4 files changed, 31 insertions, 41 deletions

diff --git a/src/mainboard/google/drallion/Kconfig b/src/mainboard/google/drallion/Kconfig
index 31cac26a76..9499a60608 100644
--- a/src/mainboard/google/drallion/Kconfig
+++ b/src/mainboard/google/drallion/Kconfig
@@ -21,7 +21,6 @@ config BOARD_GOOGLE_BASEBOARD_DRALLION
 	select SOC_INTEL_COMMON_BLOCK_HDA_VERB
 	select SOC_INTEL_COMMON_BLOCK_SMM_ESPI_DISABLE
 	select SYSTEM_TYPE_LAPTOP
-	select TPM2
 	select MAINBOARD_USES_IFD_EC_REGION
 	select HAVE_SPD_IN_CBFS
 
diff --git a/src/mainboard/protectli/vault_kbl/Kconfig b/src/mainboard/protectli/vault_kbl/Kconfig
index 7cf80e0a91..7aa78aab13 100644
--- a/src/mainboard/protectli/vault_kbl/Kconfig
+++ b/src/mainboard/protectli/vault_kbl/Kconfig
@@ -13,7 +13,7 @@ config BOARD_SPECIFIC_OPTIONS
 	select SUPERIO_ITE_IT8772F
 	select MAINBOARD_HAS_CRB_TPM
 	select HAVE_INTEL_PTT
-	select TPM2
+	select MAINBOARD_HAS_TPM2
 
 config IRQ_SLOT_COUNT
 	int
diff --git a/src/security/tpm/Kconfig b/src/security/tpm/Kconfig
index 96ab2e658f..e228a3d435 100644
--- a/src/security/tpm/Kconfig
+++ b/src/security/tpm/Kconfig
@@ -4,22 +4,42 @@ source "src/security/tpm/tss/vendor/cr50/Kconfig"
 
 menu "Trusted Platform Module"
 
+choice
+	prompt "Trusted Platform Module"
+	default TPM2 if MAINBOARD_HAS_TPM2
+	default TPM1 if MAINBOARD_HAS_TPM1
+	default NO_TPM
+
+config NO_TPM
+	bool "No TPM"
+	help
+	  No TPM support. Select this option if your system doesn't have a TPM,
+	  or if you don't want coreboot to communicate with your TPM in any way.
+	  (If your board doesn't offer a TPM interface, this will be the only
+	  possible option.)
+
 config TPM1
-	bool
-	default y if MAINBOARD_HAS_TPM1 || USER_TPM1
+	bool "TPM 1.2"
 	depends on MAINBOARD_HAS_LPC_TPM || \
 		   MAINBOARD_HAS_I2C_TPM_GENERIC || \
 		   MAINBOARD_HAS_I2C_TPM_ATMEL
+	depends on !MAINBOARD_HAS_TPM2
+	help
+	  Select this option if your TPM uses the older TPM 1.2 protocol.
 
 config TPM2
-	bool
-	default y if MAINBOARD_HAS_TPM2 || USER_TPM2
+	bool "TPM 2.0"
 	depends on MAINBOARD_HAS_I2C_TPM_GENERIC || \
 		   MAINBOARD_HAS_LPC_TPM || \
 		   MAINBOARD_HAS_I2C_TPM_ATMEL || \
 		   MAINBOARD_HAS_I2C_TPM_CR50 || \
 		   MAINBOARD_HAS_SPI_TPM || \
 		   MAINBOARD_HAS_CRB_TPM
+	depends on !MAINBOARD_HAS_TPM1
+	help
+	  Select this option if your TPM uses the newer TPM 2.0 protocol.
+
+endchoice
 
 config TPM
 	bool
@@ -28,45 +48,15 @@ config TPM
 
 config MAINBOARD_HAS_TPM1
 	bool
+	help
+	  This option can be selected by a mainboard to represent that its TPM
+	  always uses the 1.2 protocol, and that it should be on by default.
 
 config MAINBOARD_HAS_TPM2
 	bool
-
-if !MAINBOARD_HAS_TPM1 && !MAINBOARD_HAS_TPM2
-
-choice
-	prompt "Trusted Platform Module"
-	default USER_NO_TPM
-
-config USER_NO_TPM
-	bool "disabled"
-
-config USER_TPM1
-	bool "1.2"
-	depends on MAINBOARD_HAS_LPC_TPM || \
-		   MAINBOARD_HAS_I2C_TPM_GENERIC || \
-		   MAINBOARD_HAS_I2C_TPM_ATMEL
 	help
-		Enable this option to enable TPM 1.0 - 1.2 support in coreboot.
-
-		If unsure, say N.
-
-config USER_TPM2
-	bool "2.0"
-	depends on MAINBOARD_HAS_I2C_TPM_GENERIC || \
-		   MAINBOARD_HAS_LPC_TPM || \
-		   MAINBOARD_HAS_I2C_TPM_ATMEL || \
-		   MAINBOARD_HAS_I2C_TPM_CR50 || \
-		   MAINBOARD_HAS_SPI_TPM || \
-		   MAINBOARD_HAS_CRB_TPM
-	help
-		Enable this option to enable TPM 2.0 support in coreboot.
-
-		If unsure, say N.
-
-endchoice
-
-endif
+	  This option can be selected by a mainboard to represent that its TPM
+	  always uses the 2.0 protocol, and that it should be on by default.
 
 config TPM_DEACTIVATE
 	bool "Deactivate TPM"
diff --git a/src/security/tpm/tss/vendor/cr50/Kconfig b/src/security/tpm/tss/vendor/cr50/Kconfig
index 52c73859d8..c4ecdef2fd 100644
--- a/src/security/tpm/tss/vendor/cr50/Kconfig
+++ b/src/security/tpm/tss/vendor/cr50/Kconfig
@@ -2,6 +2,7 @@
 
 config TPM_CR50
 	bool
+	depends on TPM2
 	default y if MAINBOARD_HAS_I2C_TPM_CR50 || MAINBOARD_HAS_SPI_TPM_CR50
 
 if TPM_CR50