## SPDX-License-Identifier: GPL-2.0-only

config STM
	bool "Enable STM"
	default n
	depends on ENABLE_VMX
	depends on SMM_TSEG

	help
	  Enabling the STM will load a simple hypervisor into SMM that will
	  restrict the actions of the SMI handler, which is the part of BIOS
	  that functions in system management mode (SMM). The kernel can
	  configure the STM to prevent the SMI handler from accessing platform
	  resources.
	  The STM closes a vulnerability in Intel TXT (D-RTM).
	  During STM startup, the SMI handler provides the STM with a list of
	  platform resources that it requires access to, which the kernel
	  cannot override.
	  An additional capability, called STM-PE, provides a protected
	  execution capability that allows modules to be executed without
	  observation and interference. Examples of usage include kernel
	  introspection and virtualized trusted platform module (vTPM).
	  Requirement: SMM must be enabled and there must be sufficient room
	  within the TSEG to fit the MSEG.

if STM

menu "SMI Transfer Monitor (STM)"

config MSEG_SIZE
	hex "mseg size"
	default 0x100000
	help
	  The MSEG_SIZE of 0x100000 assumes that:
	    IED_REGION_SIZE = 0x400000
	    SMM_RESERVED_SIZE = 0x200000
	    SMM_TSEG_SIZE = 0x800000

	  To use STM/PE, a larger MSEG_SIZE is necessary. This can be
	  done by either increasing SMM_TSEG_SIZE or reducing the
	  IED_REGION_SIZE and/or SMM_RESERVED_SIZE or some combination
	  of the three.
	  NOTE: The author's experience is that these configuration
	  parameters have to be changed at the SoC Kconfig for them to
	  be applied.
	  Minimum sizes:
	    STM only - 0x100000 - Supports up to 38 processor threads
	             - 0x200000 - Supports up to 102 processor threads
	    STM/PE   - 0x300000+ depending on the amount of memory needed
	               for the protected execution virtual
	               machine (VM/PE)

config STM_STMPE_ENABLED
	bool "STM/PE Enabled"
	default n
	help
	  STM/PE provides for additional virtual machines in SMRAM
	  that provide a protected execution environment for
	  applications such as introspection, which need to be
	  protected from malicious code. More information can be
	  found on the stmpe branch of
	  https://review.coreboot.org/STM


config BIOS_RESOURCE_LIST_SIZE
	hex "bios resource list size"
	default 0x1000
	help
	  The BIOS resource list defines the resources that the
	  SMI handler needs. This list is created during the
	  coreboot bootup. Unless a lot of elements have been
	  added to this list, this value should not change.

config STM_BINARY_FILE
	string "STM binary file"
	default "3rdparty/stm/Stm/build/StmPkg/Core/stm.bin"
	help
	  Location of the STM binary file. The default location is
	  where the file will be located when coreboot builds
	  the STM.

config STM_HEAPSIZE
	hex "stm heapsize"
	default 0x46000
	help
	  The STM_HEAPSIZE defines the heap space that is available
	  to the STM. The default size assumes an MSEG_SIZE of 0x100000.
	  For STM/PE this size should be a minimum of 0x246000.

config STM_TTYS0_BASE
	hex "stm uart"
	default TTYS0_BASE if TTYS0_BASE
	default 0x000
	help
	  Defines the serial port for STM console output. 0x000 indicates
	  no serial port.

config STM_CBMEM_CONSOLE
	bool "STM cbmem console"
	default n
	depends on CONSOLE_CBMEM
	help
	  Places the STM console output into the cbmem.

choice
	prompt "Select STM console output"

config STM_CONSOLE_DEBUG
	bool "Debug output"
	depends on STM_CBMEM_CONSOLE || STM_TTYS0_BASE
	help
	  Produces all STM console output

config STM_CONSOLE_RELEASE
	bool "Deactivate console output"
	help
	  No console output is produced
endchoice

endmenu #STM

endif
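
The minimum sizes given in the MSEG_SIZE and STM_HEAPSIZE help text can be checked against a generated .config before the image is built. The Python below is an added example, not part of the coreboot tree: `parse_dotconfig`, `check_stm` and the sample .config are constructed for illustration, and the rule that MSEG, the IED region and the SMM reserved area must fit side by side in TSEG is an assumption of this example.

```python
import re

# Minimums quoted from the MSEG_SIZE and STM_HEAPSIZE help text.
THREAD_LIMITS = [(0x100000, 38), (0x200000, 102)]  # (MSEG_SIZE, max threads)
STMPE_MIN_MSEG = 0x300000
STMPE_MIN_HEAP = 0x246000

# Constructed sample: STM/PE switched on while sizes stay at STM-only defaults.
SAMPLE = """\
CONFIG_STM=y
CONFIG_STM_STMPE_ENABLED=y
CONFIG_MSEG_SIZE=0x100000
CONFIG_STM_HEAPSIZE=0x46000
CONFIG_IED_REGION_SIZE=0x400000
CONFIG_SMM_RESERVED_SIZE=0x200000
CONFIG_SMM_TSEG_SIZE=0x800000
"""

def parse_dotconfig(text):
    """Return {symbol: value} for the CONFIG_* assignments in a .config."""
    cfg = {}
    for m in re.finditer(r"^CONFIG_(\w+)=(.*)$", text, re.M):
        val = m.group(2).strip().strip('"')
        is_hex = re.fullmatch(r"0[xX][0-9a-fA-F]+", val)
        cfg[m.group(1)] = int(val, 16) if is_hex else val
    return cfg

def check_stm(cfg, threads):
    """Return a list of findings; an empty list means no rule was violated."""
    if cfg.get("STM") != "y":
        return []
    findings = []
    mseg, heap = cfg.get("MSEG_SIZE", 0x100000), cfg.get("STM_HEAPSIZE", 0x46000)
    # Assumption of this example: MSEG, the IED region and the SMM reserved
    # area must fit inside TSEG side by side.
    need = mseg + cfg.get("IED_REGION_SIZE", 0) + cfg.get("SMM_RESERVED_SIZE", 0)
    tseg = cfg.get("SMM_TSEG_SIZE", 0)
    if need > tseg:
        findings.append(f"TSEG too small: need {need:#x}, have {tseg:#x}")
    if cfg.get("STM_STMPE_ENABLED") == "y":
        if mseg < STMPE_MIN_MSEG:
            findings.append(f"STM/PE needs MSEG_SIZE >= {STMPE_MIN_MSEG:#x}, got {mseg:#x}")
        if heap < STMPE_MIN_HEAP:
            findings.append(f"STM/PE needs STM_HEAPSIZE >= {STMPE_MIN_HEAP:#x}, got {heap:#x}")
    else:
        cap = max((t for size, t in THREAD_LIMITS if mseg >= size), default=0)
        if threads > cap:
            findings.append(f"MSEG_SIZE {mseg:#x} is documented for {cap} threads, have {threads}")
    return findings
```

Calling `check_stm(parse_dotconfig(SAMPLE), threads=8)` reports the undersized MSEG and heap for STM/PE; pass the text of a real .config and the platform's thread count to check a build.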