summaryrefslogtreecommitdiff
path: root/src/security/tpm/Kconfig
blob: 377d6dcb88799cc2bb5c2d9b5c44cc1396c9e90d (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
# SPDX-License-Identifier: GPL-2.0-only

source "src/security/tpm/tss/vendor/cr50/Kconfig"

menu "Trusted Platform Module"

config NO_TPM
	bool
	default y if !TPM1 && !TPM2
	help
	  No TPM support. Select this option if your system doesn't have a TPM,
	  or if you don't want coreboot to communicate with your TPM in any way.
	  (If your board doesn't offer a TPM interface, this will be the only
	  possible option.)

config TPM1
	bool "TPM 1.2"
	depends on I2C_TPM || MEMORY_MAPPED_TPM || SPI_TPM || CRB_TPM
	default y if MAINBOARD_HAS_TPM1
	help
	  Select this option if your TPM uses the older TPM 1.2 protocol.

config TPM2
	bool "TPM 2.0"
	depends on I2C_TPM || MEMORY_MAPPED_TPM || SPI_TPM || CRB_TPM
	default y if MAINBOARD_HAS_TPM2
	help
	  Select this option if your TPM uses the newer TPM 2.0 protocol.

config TPM
	bool
	default y
	depends on TPM1 || TPM2

config MAINBOARD_HAS_TPM1
	bool
	help
	  This option can be selected by a mainboard to represent that its TPM
	  always uses the 1.2 protocol, and that it should be on by default.

config MAINBOARD_HAS_TPM2
	bool
	help
	  This option can be selected by a mainboard to represent that its TPM
	  always uses the 2.0 protocol, and that it should be on by default.

config TPM_DEACTIVATE
	bool "Deactivate TPM (for TPM1)"
	default n
	depends on !VBOOT
	depends on TPM1
	help
	  Deactivate TPM by issuing deactivate command.

config DEBUG_TPM
	bool "Output verbose TPM debug messages"
	default n
	select DRIVER_TPM_DISPLAY_TIS_BYTES if I2C_TPM
	depends on TPM
	help
	  This option enables additional TPM related debug messages.

config TPM_STARTUP_IGNORE_POSTINIT
	bool
	help
	  Select this to ignore POSTINIT INVALID return codes on TPM
	  startup. This is useful on platforms where a previous stage
	  issued a TPM startup. Examples of use cases are Intel TXT
	  or VBOOT on the Intel Arrandale processor, which issues a
	  CPU-only reset during the romstage.

config TPM_MEASURED_BOOT
	bool "Enable Measured Boot"
	default n
	select VBOOT_LIB
	depends on TPM
	depends on !VBOOT_RETURN_FROM_VERSTAGE
	help
	  Enables measured boot (experimental)

choice
	prompt "TPM event log format"
	depends on TPM_MEASURED_BOOT
	default TPM_LOG_TPM1 if TPM1
	default TPM_LOG_TPM2 if TPM2

config TPM_LOG_CB
	bool "coreboot's custom format"
	help
	  Custom coreboot-specific format of the log derived from TPM1 log format.
config TPM_LOG_TPM1
	bool "TPM 1.2 format"
	depends on TPM1 && !TPM2
	help
	  Log per TPM 1.2 specification.
	  See "TCG PC Client Specific Implementation Specification for Conventional BIOS".
config TPM_LOG_TPM2
	bool "TPM 2.0 format"
	depends on TPM1 || TPM2
	help
	  Log per TPM 2.0 specification.
	  See "TCG PC Client Platform Firmware Profile Specification".

endchoice

choice
	prompt "TPM2 hashing algorithm"
	depends on TPM_MEASURED_BOOT && TPM_LOG_TPM2
	default TPM_HASH_SHA1 if TPM1
	default TPM_HASH_SHA256 if TPM2

config TPM_HASH_SHA1
	bool "SHA1"
config TPM_HASH_SHA256
	bool "SHA256"
config TPM_HASH_SHA384
	bool "SHA384"
config TPM_HASH_SHA512
	bool "SHA512"

endchoice

config TPM_MEASURED_BOOT_INIT_BOOTBLOCK
	bool
	depends on TPM_MEASURED_BOOT && !VBOOT
	help
	  Initialize TPM inside the bootblock instead of ramstage. This is
	  useful with some form of hardware assisted root of trust
	  measurement like Intel TXT/CBnT.

config TPM_MEASURED_BOOT_RUNTIME_DATA
	string "Runtime data whitelist"
	default ""
	depends on TPM_MEASURED_BOOT
	help
	  Runtime data whitelist of cbfs filenames. Needs to be a
	  space delimited list

config PCR_BOOT_MODE
	int
	default 0 if CHROMEOS
	default 1

config PCR_HWID
	int
	default 1

config PCR_SRTM
	int
	default 2

config PCR_FW_VER
	int
	default 10

# PCR for measuring data which changes during runtime
# e.g. CMOS, NVRAM...
config PCR_RUNTIME_DATA
	int
	default 3

endmenu # Trusted Platform Module (tpm)

config TPM_SETUP_HIBERNATE_ON_ERR
	bool
	depends on EC_GOOGLE_CHROMEEC
	default y
	help
	  Select this to force a device to hibernate on the next AP shutdown when a TPM
	  setup error occurs. This will cause a cold boot of the system and offer an
	  opportunity to recover the TPM should it be hung. This is only effective if
	  the Z-State brings the power rail down.