Add an x86 Kconfig option for compiling in/out the Secure Launch feature. Secure Launch is controlled by a single on/off boolean.
Signed-off-by: Ross Philipson <[email protected]> --- arch/x86/Kconfig | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig index e2df1b147184..fd9edb0651d9 100644 --- a/arch/x86/Kconfig +++ b/arch/x86/Kconfig @@ -1989,6 +1989,21 @@ config EFI_RUNTIME_MAP See also Documentation/ABI/testing/sysfs-firmware-efi-runtime-map. +config SECURE_LAUNCH + bool "Secure Launch DRTM support" + depends on X86_64 && X86_X2APIC && TCG_TIS && TCG_CRB + select CRYPTO_LIB_SHA1 + select CRYPTO_LIB_SHA256 + select CRYPTO_LIB_SHA512 + help + The Secure Launch feature allows a kernel to be launched directly + through a vendor neutral DRTM (Dynamic Root of Trust for Measurement) + solution, with Intel TXT being one example. The DRTM establishes an + environment where the CPU measures the kernel image, employing the TPM, + before starting it. Secure Launch then continues the measurement chain + over kernel configuration information and other launch artifacts (e.g. + any initramfs image). + source "kernel/Kconfig.hz" config ARCH_SUPPORTS_KEXEC -- 2.47.3
