aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat
-rw-r--r--src/soc/intel/common/block/cpu/Kconfig29
1 files changed, 10 insertions, 19 deletions
diff --git a/src/soc/intel/common/block/cpu/Kconfig b/src/soc/intel/common/block/cpu/Kconfig
index fb1e251f00..316ec403c3 100644
--- a/src/soc/intel/common/block/cpu/Kconfig
+++ b/src/soc/intel/common/block/cpu/Kconfig
@@ -142,7 +142,7 @@ config INTEL_TME
it would get enabled. If CPU supports MKTME, this same config option
enables MKTME.
-config TME_GENERATE_NEW_KEY_ON_WARM_BOOT
+config TME_KEY_REGENERATION_ON_WARM_BOOT
bool "Generate new TME key on each warm boot"
depends on INTEL_TME
default n
@@ -152,24 +152,15 @@ config TME_GENERATE_NEW_KEY_ON_WARM_BOOT
generates a new key even in warm boot. Without this option TME reuses
the key for warm boot.
-config TME_EXCLUDE_CBMEM_ENCRYPTION
- bool "Exclude CBMEM from TME encryption"
- depends on INTEL_TME
- default n
- help
- This option allows to exclude the CBMEM region from being encrypted by
- Intel TME. When TME is enabled it encrypts whole DRAM. TME provides
- option to carve out a region of physical memory to get excluded from
- encryption. With this config enabled, CBMEM region does not get
- encrypted by TME. If TME is not programmed to generate a new key in
- warm boot, exclusion range does not need be programmed due to the
- fact that TME uses same key in warm boot if
- TME_GENERATE_NEW_KEY_ON_WARM_BOOT is not set. But if TME is programmed
- to generate a new key in warm boot, contents of the CBMEM get
- encrypted with a new key in each warm boot case hence, that leads to
- loss of CBMEM data from previous warm boot. So enabling this config
- allows CBMEM region to get excluded from being encrypted and can be
- accessible irrespective of the type of the platform reset.
+ If a new key is generated on warm boot, DRAM contents from previous
+ warm boot will not get decrypted. This creates issue in accessing
+ CBMEM region from previous warm boot. To mitigate the issue coreboot
+ also programs exclusion range. Intel TME does not encrypt physical
+ memory range set in exclusion range. Current coreboot implementation
+ programs TME to exclude CBMEM region. When this config option is
+ enabled, coreboot instructs Intel FSP to program TME to generate
+ a new key on every warm boot and also exclude CBMEM region from being
+ encrypted by TME.
config CPU_XTAL_HZ
int
generated by cgit v1.2.3 (git 2.39.1) at 2024-09-21 04:31:07 +0000