#
# TPM subsystem configuration
#
menu "TPM support"
config TPM_V1
bool "TPMv1.x support"
depends on TPM
default y
help
Major TPM versions are not compatible at all, choose either
one or the other. This option enables TPMv1.x drivers/commands.
if TPM_V1
config TPM_TIS_SANDBOX
bool "Enable sandbox TPM driver"
depends on TPM_V1 && SANDBOX
default y
help
This driver emulates a TPMv1.x, providing access to base functions
such as reading and writing TPM private data. This is enough to
support Chrome OS verified boot. Extended functionality is not
implemented.
config TPM_ATMEL_TWI
bool "Enable Atmel TWI TPM device driver"
depends on TPM_V1
help
This driver supports an Atmel TPM device connected on the I2C bus.
The usual tpm operations and the 'tpm' command can be used to talk
to the device using the standard TPM Interface Specification (TIS)
protocol.
config TPM_TIS_INFINEON
bool "Enable support for Infineon SLB9635/45 TPMs on I2C"
depends on TPM_V1 && DM_I2C
help
This driver supports Infineon TPM devices connected on the I2C bus.
The usual tpm operations and the 'tpm' command can be used to talk
to the device using the standard TPM Interface Specification (TIS)
protocol.
config TPM_TIS_I2C_BURST_LIMITATION
bool "Enable I2C burst length limitation"
depends on TPM_TIS_INFINEON
help
Some broken TPMs have a limitation on the number of bytes they can
receive in one message. Enable this option to allow you to set this
option. This can allow a broken TPM to be used by splitting messages
into separate pieces.
config TPM_TIS_I2C_BURST_LIMITATION_LEN
int "Length"
depends on TPM_TIS_I2C_BURST_LIMITATION
help
Use this to set the burst limitation length.
config TPM_TIS_LPC
bool "Enable support for Infineon SLB9635/45 TPMs on LPC"
depends on TPM_V1 && X86
help
This driver supports Infineon TPM devices connected on the LPC bus.
The usual tpm operations and the 'tpm' command can be used to talk
to the device using the standard TPM Interface Specification (TIS)
protocol.
config TPM_AUTH_SESSIONS
bool "Enable TPM authentication session support"
depends on TPM_V1
help
Enable support for authorised (AUTH1) commands as specified in the
TCG Main Specification 1.2. OIAP-authorised versions of the commands
TPM_LoadKey2 and TPM_GetPubKey are provided. Both features are
available using the 'tpm' command, too.
config TPM_ST33ZP24_I2C
bool "STMicroelectronics ST33ZP24 I2C TPM"
depends on TPM_V1 && DM_I2C
---help---
This driver supports STMicroelectronics TPM devices connected on the I2C bus.
The usual tpm operations and the 'tpm' command can be used to talk
to the device using the standard TPM Interface Specification (TIS)
protocol.
config TPM_ST33ZP24_SPI
bool "STMicroelectronics ST33ZP24 SPI TPM"
depends on TPM_V1 && DM_SPI
---help---
This driver supports STMicroelectronics TPM devices connected on the SPI bus.
The usual tpm operations and the 'tpm' command can be used to talk
to the device using the standard TPM Interface Specification (TIS)
protocol.
config TPM_FLUSH_RESOURCES
bool "Enable TPM resource flushing support"
depends on TPM_V1
help
Enable support to flush specific resources (e.g. keys) from the TPM.
The functionality is available via the 'tpm' command as well.
tpm: Add function to load keys via their parent's SHA1 hash
If we want to load a key into a TPM, we need to know the designated parent
key's handle, so that the TPM is able to insert the key at the correct place in
the key hierarchy.
However, if we want to load a key whose designated parent key we also
previously loaded ourselves, we first need to memorize this parent key's handle
(since the handles for the key are chosen at random when they are inserted into
the TPM). If we are, however, unable to do so, for example if the parent key is
loaded into the TPM during production, and its child key during the actual
boot, we must find a different mechanism to identify the parent key.
To solve this problem, we add a function that allows U-Boot to load a key into
the TPM using their designated parent key's SHA1 hash, and the corresponding
auth data.
Signed-off-by: Mario Six <mario.six@gdsys.cc>
Reviewed-by: Simon Glass <sjg@chromium.org>
config TPM_LOAD_KEY_BY_SHA1
bool "Enable TPM key loading by SHA1 support"
depends on TPM_V1
help
Enable support to load keys into the TPM by identifying
their parent via the public key's SHA1 hash.
The functionality is available via the 'tpm' command as well.
config TPM_LIST_RESOURCES
bool "Enable TPM resource listing support"
depends on TPM_V1
help
Enable support to list specific resources (e.g. keys) within the TPM.
The functionality is available via the 'tpm' command as well.
endif # TPM_V1
config TPM_V2
bool "TPMv2.x support"
depends on TPM
default y
help
Major TPM versions are not compatible at all, choose either
one or the other. This option enables TPMv2.x drivers/commands.
if TPM_V2
config TPM2_CR50_I2C
bool "Enable support for Google cr50 TPM"
depends on DM_I2C
help
Cr50 is an implementation of a TPM on Google's H1 security chip.
This uses the same open-source firmware as the Chromium OS EC.
While Cr50 has other features, its primary role is as the root of
trust for a device. It operates like a TPM and can be used with
verified boot. Cr50 is used on recent Chromebooks (since 2017).
config SPL_TPM2_CR50_I2C
bool "Enable support for Google cr50 TPM"
depends on DM_I2C && SPL_TPM
help
Cr50 is an implementation of a TPM on Google's H1 security chip.
This uses the same open-source firmware as the Chromium OS EC.
While Cr50 has other features, its primary role is as the root of
trust for a device. It operates like a TPM and can be used with
verified boot. Cr50 is used on recent Chromebooks (since 2017).
config TPL_TPM2_CR50_I2C
bool "Enable support for Google cr50 TPM"
depends on DM_I2C && TPL_TPM
help
Cr50 is an implementation of a TPM on Google's H1 security chip.
This uses the same open-source firmware as the Chromium OS EC.
While Cr50 has other features, its primary role is as the root of
trust for a device. It operates like a TPM and can be used with
verified boot. Cr50 is used on recent Chromebooks (since 2017).
config VPL_TPM2_CR50_I2C
bool "Enable support for Google cr50 TPM"
depends on DM_I2C && VPL_TPM
help
Cr50 is an implementation of a TPM on Google's H1 security chip.
This uses the same open-source firmware as the Chromium OS EC.
While Cr50 has other features, its primary role is as the root of
trust for a device. It operates like a TPM and can be used with
verified boot. Cr50 is used on recent Chromebooks (since 2017).
config TPM2_TIS_SANDBOX
bool "Enable sandbox TPMv2.x driver"
depends on TPM_V2 && SANDBOX
default y
help
This driver emulates a TPMv2.x, providing access to base functions
such as basic configuration, PCR extension and PCR read. Extended
functionalities are not implemented.
config TPM2_TIS_SPI
bool "Enable support for TPMv2.x SPI chips"
depends on TPM_V2 && DM_SPI
help
This driver supports TPMv2.x devices connected on the SPI bus.
The usual TPM operations and the 'tpm' command can be used to talk
to the device using the standard TPM Interface Specification (TIS)
protocol.
config TPM2_TIS_I2C
bool "Enable support for TPMv2.x I2C chips"
depends on TPM_V2 && DM_I2C
help
This driver supports TPMv2.x devices connected on the I2C bus.
The usual TPM operations and the 'tpm' command can be used to talk
to the device using the standard TPM Interface Specification (TIS)
protocol.
config TPM2_FTPM_TEE
bool "TEE based fTPM Interface"
depends on TEE && OPTEE && TPM_V2
help
This driver supports a firmware TPM (fTPM) running in a TEE.
config TPM2_MMIO
bool "MMIO based TPM2 Interface"
depends on TPM_V2
help
This driver supports a firmware TPM 2.0 MMIO interface.
The usual TPM operations and the 'tpm' command can be used to talk
to the device using the standard TPM Interface Specification (TIS)
protocol.
endif # TPM_V2
endmenu