# SPDX-License-Identifier: GPL-2.0-only source "src/security/tpm/tss/vendor/cr50/Kconfig" menu "Trusted Platform Module" choice prompt "Trusted Platform Module" default TPM2 if MAINBOARD_HAS_TPM2 default TPM1 if MAINBOARD_HAS_TPM1 default NO_TPM config NO_TPM bool "No TPM" help No TPM support. Select this option if your system doesn't have a TPM, or if you don't want coreboot to communicate with your TPM in any way. (If your board doesn't offer a TPM interface, this will be the only possible option.) config TPM1 bool "TPM 1.2" depends on I2C_TPM || MEMORY_MAPPED_TPM || SPI_TPM || CRB_TPM depends on !MAINBOARD_HAS_TPM2 help Select this option if your TPM uses the older TPM 1.2 protocol. config TPM2 bool "TPM 2.0" depends on I2C_TPM || MEMORY_MAPPED_TPM || SPI_TPM || CRB_TPM depends on !MAINBOARD_HAS_TPM1 help Select this option if your TPM uses the newer TPM 2.0 protocol. endchoice config TPM bool default y depends on TPM1 || TPM2 config MAINBOARD_HAS_TPM1 bool help This option can be selected by a mainboard to represent that its TPM always uses the 1.2 protocol, and that it should be on by default. config MAINBOARD_HAS_TPM2 bool help This option can be selected by a mainboard to represent that its TPM always uses the 2.0 protocol, and that it should be on by default. config TPM_DEACTIVATE bool "Deactivate TPM" default n depends on !VBOOT depends on TPM1 help Deactivate TPM by issuing deactivate command. config DEBUG_TPM bool "Output verbose TPM debug messages" default n select DRIVER_TPM_DISPLAY_TIS_BYTES if I2C_TPM depends on TPM help This option enables additional TPM related debug messages. config TPM_RDRESP_NEED_DELAY bool "Enable Delay Workaround for TPM" default n depends on MEMORY_MAPPED_TPM help Certain TPMs seem to need some delay when reading response to work around a race-condition-related issue, possibly caused by ill-programmed TPM firmware. config TPM_STARTUP_IGNORE_POSTINIT bool help Select this to ignore POSTINIT INVALID return codes on TPM startup. This is useful on platforms where a previous stage issued a TPM startup. Examples of use cases are Intel TXT or VBOOT on the Intel Arrandale processor, which issues a CPU-only reset during the romstage. config TPM_MEASURED_BOOT bool "Enable Measured Boot" default n select VBOOT_LIB depends on TPM depends on !VBOOT_RETURN_FROM_VERSTAGE help Enables measured boot (experimental) choice prompt "TPM event log format" depends on TPM_MEASURED_BOOT default TPM_LOG_TPM1 if TPM1 default TPM_LOG_TPM2 if TPM2 config TPM_LOG_CB bool "coreboot's custom format" help Custom coreboot-specific format of the log derived from TPM1 log format. config TPM_LOG_TPM1 bool "TPM 1.2 format" depends on TPM1 help Log per TPM 1.2 specification. See "TCG PC Client Specific Implementation Specification for Conventional BIOS". config TPM_LOG_TPM2 bool "TPM 2.0 format" depends on TPM2 help Log per TPM 2.0 specification. See "TCG PC Client Platform Firmware Profile Specification". endchoice choice prompt "TPM2 hashing algorithm" depends on TPM_MEASURED_BOOT && TPM_LOG_TPM2 default TPM_HASH_SHA1 if TPM1 default TPM_HASH_SHA256 if TPM2 config TPM_HASH_SHA1 bool "SHA1" config TPM_HASH_SHA256 bool "SHA256" config TPM_HASH_SHA384 bool "SHA384" config TPM_HASH_SHA512 bool "SHA512" endchoice config TPM_MEASURED_BOOT_INIT_BOOTBLOCK bool depends on TPM_MEASURED_BOOT && !VBOOT help Initialize TPM inside the bootblock instead of ramstage. This is useful with some form of hardware assisted root of trust measurement like Intel TXT/CBnT. config TPM_MEASURED_BOOT_RUNTIME_DATA string "Runtime data whitelist" default "" depends on TPM_MEASURED_BOOT help Runtime data whitelist of cbfs filenames. Needs to be a space delimited list endmenu # Trusted Platform Module (tpm)