summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--src/soc/intel/common/block/cpu/Kconfig29
1 files changed, 29 insertions, 0 deletions
diff --git a/src/soc/intel/common/block/cpu/Kconfig b/src/soc/intel/common/block/cpu/Kconfig
index 8b30dcf12c..fb1e251f00 100644
--- a/src/soc/intel/common/block/cpu/Kconfig
+++ b/src/soc/intel/common/block/cpu/Kconfig
@@ -142,6 +142,35 @@ config INTEL_TME
it would get enabled. If CPU supports MKTME, this same config option
enables MKTME.
+config TME_GENERATE_NEW_KEY_ON_WARM_BOOT
+ bool "Generate new TME key on each warm boot"
+ depends on INTEL_TME
+ default n
+ help
+ Program Intel TME to generate a new key for each warm boot. TME always
+ generates a new key on each cold boot. With this option enabled TME
+ generates a new key even in warm boot. Without this option TME reuses
+ the key for warm boot.
+
+config TME_EXCLUDE_CBMEM_ENCRYPTION
+ bool "Exclude CBMEM from TME encryption"
+ depends on INTEL_TME
+ default n
+ help
+ This option allows to exclude the CBMEM region from being encrypted by
+ Intel TME. When TME is enabled it encrypts whole DRAM. TME provides
+ option to carve out a region of physical memory to get excluded from
+ encryption. With this config enabled, CBMEM region does not get
+ encrypted by TME. If TME is not programmed to generate a new key in
+ warm boot, exclusion range does not need be programmed due to the
+ fact that TME uses same key in warm boot if
+ TME_GENERATE_NEW_KEY_ON_WARM_BOOT is not set. But if TME is programmed
+ to generate a new key in warm boot, contents of the CBMEM get
+ encrypted with a new key in each warm boot case hence, that leads to
+ loss of CBMEM data from previous warm boot. So enabling this config
+ allows CBMEM region to get excluded from being encrypted and can be
+ accessible irrespective of the type of the platform reset.
+
config CPU_XTAL_HZ
int
help