| blob | 8f1774896eaa5ded320e70cce75edb1d1f99077e |
1 ## SPDX-License-Identifier: GPL-2.0-only
3 config STM
4 bool "Enable STM"
5 default n
6 depends on ENABLE_VMX
7 depends on SMM_TSEG
9 help
10 Enabling the STM will load a simple hypervisor into SMM that will
11 restrict the actions of the SMI handler, which is the part of BIOS
12 that functions in system management mode (SMM). The kernel can
13 configure the STM to prevent the SMI handler from accessing platform
14 resources.
15 The STM closes a vulnerability in Intel TXT (D-RTM)
16 The SMI handler provides a list of platform resources that it
17 requires access to the STM during STM startup, which the kernel
18 cannot override.
19 An additional capability, called STM-PE, provides a protected
20 execution capability that allows modules to be executed without
21 observation and interference. Examples of usage include kernel
22 introspection and virtualized trusted platform module (vTPM).
23 Requirement: SMM must be enabled and there must be sufficient room
24 within the TSEG to fit the MSEG.
26 if STM
28 menu "SMI Transfer Monitor (STM)"
30 config MSEG_SIZE
31 hex "mseg size"
32 default 0x100000
33 help
34 The MSEG_SIZE of 0x100000 assumes that:
35 IED_REGION_SIZE = 0x400000
36 SMM_RESERVED_SIZE = 0x200000
37 SMM_TSEG_SIZE = 0x800000
39 To use STM/PE, a larger MSEG_SIZE is necessary. This can be
40 done by either increasing SMM_TSEG_SIZE or reducing the
41 IED_REGION_SIZE and/or SMM_RESERVED_SIZE or some combination
42 of the three.
43 NOTE: The authors experience is that these configuration
44 parameters have to be changed at the soc Konfig for them to
45 be applied.
46 Minimum sizes:
47 STM only - 0x100000 - Supports up to 38 processor threads
48 - 0x200000 - Supports up to 102 processor threads
49 STM/PE - 0x300000+ depending on the amount of memory needed
50 for the protected execution virtual
51 machine (VM/PE)
53 config STM_STMPE_ENABLED
54 bool "STM/PE Enabled"
55 default n
56 help
57 STM/PE provides for additional virtual machines in SMRAM
58 that provides a protected execution environment for
59 applications such as introspection, which need to be
60 protected from malicious code. More information can be
61 found on the stmpe branch of
62 https://review.coreboot.org/STM
65 config BIOS_RESOURCE_LIST_SIZE
66 hex "bios resource list size"
67 default 0x1000
68 help
69 The BIOS resource list defines the resources that the
70 SMI handler needs. This list is created during the
71 coreboot bootup. Unless there has been a lot of elements
72 added to this list, this value should not change.
74 config STM_BINARY_FILE
75 string "STM binary file"
76 default "3rdparty/stm/Stm/build/StmPkg/Core/stm.bin"
77 help
78 Location of the STM binary file. The default location is
79 where the file will be located when coreboot builds
80 the STM.
82 config STM_HEAPSIZE
83 hex "stm heapsize"
84 default 0x46000
85 help
86 The STM_HEAPSIZE defines the heap space that is available
87 to the STM. The default size assumes a MSEG_SIZE of 0x100000.
88 For STM/PE this size should be a minimum of 0x246000.
90 config STM_TTYS0_BASE
91 hex "stm uart"
92 default TTYS0_BASE if TTYS0_BASE
93 default 0x000
94 help
95 Defines the serial port for STM console output. 0x000 indicates
96 no serial port.
98 config STM_CBMEM_CONSOLE
99 bool "STM cbmem console"
100 default n
101 depends on CONSOLE_CBMEM
102 help
103 Places the STM console output into the cbmem.
105 choice
106 prompt "Select STM console output"
108 config STM_CONSOLE_DEBUG
109 bool "Debug output"
110 depends on STM_CBMEM_CONSOLE || STM_TTYS0_BASE
111 help
112 "Produces all STM console output"
114 config STM_CONSOLE_RELEASE
115 bool "Deactivate console output"
116 help
117 "No console output is produced"
118 endchoice
120 endmenu #STM
122 endif