# SPDX-License-Identifier: GPL-2.0-only

source "src/security/tpm/tss/vendor/cr50/Kconfig"

menu "Trusted Platform Module"

config NO_TPM
	bool
	default y if !TPM1 && !TPM2
	help
	  No TPM support. Select this option if your system doesn't have a TPM,
	  or if you don't want coreboot to communicate with your TPM in any way.
	  (If your board doesn't offer a TPM interface, this will be the only
	  possible option.)

config TPM1
	bool "TPM 1.2"
	depends on I2C_TPM || MEMORY_MAPPED_TPM || SPI_TPM || CRB_TPM
	default y if MAINBOARD_HAS_TPM1
	help
	  Select this option if your TPM uses the older TPM 1.2 protocol.

config TPM2
	bool "TPM 2.0"
	depends on I2C_TPM || MEMORY_MAPPED_TPM || SPI_TPM || CRB_TPM
	default y if MAINBOARD_HAS_TPM2
	help
	  Select this option if your TPM uses the newer TPM 2.0 protocol.

config TPM
	bool
	default y
	depends on TPM1 || TPM2

config MAINBOARD_HAS_TPM1
	bool
	help
	  This option can be selected by a mainboard to represent that its TPM
	  always uses the 1.2 protocol, and that it should be on by default.

config MAINBOARD_HAS_TPM2
	bool
	help
	  This option can be selected by a mainboard to represent that its TPM
	  always uses the 2.0 protocol, and that it should be on by default.

config TPM_DEACTIVATE
	bool "Deactivate TPM (for TPM1)"
	default n
	depends on !VBOOT
	depends on TPM1
	help
	  Deactivate TPM by issuing deactivate command.

config DEBUG_TPM
	bool "Output verbose TPM debug messages"
	default n
	select DRIVER_TPM_DISPLAY_TIS_BYTES if I2C_TPM
	depends on TPM
	help
	  This option enables additional TPM related debug messages.

config TPM_RDRESP_NEED_DELAY
	bool "Enable Delay Workaround for TPM"
	default n
	depends on MEMORY_MAPPED_TPM
	help
	  Certain TPMs seem to need some delay when reading response
	  to work around a race-condition-related issue, possibly
	  caused by ill-programmed TPM firmware.

config TPM_STARTUP_IGNORE_POSTINIT
	bool
	help
	  Select this to ignore POSTINIT INVALID return codes on TPM
	  startup. This is useful on platforms where a previous stage
	  issued a TPM startup. Examples of use cases are Intel TXT
	  or VBOOT on the Intel Arrandale processor, which issues a
	  CPU-only reset during the romstage.

config TPM_MEASURED_BOOT
	bool "Enable Measured Boot"
	default n
	select VBOOT_LIB
	depends on TPM
	depends on !VBOOT_RETURN_FROM_VERSTAGE
	help
	  Enables measured boot (experimental)

choice
	prompt "TPM event log format"
	depends on TPM_MEASURED_BOOT
	default TPM_LOG_TPM1 if TPM1
	default TPM_LOG_TPM2 if TPM2

config TPM_LOG_CB
	bool "coreboot's custom format"
	help
	  Custom coreboot-specific format of the log derived from TPM1 log format.
config TPM_LOG_TPM1
	bool "TPM 1.2 format"
	depends on TPM1 && !TPM2
	help
	  Log per TPM 1.2 specification.
	  See "TCG PC Client Specific Implementation Specification for Conventional BIOS".
config TPM_LOG_TPM2
	bool "TPM 2.0 format"
	depends on TPM1 || TPM2
	help
	  Log per TPM 2.0 specification.
	  See "TCG PC Client Platform Firmware Profile Specification".

endchoice

choice
	prompt "TPM2 hashing algorithm"
	depends on TPM_MEASURED_BOOT && TPM_LOG_TPM2
	default TPM_HASH_SHA1 if TPM1
	default TPM_HASH_SHA256 if TPM2

config TPM_HASH_SHA1
	bool "SHA1"
config TPM_HASH_SHA256
	bool "SHA256"
config TPM_HASH_SHA384
	bool "SHA384"
config TPM_HASH_SHA512
	bool "SHA512"

endchoice

config TPM_MEASURED_BOOT_INIT_BOOTBLOCK
	bool
	depends on TPM_MEASURED_BOOT && !VBOOT
	help
	  Initialize TPM inside the bootblock instead of ramstage. This is
	  useful with some form of hardware assisted root of trust
	  measurement like Intel TXT/CBnT.

config TPM_MEASURED_BOOT_RUNTIME_DATA
	string "Runtime data whitelist"
	default ""
	depends on TPM_MEASURED_BOOT
	help
	  Runtime data whitelist of cbfs filenames. Needs to be a
	  space delimited list

config PCR_BOOT_MODE
	int
	default 0 if CHROMEOS
	default 1

config PCR_HWID
	int
	default 1

config PCR_SRTM
	int
	default 2

config PCR_FW_VER
	int
	default 10

# PCR for measuring data which changes during runtime
# e.g. CMOS, NVRAM...
config PCR_RUNTIME_DATA
	int
	default 3

endmenu # Trusted Platform Module (tpm)

config TPM_SETUP_HIBERNATE_ON_ERR
	bool
	depends on EC_GOOGLE_CHROMEEC
	default y
	help
	  Select this to force a device to hibernate on the next AP shutdown when a TPM
	  setup error occurs. This will cause a cold boot of the system and offer an
	  opportunity to recover the TPM should it be hung. This is only effective if
	  the Z-State brings the power rail down.