From 6f8e9443aa55ad27045fb437fd8df3386d66ba3e Mon Sep 17 00:00:00 2001
From: Arthur Heymans
Date: Mon, 29 Mar 2021 14:23:53 +0200
Subject: security/tpm: Add option to init TPM in bootblock

When using a hardware assisted root of trust measurement, like Intel TXT/CBnT, the TPM init needs to happen inside the bootblock to form a proper chain of trust.

Change-Id: Ifacba5d9ab19b47968b4f2ed5731ded4aac55022
Signed-off-by: Arthur Heymans
Reviewed-on: https://review.coreboot.org/c/coreboot/+/51923
Reviewed-by: Christian Walter
Reviewed-by: Angel Pons
Tested-by: build bot (Jenkins)
---
 src/security/intel/cbnt/Kconfig | 1 +
 1 file changed, 1 insertion(+)
(limited to 'src/security/intel')

diff --git a/src/security/intel/cbnt/Kconfig b/src/security/intel/cbnt/Kconfig
index 415092b6c2..9208ab42ce 100644
--- a/src/security/intel/cbnt/Kconfig
+++ b/src/security/intel/cbnt/Kconfig
@@ -8,6 +8,7 @@ config INTEL_CBNT_SUPPORT
 select INTEL_TXT
 # With CBnT the bootblock is set up as a CBnT IBB and needs a fixed size
 select FIXED_BOOTBLOCK_SIZE
+select TPM_MEASURED_BOOT_INIT_BOOTBLOCK if TPM_MEASURED_BOOT
 help
 Enables Intel Converged Bootguard and Trusted Execution Technology
 Support. This will enable one to add a Key Manifest (KM) and a Boot
--
cgit v1.2.3
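Review bot: The added `select TPM_MEASURED_BOOT_INIT_BOOTBLOCK if TPM_MEASURED_BOOT` has no explanatory comment, unlike the `select FIXED_BOOTBLOCK_SIZE` line directly above it, so a reader of this Kconfig cannot tell why CBnT forces TPM initialisation into the bootblock. I would put, on the line before it, `# The bootblock is the CBnT IBB, so the TPM must be initialised there to keep the chain of trust unbroken` — the reasoning is stated in the commit message but not in the file. Note also that `select` does not honour the selected symbol's own `depends on`, so if TPM_MEASURED_BOOT_INIT_BOOTBLOCK (defined outside this diff, in security/tpm) requires bootblock-resident TPM driver support, a configuration enabling INTEL_CBNT_SUPPORT plus TPM_MEASURED_BOOT without it would be forced into an unmet-dependency state rather than failing cleanly; worth confirming against that symbol's definition. The `config INTEL_CBNT_SUPPORT` entry starts before the hunk and its help text continues past it.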