOARD_HAS_SPI_TPM_CR50
if TPM_CR50