tpm: Remove USER_TPMx options, make TPM1/TPM2 menuconfig visible

We would like to have an easy way to completely disable TPM support on a board. For boards that don't pre-select a TPM protocol via the MAINBOARD_HAS_TPMx options, this is already possible with the USER_NO_TPM option. In order to make this available for all boards, this patch just removes the whole USER_TPMx option group and directly makes the TPM1 and TPM2 options visible to menuconfig. The MAINBOARD_HAS_TPMx options can still be used to select defaults and to prevent selection of a protocol that the TPM is known to not support, but the NO_TPM option always remains available. Also fix some mainboards that selected TPM2 directly, which they're not supposed to do (that's what MAINBOARD_HAS_TPM2 is for), and add a missing dependency to TPM_CR50 so it is set correctly for a NO_TPM scenario. Signed-off-by: Julius Werner <jwerner@chromium.org> Change-Id: Ib0a73da3c42fa4e8deffecb53f29ee38cbb51a93 Reviewed-on: https://review.coreboot.org/c/coreboot/+/54641 Tested-by: build bot (Jenkins) <no-reply@coreboot.org> Reviewed-by: Aaron Durbin <adurbin@chromium.org> Reviewed-by: Christian Walter <christian.walter@9elements.com>
2021-05-18 17:15:50 -07:00 · 2021-05-18 17:15:50 -07:00 · 8ad93797d6
parent 9d8a5ba128
commit 8ad93797d6
6 changed files with 33 additions and 43 deletions
--- a/configs/config.asrock_b85m_pro4.tpm2_txt_placeholder_acms
+++ b/configs/config.asrock_b85m_pro4.tpm2_txt_placeholder_acms
@ -3,7 +3,7 @@
 # Used ACMs were extracted from a Supermicro X10SLH firmware update.
 CONFIG_VENDOR_ASROCK=y
 CONFIG_BOARD_ASROCK_B85M_PRO4=y
-CONFIG_USER_TPM2=y
+CONFIG_TPM2=y
 CONFIG_INTEL_TXT=y
 CONFIG_INTEL_TXT_BIOSACM_FILE="3rdparty/blobs/cpu/intel/stm/stm.bin"
 CONFIG_INTEL_TXT_SINITACM_FILE="3rdparty/blobs/cpu/intel/stm/stm.bin"
--- a/configs/config.libretrend_lt1000
+++ b/configs/config.libretrend_lt1000
@ -1,5 +1,5 @@
 CONFIG_VENDOR_LIBRETREND=y
 CONFIG_POWER_STATE_OFF_AFTER_FAILURE=y
 CONFIG_GENERIC_LINEAR_FRAMEBUFFER=y
-CONFIG_USER_TPM2=y
+CONFIG_TPM2=y
 CONFIG_SEABIOS_ADD_SERCON_PORT_FILE=y
--- a/src/mainboard/google/drallion/Kconfig
+++ b/src/mainboard/google/drallion/Kconfig
@ -21,7 +21,6 @@ config BOARD_GOOGLE_BASEBOARD_DRALLION
 	select SOC_INTEL_COMMON_BLOCK_HDA_VERB
 	select SOC_INTEL_COMMON_BLOCK_SMM_ESPI_DISABLE
 	select SYSTEM_TYPE_LAPTOP
 	select TPM2
 	select MAINBOARD_USES_IFD_EC_REGION
 	select HAVE_SPD_IN_CBFS
--- a/src/mainboard/protectli/vault_kbl/Kconfig
+++ b/src/mainboard/protectli/vault_kbl/Kconfig
@ -13,7 +13,7 @@ config BOARD_SPECIFIC_OPTIONS
 	select SUPERIO_ITE_IT8772F
 	select MAINBOARD_HAS_CRB_TPM
 	select HAVE_INTEL_PTT
-	select TPM2
+	select MAINBOARD_HAS_TPM2
 config IRQ_SLOT_COUNT
 	int
--- a/src/security/tpm/Kconfig
+++ b/src/security/tpm/Kconfig
@ -4,22 +4,42 @@ source "src/security/tpm/tss/vendor/cr50/Kconfig"
 menu "Trusted Platform Module"
 choice
 	prompt "Trusted Platform Module"
 	default TPM2 if MAINBOARD_HAS_TPM2
 	default TPM1 if MAINBOARD_HAS_TPM1
 	default NO_TPM
 config NO_TPM
 	bool "No TPM"
 	help
 	  No TPM support. Select this option if your system doesn't have a TPM,
 	  or if you don't want coreboot to communicate with your TPM in any way.
 	  (If your board doesn't offer a TPM interface, this will be the only
 	  possible option.)
 config TPM1
-	bool
+	bool "TPM 1.2"
 	default y if MAINBOARD_HAS_TPM1 || USER_TPM1
 	depends on MAINBOARD_HAS_LPC_TPM || \
 		   MAINBOARD_HAS_I2C_TPM_GENERIC || \
 		   MAINBOARD_HAS_I2C_TPM_ATMEL
 	depends on !MAINBOARD_HAS_TPM2
 	help
 	  Select this option if your TPM uses the older TPM 1.2 protocol.
 config TPM2
-	bool
+	bool "TPM 2.0"
 	default y if MAINBOARD_HAS_TPM2 || USER_TPM2
 	depends on MAINBOARD_HAS_I2C_TPM_GENERIC || \
 		   MAINBOARD_HAS_LPC_TPM || \
 		   MAINBOARD_HAS_I2C_TPM_ATMEL || \
 		   MAINBOARD_HAS_I2C_TPM_CR50 || \
 		   MAINBOARD_HAS_SPI_TPM || \
 		   MAINBOARD_HAS_CRB_TPM
 	depends on !MAINBOARD_HAS_TPM1
 	help
 	  Select this option if your TPM uses the newer TPM 2.0 protocol.
 endchoice
 config TPM
 	bool
@ -28,45 +48,15 @@ config TPM
 config MAINBOARD_HAS_TPM1
 	bool
 	help
 	  This option can be selected by a mainboard to represent that its TPM
 	  always uses the 1.2 protocol, and that it should be on by default.
 config MAINBOARD_HAS_TPM2
 	bool
 if !MAINBOARD_HAS_TPM1 && !MAINBOARD_HAS_TPM2
 choice
 	prompt "Trusted Platform Module"
 	default USER_NO_TPM
 config USER_NO_TPM
 	bool "disabled"
 config USER_TPM1
 	bool "1.2"
 	depends on MAINBOARD_HAS_LPC_TPM || \
 		   MAINBOARD_HAS_I2C_TPM_GENERIC || \
 		   MAINBOARD_HAS_I2C_TPM_ATMEL
 	help
-		Enable this option to enable TPM 1.0 - 1.2 support in coreboot.
+	  This option can be selected by a mainboard to represent that its TPM
-
+	  always uses the 2.0 protocol, and that it should be on by default.
 		If unsure, say N.
 config USER_TPM2
 	bool "2.0"
 	depends on MAINBOARD_HAS_I2C_TPM_GENERIC || \
 		   MAINBOARD_HAS_LPC_TPM || \
 		   MAINBOARD_HAS_I2C_TPM_ATMEL || \
 		   MAINBOARD_HAS_I2C_TPM_CR50 || \
 		   MAINBOARD_HAS_SPI_TPM || \
 		   MAINBOARD_HAS_CRB_TPM
 	help
 		Enable this option to enable TPM 2.0 support in coreboot.
 		If unsure, say N.
 endchoice
 endif
 config TPM_DEACTIVATE
 	bool "Deactivate TPM"
--- a/src/security/tpm/tss/vendor/cr50/Kconfig
+++ b/src/security/tpm/tss/vendor/cr50/Kconfig
@ -2,6 +2,7 @@
 config TPM_CR50
 	bool
 	depends on TPM2
 	default y if MAINBOARD_HAS_I2C_TPM_CR50 || MAINBOARD_HAS_SPI_TPM_CR50
 if TPM_CR50