summaryrefslogtreecommitdiff
path: root/src/soc/intel/common/block
diff options
context:
space:
mode:
authorPratikkumar Prajapati <pratikkumar.v.prajapati@intel.com>2023-06-05 18:13:16 -0700
committerFelix Held <felix-coreboot@felixheld.de>2023-06-16 14:14:25 +0000
commit42f7dc7493ff09ae75ec22f0d0b291cfcead71a6 (patch)
tree5a8742e5438c2f96ccdbffcad18a6a5eaa905ecf /src/soc/intel/common/block
parent4162654f1b86163370ea34abcab17d6377ab1420 (diff)
soc/intel/common: Add configs for TME exclusion range and new key gen
Add following config options. 1. TME_GENERATE_NEW_KEY_ON_WARM_BOOT Program Intel TME to generate a new key for each warm boot. TME always generates a new key on each cold boot. With this option enabled TME generates a new key even in warm boot. Without this option TME reuses the key for warm boot. 2. TME_EXCLUDE_CBMEM_ENCRYPTION This option allows to exclude the CBMEM region from being encrypted by Intel TME. When TME is enabled it encrypts whole DRAM. TME provides option to carve out a region of physical memory to get excluded from encryption. With this config enabled, CBMEM region does not get encrypted by TME. If TME is not programmed to generate a new key in warm boot, exclusion range does not need be programmed due to the fact that TME uses same key in warm boot if TME_GENERATE_NEW_KEY_ON_WARM_BOOT is not set. But if TME is programmed to generate a new key in warm boot, contents of the CBMEM get encrypted with a new key in each warm boot case hence, that leads to loss of CBMEM data from previous warm boot. So enabling this config allows CBMEM region to get excluded from being encrypted and can be accessible irrespective of the type of the platform reset. Bug=b:276120526 TEST=Able to build rex Signed-off-by: Pratikkumar Prajapati <pratikkumar.v.prajapati@intel.com> Change-Id: Id5008fee07b97faadc7dd585f445295425173782 Reviewed-on: https://review.coreboot.org/c/coreboot/+/75625 Reviewed-by: Subrata Banik <subratabanik@google.com> Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Diffstat (limited to 'src/soc/intel/common/block')
-rw-r--r--src/soc/intel/common/block/cpu/Kconfig29
1 files changed, 29 insertions, 0 deletions
diff --git a/src/soc/intel/common/block/cpu/Kconfig b/src/soc/intel/common/block/cpu/Kconfig
index 8b30dcf12c..fb1e251f00 100644
--- a/src/soc/intel/common/block/cpu/Kconfig
+++ b/src/soc/intel/common/block/cpu/Kconfig
@@ -142,6 +142,35 @@ config INTEL_TME
it would get enabled. If CPU supports MKTME, this same config option
enables MKTME.
+config TME_GENERATE_NEW_KEY_ON_WARM_BOOT
+ bool "Generate new TME key on each warm boot"
+ depends on INTEL_TME
+ default n
+ help
+ Program Intel TME to generate a new key for each warm boot. TME always
+ generates a new key on each cold boot. With this option enabled TME
+ generates a new key even in warm boot. Without this option TME reuses
+ the key for warm boot.
+
+config TME_EXCLUDE_CBMEM_ENCRYPTION
+ bool "Exclude CBMEM from TME encryption"
+ depends on INTEL_TME
+ default n
+ help
+ This option allows to exclude the CBMEM region from being encrypted by
+ Intel TME. When TME is enabled it encrypts whole DRAM. TME provides
+ option to carve out a region of physical memory to get excluded from
+ encryption. With this config enabled, CBMEM region does not get
+ encrypted by TME. If TME is not programmed to generate a new key in
+ warm boot, exclusion range does not need be programmed due to the
+ fact that TME uses same key in warm boot if
+ TME_GENERATE_NEW_KEY_ON_WARM_BOOT is not set. But if TME is programmed
+ to generate a new key in warm boot, contents of the CBMEM get
+ encrypted with a new key in each warm boot case hence, that leads to
+ loss of CBMEM data from previous warm boot. So enabling this config
+ allows CBMEM region to get excluded from being encrypted and can be
+ accessible irrespective of the type of the platform reset.
+
config CPU_XTAL_HZ
int
help