[coreboot] How is CONFIG_TPM selected?
Trammell Hudson
hudson at trmm.net
Tue Aug 16 16:30:47 CEST 2016
On Mon, Aug 15, 2016 at 03:54:49PM -0700, Julius Werner wrote:
> I think the answer is that CONFIG_TPM doesn't do anything by itself
> (it just compiles extra libraries that offer functions to access
> TPMs), so there's no point in selecting it directly from menuconfig.
> Any feature that uses the TPM (like CONFIG_VBOOT) should have its own
> Kconfig option that you select through menuconfig and which just has a
> 'select TPM' clause to pull in those libraries.
Ah, I see. That makes more sense.
> [...]
> So if you're adding anything new that wants to use tlcl functions, you
> should give it its own Kconfig option that does 'select TPM'.
That's what I'll do. Thanks for the insight.

On a related topic, is there a reason to wait to enable the TPM? Looking
at src/northbridge/intel/sandybridge/romstage.c, it isn't enabled until
after the MRC cache has been read from the read-write portions of the
flash chip, which could potentially compromise the root of trust.
--
Trammell