author Christian Walter <christian.walter@9elements.com> 2019-07-23 10:26:30 +0200
committer Philipp Deppenwiese <zaolin.daisuki@gmail.com> 2019-08-06 12:07:49 +0000
commit 0bd84ed25066fc28d3a0750d429a29c64bfb955d
tree 7b61020acdf77ec01a1163851713386d3724ac31 /src/security/vboot/Kconfig
parent 6d2dbe11ae1f4ae21b3f15699831e53d47e270cd
security/vboot: Add Support for Intel PTT

Add support for Intel PTT. For supporting Intel PTT we need to disable read and write access to the TPM NVRAM during the bootblock. TPM NVRAM will only be available once the DRAM is initialized. To circumvent this, we mock secdata if HAVE_INTEL_PTT is set. The underlying problem is that the iTPM only supports a stripped down instruction set while the Intel ME is not fully booted up. Details can be found in Intel document number 571993 - Paragraph 2.10.

Change-Id: I08c9a839f53f96506be5fb68f7c1ed5bf6692505
Signed-off-by: Christian Walter <christian.walter@9elements.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/34510
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Philipp Deppenwiese <zaolin.daisuki@gmail.com>
Reviewed-by: Julius Werner <jwerner@chromium.org>

Diffstat (limited to 'src/security/vboot/Kconfig')
-rw-r--r-- src/security/vboot/Kconfig 5
1 files changed, 4 insertions, 1 deletions
diff --git a/src/security/vboot/Kconfig b/src/security/vboot/Kconfig
index ea1f73889a..c5146c61e7 100644
--- a/src/security/vboot/Kconfig
+++ b/src/security/vboot/Kconfig
@@ -26,10 +26,13 @@ config VBOOT
if VBOOT
+comment "Anti-Rollback Protection disabled because mocking secdata is enabled."
+ depends on VBOOT_MOCK_SECDATA
+
config VBOOT_MEASURED_BOOT
bool "Enable Measured Boot"
default n
- depends on !VBOOT_MOCK_SECDATA
+ depends on TPM1 || TPM2
depends on !VBOOT_RETURN_FROM_VERSTAGE
help
Enables measured boot mode in vboot (experimental)
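
Review bot: Replacing `depends on !VBOOT_MOCK_SECDATA` with `depends on TPM1 || TPM2` on VBOOT_MEASURED_BOOT allows measured boot to be enabled together with mocked secdata on any board, not only the Intel PTT case the commit message describes, and the new `comment` entry only informs the person configuring the build; it constrains nothing. Consider narrowing the relaxed dependency to the PTT case (for example keeping `!VBOOT_MOCK_SECDATA` unless HAVE_INTEL_PTT is set), and extend the VBOOT_MEASURED_BOOT help text to say that with VBOOT_MOCK_SECDATA set the measurements are taken without anti-rollback protection, since the help text still reads only "Enables measured boot mode in vboot (experimental)".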