# SPDX-License-Identifier: GPL-2.0-only source "src/security/tpm/tss/vendor/cr50/Kconfig" menu "Trusted Platform Module" config NO_TPM bool default y if !TPM1 && !TPM2 help No TPM support. Select this option if your system doesn't have a TPM, or if you don't want coreboot to communicate with your TPM in any way. (If your board doesn't offer a TPM interface, this will be the only possible option.) config TPM1 bool "TPM 1.2" depends on I2C_TPM || MEMORY_MAPPED_TPM || SPI_TPM || CRB_TPM default y if MAINBOARD_HAS_TPM1 help Select this option if your TPM uses the older TPM 1.2 protocol. config TPM2 bool "TPM 2.0" depends on I2C_TPM || MEMORY_MAPPED_TPM || SPI_TPM || CRB_TPM default y if MAINBOARD_HAS_TPM2 help Select this option if your TPM uses the newer TPM 2.0 protocol. config TPM bool default y depends on TPM1 || TPM2 config MAINBOARD_HAS_TPM1 bool help This option can be selected by a mainboard to represent that its TPM always uses the 1.2 protocol, and that it should be on by default. config MAINBOARD_HAS_TPM2 bool help This option can be selected by a mainboard to represent that its TPM always uses the 2.0 protocol, and that it should be on by default. config TPM_DEACTIVATE bool "Deactivate TPM (for TPM1)" default n depends on !VBOOT depends on TPM1 help Deactivate TPM by issuing deactivate command. config DEBUG_TPM bool "Output verbose TPM debug messages" default n select DRIVER_TPM_DISPLAY_TIS_BYTES if I2C_TPM depends on TPM help This option enables additional TPM related debug messages. config TPM_STARTUP_IGNORE_POSTINIT bool help Select this to ignore POSTINIT INVALID return codes on TPM startup. This is useful on platforms where a previous stage issued a TPM startup. Examples of use cases are Intel TXT or VBOOT on the Intel Arrandale processor, which issues a CPU-only reset during the romstage. config TPM_MEASURED_BOOT bool "Enable Measured Boot" default n select VBOOT_LIB depends on TPM depends on !VBOOT_RETURN_FROM_VERSTAGE help Enables measured boot (experimental) choice prompt "TPM event log format" depends on TPM_MEASURED_BOOT default TPM_LOG_TPM1 if TPM1 default TPM_LOG_TPM2 if TPM2 config TPM_LOG_CB bool "coreboot's custom format" help Custom coreboot-specific format of the log derived from TPM1 log format. config TPM_LOG_TPM1 bool "TPM 1.2 format" depends on TPM1 && !TPM2 help Log per TPM 1.2 specification. See "TCG PC Client Specific Implementation Specification for Conventional BIOS". config TPM_LOG_TPM2 bool "TPM 2.0 format" depends on TPM1 || TPM2 help Log per TPM 2.0 specification. See "TCG PC Client Platform Firmware Profile Specification". endchoice choice prompt "TPM2 hashing algorithm" depends on TPM_MEASURED_BOOT && TPM_LOG_TPM2 default TPM_HASH_SHA1 if TPM1 default TPM_HASH_SHA256 if TPM2 config TPM_HASH_SHA1 bool "SHA1" config TPM_HASH_SHA256 bool "SHA256" config TPM_HASH_SHA384 bool "SHA384" config TPM_HASH_SHA512 bool "SHA512" endchoice config TPM_MEASURED_BOOT_INIT_BOOTBLOCK bool depends on TPM_MEASURED_BOOT && !VBOOT help Initialize TPM inside the bootblock instead of ramstage. This is useful with some form of hardware assisted root of trust measurement like Intel TXT/CBnT. config TPM_MEASURED_BOOT_RUNTIME_DATA string "Runtime data whitelist" default "" depends on TPM_MEASURED_BOOT help Runtime data whitelist of cbfs filenames. Needs to be a space delimited list config PCR_BOOT_MODE int default 0 if CHROMEOS default 1 config PCR_HWID int default 1 config PCR_SRTM int default 2 config PCR_FW_VER int default 10 # PCR for measuring data which changes during runtime # e.g. CMOS, NVRAM... config PCR_RUNTIME_DATA int default 3 endmenu # Trusted Platform Module (tpm) config TPM_SETUP_HIBERNATE_ON_ERR bool depends on EC_GOOGLE_CHROMEEC default y help Select this to force a device to hibernate on the next AP shutdown when a TPM setup error occurs. This will cause a cold boot of the system and offer an opportunity to recover the TPM should it be hung. This is only effective if the Z-State brings the power rail down.