blob: 144deeda9e9a450bae448f0dbbbd1a230adb95fd (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
|
config PLATFORM_SUPPORTS_STM
bool
depends on SMM_TSEG
config STM
bool "Enable STM"
default n
depends on PLATFORM_SUPPORTS_STM
select USE_BLOBS
help
Enabling the STM will load a simple hypervisor into SMM that will
restrict the actions of the SMI handler, which is the part of BIOS
that functions in system management mode (SMM). The kernel can
configure the STM to prevent the SMI handler from accessing platform
resources.
The STM closes a vulnerability in Intel TXT (D-RTM)
The SMI handler provides a list of platform resources that it
requires access to the STM during STM startup, which the kernel
cannot override.
An additional capability, called STM-PE, provides a protected
execution capability that allows modules to be executed without
observation and interference. Examples of usage include kernel
introspection and virtualized trusted platform module (vTPM).
Requirement: SMM must be enabled and there must be sufficient room
within the TSEG to fit the MSEG.
if STM
menu "SMI Transfer Monitor (STM)"
config MSEG_SIZE
hex "mseg size"
default 0x400000
help
STM only - 0x100000
STM/PE - 0x300000+ depending on the amount of memory needed
for the protected execution virtual
machine (VM/PE)
config BIOS_RESOURCE_LIST_SIZE
hex "bios_resource_list_size"
default 0x1000
config STM_BINARY_FILE
string "STM binary file"
default "3rdparty/blobs/cpu/intel/stm/stm.bin"
endmenu #STM
endif
|