xref: /linux/drivers/tee/optee/Kconfig (revision c7546e2c3cb739a3c1a2f5acaf9bb629d401afe5)
1# SPDX-License-Identifier: GPL-2.0-only
2# OP-TEE Trusted Execution Environment Configuration
3config OPTEE
4	tristate "OP-TEE"
5	depends on HAVE_ARM_SMCCC
6	depends on MMU
7	depends on RPMB || !RPMB
8	help
9	  This implements the OP-TEE Trusted Execution Environment (TEE)
10	  driver.
11
12config OPTEE_INSECURE_LOAD_IMAGE
13	bool "Load OP-TEE image as firmware"
14	default n
15	depends on OPTEE && ARM64
16	help
17	  This loads the BL32 image for OP-TEE as firmware when the driver is
18	  probed. This returns -EPROBE_DEFER until the firmware is loadable from
19	  the filesystem which is determined by checking the system_state until
20	  it is in SYSTEM_RUNNING. This also requires enabling the corresponding
21	  option in Trusted Firmware for Arm. The documentation there explains
22	  the security threat associated with enabling this as well as
23	  mitigations at the firmware and platform level.
24	  https://trustedfirmware-a.readthedocs.io/en/latest/threat_model/threat_model.html
25
26	  Additional documentation on kernel security risks are at
27	  Documentation/tee/op-tee.rst.
28