1# SPDX-License-Identifier: GPL-2.0-only 2 3source "src/security/tpm/tss/vendor/cr50/Kconfig" 4 5menu "Trusted Platform Module" 6 7config NO_TPM 8 bool 9 default y if !TPM1 && !TPM2 10 help 11 No TPM support. Select this option if your system doesn't have a TPM, 12 or if you don't want coreboot to communicate with your TPM in any way. 13 (If your board doesn't offer a TPM interface, this will be the only 14 possible option.) 15 16config TPM1 17 bool "TPM 1.2" 18 depends on I2C_TPM || MEMORY_MAPPED_TPM || SPI_TPM || CRB_TPM 19 default y if MAINBOARD_HAS_TPM1 20 help 21 Select this option if your TPM uses the older TPM 1.2 protocol. 22 23config TPM2 24 bool "TPM 2.0" 25 depends on I2C_TPM || MEMORY_MAPPED_TPM || SPI_TPM || CRB_TPM 26 default y if MAINBOARD_HAS_TPM2 27 help 28 Select this option if your TPM uses the newer TPM 2.0 protocol. 29 30config TPM 31 bool 32 default y 33 depends on TPM1 || TPM2 34 35config MAINBOARD_HAS_TPM1 36 bool 37 help 38 This option can be selected by a mainboard to represent that its TPM 39 always uses the 1.2 protocol, and that it should be on by default. 40 41config MAINBOARD_HAS_TPM2 42 bool 43 help 44 This option can be selected by a mainboard to represent that its TPM 45 always uses the 2.0 protocol, and that it should be on by default. 46 47config TPM_DEACTIVATE 48 bool "Deactivate TPM (for TPM1)" 49 default n 50 depends on !VBOOT 51 depends on TPM1 52 help 53 Deactivate TPM by issuing deactivate command. 54 55config DEBUG_TPM 56 bool "Output verbose TPM debug messages" 57 default n 58 select DRIVER_TPM_DISPLAY_TIS_BYTES if I2C_TPM 59 depends on TPM 60 help 61 This option enables additional TPM related debug messages. 62 63config TPM_RDRESP_NEED_DELAY 64 bool "Enable Delay Workaround for TPM" 65 default n 66 depends on MEMORY_MAPPED_TPM 67 help 68 Certain TPMs seem to need some delay when reading response 69 to work around a race-condition-related issue, possibly 70 caused by ill-programmed TPM firmware. 71 72config TPM_STARTUP_IGNORE_POSTINIT 73 bool 74 help 75 Select this to ignore POSTINIT INVALID return codes on TPM 76 startup. This is useful on platforms where a previous stage 77 issued a TPM startup. Examples of use cases are Intel TXT 78 or VBOOT on the Intel Arrandale processor, which issues a 79 CPU-only reset during the romstage. 80 81config TPM_MEASURED_BOOT 82 bool "Enable Measured Boot" 83 default n 84 select VBOOT_LIB 85 depends on TPM 86 depends on !VBOOT_RETURN_FROM_VERSTAGE 87 help 88 Enables measured boot (experimental) 89 90choice 91 prompt "TPM event log format" 92 depends on TPM_MEASURED_BOOT 93 default TPM_LOG_TPM1 if TPM1 94 default TPM_LOG_TPM2 if TPM2 95 96config TPM_LOG_CB 97 bool "coreboot's custom format" 98 help 99 Custom coreboot-specific format of the log derived from TPM1 log format. 100config TPM_LOG_TPM1 101 bool "TPM 1.2 format" 102 depends on TPM1 && !TPM2 103 help 104 Log per TPM 1.2 specification. 105 See "TCG PC Client Specific Implementation Specification for Conventional BIOS". 106config TPM_LOG_TPM2 107 bool "TPM 2.0 format" 108 depends on TPM1 || TPM2 109 help 110 Log per TPM 2.0 specification. 111 See "TCG PC Client Platform Firmware Profile Specification". 112 113endchoice 114 115choice 116 prompt "TPM2 hashing algorithm" 117 depends on TPM_MEASURED_BOOT && TPM_LOG_TPM2 118 default TPM_HASH_SHA1 if TPM1 119 default TPM_HASH_SHA256 if TPM2 120 121config TPM_HASH_SHA1 122 bool "SHA1" 123config TPM_HASH_SHA256 124 bool "SHA256" 125config TPM_HASH_SHA384 126 bool "SHA384" 127config TPM_HASH_SHA512 128 bool "SHA512" 129 130endchoice 131 132config TPM_MEASURED_BOOT_INIT_BOOTBLOCK 133 bool 134 depends on TPM_MEASURED_BOOT && !VBOOT 135 help 136 Initialize TPM inside the bootblock instead of ramstage. This is 137 useful with some form of hardware assisted root of trust 138 measurement like Intel TXT/CBnT. 139 140config TPM_MEASURED_BOOT_RUNTIME_DATA 141 string "Runtime data whitelist" 142 default "" 143 depends on TPM_MEASURED_BOOT 144 help 145 Runtime data whitelist of cbfs filenames. Needs to be a 146 space delimited list 147 148config PCR_BOOT_MODE 149 int 150 default 0 if CHROMEOS 151 default 1 152 153config PCR_HWID 154 int 155 default 1 156 157config PCR_SRTM 158 int 159 default 2 160 161config PCR_FW_VER 162 int 163 default 10 164 165# PCR for measuring data which changes during runtime 166# e.g. CMOS, NVRAM... 167config PCR_RUNTIME_DATA 168 int 169 default 3 170 171endmenu # Trusted Platform Module (tpm) 172 173config TPM_SETUP_HIBERNATE_ON_ERR 174 bool 175 depends on EC_GOOGLE_CHROMEEC 176 default y 177 help 178 Select this to force a device to hibernate on the next AP shutdown when a TPM 179 setup error occurs. This will cause a cold boot of the system and offer an 180 opportunity to recover the TPM should it be hung. This is only effective if 181 the Z-State brings the power rail down. 182