On Wed, 14 Feb 2024 at 23:31, Ross Philipson <ross.philipson@xxxxxxxxxx> wrote: > > Initial bits to bring in Secure Launch functionality. Add Kconfig > options for compiling in/out the Secure Launch code. > > Signed-off-by: Ross Philipson <ross.philipson@xxxxxxxxxx> > --- > arch/x86/Kconfig | 12 ++++++++++++ > 1 file changed, 12 insertions(+) > > diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig > index 5edec175b9bf..d96d75f6f1a9 100644 > --- a/arch/x86/Kconfig > +++ b/arch/x86/Kconfig > @@ -2071,6 +2071,18 @@ config EFI_RUNTIME_MAP > > See also Documentation/ABI/testing/sysfs-firmware-efi-runtime-map. > > +config SECURE_LAUNCH > + bool "Secure Launch support" > + default n 'n' is already the default, so you can drop this line. > + depends on X86_64 && X86_X2APIC This depends on CONFIG_TCG_TPM as well (I got build failures without it) > + help > + The Secure Launch feature allows a kernel to be loaded > + directly through an Intel TXT measured launch. Intel TXT > + establishes a Dynamic Root of Trust for Measurement (DRTM) > + where the CPU measures the kernel image. This feature then > + continues the measurement chain over kernel configuration > + information and init images. > + > source "kernel/Kconfig.hz" > > config ARCH_SUPPORTS_KEXEC > -- > 2.39.3 >