# SPDX-License-Identifier: GPL-2.0-only
# OP-TEE Trusted Execution Environment Configuration
config OPTEE
	tristate "OP-TEE"
	depends on HAVE_ARM_SMCCC
	depends on MMU
	help
	  This implements the OP-TEE Trusted Execution Environment (TEE)
	  driver.

config OPTEE_INSECURE_LOAD_IMAGE
	bool "Load OP-TEE image as firmware"
	default n
	depends on OPTEE && ARM64
	help
	  This loads the BL32 image for OP-TEE as firmware when the driver is
	  probed. This returns -EPROBE_DEFER until the firmware is loadable from
	  the filesystem, which is determined by checking the system_state until
	  it is in SYSTEM_RUNNING. This also requires enabling the corresponding
	  option in Trusted Firmware for Arm. The documentation there explains
	  the security threat associated with enabling this as well as
	  mitigations at the firmware and platform level.
	  https://trustedfirmware-a.readthedocs.io/en/latest/threat_model/threat_model.html

	  Additional documentation on kernel security risks is at
	  Documentation/staging/tee.rst.
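
# Added example, not part of the kernel tree: a build-audit check that reads a
# kernel .config and reports whether OPTEE_INSECURE_LOAD_IMAGE is enabled and
# whether its "depends on OPTEE && ARM64" line is satisfied. The function
# names, messages, exit codes and the sample fragment are this example's own.

```shell
#!/bin/sh
# Added example: audit a kernel .config for OPTEE_INSECURE_LOAD_IMAGE.
# Function names, messages and exit codes are this example's own.

# Print the effective value of CONFIG_<symbol>; the last occurrence wins,
# and both an absent symbol and "# CONFIG_<symbol> is not set" count as n.
kconfig_value() {
    awk -v sym="CONFIG_$2" '
        index($0, sym "=") == 1      { v = substr($0, length(sym) + 2) }
        $0 == "# " sym " is not set" { v = "n" }
        END { print (v == "" ? "n" : v) }
    ' "$1"
}

# Return 0 = image loading off, 1 = enabled, 2 = enabled but the
# "depends on OPTEE && ARM64" line is not satisfied (hand-edited config).
audit_optee_config() {
    optee=$(kconfig_value "$1" OPTEE)
    arm64=$(kconfig_value "$1" ARM64)
    load=$(kconfig_value "$1" OPTEE_INSECURE_LOAD_IMAGE)
    if [ "$load" != y ]; then
        echo "OK: OPTEE=$optee, OP-TEE image is not loaded by the kernel driver"
        return 0
    fi
    if [ "$optee" = n ] || [ "$arm64" != y ]; then
        echo "INCONSISTENT: OPTEE_INSECURE_LOAD_IMAGE=y with OPTEE=$optee ARM64=$arm64"
        return 2
    fi
    echo "FINDING: OPTEE_INSECURE_LOAD_IMAGE=y, BL32 is loaded from the filesystem at probe"
    return 1
}

# Constructed sample .config fragment (not taken from a real build).
sample_config() {
    cat <<'EOF'
CONFIG_ARM64=y
CONFIG_OPTEE=m
CONFIG_OPTEE_INSECURE_LOAD_IMAGE=y
EOF
}

# Usage: sh audit.sh /path/to/.config
if [ "$#" -gt 0 ]; then
    audit_optee_config "$1"
fi
```

# A non-zero exit status lets a CI job fail any build whose configuration
# enables the option without a recorded exception.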