# SPDX-License-Identifier: GPL-2.0-only
# OP-TEE Trusted Execution Environment Configuration
config OPTEE
	tristate "OP-TEE"
	depends on HAVE_ARM_SMCCC
	depends on MMU
	depends on RPMB || !RPMB
	help
	  This implements the OP-TEE Trusted Execution Environment (TEE)
	  driver.

config OPTEE_INSECURE_LOAD_IMAGE
	bool "Load OP-TEE image as firmware"
	default n
	depends on OPTEE && ARM64
	help
	  This loads the BL32 image for OP-TEE as firmware when the driver is
	  probed. This returns -EPROBE_DEFER until the firmware is loadable from
	  the filesystem which is determined by checking the system_state until
	  it is in SYSTEM_RUNNING. This also requires enabling the corresponding
	  option in Trusted Firmware for Arm. The documentation there explains
	  the security threat associated with enabling this as well as
	  mitigations at the firmware and platform level.
	  https://trustedfirmware-a.readthedocs.io/en/latest/threat_model/threat_model.html

	  Additional documentation on kernel security risks is at
	  Documentation/tee/op-tee.rst.